CTF - Donation

This is the first challenge in the series provided by Security Innovation

Daniel Luca
Jan 13 · 2 min read

It’s quite simple because there’s no real hacking we need to do. This is an intro challenge that makes sure you can run transactions and understand what the ABI is.

My basic tool set for solving challenges consists of

  • Remix-ide I have a fork of this with some bugfixes and style changes (monospace fonts).
  • Ganache It’s easier and faster to test transactions in a local environment than to send to Ropsten everytime.
  • Web3-console Super easy way to create custom transactions or query the chain.

You can find the challenge here.

Description

Donate to Bob Smith!

Bob Smith is a name you can trust! He stands for your values! He cares about what you care about!

The other candidates only cares about their own constituents. Boo!

Support Bob Smith and make a difference today!

There’s a text saying that Bob Smith is trustful and we should give our money to him.

Checking the source code we see right away an easy way to extract the Ether in the contract.

function withdrawDonationsFromTheSuckersWhoFellForIt() external ctf{
msg.sender.transfer(funds);
funds = 0;
}

The ctf modifier only lets the current user interact with the contract, it does not provide additional protection.

The player can extract the funds right away, no real hacking needs to be done. Sending a transaction that calls this function will solve this challenge.

Daniel Luca

Written by

Button pusher