Open in app

Sign in

Write

Sign in

PARADIGM CTF 2022 Question Analysis 1 — RESUCE

Numen Cyber Labs
Numen Cyber Labs
Published in
5 min readAug 24, 2022

PARADIGM GM CTF 2022 competition started at 8:00 a.m. SGT on August 20, 2022 and ended at 8:00 a.m. on August 22, 2022, for a total of two days. A total of 23 questions were given in the competition, and more than 400 teams participated. It is a relatively lively and challenging blockchain security CTF competition, attracting many of the world’s top blockchain security personnel to participate, because its topic is difficult, and it is not easy to get a Flag.

What is CTF?

CTF(Capture The Flag) is a popular form of information security competition. The general process is that the participating teams take the lead in obtaining a string of strings or other content with a certain format from the competition environment given by the organizer through offensive and defensive confrontation, program analysis, etc., and submit it to the organizer to win points. For the sake of convenience, we call such content “Flag”.

Numen Cyber Labs will be publishing analytical articles on this year’s competition topics, so stay tuned. This article first discusses the question analysis, problem solving skills and ideas of the rescue together.

Question Analysis

1. MasterChefHelper.sol Contract

Analysis :From above screenshot, we can see that the main functional interface that this contract can call externally is the swapTokenForPoolToken function. The meaning of each parameter is as follows:

poolId: is to query which uniswap corresponding to the pool in the MasterChef contract which pair address.

tokenIn: is the address where tokens are exchanged into the contract.amountIn: is the amount that the user needs to redeem.

minAmountOut: is the minimum number used to obtain lPs, which can be filled in with 0.

Its main function is to exchange half of the token transferred by the user into token0 in the specified pair contract, and convert the other half to token1, and then add the two together in proportion to the pair to obtain liquidity.

2 . Setup.sol Contract

Analysis: When the Setup contract was created, it first mortgaged 10 ETH and obtained 10 WETH, and then transferring these 10 WETH to the mcHelper contract. The title asks how to transfer the 10 welts under the mcHelper contract.

The question is how to transfer 10 WETH under the mcHelper contract

Problem Solving Analysis

To solve this problem, the only function we can call is the swapTokenForPoolToken function in the MasterChefHelper.sol contract. So we can focus on finding the answer from here. We found that when adding liquidity, the two tokens under the contract will be added together. At the moment, there are 10 WETH under the current contract. We can find a way to get another token of equal proportion and put it under the contract. Then the problem can be solved. ( Notice: to call this function successfully, the tokenIn passed in cannot be equal to the corresponding token0 and token1 in the pair contract)

(1) We create an attack contract by ourselves. At first, there is a certain amount of ETH in our account. We can transfer part of it to the attack contract. At this time, we call the exchange function of uniswap to exchange the token to the one which is different with two codes in the pair corresponding to the incoming poolId. Here we exchange USDT.

(2) Because there are 10 WETH in the mcHelper contract, we query the poolId and pass in 2 in the corresponding pair, token0 and token1 are DAI and WETH respectively. At this time, if we want to add 10 WETH under the contract together, we need to add The DAI corresponding to the exchange of 10 WETH is transferred to the mcHelper contract. Here, the editor changed 20 to prevent it from being insufficient.

(3) Finally, this problem can be solved by calling the swapTokenForPoolToken function in the mcHelper contract, which is equivalent to 10 ETH worth of USDT exchanged for 5 ETH worth of WETH and 5 ETH worth of DAI, plus the transferred 20 ETH worth of DAI , you can add the previous 10 WETH under the contract to the pair in proportion to obtain liquidity, and the excess DAI will remain in the contract.

Notice Points:

① When I solved the problem for the first time, the editor did not perform the second step, because when adding liquidity to the contract, all the tokens under the contract were added. The editor thought that all the tokens were added directly, but the mechanism of uniswap is proportional Added, WETH remains in the contract.

② The ETH in your original flexible account can be used. If you don’t exchange it flexibly, it is not easy to solve this problem.

Poc code:

The following is the main logic code of this poc. If there is a better way to solve the problem, I hope you can communicate with Numen Cyber Labs. We are willing to work together with you.

Summary

This CTF questions are difficult and challenging. Numen Cyber Labs will continue to research and explore them. It is incumbent upon protecting the security of the blockchain, and we hope to make progress and sublimation in each research and exploration.

Web3
Blockchainsecurity
Paradigm Ctf

--

--

Numen Cyber Labs
Numen Cyber Labs

Written by Numen Cyber Labs

644 Followers
Editor for

Numen Cyber Technology is a Cybersecurity vendor and solution provider based in Singapore.We dedicate ourselves in Web3 Security and Threat Detection & Response

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams