Merge branch 'main' into fix/delegation-exploit
leovct authored Nov 25, 2024
2 parents 293c3ed + e0f5bd0 commit 08b7eeb
Showing 3 changed files with 11 additions and 20 deletions.
19 changes: 5 additions & 14 deletions src/EthernautCTF/GatekeeperOne.sol
@@ -5,28 +5,19 @@ contract GatekeeperOne {
address public entrant;

modifier gateOne() {
require(msg.sender != tx.origin);
require(msg.sender != tx.origin, 'Gate 1');
_;
}

modifier gateTwo() {
require(gasleft() % 8191 == 0);
require(gasleft() % 8191 == 0, 'Gate 2');
_;
}

modifier gateThree(bytes8 _gateKey) {
require(
uint32(uint64(_gateKey)) == uint16(uint64(_gateKey)),
'GatekeeperOne: invalid gateThree part one'
);
require(
uint32(uint64(_gateKey)) != uint64(_gateKey),
'GatekeeperOne: invalid gateThree part two'
);
require(
uint32(uint64(_gateKey)) == uint16(uint160(tx.origin)),
'GatekeeperOne: invalid gateThree part three'
);
require(uint32(uint64(_gateKey)) == uint16(uint64(_gateKey)), 'Gate 3.1');
require(uint32(uint64(_gateKey)) != uint64(_gateKey), 'Gate 3.2');
require(uint32(uint64(_gateKey)) == uint16(uint160(tx.origin)), 'Gate 3.3');
_;
}

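Review bot: The reason strings added to gateOne, gateTwo and gateThree change the compiled bytecode, and gateTwo's `gasleft() % 8191 == 0` check depends on exactly how much gas is spent before it runs. The same commit moves the forwarded-gas offset in GatekeeperOneExploit.t.sol from 268 to 265, apparently for this reason. A comment above the modifiers would record the coupling, for example `// NOTE: editing reason strings or compiler settings changes the gas consumed before gateTwo; values measured against this build are not portable.` The contract body continues outside the hunk, so the `enter` function that applies these modifiers is not visible here.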
6 changes: 3 additions & 3 deletions src/EthernautCTF/GatekeeperThree.sol
@@ -41,13 +41,13 @@ contract GatekeeperThree {
}

modifier gateOne() {
require(msg.sender == owner);
require(tx.origin != owner);
require(msg.sender == owner, 'Gate 1.1');
require(tx.origin != owner, 'Gate 1.2');
_;
}

modifier gateTwo() {
require(allowEntrance == true);
require(allowEntrance == true, 'Gate 2');
_;
}

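Review bot: In gateTwo the new line still compares a bool against a literal; `require(allowEntrance, 'Gate 2');` states the same condition without the redundant `== true`. In gateOne the labels 'Gate 1.1' and 'Gate 1.2' say which check fired but not what it enforces, so a one-line comment such as `// 1.1: caller must be the owner; 1.2: the transaction must not originate from the owner` would help readers. The contract starts and ends outside the hunk.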
6 changes: 3 additions & 3 deletions test/EthernautCTF/GatekeeperOneExploit.t.sol
@@ -16,10 +16,10 @@ contract Helper1 {
// I started with a higher base because I noticed that using 10k or 20k gas reverts with an OutOfGas error.
// 3. Tried base + 250 gas = 82,160. This failed.
// 4. Iteratively narrowed down:
// - base + 267 gas (82,177) failed
// - base + 268 gas (82,178) succeeded
// - base + 264 gas => failed
// - base + 265 gas => succeeded
require(
GatekeeperOne(_target).enter{gas: 8191 * 10 + 268}(_gateKey),
GatekeeperOne(_target).enter{gas: 8191 * 10 + 265}(_gateKey),
'Exploit succeeded'
);
}
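Review bot: The reason string on the `require` wrapping `enter{gas: 8191 * 10 + 265}` is `'Exploit succeeded'`, but a reason string is reported only when the condition is false, so a failing run would announce success; `'Exploit failed'` would be accurate. The hard-coded offset 265 is tied to the compiled GatekeeperOne bytecode, which is presumably why it changes from 268 alongside the reason-string edits in this commit. The rewritten comment lines also drop the absolute gas totals the old ones carried, so a note recording the compiler version and optimizer settings used for the measurement would make the next mismatch easier to diagnose. The enclosing function in Helper1 begins outside the hunk.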
