02.Fallout
2023-06-23 20:21:59 # 04.Ethernaut CTF

Fallout

题目

通关要求:夺取owner

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

import 'openzeppelin-contracts-06/math/SafeMath.sol';

contract Fallout {

using SafeMath for uint256;
mapping (address => uint) allocations;
address payable public owner;


// constructor
function Fal1out() public payable {
owner = msg.sender;
allocations[owner] = msg.value;
}

modifier onlyOwner {
require(
msg.sender == owner,
"caller is not the owner"
);
_;
}

function allocate() public payable {
allocations[msg.sender] = allocations[msg.sender].add(msg.value);
}

function sendAllocation(address payable allocator) public {
require(allocations[allocator] > 0);
allocator.transfer(allocations[allocator]);
}

function collectAllocations() public onlyOwner {
msg.sender.transfer(address(this).balance);
}

function allocatorBalance(address allocator) public view returns (uint) {
return allocations[allocator];
}
}

分析

老样子先看编译器版本^0.6.0,那么就可能出现整数溢出漏洞。但是我们看到它引用了Safemath库,那么排除整数溢出这个可能了。

然后我们看看哪里可以修改owner,嗯,找不到一个方法。嗯???function Fal1out()是什么鬼?特么的构造器名字都可以写错。那么这就不是构造器了,这就是一个方法,直接调用就修改了owner了。

这道题应该是告诉我们,0.8.0之后的版本,构造器是用constructor,而不是这个可能打错字的形式。

做题

获取题目实例地址,输入到At address,然后调用Fal1out方法。然后调用owner发现,owner已经被修改成我们的地址

image-20221222000232061

通过

image-20221222000352709

小插曲

  • 有人遇到过这个问题吗?题目代码复制过来报错
  • 引oz的包要加@
  • 试过了还是不行
  • 试过了好几个stackoverflow的路径都显示不对
  • 而且我觉得不可以修改这个源代码,不然题目不认
  • 只是一个safemath的包,除非题目自己重写了safemath
  • 你是找0.6的safemath是吧
  • 你直接放到合约里面去或者放在自己remix目录都行

image-20221222000433290

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
pragma solidity ^0.6.0;

library SafeMath {

function add(uint256 a, uint256 b) internal pure returns (uint256) {
uint256 c = a + b;
require(c >= a, "SafeMath: addition overflow");

return c;
}

function sub(uint256 a, uint256 b) internal pure returns (uint256) {
return sub(a, b, "SafeMath: subtraction overflow");
}

function sub(uint256 a, uint256 b, string memory errorMessage) internal pure returns (uint256) {
require(b <= a, errorMessage);
uint256 c = a - b;

return c;
}
function mul(uint256 a, uint256 b) internal pure returns (uint256) {
if (a == 0) {
return 0;
}

uint256 c = a * b;
require(c / a == b, "SafeMath: multiplication overflow");

return c;
}
function div(uint256 a, uint256 b) internal pure returns (uint256) {
return div(a, b, "SafeMath: division by zero");
}

function div(uint256 a, uint256 b, string memory errorMessage) internal pure returns (uint256) {
require(b > 0, errorMessage);
uint256 c = a / b;
// assert(a == b * c + a % b); // There is no case in which this doesn't hold

return c;
}

function mod(uint256 a, uint256 b) internal pure returns (uint256) {
return mod(a, b, "SafeMath: modulo by zero");
}


function mod(uint256 a, uint256 b, string memory errorMessage) internal pure returns (uint256) {
require(b != 0, errorMessage);
return a % b;
}
}

题目原地址