05.Fatorial
2023-10-06 15:15:17 # 23.0xHackedCTF

Fatorial

题目让我们成功调用run方法,其中会staticcall回调msg.sender的factorial(uint256)5次,返回值累乘的结果是120。正常情况下,相同的返回值,累乘5次不可能刚好是120,因此我们需要返回不同的值。

因为staticcall限制不能修改状态,因此采用gas限制,根据冷热地址访问gas消耗不同,返回不同的值:第一次热访问返回120,后面4次冷访问都返回1,即可。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

interface IFactorial {
function solve() external;
}

contract Exploit {
IFactorial level;

// construct() {} // construct not allowed

function exploit() public {
// write code here
address target = 0x1963ead4de36524e8EB53B88ccf79ff15Fe20baB;
level = IFactorial(target);
level.solve();
}

function factorial(uint256) public view returns (bytes32) {
uint startGas = gasleft();
uint bal = address(0x100).balance;
uint usedGas = startGas - gasleft();
if (usedGas < 1000) {
bytes32 data01 = bytes32(uint256(1));
return data01;
}
bytes32 data02 = bytes32(uint256(120));
return data02;
}

}