何方圜的博客

CTF-BabyOtter题目源代码： // SPDX-License-Identifier: UNLICENSEDpragma solidity ^0.8.13;contract BabyOtter { bool public solved = false; function solve(uint x) public { unchecked { assert(x * 0x1337 == 1); } solved = true; }} 这个题，有个unchecked 它是一个不对溢出进行的一个检查unchecked 是一个特殊的关键字，表示在代码块中进行运算时不进行溢出检查。这意味着即使在某些情况下会发生溢出，也不会触发 Solidity 默认的溢出检查错误。 那么就很容易想到溢出来解决这个题了攻击代码： // SPDX-License-Identifier: UNLICENSEDpragma solidity ^0.8.13;interfa ...

CTF-AdultOtter题目源代码： // SPDX-License-Identifier: UNLICENSEDpragma solidity ^0.8.13;contract AdultOtter { bool public solved = false; function pwn(uint[16] memory code) public { uint[16] memory a; uint[16] memory b; for (uint i = 0; i < 16; i++) { assert(1337 * i < code[i] && code[i] < 1337 * (i + 1)); } for (uint i = 0; i < 16; i++) { a[i] = i**i * code[i]; } for (uint i = 1; i < 16; i++) ...

一SummaryIf the admin records the investment using the investment token instead of the stablecoin, it will lead to an error. Root CauseVulnerable code: 2024-11-vvv-exchange-update-HeYuan-33/vvv-platform-smart-contracts/contracts/vc/VVVVCInvestmentLedger.sol Lines 268 to 277 in c1e47db for (uint256 i = 0; i < _kycAddresses.length; i++) { address kycAddress = _kycAddresses[i]; uint256 investmentRound = _investmentRounds[i]; uint256 amountToInvest = _amountsTo ...

攻击介绍2023年7月11日，Arbitrum链上的Rodeo Finance: Pool由于价格预言机操纵，而被黑客盗取了472 ETH。 攻击分析攻击者利用了预言机的缺陷控制了unshETH与ETH之间的兑换比率,预言机使用 ETH 与 unshETH 的准备金比率来检查价格。同时攻击者能够通过具有未配置策略地址的 earn 函数强制平台将 USDC 兑换为 unshETH。由于价格预言机存在缺陷，滑点控制无法生效。(具体可见Meth为0x7b37c42b的交易)。 function earn(address usr, address pol, uint256 str, uint256 amt, uint256 bor, bytes calldata dat) external loop returns (uint256){ if (status < S_LIVE) revert WrongStatus(); if (!pools[pol]) revert InvalidPool(); if (strategies[str] == addres ...

CTF-Numen-LenderPool题目有点长的，主要是接口使用多了源代码点击 要求很明显： function isSolved() public view returns (bool) { if (token0.balanceOf(address(lenderPool)) == 0) { return true; } 耗尽池中所有的token0 关键就是在flashLoan函数中一个外部调用出现了问题： token0.transfer(borrower, borrowAmount); borrower.functionCall(abi.encodeWithSignature("receiveEther(uint256)", borrowAmount)); 当发送给borrower ``token0时，会调用borrower的内部函数去接受，虽然flashLoan函数有防止重入的攻击的修饰，但是swap()函数没有防止重入攻击的修饰符，所以就可一进行一个=跨函数的重入攻击。 所以这就 ...

题目源码： // SPDX-License-Identifier: MITpragma solidity ^0.8.4;contract PrivilegeFinance { string public name = "Privilege Finance"; string public symbol = "PF"; uint256 public decimals = 18; uint256 public totalSupply = 200000000000; mapping(address => uint) public balances; mapping(address => address) public referrers; string msgsender = '0x71fA690CcCDC285E3Cb6d5291EA935cfdfE4E0'; uint public rewmax = 65000000000000000000000; uint publi ...

CTF-OnlyPwner-FREEBIE题目地址 点击 要求是将合约的余额变为零 源代码很少 pragma solidity 0.8.19;import {IVault} from "./interfaces/IVault.sol";contract Vault is IVault { uint256 public totalDeposited; function deposit() external payable { totalDeposited += msg.value; emit Deposit(msg.sender, msg.value); } function withdraw(uint256 amount) external { totalDeposited -= amount; payable(msg.sender).transfer(amount); emit Withdraw(msg.send ...

一SummaryThe attacker can register their own address as the charitable organization and then perform a self-transfer by donating to the organization, effectively receiving a specific minted NFT for free. Vulnerability DetailsVulnerability code source:https://github.com/Cyfrin/2024-11-giving-thanks/blob/304812abfc16df934249ecd4cd8dea38568a625d/src/GivingThanks.sol#L21-L23 There is no check to verify whether the charitable organization’s address is the same as the donor’s address, which allows atta ...

攻击介绍2023年7月17日，bscscan链上的NewFi被黑客攻击，一共损失了价值31k$的BUSD。 攻击分析我们使用phalcon进行分析，通过phalcon的调用栈分析，可以看到攻击者首先从4个池子贷了大量的BUSD，然后在PancakeSwap: Smart Router V3中通过以质押与回收BUSD从中套了31,099的BUSD。分析StakedV3.Invest()的调用栈，发现sqrtPriceX96从456917351256涨到了396517633895，显然攻击者通过StakedV3的Invest()方法操纵了价格。 POC // SPDX-License-Identifier: UNLICENSEDpragma solidity ^0.8.10;import "forge-std/Test.sol";import "./interface.sol";// Vulnerable Contract : 0xb8dc09eec82cab2e86c7edc8dd5882dd92d22411// Attack Tx : 0x557 ...

DeFi Hack由于这个是一个题目集，就写在一起，做个写题记录五个题目的源代码，都在这里了：源代码：点击 May The Force Be With You题目要求是：要取得合约中所有的代币 首先还是看代码，合约代码，还是简单，重点还是看向withdrew函数，要撤回合约中的所有代币， function withdraw(uint256 numberOfShares) external nonReentrant { // Gets the amount of xYODA in existence uint256 totalShares = totalSupply(); // Calculates the amount of YODA the xYODA is worth uint256 what = numberOfShares.mul(yoda.balanceOf(address(this))).div(totalShares); _burn(msg.sender, numberOfShare ...