update readme + format

minaminao · minaminao · commit 9bae21ed8eed · 2025-10-05T13:49:56.000+09:00
diff --git a/README.md b/README.md
@@ -58,6 +58,7 @@ Please be aware that these contain spoilers. For contribution guidelines, please
   - [Foundry cheatcodes](#foundry-cheatcodes)
   - [Front-running](#front-running)
   - [Back-running](#back-running)
+  - [EIP-7702](#eip-7702)
   - [Head overflow bugs in calldata tuple ABI-reencoding (\< Solidity 0.8.16)](#head-overflow-bugs-in-calldata-tuple-abi-reencoding--solidity-0816)
   - [Overwriting storage slots via local storage variables (\< Solidity 0.8.1)](#overwriting-storage-slots-via-local-storage-variables--solidity-081)
   - [Overwriting arbitrary storage slots by setting array lengths to `2^256-1` (\< Solidity 0.6.0)](#overwriting-arbitrary-storage-slots-by-setting-array-lengths-to-2256-1--solidity-060)
@@ -356,28 +357,29 @@ Note:
 - Use a disassembler (e.g., [ByteGraph](https://bytegraph.xyz/), [ethersplay](https://github.com/crytic/ethersplay)).
 - Use a debugger (e.g., [Foundry Debugger](https://book.getfoundry.sh/forge/debugger)).
 
-| Challenge                                                       | Note, Keywords                          |
-| --------------------------------------------------------------- | --------------------------------------- |
-| Incognito 2.0: Ez                                               | keep in plain text                      |
-| [0x41414141 CTF: crackme.sol](src/0x41414141CTF/)               | decompile                               |
-| [0x41414141 CTF: Crypto Casino](src/0x41414141CTF/)             | bypass condition check                  |
-| Paradigm CTF 2021: Babyrev                                      |                                         |
-| 34C3 CTF: Chaingang                                             |                                         |
-| Blaze CTF 2018: Smart? Contract                                 |                                         |
-| DEF CON CTF Qualifier 2018: SAG?                                |                                         |
-| pbctf 2020: pbcoin                                              |                                         |
-| Paradigm CTF 2022: STEALING-SATS                                |                                         |
-| Paradigm CTF 2022: ELECTRIC-SHEEP                               |                                         |
-| Paradigm CTF 2022: FUN-REVERSING-CHALLENGE                      |                                         |
-| [DownUnderCTF 2022: EVM Vault Mechanism](src/DownUnderCTF2022/) |                                         |
-| [EKOPARTY CTF 2022: Byte](src/EkoPartyCTF2022/)                 | stack tracing                           |
-| [EKOPARTY CTF 2022: SmartRev](src/EkoPartyCTF2022/)             | memory tracing                          |
-| [Numen Cyber CTF 2023: HEXP](src/NumenCTF/)                     | previous block hash == gas price % 2^24 |
-| [BlazCTF 2023: Maze](src/BlazCTF2023/)                          |                                         |
-| [BlazCTF 2023: Jambo](src/BlazCTF2023/)                         |                                         |
-| [BlazCTF 2023: Ghost](src/BlazCTF2023/)                         |                                         |
-| [Curta: Lana](src/Curta/20_Lana/)                               | LLVM                                    |
-| [Ethernaut: 30. HigherOrder](src/Ethernaut/HigherOrder/)        | calldata                                |
+| Challenge                                                                            | Note, Keywords                          |
+| ------------------------------------------------------------------------------------ | --------------------------------------- |
+| Incognito 2.0: Ez                                                                    | keep in plain text                      |
+| [0x41414141 CTF: crackme.sol](src/0x41414141CTF/)                                    | decompile                               |
+| [0x41414141 CTF: Crypto Casino](src/0x41414141CTF/)                                  | bypass condition check                  |
+| Paradigm CTF 2021: Babyrev                                                           |                                         |
+| 34C3 CTF: Chaingang                                                                  |                                         |
+| Blaze CTF 2018: Smart? Contract                                                      |                                         |
+| DEF CON CTF Qualifier 2018: SAG?                                                     |                                         |
+| pbctf 2020: pbcoin                                                                   |                                         |
+| Paradigm CTF 2022: STEALING-SATS                                                     |                                         |
+| Paradigm CTF 2022: ELECTRIC-SHEEP                                                    |                                         |
+| Paradigm CTF 2022: FUN-REVERSING-CHALLENGE                                           |                                         |
+| [DownUnderCTF 2022: EVM Vault Mechanism](src/DownUnderCTF2022/)                      |                                         |
+| [EKOPARTY CTF 2022: Byte](src/EkoPartyCTF2022/)                                      | stack tracing                           |
+| [EKOPARTY CTF 2022: SmartRev](src/EkoPartyCTF2022/)                                  | memory tracing                          |
+| [Numen Cyber CTF 2023: HEXP](src/NumenCTF/)                                          | previous block hash == gas price % 2^24 |
+| [BlazCTF 2023: Maze](src/BlazCTF2023/)                                               |                                         |
+| [BlazCTF 2023: Jambo](src/BlazCTF2023/)                                              |                                         |
+| [BlazCTF 2023: Ghost](src/BlazCTF2023/)                                              |                                         |
+| [Curta: Lana](src/Curta/20_Lana/)                                                    | LLVM                                    |
+| [Ethernaut: 30. HigherOrder](src/Ethernaut/HigherOrder/)                             | calldata                                |
+| [COMPFEST CTF 2025: Synthetic Manipulation](src/Compfest2025/SyntheticManipulation/) |                                         |
 
 ### EVM assembly logic bugs
 - Logic bugs in assemblies such as Yul
@@ -529,9 +531,10 @@ Note:
 - This can be exploited in systems that track used signatures, as the alternative signature may not be recognized as already used.
 - In Ethereum's secp256k1 curve, this property can be used to bypass signature verification mechanisms.
 
-| Challenge                                                  | Note, Keywords                           |
-| ---------------------------------------------------------- | ---------------------------------------- |
-| [SmileyCTF: MultisigWallet](src/SmileyCTF/MultisigWallet/) | ECDSA, signature malleability, secp256k1 |
+| Challenge                                                              | Note, Keywords                           |
+| ---------------------------------------------------------------------- | ---------------------------------------- |
+| [SmileyCTF: MultisigWallet](src/SmileyCTF/MultisigWallet/)             | ECDSA, signature malleability, secp256k1 |
+| [COMPFEST CTF 2025: snake_inception](src/Compfest2025/SnakeInception/) | Vyper                                    |
 
 ### Brute-forcing addresses
 - Brute force can make a part of an address a specific value.
@@ -620,6 +623,13 @@ Note:
 | [MEV-Share CTF: MevShareCTFNewContract (Address)](src/MEVShareCTF/) |                |
 | [MEV-Share CTF: MevShareCTFNewContract (Salt)](src/MEVShareCTF/)    | CREATE2        |
 
+### EIP-7702
+
+| Challenge                                                                                                                                           | Note, Keywords |
+| --------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- |
+| [HITCON CTF 2025: Maximal Extractable Vuln](https://github.com/minaminao/my-ctf-challenges/tree/main/ctfs/hitcon-ctf-2025/maximal-extractable-vuln) |                |
+| [COMPFEST CTF 2025: snake_inception](src/Compfest2025/SnakeInception/)                                                                              | Vyper          |
+
 ### Head overflow bugs in calldata tuple ABI-reencoding (< Solidity 0.8.16)
 - See: https://blog.soliditylang.org/2022/08/08/calldata-tuple-reencoding-head-overflow-bug/
 
diff --git a/src/Compfest2025/SnakeInception/README.md b/src/Compfest2025/SnakeInception/README.md
@@ -1,5 +1,5 @@
 
-Since the contract is using raw_call,  no problem if it goes OOG.
+Since the contract is using raw_call, no problem if it goes OOG.
 
 There are a signature in a past block:
 ```
@@ -20,3 +20,7 @@ Traces:
 Transaction successfully executed.
 Gas used: 68390
 ```
+
+
+Other solutions
+- >minimal proxy with leading zero or eip 7702
diff --git a/src/Ethernaut/CoinFlip/CoinFlipFactory.sol b/src/Ethernaut/CoinFlip/CoinFlipFactory.sol
@@ -6,7 +6,7 @@ import "../Ethernaut/Level.sol";
 import "./CoinFlip.sol";
 
 contract CoinFlipFactory is Level {
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         return address(new CoinFlip());
     }
 
diff --git a/src/Ethernaut/Delegation/DelegationFactory.sol b/src/Ethernaut/Delegation/DelegationFactory.sol
@@ -13,7 +13,7 @@ contract DelegationFactory is Level {
         delegateAddress = address(newDelegate);
     }
 
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         Delegation parity = new Delegation(delegateAddress);
         return address(parity);
     }
diff --git a/src/Ethernaut/Denial/DenialFactory.sol b/src/Ethernaut/Denial/DenialFactory.sol
@@ -8,15 +8,15 @@ import "./Denial.sol";
 contract DenialFactory is Level {
     uint256 public initialDeposit = 0.001 ether;
 
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         require(msg.value >= initialDeposit);
         Denial instance = new Denial();
         (bool result,) = address(instance).call{value: msg.value}("");
         require(result);
         return address(instance);
     }
 
-    function validateInstance(address payable _instance, address /* _player */) public override returns (bool) {
+    function validateInstance(address payable _instance, address /* _player */ ) public override returns (bool) {
         Denial instance = Denial(_instance);
         if (address(instance).balance <= 100 wei) {
             // cheating otherwise
diff --git a/src/Ethernaut/Elevator/ElevatorFactory.sol b/src/Ethernaut/Elevator/ElevatorFactory.sol
@@ -6,7 +6,7 @@ import "../Ethernaut/Level.sol";
 import "./Elevator.sol";
 
 contract ElevatorFactory is Level {
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         Elevator instance = new Elevator();
         return address(instance);
     }
diff --git a/src/Ethernaut/Fallback/FallbackFactory.sol b/src/Ethernaut/Fallback/FallbackFactory.sol
@@ -5,7 +5,7 @@ import "./Fallback.sol";
 import "../Ethernaut/Level.sol";
 
 contract FallbackFactory is Level {
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         Fallback instance = new Fallback();
         return address(instance);
     }
diff --git a/src/Ethernaut/Fallout/FalloutFactory.sol b/src/Ethernaut/Fallout/FalloutFactory.sol
@@ -6,7 +6,7 @@ import "../Ethernaut/Level.sol";
 import "./Fallout.sol";
 
 contract FalloutFactory is Level {
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         Fallout instance = new Fallout();
         return address(instance);
     }
diff --git a/src/Ethernaut/Force/ForceFactory.sol b/src/Ethernaut/Force/ForceFactory.sol
@@ -6,11 +6,11 @@ import "../Ethernaut/Level.sol";
 import "./Force.sol";
 
 contract ForceFactory is Level {
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         return address(new Force());
     }
 
-    function validateInstance(address payable _instance, address /* _player */) public view override returns (bool) {
+    function validateInstance(address payable _instance, address /* _player */ ) public view override returns (bool) {
         Force instance = Force(_instance);
         return address(instance).balance > 0;
     }
diff --git a/src/Ethernaut/GatekeeperOne/GatekeeperOneFactory.sol b/src/Ethernaut/GatekeeperOne/GatekeeperOneFactory.sol
@@ -6,7 +6,7 @@ import "../Ethernaut/Level.sol";
 import "./GatekeeperOne.sol";
 
 contract GatekeeperOneFactory is Level {
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         GatekeeperOne instance = new GatekeeperOne();
         return address(instance);
     }
diff --git a/src/Ethernaut/GatekeeperThree/GatekeeperThreeFactory.sol b/src/Ethernaut/GatekeeperThree/GatekeeperThreeFactory.sol
@@ -5,7 +5,7 @@ import "../Ethernaut/Level.sol";
 import "./GatekeeperThree.sol";
 
 contract GatekeeperThreeFactory is Level {
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         GatekeeperThree instance = new GatekeeperThree();
         return payable(instance);
     }
diff --git a/src/Ethernaut/GatekeeperTwo/GatekeeperTwoFactory.sol b/src/Ethernaut/GatekeeperTwo/GatekeeperTwoFactory.sol
@@ -6,7 +6,7 @@ import "../Ethernaut/Level.sol";
 import "./GatekeeperTwo.sol";
 
 contract GatekeeperTwoFactory is Level {
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         GatekeeperTwo instance = new GatekeeperTwo();
         return address(instance);
     }
diff --git a/src/Ethernaut/GoodSamaritan/GoodSamaritanFactory.sol b/src/Ethernaut/GoodSamaritan/GoodSamaritanFactory.sol
@@ -5,11 +5,11 @@ import "../Ethernaut/Level.sol";
 import "./GoodSamaritan.sol";
 
 contract GoodSamaritanFactory is Level {
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         return address(new GoodSamaritan());
     }
 
-    function validateInstance(address payable _instance, address /* _player */) public view override returns (bool) {
+    function validateInstance(address payable _instance, address /* _player */ ) public view override returns (bool) {
         GoodSamaritan instance = GoodSamaritan(_instance);
         return instance.coin().balances(address(instance.wallet())) == 0;
     }
diff --git a/src/Ethernaut/HelloEthernaut/HelloEthernautFactory.sol b/src/Ethernaut/HelloEthernaut/HelloEthernautFactory.sol
@@ -5,11 +5,11 @@ import "../Ethernaut/Level.sol";
 import "./HelloEthernaut.sol";
 
 contract HelloEthernautFactory is Level {
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         return address(new Instance("ethernaut0"));
     }
 
-    function validateInstance(address payable _instance, address /* _player */) public view override returns (bool) {
+    function validateInstance(address payable _instance, address /* _player */ ) public view override returns (bool) {
         Instance instance = Instance(_instance);
         return instance.getCleared();
     }
diff --git a/src/Ethernaut/HigherOrder/HigherOrderFactory.sol b/src/Ethernaut/HigherOrder/HigherOrderFactory.sol
@@ -6,7 +6,7 @@ import "./HigherOrder-8.sol";
 import "src/utils/Create.sol";
 
 contract HigherOrderFactory is Level {
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         return Create.deploy("HigherOrder.sol:HigherOrder");
     }
 
diff --git a/src/Ethernaut/King/KingFactory.sol b/src/Ethernaut/King/KingFactory.sol
@@ -8,12 +8,12 @@ import "./King.sol";
 contract KingFactory is Level {
     uint256 public insertCoin = 0.001 ether;
 
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         require(msg.value >= insertCoin, "Must send at least 0.001 ETH");
         return address((new King){value: msg.value}());
     }
 
-    function validateInstance(address payable _instance, address /* _player */) public override returns (bool) {
+    function validateInstance(address payable _instance, address /* _player */ ) public override returns (bool) {
         King instance = King(_instance);
         (bool result,) = address(instance).call{value: 0}("");
         !result;
diff --git a/src/Ethernaut/Motorbike/MotorbikeFactory.sol b/src/Ethernaut/Motorbike/MotorbikeFactory.sol
@@ -9,7 +9,7 @@ import "openzeppelin/utils/Address.sol";
 contract MotorbikeFactory is Level {
     mapping(address => address) private engines;
 
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         Engine engine = new Engine();
         Motorbike motorbike = new Motorbike(address(engine));
         engines[address(motorbike)] = address(engine);
@@ -29,7 +29,7 @@ contract MotorbikeFactory is Level {
         return address(motorbike);
     }
 
-    function validateInstance(address payable _instance, address /* _player */) public view override returns (bool) {
+    function validateInstance(address payable _instance, address /* _player */ ) public view override returns (bool) {
         return !(engines[_instance].code.length > 0);
     }
 }
diff --git a/src/Ethernaut/Preservation/PreservationExploit.sol b/src/Ethernaut/Preservation/PreservationExploit.sol
@@ -12,7 +12,7 @@ contract PreservationExploit {
     address public _timeZone2Library;
     address public owner;
 
-    function setTime(uint256 /* time */) public {
+    function setTime(uint256 /* time */ ) public {
         owner = tx.origin;
     }
 
diff --git a/src/Ethernaut/Preservation/PreservationFactory.sol b/src/Ethernaut/Preservation/PreservationFactory.sol
@@ -14,7 +14,7 @@ contract PreservationFactory is Level {
         timeZone2LibraryAddress = address(new LibraryContract());
     }
 
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         return address(new Preservation(timeZone1LibraryAddress, timeZone2LibraryAddress));
     }
 
diff --git a/src/Ethernaut/Reentrance/ReentranceFactory.sol b/src/Ethernaut/Reentrance/ReentranceFactory.sol
@@ -8,15 +8,15 @@ import "./Reentrance.sol";
 contract ReentranceFactory is Level {
     uint256 public insertCoin = 0.001 ether;
 
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         require(msg.value >= insertCoin);
         Reentrance instance = new Reentrance();
         require(address(this).balance >= insertCoin);
         payable(address(instance)).transfer(insertCoin);
         return address(instance);
     }
 
-    function validateInstance(address payable _instance, address /* _player */) public view override returns (bool) {
+    function validateInstance(address payable _instance, address /* _player */ ) public view override returns (bool) {
         Reentrance instance = Reentrance(_instance);
         return address(instance).balance == 0;
     }
diff --git a/src/Ethernaut/Shop/ShopFactory.sol b/src/Ethernaut/Shop/ShopFactory.sol
@@ -6,7 +6,7 @@ import "../Ethernaut/Level.sol";
 import "./Shop.sol";
 
 contract ShopFactory is Level {
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         Shop _shop = new Shop();
         return address(_shop);
     }
diff --git a/src/Ethernaut/Stake/StakeFactory.sol b/src/Ethernaut/Stake/StakeFactory.sol
@@ -14,7 +14,7 @@ contract DWETH is ERC20 {
 contract StakeFactory is Level {
     address _dweth = address(new DWETH());
 
-    function createInstance(address /* _player */) public payable override returns (address) {
+    function createInstance(address /* _player */ ) public payable override returns (address) {
         return address(new Stake(address(_dweth)));
     }
 
diff --git a/src/Ethernaut/Switch/SwitchFactory.sol b/src/Ethernaut/Switch/SwitchFactory.sol
diff --git a/src/Ethernaut/Telephone/TelephoneFactory.sol b/src/Ethernaut/Telephone/TelephoneFactory.sol
diff --git a/src/Ethernaut/Vault/VaultFactory.sol b/src/Ethernaut/Vault/VaultFactory.sol

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ import "../Ethernaut/Level.sol";`
`6`	`6`	`import "./CoinFlip.sol";`
`7`	`7`
`8`	`8`	`contract CoinFlipFactory is Level {`
`9`		`- function createInstance(address /* _player */) public payable override returns (address) {`
	`9`	`+ function createInstance(address /* _player */ ) public payable override returns (address) {`
`10`	`10`	`return address(new CoinFlip());`
`11`	`11`	`}`
`12`	`12`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ contract DelegationFactory is Level {`
`13`	`13`	`delegateAddress = address(newDelegate);`
`14`	`14`	`}`
`15`	`15`
`16`		`- function createInstance(address /* _player */) public payable override returns (address) {`
	`16`	`+ function createInstance(address /* _player */ ) public payable override returns (address) {`
`17`	`17`	`Delegation parity = new Delegation(delegateAddress);`
`18`	`18`	`return address(parity);`
`19`	`19`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ import "../Ethernaut/Level.sol";`
`6`	`6`	`import "./Elevator.sol";`
`7`	`7`
`8`	`8`	`contract ElevatorFactory is Level {`
`9`		`- function createInstance(address /* _player */) public payable override returns (address) {`
	`9`	`+ function createInstance(address /* _player */ ) public payable override returns (address) {`
`10`	`10`	`Elevator instance = new Elevator();`
`11`	`11`	`return address(instance);`
`12`	`12`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@ import "./Fallback.sol";`
`5`	`5`	`import "../Ethernaut/Level.sol";`
`6`	`6`
`7`	`7`	`contract FallbackFactory is Level {`
`8`		`- function createInstance(address /* _player */) public payable override returns (address) {`
	`8`	`+ function createInstance(address /* _player */ ) public payable override returns (address) {`
`9`	`9`	`Fallback instance = new Fallback();`
`10`	`10`	`return address(instance);`
`11`	`11`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ import "../Ethernaut/Level.sol";`
`6`	`6`	`import "./Fallout.sol";`
`7`	`7`
`8`	`8`	`contract FalloutFactory is Level {`
`9`		`- function createInstance(address /* _player */) public payable override returns (address) {`
	`9`	`+ function createInstance(address /* _player */ ) public payable override returns (address) {`
`10`	`10`	`Fallout instance = new Fallout();`
`11`	`11`	`return address(instance);`
`12`	`12`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,11 +6,11 @@ import "../Ethernaut/Level.sol";`
`6`	`6`	`import "./Force.sol";`
`7`	`7`
`8`	`8`	`contract ForceFactory is Level {`
`9`		`- function createInstance(address /* _player */) public payable override returns (address) {`
	`9`	`+ function createInstance(address /* _player */ ) public payable override returns (address) {`
`10`	`10`	`return address(new Force());`
`11`	`11`	`}`
`12`	`12`
`13`		`- function validateInstance(address payable _instance, address /* _player */) public view override returns (bool) {`
	`13`	`+ function validateInstance(address payable _instance, address /* _player */ ) public view override returns (bool) {`
`14`	`14`	`Force instance = Force(_instance);`
`15`	`15`	`return address(instance).balance > 0;`
`16`	`16`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ import "../Ethernaut/Level.sol";`
`6`	`6`	`import "./GatekeeperOne.sol";`
`7`	`7`
`8`	`8`	`contract GatekeeperOneFactory is Level {`
`9`		`- function createInstance(address /* _player */) public payable override returns (address) {`
	`9`	`+ function createInstance(address /* _player */ ) public payable override returns (address) {`
`10`	`10`	`GatekeeperOne instance = new GatekeeperOne();`
`11`	`11`	`return address(instance);`
`12`	`12`	`}`