BlockChain-Owner-Pwned

Overview

A simple blockchain (Solidity smart contract) introductory challenge: take over the wallet contract and drain its funds.

Source Code

// SPDX-License-Identifier: MIT
pragma solidity ^0.7.6;

contract Challenge1 {

    address public me;
    mapping(address => uint256) balances;

    // "constructor" (note: this is an ordinary public function, not a Solidity constructor)
    function initWallet() public {
        me = msg.sender;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) public {
        require(amount <= balances[msg.sender]);
        payable(msg.sender).transfer(amount);
        balances[msg.sender] -= amount;
    }

    // If there is an emergency, i'm protected \o/
    function migrateTo(address to) public {
        require(msg.sender == me, "Only me can withdraw all the funds");
        payable(to).transfer(address(this).balance);
    }

    // getBalance returns the balance of the contract, it is always nice to check my fortune
    function getBalance() public view returns (uint)
    {
        return (address(this).balance / 1 ether);
    }

}

The bug is the function the author commented as the constructor. `initWallet` is an ordinary public function, not a Solidity `constructor`, so it does not run once at deployment: it runs whenever anyone calls it, and it assigns `msg.sender` to `me` without checking that `me` is still unset or that the caller is the current owner. Whoever calls it last is the owner. `migrateTo` is correctly gated on `msg.sender == me`, but that gate is only as strong as `me`, so taking over `me` hands over the entire contract balance, including other users' deposits, which `migrateTo` sweeps without consulting `balances`. The remaining functions are not the problem: `deposit` and `withdraw` keep honest per-user accounting, and although `withdraw` calls `transfer` before decrementing the balance, `transfer` forwards only the 2300 gas stipend, which is not enough to re-enter `withdraw`, so re-entrancy is not the path here. `getBalance` simply reports the contract balance in whole ether. The fix is to set the owner in a real `constructor`, or to guard the initializer so it can run only once.

Solution

  • `me` holds the address of whoever last called `initWallet`; `balances` tracks each depositor's balance.

  • `deposit` credits `msg.value` to the caller's balance and keeps the ether in the contract; `withdraw` sends the requested amount back to the caller, provided it does not exceed the caller's balance.

  • `migrateTo` transfers the contract's entire balance to the given address, but only if the caller's address equals `me`.

  • `getBalance` returns the contract's balance in ether.

Attack plan: call `initWallet` from our own address, which overwrites `me` with us. Once we are the owner, call `migrateTo` with our own address to sweep every wei the contract holds. `getBalance` now returns 0, the challenge checker on the website confirms the contract is drained, so PWNED, and we get the flag.
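The takeover as a runnable model, added here and not part of the challenge or the original write-up. It simulates only the EVM rules that matter for this contract (`msg.sender`, `msg.value`, `require`/revert, ether transfers) with constructed addresses and amounts; it is not web3 code and talks to no chain. Alongside the vulnerable contract it models a hardened variant (owner set at deployment, one-shot initializer) so the same attack sequence can be seen to fail against the fix:

```python
"""Simulation of the Challenge1 owner takeover (constructed model, not web3)."""
from dataclasses import dataclass, field

WEI = 10**18  # 1 ether in wei
ZERO = "0x0000000000000000000000000000000000000000"


class Revert(Exception):
    """Stands in for an EVM revert caused by a failed require()."""


def require(cond, msg=""):
    if not cond:
        raise Revert(msg)


@dataclass
class World:
    """Ether balances in wei, keyed by (made-up) address string."""
    eth: dict = field(default_factory=dict)

    def transfer(self, frm, to, amount):
        require(self.eth.get(frm, 0) >= amount, "insufficient balance")
        self.eth[frm] -= amount
        self.eth[to] = self.eth.get(to, 0) + amount


class Challenge1:
    """Mirror of the vulnerable contract. `sender` plays the role of msg.sender."""

    def __init__(self, world, address):
        self.world, self.address = world, address
        self.me = ZERO            # storage default: nobody is the owner yet
        self.balances = {}
        world.eth.setdefault(address, 0)

    def initWallet(self, sender):
        self.me = sender          # the bug: callable by anyone, at any time

    def deposit(self, sender, value):
        self.world.transfer(sender, self.address, value)
        self.balances[sender] = self.balances.get(sender, 0) + value

    def withdraw(self, sender, amount):
        require(amount <= self.balances.get(sender, 0))
        self.world.transfer(self.address, sender, amount)
        self.balances[sender] -= amount

    def migrateTo(self, sender, to):
        require(sender == self.me, "Only me can withdraw all the funds")
        self.world.transfer(self.address, to, self.world.eth[self.address])

    def getBalance(self):
        return self.world.eth[self.address] // WEI


class Challenge1Fixed(Challenge1):
    """Hardened variant (assumed fix): owner set once at deployment,
    and initWallet refuses to run a second time."""

    def __init__(self, world, address, deployer):
        super().__init__(world, address)
        self.me = deployer        # what a real constructor would do
        self.initialized = True

    def initWallet(self, sender):
        require(not self.initialized, "already initialized")
        self.me = sender
        self.initialized = True


def run_exploit(hardened=False):
    """Owner deploys and funds the wallet with 5 ether, then the attacker runs
    the write-up's sequence: initWallet() followed by migrateTo(attacker).
    Returns (attack_succeeded, contract_ether_after, attacker_ether_after)."""
    OWNER, ATTACKER, WALLET = "0xowner", "0xattacker", "0xwallet"  # constructed
    world = World({OWNER: 10 * WEI, ATTACKER: 0})
    if hardened:
        c = Challenge1Fixed(world, WALLET, OWNER)
    else:
        c = Challenge1(world, WALLET)
        c.initWallet(OWNER)       # the deployer "initialises" the wallet
    c.deposit(OWNER, 5 * WEI)
    try:
        c.initWallet(ATTACKER)    # step 1: become `me`
        c.migrateTo(ATTACKER, ATTACKER)  # step 2: sweep the whole balance
        pwned = True
    except Revert:
        pwned = False
    return pwned, c.getBalance(), world.eth[ATTACKER] // WEI


if __name__ == "__main__":
    print("vulnerable:", run_exploit())          # (True, 0, 5)
    print("hardened:  ", run_exploit(hardened=True))  # (False, 5, 0)
```

`withdraw` is deliberately kept in the model so you can see it is not the way in: it is bounded by the caller's own `balances` entry, so the only route to other people's ether is through `migrateTo`, which is why owning `me` is the whole game.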

Flag

	dvCTF{Wh3r3D1DMyMon3YW3nt}
