Description:
This CTF challenge is developed to showcase the vulnerability which can be introduced by using delegatecall() incorrectly.
“Handle with care, It’s D31eg4t3”
How to Submit Solution:
Use the below submission form to submit the solution: https://quillaudits.typeform.com/QuillCTF
Objective of CTF
- Become the owner of the contract.
- Make canYouHackMe mapping to true for your own address.
Note: You can create POCs using Foundry or Hardhat. Without proper POC, your submissions will not be accepted.
Georli Link: 0x971e55f02367dcdd1535a7faed0a500b64f2742d
Contract Code:
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
contract D31eg4t3{
uint a = 12345;
uint8 b = 32;
string private d;
uint32 private c;
string private mot;
address public owner;
mapping (address => bool) public canYouHackMe;
modifier onlyOwner{
require(false, "Not a Owner");
_;
}
constructor() {
owner = msg.sender;
}
function hackMe(bytes calldata bites) public returns(bool, bytes memory) {
(bool r, bytes memory msge) = address(msg.sender).delegatecall(bites);
return (r, msge);
}
function hacked() public onlyOwner{
canYouHackMe[msg.sender] = true;
}
}
‣