Description:
Uncover the hidden hex values within addresses to access NFT minting or face the cost of 1 ether in this exciting CTF challenge!
How to Submit a Solution:
Submit your solution through the submission form: https://quillaudits.typeform.com/QuillCTF
Objective of CTF
You are provided with 0 ether. After the hack you should have 1 ether.
Instructions:
- Paste your address in place of <Your Address> in the setUp() function
- Write your solution in the space marked //Solution in the testKeyCraft() function.
Note: You can create PoCs using Foundry or Hardhat. Submissions without a proper PoC will not be accepted.
Contract Code:
// SPDX-License-Identifier: MIT
pragma solidity 0.8.19;
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
/// @title KeyCraft
/// @notice ERC721 collection used as the audit target of this challenge. Minting
///         costs at least 1 ether unless the caller passes `checkAddress`; burning
///         a token pays its holder a flat 1 ether.
/// @dev Challenge contract, not written for production use. The state variables
///      keep the declaration order of the original listing.
contract KeyCraft is ERC721 {
    /// @dev Also serves as the next token id: post-incremented on every mint,
    ///      decremented on every burn.
    uint256 totalSupply;
    /// @dev The deployer; always passes `checkAddress`.
    address owner;
    /// @dev "Mint without payment" flag. `checkAddress` sets it before the function
    ///      body runs and clears it afterwards.
    bool buyNFT;

    /// @notice Deploys the collection and mints the first token to the deployer
    ///         without any payment.
    /// @param _name   ERC721 collection name.
    /// @param _symbol ERC721 collection symbol.
    constructor(string memory _name, string memory _symbol) ERC721(_name, _symbol) {
        uint256 firstId = totalSupply++;
        _mint(msg.sender, firstId);
        owner = msg.sender;
    }

    /// @notice Decides whether the caller may mint for free, runs the wrapped
    ///         function, then resets the flag.
    /// @dev A non-owner caller qualifies only if both conditions hold for
    ///      h = the low 160 bits of keccak256(b):
    ///        1. h, read as an address, equals msg.sender;
    ///        2. bits 108..123 of h (a 16-bit window) equal 13057 (0x3301).
    ///      The three shifts isolate that window: >> 108 drops the low bits,
    ///      << 240 pushes everything above 16 bits out of the 256-bit word
    ///      (shifts are not overflow-checked), >> 240 brings the window back down.
    /// @param b Caller-supplied bytes that are hashed.
    modifier checkAddress(bytes memory b) {
        bool hashIsSender;
        bool windowMatches;

        if (msg.sender != owner) {
            uint256 digest = uint160(uint256(keccak256(b)));
            hashIsSender = address(uint160(digest)) == msg.sender;

            uint256 window = ((digest >> 108) << 240) >> 240;
            windowMatches = window == 13057;
        } else {
            buyNFT = true;
        }

        // The previous flag value is OR-ed in, so an owner call stays authorised.
        buyNFT = (hashIsSender && windowMatches) || buyNFT;
        _;
        buyNFT = false;
    }

    /// @notice Mints the next token id to the caller.
    /// @dev Reverts with "Not allowed to mint." unless at least 1 ether is sent
    ///      or `checkAddress` set `buyNFT`. Anything sent above 1 ether stays in
    ///      the contract; `burn` only ever returns 1 ether.
    /// @param b Bytes forwarded to `checkAddress`.
    function mint(bytes memory b) public payable checkAddress(b) {
        if (!(msg.value >= 1 ether || buyNFT)) {
            revert("Not allowed to mint.");
        }
        uint256 newId = totalSupply++;
        _mint(msg.sender, newId);
    }

    /// @notice Burns `tok` and sends its holder 1 ether.
    /// @dev Only the current holder may call; an approved operator may not.
    ///      NOTE(review): the payout is a fixed 1 ether and is not tied to what
    ///      was paid at mint time. The constructor mint and the `buyNFT` path pay
    ///      nothing, so the contract balance can be smaller than the refunds it
    ///      owes. Recording the amount paid per token and refunding only that
    ///      amount would close the gap.
    ///      NOTE(review): decrementing `totalSupply` means a later mint can
    ///      compute an id that is still in use (for example after a lower id was
    ///      burned); OpenZeppelin's `_mint` reverts for an existing token.
    ///      NOTE(review): `transfer` forwards a fixed gas stipend, so a holder
    ///      that is a contract with a non-trivial receive function may be unable
    ///      to burn.
    /// @param tok Id of the token to burn.
    function burn(uint tok) public {
        address holder = ownerOf(tok);
        if (holder != msg.sender) {
            revert();
        }
        _burn(tok);
        totalSupply--;
        payable(holder).transfer(1 ether);
    }
}
Foundry setUp:
// SPDX-License-Identifier: MIT
pragma solidity 0.8.19;
import {Test} from "forge-std/Test.sol";
import "forge-std/console.sol";
import "../src/KeyCraft.sol";
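/// @title KC
/// @notice Foundry harness for the KeyCraft challenge. `setUp` deploys the
///         contract and has `user` mint one token for 1 ether; `testKeyCraft`
///         holds the participant's solution and checks the attacker's balance.
contract KC is Test {
    KeyCraft k;
    address owner;
    address user;
    address attacker;

    /// @notice Builds the starting state of the challenge.
    /// @dev After this runs the KeyCraft contract holds the 1 ether paid by
    ///      `user`. `attacker` is never funded here (no `vm.deal` for it).
    function setUp() public {
        owner = makeAddr("owner");
        user = makeAddr("user");

        // Template placeholder: replace <Your Address> with the address you
        // submit. The terminating semicolon is part of the statement, so the
        // file compiles once the placeholder is substituted.
        attacker = <Your Address>;

        vm.deal(user, 1 ether);

        // Deploy as `owner`; the constructor mints the first token to the deployer.
        vm.startPrank(owner);
        k = new KeyCraft("KeyCraft", "KC");
        vm.stopPrank();

        // `user` mints by paying: the 1 ether value satisfies mint's require
        // whatever bytes are passed.
        vm.startPrank(user);
        k.mint{value: 1 ether}(hex"dead");
        vm.stopPrank();
    }

    /// @notice Runs the participant's solution as `attacker` and asserts that
    ///         the attacker ends with exactly 1 ether.
    function testKeyCraft() public {
        vm.startPrank(attacker);

        //Solution

        vm.stopPrank();
        assertEq(attacker.balance, 1 ether);
    }
}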
Solutions:
Coming Soon…..