Private Club

Description:

Ah yes, a private club with lots of money just waiting to be stolen. What could possibly go wrong?

How to Submit a Solution:

Use the below submission form to submit the solution: https://quillaudits.typeform.com/QuillCTF

Objective of CTF

Become a member of a private club.
Block future registrations.
Withdraw all Ether from the privateClub contract.

Note: You can create POCs using Foundry/Hardhat. Without proper POC, your submissions will not be accepted.

Contract Code:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "openzeppelin-contracts/contracts/access/Ownable.sol";
import "openzeppelin-contracts/contracts/security/ReentrancyGuard.sol";

contract PrivateClub is ReentrancyGuard, Ownable {
    uint private registerEndDate;
    event setRegEndDate(uint registerEndDate);
    event memberWithdrawevent(address member, address to, uint amount);
    address[] public members_;
    mapping(address => bool) public members;

    receive() external payable {}

    uint public membersCount;

    function setRegisterEndDate(uint _newRegisterEndDate) external onlyOwner {
        registerEndDate = _newRegisterEndDate;
        emit setRegEndDate(registerEndDate);
    }

    function becomeMember(
        address[] calldata _members
    ) external payable nonReentrant {
        require(block.timestamp < registerEndDate, "registration closed");
        require(_members.length == membersCount, "wrong members length");
        require(msg.value == membersCount * 1 ether, "need more ethers");
        for (uint i = 0; i < _members.length; i++) {
            _members[i].call{value: 1 ether}("");
        }
        membersCount += 1;
        members[msg.sender] = true;
        members_.push(msg.sender);
    }

    modifier onlyMember() {
        bool member;
        for (uint i = 0; i < membersCount; i++) {
            if (members_[i] == msg.sender) {
                member = true;
            }
        }

        require(member == true, "you are not a member");
        _;
    }

    function adminWithdraw(address to, uint amount) external onlyOwner {
        payable(to).call{value: amount}("");
    }

    function addMemberByAdmin(address newMember) external onlyOwner {
        membersCount += 1;
        members[newMember] = true;
        members_.push(newMember);
    }

    function buyAdminRole(address newAdmin) external payable onlyMember {
        require(msg.value == 10 ether, "need 10 ethers");
        _transferOwnership(newAdmin);
    }
}

Foundry setUp:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "forge-std/Test.sol";
import "../src/PrivateClub.sol";

contract Hack is Test {
    PrivateClub club;

    address clubAdmin = makeAddr("clubAdmin");
    address adminFriend = makeAddr("adminFriend");
    address user2 = makeAddr("user2");
    address user3 = makeAddr("user3");
    address user4 = makeAddr("user4");
    address hacker = makeAddr("hacker");
    uint blockGasLimit = 120000;

    function setUp() public {
        vm.deal(clubAdmin, 100 ether);
        vm.deal(hacker, 10 ether);
        vm.deal(user2, 10 ether);
        vm.deal(user3, 10 ether);
        vm.deal(user4, 10 ether);
        vm.startPrank(clubAdmin);
        club = new PrivateClub();
        club.setRegisterEndDate(block.timestamp + 5 days);
        club.addMemberByAdmin(adminFriend);
        address(club).call{value: 100 ether}("");
        vm.stopPrank();
        vm.startPrank(user2);
        address[] memory mForUser2 = new address[](1);
        mForUser2[0] = adminFriend;
        club.becomeMember{value: 1 ether}(mForUser2);
        vm.stopPrank();
        vm.startPrank(user3);
        address[] memory mForUser3 = new address[](2);
        mForUser3[0] = adminFriend;
        mForUser3[1] = user2;
        club.becomeMember{value: 2 ether}(mForUser3);
        vm.stopPrank();
    }

    function test_attack() public {
        vm.startPrank(hacker);
        // task1: become member of the club and
        // block future registrations (reason: out of gas - block gas limit)
        // solution:

        vm.stopPrank();
        // check - hacker is member
        assertTrue(club.members(hacker));


        // check - user4 can not become member - blockGasLimit
        vm.startPrank(user4);
        address[] memory mForUser4 = new address[](club.membersCount());
        for (uint i = 0; i < club.membersCount(); i++) {
            mForUser4[i] = club.members_(i);
        }
        uint etherAmount = mForUser4.length * 1 ether;
        uint gasleftbeforeTxStart = gasleft();
        club.becomeMember{value: etherAmount}(mForUser4);
        uint gasleftAfterTxStart = gasleft();

        assertGt(gasleftbeforeTxStart - gasleftAfterTxStart, blockGasLimit);
        vm.stopPrank();


        vm.startPrank(hacker);
        // task2: buy admin role and withdraw all ether from the club
        // solution:


        // check - hacker is owner of club
        assertEq(club.owner(), hacker);
        assertGt(hacker.balance, 110000000000000000000 - 1);
    }
}

Solutions:

Private Club Walkthrough

Author -

SovaSlava