Description:
You stumbled across a governance contract that implements a system such that, every time the secret data is doubled, an emergency function starts its execution somewhere else and burns all the funds.
How to Submit a Solution:
Use the below submission form to submit the solution: https://quillaudits.typeform.com/QuillCTF
Objective of CTF
Your goal is to find a way to trigger that emergency function.
Note: You can create POCs using Foundry/Hardhat. Submissions without a proper POC will not be accepted.
Contract Code:
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
/// @title governance
/// @notice CTF target: an admin registry, a payable treasury, and a signature-gated
///         routine that doubles `secretData`.
/// @dev Review notes, written from an auditor's point of view:
///  - `processMessage` only requires that signature recovery yields a non-zero address.
///    The recovered signer is never compared with `isAdmin` or any other allow-list, so
///    the signature does not work as an authorization check.
///  - The signed digest is a bare caller-supplied `messageHash`. Nothing binds it to a
///    nonce, to `address(this)` or to `block.chainid`, and no used-digest record is kept,
///    so there is no replay protection.
///  - `ecrecover` is called directly, without the low-`s` / `v` range checks that a vetted
///    ECDSA helper performs, so malleable signature encodings are not rejected.
///  - A hardened version would require `isAdmin[signer]`, sign structured data that
///    includes a per-signer nonce and a domain separator (EIP-712 style), and mark each
///    digest as consumed.
contract governance {
    /// @notice Addresses allowed through the `onlyAdmin` modifier.
    mapping(address => bool) public isAdmin;

    /// @notice Value doubled by `processMessage`; starts at 42.
    /// @dev Declared `public`, and contract storage is readable off-chain in any case,
    ///      so despite the name this value is not confidential.
    uint public secretData;

    /// @notice Seeds `secretData` and registers the deployer as the first admin.
    constructor() {
        secretData = 42;
        isAdmin[msg.sender] = true;
    }

    /// @dev Reverts with "Unauthorized" unless the caller is flagged in `isAdmin`.
    modifier onlyAdmin() {
        if (!isAdmin[msg.sender]) {
            revert("Unauthorized");
        }
        _;
    }

    /// @notice Recovers the signer of `messageHash` under the EIP-191 personal-message prefix.
    /// @param messageHash 32-byte hash that was signed.
    /// @param v Recovery identifier of the signature.
    /// @param r First 32 bytes of the signature.
    /// @param s Second 32 bytes of the signature.
    /// @return The address returned by `ecrecover`; `address(0)` when recovery fails.
    /// @dev Returns whatever `ecrecover` yields; deciding whether that signer is trusted
    ///      is left entirely to the caller.
    function verifySignature(bytes32 messageHash, uint8 v, bytes32 r, bytes32 s) public pure returns (address) {
        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", messageHash)
        );
        return ecrecover(digest, v, r, s);
    }

    /// @notice Doubles `secretData` when the supplied signature recovers to a non-zero address.
    /// @param messageHash 32-byte hash that was signed.
    /// @param v Recovery identifier of the signature.
    /// @param r First 32 bytes of the signature.
    /// @param s Second 32 bytes of the signature.
    /// @dev No `onlyAdmin` modifier and no check of the recovered signer against `isAdmin`:
    ///      the only gate is "recovery did not fail". The multiplication is checked
    ///      arithmetic under the 0.8 pragma, so it reverts on overflow.
    function processMessage(bytes32 messageHash, uint8 v, bytes32 r, bytes32 s) public {
        address recovered = verifySignature(messageHash, v, r, s);
        if (recovered == address(0)) {
            revert("Invalid signer");
        }
        // Process the message and update the contract state
        secretData *= 2;
    }

    /// @notice Grants admin rights to `newAdmin`.
    /// @param newAdmin Address to flag as admin; must be non-zero.
    /// @dev Despite the name this only adds an admin: the flag is set to true and no
    ///      function in this contract ever clears it.
    function changeAdmin(address newAdmin) public onlyAdmin {
        if (newAdmin == address(0)) {
            revert("Invalid address");
        }
        isAdmin[newAdmin] = true;
    }

    /// @notice Sends the contract's entire ether balance to `recipient`.
    /// @param recipient Payable address that receives the funds.
    /// @dev Uses `transfer`, which forwards a fixed 2300-gas stipend and reverts on
    ///      failure; a recipient contract with a costlier receive path cannot be paid.
    function withdrawFunds(address payable recipient) public onlyAdmin {
        uint256 available = address(this).balance;
        require(available > 0, "No funds available");
        recipient.transfer(available);
    }

    /// @notice Reports whether `_address` is flagged as admin.
    /// @param _address Address to look up.
    /// @return True when `_address` is an admin.
    function isAdminAddress(address _address) public view returns (bool) {
        return isAdmin[_address];
    }

    /// @notice Returns the current value of `secretData`.
    /// @return The stored `secretData`.
    function getsecretData() public view returns (uint) {
        return secretData;
    }

    /// @notice Accepts plain ether transfers.
    receive() external payable {}
}
Foundry setUp:
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;
import "forge-std/Test.sol";
import "src/governance.sol";
import "forge-std/console.sol";
// Foundry harness for the challenge. The solver fills in the marked section of
// `testskill`; the rest is fixed scaffolding.
// NOTE(review): the harness also inherits `governance`, so it carries its own copy of
// that contract's state and functions. The assertion below reads the separately deployed
// `_governance` instance, not the inherited copy.
contract testgovernance is
    Test,
    governance
{
    // Instance under test, deployed fresh in setUp().
    governance _governance;
    // Caller identity used for the solution. It is never passed to changeAdmin, so it is
    // not an admin of `_governance`.
    address user = 0x5B38Da6a701c568545dCfcB03FcB875f56beddC4;

    // Deploys the target. The deployer (and therefore its only initial admin) is this
    // test contract, because the governance constructor flags msg.sender.
    function setUp() public {
        _governance = new governance();
    }

    // Passes when `secretData` has been doubled exactly once (42 -> 84) by calls made
    // as the non-admin `user`.
    function testskill () public {
        // Every call between startPrank and stopPrank is sent with msg.sender == user.
        vm.startPrank(user);
        // your solution
        vm.stopPrank();
        // 84 is the constructor's initial 42 after one doubling.
        assertEq(_governance.getsecretData(), 84);
    }
}