Aliencodex #89
Aliencodex #89
Conversation
contracts/levels/AlienCodex.sol
Outdated
| _; | ||
| } | ||
|
|
||
| function make_contact(bytes32[] _impossible_message) public { |
There was a problem hiding this comment.
Seems as though _impossible_message gives it away a touch - what if you named it something in keeping with the awesome theme, like _firstContactMessage, or you could emphasize that the message has to be big and important with something like _momentousMessage?
There was a problem hiding this comment.
_firstContactMessage is much better. Changed - thanks!
contracts/levels/AlienCodex.sol
Outdated
| contact = true; | ||
| } | ||
|
|
||
| function push(bytes32 _content) contacted public { |
There was a problem hiding this comment.
You could use some function names with more gravitas here too - push, pop, edit sort of suggest that there's an array that needs to be manipulated, whereas record, retract, revise (or whatever you think is cool) make me think "Ok, I'm really interacting with an alien codex here".
| @@ -0,0 +1,6 @@ | |||
| Claim ownership of the Alien contract to complete this level. | |||
|
|
|||
| TODO | |||
There was a problem hiding this comment.
You might want to mention of the underhanded coding contest here (without linking to the winners 😄) to give a small nudge to the answer. Your call!
test/levels/AlienCodex.test.js
Outdated
| it('codex array should underflow, giving user all storage access to become owner', async function() { | ||
|
|
||
| await instance.pop(); | ||
| let _data = `0xe537637d4ef1d2ad89edf8c4d91132028e8195cdf30bb4b5053d4f8cd260341d4805f30a000000000000000000000001`+ player.substr(2); |
There was a problem hiding this comment.
Think it would be doable to use the contract interface for this rather than a raw transaction?
There was a problem hiding this comment.
Possible for us to keep the raw trx? 😄Hoping most players solve this lvl with console/command line, without using an attack contract or Remix.
For better readability, I refactored the _data bytecode and added comments
…eadability, minor edits to lvl desc
|
Thank you for the review @0age ! I've revised per your feedback. Happy to iterate further - thanks again |
|
Level is live! Awesome @nczhu !! |
|
BTW, I'd suggest that you try the level in the official ethernaut dapp. I think there might be a problem with the gas limit you entered in gamedata.json. Try manually setting a large gas amount in metamask, and then put that in gamedata.json. |
LEVEL idea:
This level exploits the fact that the EVM doesn't validate an array's ABI-encoded length vs its actual payload. Additionally, it exploits the arithmetic underflow of array length, by expanding the array's bounds to the entire storage area of 2^256. The user is then able to modify all contract storage.
The narrative is that you have to 1. make contact with this Alien contract to access the Codex for an Alien race. 2. Upon making contact, you can manipulate the Codex and gain ownership of entire Alien contract.
😂
This lvl addresses @ajsantander 's #19 and #22 , two issues from Underhanded 2017
Let me know what you think and suggestions to improve upon it. Thanks so much!