# Bad Parity

## Story

You are still working at an IT Security Consultant company called *AllmostAllsafe*.
The biggest customer of *AllmostAllsafe* is *EveCorp*.
*EveCorp* is highly interested in Blockchain and Smart Contract projects lately (as almost every company...).
After the great success of their fundraising DAO, the company wants to put their funds into a very secure *Wallet contract* so that all funds are better protected.

Therefore, they have decided to put their faith into a *Wallet contract* library from a subcontractor called *BadParity*.

That is the story so far.

*ring ring late night emergency call*

There is a major security breach within the wallet contracts of *BadParity* and you have to handle the incident response!
Since it is a smart contract, we cannot simply patch the vulnerability.
Moreover, the customer's admin who controls the keys for the *Wallet contract* is on vacation, so we cannot simply use those keys.

To the rescue: it is your task to find the vulnerability, exploit it and withdraw all the money from the *Wallet contract* before an attacker can do that.

## Technical description

There is an instance of the *Wallet contract* for every student, initialized with a balance of `30` *EveCoins*.
The *Wallet contract* is of course owned by an *EveCorp* account that is not under your control.

The challenge is solved when the balance of your *Wallet contract* is `0`.

## Hints

* http://hackingdistributed.com/2017/07/22/deep-dive-parity-bug/
* http://solidity.readthedocs.io/en/v0.4.23/introduction-to-smart-contracts.html