2023 Business CTF: Funds Secured

Challenge Information

Attribute    Details
Event        2023 Business CTF
Category     Blockchain
Challenge    Funds Secured
Difficulty   Easy

Summary

A crowdfunding campaign has raised 1100 ether through a smart contract controlled by a Council Wallet requiring 6 out of 11 signatures to close and withdraw funds. Your task is to exploit the multi-signature mechanism and steal all the funds from the campaign contract.


Analysis

The Setup contract initializes:

  • 11 council members with addresses address(uint160(i)) for i from 0 to 10
  • A CouncilWallet controlling a Crowdfunding campaign
  • 1100 ether deposited in the Crowdfunding contract

The CouncilWallet requires at least 6 valid signatures from council members to execute closeCampaign().

Key contract code:

    constructor(address[] memory members) {
        require(members.length == 11);
        councilMembers = members;
    }

    function closeCampaign(bytes[] memory signatures, address to, address payable crowdfundingContract) public {
        // ... signature verification loop ...
        // 6 signatures are enough to proceed
        if (i > 5) {
            break;
        }
    }

The Crowdfunding contract can be destroyed with selfdestruct() to transfer funds to any address.


Solution

The vulnerability is that council member addresses are predictable - they’re simply address(uint160(0)) through address(uint160(10)).

Exploit steps:

  1. Generate signatures from the 6 predictable council member addresses for a message containing your target withdrawal address
  2. Sign the message keccak256(abi.encode(yourAddress)) with 6 valid council member private keys
  3. Call closeCampaign() with the 6 signatures, your address, and the crowdfunding contract address
  4. The contract calls selfdestruct(), sending all funds to your address

The key insight is that address(0) through address(10) have publicly known or easily determinable private keys in a test environment.


Key Takeaways

  • Multi-signature wallets are only secure with proper key management
  • Using sequential or predictable addresses compromises security
  • ECDSA signature recovery only proves that the signer holds a private key, so it can be spoofed if private keys are known
  • The selfdestruct pattern combined with multi-sig can be dangerous
  • Always use proper randomness for critical cryptographic operations
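
As an added example (not part of the original write-up or the challenge code), the Python sketch below audits a multisig signer set for the pattern described in the analysis, members created as address(uint160(i)). The function names, the LOW_VALUE_LIMIT cutoff and the SHA-256-derived sample addresses are assumptions constructed for illustration.

```python
import hashlib

# Assumption of this sketch: a key-derived address is never a value this small.
LOW_VALUE_LIMIT = 1 << 32

# Constructed sample input: the Setup pattern address(uint160(i)), i = 0..10.
SETUP_MEMBERS = [f"0x{i:040x}" for i in range(11)]
# Constructed placeholders that merely look key-derived; not real accounts.
RANDOM_MEMBERS = ["0x" + hashlib.sha256(f"member-{i}".encode()).hexdigest()[:40]
                  for i in range(11)]


def parse_address(addr):
    """Parse a 0x-prefixed 20-byte hex address into an integer."""
    body = addr[2:] if addr.lower().startswith("0x") else addr
    if len(body) != 40:
        raise ValueError(f"not a 20-byte address: {addr!r}")
    return int(body, 16)


def audit_members(members, threshold):
    """Return findings for a signer set; an empty list means nothing was flagged."""
    values = [parse_address(m) for m in members]
    findings = []
    if len(set(values)) != len(values):
        findings.append("duplicate members reduce the effective signer count")
    if 0 in values:
        findings.append("the zero address is listed as a member")
    low = [v for v in values if v < LOW_VALUE_LIMIT]
    if low:
        findings.append(f"{len(low)} member(s) are small integers cast to addresses")
    # Longest run of consecutive integers, as produced by a loop over i.
    ordered = sorted(set(values))
    run = best = min(1, len(ordered))
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    if best >= threshold:
        findings.append(f"{best} consecutive addresses cover the threshold of {threshold}")
    return findings


if __name__ == "__main__":
    for name, members in (("setup", SETUP_MEMBERS), ("random", RANDOM_MEMBERS)):
        print(name, audit_members(members, threshold=6) or "no findings")
```

A check like this belongs in deployment review or CI, run against the member list before the wallet is funded.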