2023 Business CTF: Paid Contr-actor

Challenge Information

Attribute  | Details
Event      | 2023 Business CTF
Category   | Blockchain
Challenge  | Paid Contr-actor
Difficulty | Very Easy

Summary

As a newly enlisted expert in blockchain security for the United Nations of Zenium military, you must complete paperwork by “signing” a contract. The contract has a simple condition that must be met to mark yourself as signed and complete the enrollment.


Analysis

The challenge provides two smart contracts:

Setup.sol:

    // Solved once the target contract's public `signed` flag is true
    function isSolved() public view returns (bool) {
        return TARGET.signed();
    }

Contract.sol:

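    bool public signed;

    // The only check is a comparison against a hardcoded constant;
    // nothing ties the "signature" to a key or to the caller.
    function signContract(uint256 signature) external {
        if (signature == 1337) {
            signed = true;
        }
    }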

The vulnerability is trivial: the “signature” is just a magic number (1337) with no actual cryptographic verification, so any caller who submits that value is marked as signed.


Solution

The solution is straightforward:

  1. Connect to the blockchain using the provided RPC endpoint and private key
  2. Get the target Contract address from the Setup contract
  3. Call signContract(1337) on the target contract with the magic number
  4. The signed boolean will be set to true
  5. Call isSolved() on the Setup contract to verify success

Simple exploit code:

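    # Assumes `w3` is the connected web3.py instance with the provided key set up
    # for signing, and `contract` is bound to the target address (steps 1-2)
    # Call the contract with the magic number and wait for it to be mined
    tx_hash = contract.functions.signContract(1337).transact()
    w3.eth.wait_for_transaction_receipt(tx_hash)
    # Verify
    assert contract.functions.signed().call()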

Key Takeaways

  • Not all blockchain challenges require complex cryptography
  • Magic numbers and hardcoded values are security anti-patterns
  • Proper access control should replace simple condition checks
  • This serves as a warm-up challenge for blockchain CTF participants
  • Always validate input properly in smart contracts
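
To make the takeaways concrete, here is an added sketch (not the challenge's source or the author's code) of what a verified signature could look like in place of the `signature == 1337` comparison. The contract name `HardenedContract`, the `enrollmentOfficer` signer, the per-address `signed` mapping and the layout of the signed message are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: names and message layout are assumptions,
// not taken from the challenge's Contract.sol.
contract HardenedContract {
    address public immutable enrollmentOfficer; // hypothetical authorised signer
    mapping(address => bool) public signed;     // per-recruit flag instead of one global bool

    constructor(address officer) {
        require(officer != address(0), "zero signer");
        enrollmentOfficer = officer;
    }

    // The officer signs keccak256(chainid, this contract, recruit) off-chain
    // using the EIP-191 personal-message prefix. Binding all three values
    // stops replay on another chain, another deployment, or by another account.
    function signContract(uint8 v, bytes32 r, bytes32 s) external {
        bytes32 inner = keccak256(abi.encode(block.chainid, address(this), msg.sender));
        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", inner)
        );

        // Reject malleable signatures: s must be in the lower half of the curve order.
        require(
            uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0,
            "malleable signature"
        );
        require(v == 27 || v == 28, "bad v");

        // ecrecover returns address(0) on failure, so that value is never accepted.
        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0) && recovered == enrollmentOfficer, "bad signature");

        signed[msg.sender] = true;
    }
}
```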