2024 Business CTF - Vault of Hope: Recruitment

Challenge Information

Attribute    Details
Event        2024 Business CTF - Vault of Hope
Category     Blockchain
Challenge    Recruitment
Author       Monte
Difficulty   Very Easy

Summary

This blockchain challenge requires deploying and interacting with a Solidity smart contract that validates a candidate’s skills through multiple checks: hacking ability, stealth skills, engineering skills, and demolition expertise. The contract Recruitment acts as a crew hiring mechanism where participants must pass all validation requirements to be marked as recruited and receive a reward.


Analysis

The challenge provides two Solidity contracts:

  1. Setup.sol: Deploys the main Recruitment contract and provides an isSolved() function to check if the challenge is completed
  2. Recruitment.sol: Contains the main contract with an application() function that validates candidate skills

The application() function requires two parameters:

  • input1 (uint16): Must equal 1337 (hacking skills check)
  • input2 (string): Must be “BOOM” (demolition skills check)

Additional validation requirements:

  • Block timestamp must be even (block.timestamp % 2 == 0)
  • Transaction originator and sender must be the same (tx.origin == msg.sender)
  • Block number must be less than 20 (block.number < 20)
  • Gas remaining must be less than or equal to 50000 (gasleft() <= 50000)

Solution

The Recruitment contract validates four distinct skills:

  1. Hacking Skills: Verify input1 == 1337
  2. Stealth Skills: Ensure block.number < 20 (the call must land while the chain's block number is still below 20)
  3. Engineering Skills: Maintain gasleft() <= 50000 (consume enough gas before the call)
  4. Demolition Skills: Verify input2 == "BOOM"

Call the application() function with these parameters:

application(1337, "BOOM")

Additional constraints:

  • Execute when block.timestamp % 2 == 0 (even timestamp)
  • Ensure tx.origin == msg.sender (no contract intermediaries)
  • Call while block.number is still below 20, that is, early in the life of the challenge chain
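
The gas and block constraints above can be reasoned about offline, and doing so shows that the caller's own gas limit decides the gasleft() check. This is an added example, not code from the challenge or from this write-up: it assumes EIP-2028 calldata pricing, uses a zero-byte placeholder for the function selector, and all function and constant names are hypothetical.

```python
# Added example: offline model of the call preconditions, not the challenge's code.
BASE_TX_GAS = 21_000                      # intrinsic cost of any transaction
GAS_ZERO_BYTE, GAS_NONZERO_BYTE = 4, 16   # assumed calldata pricing (EIP-2028)
GASLEFT_CAP = 50_000                      # from the page: gasleft() <= 50000
MAX_BLOCK = 20                            # from the page: block.number < 20
# Placeholder for the 4-byte function selector. Zero bytes are the cheapest
# calldata, so the gas bound below stays safe whatever the real selector is.
SELECTOR_PLACEHOLDER = bytes(4)

def abi_encode_args(input1: int, input2: str) -> bytes:
    """ABI-encode (uint16, string): static head first, then the dynamic tail."""
    if not 0 <= input1 < 2**16:
        raise ValueError("input1 does not fit in uint16")
    data = input2.encode()
    padded = data + bytes(-len(data) % 32)
    head = input1.to_bytes(32, "big") + (64).to_bytes(32, "big")  # value, string offset
    return head + len(data).to_bytes(32, "big") + padded

def intrinsic_gas(calldata: bytes) -> int:
    """Gas charged before any contract code runs."""
    zeros = calldata.count(0)
    return BASE_TX_GAS + zeros * GAS_ZERO_BYTE + (len(calldata) - zeros) * GAS_NONZERO_BYTE

def max_safe_gas_limit(calldata: bytes) -> int:
    """Largest gas limit that keeps gasleft() <= GASLEFT_CAP throughout the call."""
    return GASLEFT_CAP + intrinsic_gas(calldata)

def preflight(gas_limit, calldata, block_number, block_timestamp, sender_is_eoa):
    """Return the page's checks that this call context is not sure to pass."""
    failed = []
    if block_timestamp % 2 != 0:
        failed.append("block.timestamp % 2 == 0")
    if not sender_is_eoa:  # a contract in between makes tx.origin != msg.sender
        failed.append("tx.origin == msg.sender")
    if block_number >= MAX_BLOCK:
        failed.append("block.number < 20")
    if gas_limit > max_safe_gas_limit(calldata):
        failed.append("gasleft() <= 50000")
    return failed

if __name__ == "__main__":
    calldata = SELECTOR_PLACEHOLDER + abi_encode_args(1337, "BOOM")
    print("gas limit ceiling:", max_safe_gas_limit(calldata))
    print(preflight(100_000, calldata, 25, 1_700_000_001, False))
```

The ceiling is only an upper bound: the gas limit must still be high enough for the function to finish, and that amount depends on the contract's code, which this model does not know.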

Upon successful validation, the contract marks the sender as recruited:

crew[msg.sender] = true;
payable(msg.sender).transfer(1 wei);

Key Takeaways

  • Solidity smart contracts require careful validation of external input constraints
  • Block-dependent checks (block.timestamp, block.number) can act as timing mechanisms
  • Gas consumption checks can be used as another form of validation
  • The require() statement is essential for enforcing preconditions in smart contracts
  • Multi-step validation challenges test understanding of blockchain-specific properties like block time and gas mechanics