[CTF] Verilog CTF (Offchain)
Introduction
Source code of the challenge: https://github.com/Verilog-Solutions/CTF-2022-wMaticV2
The project consists of a buggy WMATICv2 token contract containing a function redeem
allowing reentrancy attack. Additionally, there is a Bounty.sol
contract, which rewards the first person who successfully calls its getBounty
function.
There are two trackers of the total supply of WMATICv2 tokens and our goal is to successfully call getBounty
, which requires these two trackers to be significantly deviated.
Below is the intended solution that conducts flash loan and reentrancy attacks:
Using ItyFuzz to Solve
We have modified some code to make it easier to deploy: https://ityfuzz.assets.fuzz.land/verilog.zip
Step 1: Add Invariants
Download the above contracts and modify the contracts to insert an invariant, determining whether the logic breaks. Here, the logic holds if the two trackers are equal and break otherwise.
Modify Bounty.sol
as follows:
We inserted an event AssertionFailed
to indicate that the invariant is broken and the challenge is solved. ItyFuzz uses AssertionFailed(string)
events to determine whether the challenge is solved.
We also remove the transfer of WMATIC token to the winner since we will not deploy the WMATIC token contract. Instead, we will use ItyFuzz to simulate the execution of the contract and determine whether the invariant is broken.
Step 2: Build
Ensure you have installed solc >= 0.8.0
. Then, run the following command to build the contracts:
Step 3: Run ItyFuzz
Use the following command to run ItyFuzz:
The above command will run ItyFuzz in offchain mode and specify the target contracts (-t
). -f
enables the fuzzer to conduct flash loan operations. It will automatically detect the invariant violation and generate exploits in less than 10 seconds.
Last updated