7. Compromised

https://www.damnvulnerabledefi.xyz/challenges/compromised/

Objective

  • A related on-chain exchange is selling (absurdly overpriced) collectibles called “DVNFT”, now at 999 ETH each.

  • This price is fetched from an on-chain oracle, based on 3 trusted reporters: 0xA732...A105,0xe924...9D15 and 0x81A5...850c.

  • Starting with just 0.1 ETH in balance, pass the challenge by obtaining all ETH available in the exchange.

  • While poking around a web service of one of the most popular DeFi projects in the space, you get a somewhat strange response from their server. Here’s a snippet:

  • 4d 48 68 6a 4e 6a 63 34 5a 57 59 78 59 57 45 30 4e 54 5a 6b 59 54 59 31 59 7a 5a 6d 59 7a 55 34 4e 6a 46 6b 4e 44 51 34 4f 54 4a 6a 5a 47 5a 68 59 7a 42 6a 4e 6d 4d 34 59 7a 49 31 4e 6a 42 69 5a 6a 42 6a 4f 57 5a 69 59 32 52 68 5a 54 4a 6d 4e 44 63 7a 4e 57 45 35

4d 48 67 79 4d 44 67 79 4e 44 4a 6a 4e 44 42 68 59 32 52 6d 59 54 6c 6c 5a 44 67 34 4f 57 55 32 4f 44 56 6a 4d 6a 4d 31 4e 44 64 68 59 32 4a 6c 5a 44 6c 69 5a 57 5a 6a 4e 6a 41 7a 4e 7a 46 6c 4f 54 67 33 4e 57 5a 69 59 32 51 33 4d 7a 59 7a 4e 44 42 69 59 6a 51 34

Solution

On the server response: convert the hex strings to UTF8:

  • MHhjNjc4ZWYxYWE0NTZkYTY1YzZmYzU4NjFkNDQ4OTJjZGZhYzBjNmM4YzI1NjBiZjBjOWZiY2RhZTJmNDczNWE5

  • MHgyMDgyNDJjNDBhY2RmYTllZDg4OWU2ODVjMjM1NDdhY2JlZDliZWZjNjAzNzFlOTg3NWZiY2Q3MzYzNDBiYjQ4

Decode via base64:

  • 0xc678ef1aa456da65c6fc5861d44892cdfac0c6c8c2560bf0c9fbcdae2f4735a9

  • 0x208242c40acdfa9ed889e685c23547acbed9befc60371e9875fbcd736340bb48

More on Base64 encoding: https://www.redhat.com/sysadmin/base64-encoding

These could be private keys. Let us derive the public keys from them:

They appear to match with two of the trusted reporters for the oracle. This means we can manipulate the oracle and post prices favourable to our attack.

We can use foundry to prank as these explorted oracles. The steps would be as follows:

  1. prank with both oracles calling postPrice, updating price to be 0

  2. Buy NFT for 0 cost

  3. update price to reflect exchange balances

  4. Sell NFT to exchange, draining it.

  5. Update price to original price.

Previous6. SelfieNext8. Puppet

Last updated