# 7. Compromised

## Objective

* A related on-chain exchange is selling (absurdly overpriced) collectibles called “DVNFT”, now at 999 ETH each.
* This price is fetched from an on-chain oracle, based on 3 trusted reporters: `0xA732...A105`,`0xe924...9D15` and `0x81A5...850c`.
* Starting with just 0.1 ETH in balance, pass the challenge by obtaining all ETH available in the exchange.
* While poking around a web service of one of the most popular DeFi projects in the space, you get a somewhat strange response from their server. Here’s a snippet:
* ```
  4d 48 68 6a 4e 6a 63 34 5a 57 59 78 59 57 45 30 4e 54 5a 6b 59 54 59 31 59 7a 5a 6d 59 7a 55 34 4e 6a 46 6b 4e 44 51 34 4f 54 4a 6a 5a 47 5a 68 59 7a 42 6a 4e 6d 4d 34 59 7a 49 31 4e 6a 42 69 5a 6a 42 6a 4f 57 5a 69 59 32 52 68 5a 54 4a 6d 4e 44 63 7a 4e 57 45 35

  4d 48 67 79 4d 44 67 79 4e 44 4a 6a 4e 44 42 68 59 32 52 6d 59 54 6c 6c 5a 44 67 34 4f 57 55 32 4f 44 56 6a 4d 6a 4d 31 4e 44 64 68 59 32 4a 6c 5a 44 6c 69 5a 57 5a 6a 4e 6a 41 7a 4e 7a 46 6c 4f 54 67 33 4e 57 5a 69 59 32 51 33 4d 7a 59 7a 4e 44 42 69 59 6a 51 34
  ```

## Solution

**On the server response: convert the hex strings to UTF8:**

* MHhjNjc4ZWYxYWE0NTZkYTY1YzZmYzU4NjFkNDQ4OTJjZGZhYzBjNmM4YzI1NjBiZjBjOWZiY2RhZTJmNDczNWE5
* MHgyMDgyNDJjNDBhY2RmYTllZDg4OWU2ODVjMjM1NDdhY2JlZDliZWZjNjAzNzFlOTg3NWZiY2Q3MzYzNDBiYjQ4

**Decode via base64:**

* 0xc678ef1aa456da65c6fc5861d44892cdfac0c6c8c2560bf0c9fbcdae2f4735a9
* 0x208242c40acdfa9ed889e685c23547acbed9befc60371e9875fbcd736340bb48

{% hint style="info" %}
More on Base64 encoding: <https://www.redhat.com/sysadmin/base64-encoding>
{% endhint %}

These could be private keys. Let us derive the public keys from them:

<figure><img src="https://1628544884-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTgomzlmn9NrxUY0OQ3cD%2Fuploads%2FN1bJAJ8UAuSPN8wjYKmp%2Fimage.png?alt=media&#x26;token=87875cd2-488d-4782-8627-574511cfd32c" alt=""><figcaption></figcaption></figure>

They appear to match with two of the trusted reporters for the oracle. This means we can manipulate the oracle and post prices favourable to our attack.

We can use foundry to prank as these explorted oracles. The steps would be as follows:

1. prank with both oracles calling `postPrice`, updating price to be 0
2. Buy NFT for 0 cost
3. update price to reflect exchange balances
4. Sell NFT to exchange, draining it.
5. Update price to original price.