Sherlock — Writeup

Description

What else do we have?

Transaction Analysis

tx: 0x9aaf62afc8469edddc5d592c17f1eeda06674929b3e0bb564ecd39d559bec6c2
tx: 0x7172f6a930828d6b8520fb20210ab5a3343fb91442f4151b6c712b6f9b34bee4
tx: 0xc8359c38b03dcb46a14058af8f04d4532173d8a5969e307160ca10a39d739d77
tx: 0x41362d69d2328ed06481b54974a2609e5a98b4cc0c4cd979919dd94422ab08d7

What Next?

Understanding the Storage Slot

| - - - - - - - -Slot 0 - - - - - - - -|
uint256 public var256_1 = 1337;
| - - - - - - - -Slot 1 - - - - - - - -|
bool public bool_1 = false;
bool public bool_2 = false;
bool public bool_3 = true;
uint16 public var16_1 = 32;
uint16 private var16_2 = 64;
address public contractAdd = address(this);
| - - - - - - - -Slot 2 - - - - - - - -|
uint256 private var256_2 = 3445;
| - - - - - - - -Slot 3 - - - - - - - -|
uint256 private var256_3 = 6677;
| - - - - - - - -Slot 4 - - - - - - - -|
bytes32 private iGotThePassword;
| - - - - - - - -Slot 5 - - - - - - - -|
bytes32 private actuallPass;
| - - - - - - - -Slot 6 - - - - - - - -|
bytes32 private definitelyThePass;
| - - - - - - - -Slot 7 - - - - - - - -|
uint256 public var256_4 = 7788;
| - - - - - - - -Slot 8 - - - - - - - -|
uint16 public var16_3 = 69;
uint16 private var16_4 = 7;
bool private _Pass = true;
bool private _The = true;
bool private _Password = false;
address private owner;
uint16 private counter;
| - - - - - - - -Constants - - - - - - |
bytes32 public constant thePassword
bytes32 private constant ohNoNoNoNoNo
| - - - - - - Slot 9–12 - - - - - - - -|
bytes32[4] private passHashes;
struct Passwords {
bytes32 name;
uint256 secretKey;
bytes32 password;
}
| - - - - - - - -Slot 13 - - - - - - - -|
Passwords[] private passwords;
| - - - - - - - -Slot 14 - - - - - - - -|
mapping (uint256 => Passwords) private destiny;

Accessing the storage slots

truffle console --network rinkeby
truffle(rinkeby)> addr = "
"
'0x3a6CAE3af284C82934174F693151842Bc71b02b2'
truffle(rinkeby)> web3.eth.getStorageAt(addr,0)
'0x0000000000000000000000000000000000000000000000000000000000000539'
truffle(rinkeby)> parseInt("0x0539", 16)
1337
truffle(rinkeby)> web3.eth.getStorageAt(addr,1)
‘0x00000000003a6cae3af284c82934174f693151842bc71b02b200400020010000’
truffle(rinkeby)> web3.eth.getStorageAt(addr,4)
‘0x7930755f6730745f703473735730526400000000000000000000000000000000’
truffle(rinkeby)> web3.utils.toAscii(‘0x7930755f6730745f703473735730526400000000000000000000000000000000’)
y0u_g0t_p4ssW0Rd\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00’
truffle(rinkeby)> web3.eth.getStorageAt(addr,5)
‘0x61633175614c2d50347353000000000000000000000000000000000000000000’
truffle(rinkeby)> web3.utils.toAscii(‘0x61633175614c2d50347353000000000000000000000000000000000000000000’)
ac1uaL-P4sS\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00’
truffle(rinkeby)> web3.eth.getStorageAt(addr,6)
‘0x5930755f53755233000000000000000000000000000000000000000000000000’
truffle(rinkeby)>
web3.utils.toAscii(‘0x5930755f53755233000000000000000000000000000000000000000000000000’)
Y0u_SuR3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00’
truffle(rinkeby)> web3.eth.getStorageAt(addr, 9)
'0x0000000000000000000000000000000000000000000000000000000000000000'
truffle(rinkeby)> web3.eth.getStorageAt(addr, 10)
'0x0000000000000000000000000000000000000000000000000000000000000000'
truffle(rinkeby)> web3.eth.getStorageAt(addr, 11)
'0x0000000000000000000000000000000000000000000000000000000000000000'
truffle(rinkeby)> web3.eth.getStorageAt(addr, 12)
'0x0000000000000000000000000000000000000000000000000000000000000000'

About to reach the Destiny

truffle(rinkeby)> web3.utils.soliditySha3({type: "uint", value: 13})
'0xd7b6990105719101dabeb77144f2a3385c8033acd3af97e9423a695e81ad1eb5'
truffle(rinkeby)> web3.eth.getStorageAt(addr, '0xd7b6990105719101dabeb77144f2a3385c8033acd3af97e9423a695e81ad1eb5')
'0x736865726c6f636b000000000000000000000000000000000000000000000000'
truffle(rinkeby)> web3.utils.toAscii('0x736865726c6f636b000000000000000000000000000000000000000000000000')
'sherlock\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
truffle(rinkeby)> web3.eth.getStorageAt(addr, '0xd7b6990105719101dabeb77144f2a3385c8033acd3af97e9423a695e81ad1eb6')
'0x000000000000000000000000000000000000000000000000000000000000848f'
truffle(rinkeby)> web3.eth.getStorageAt(addr, '0xd7b6990105719101dabeb77144f2a3385c8033acd3af97e9423a695e81ad1eb7')
'0x738e58e5a6aacbcf070d643ca922d8570351454244da967af8e88dd6978a8b4d'
truffle(rinkeby)> web3.eth.getStorageAt(addr, '0xd7b6990105719101dabeb77144f2a3385c8033acd3af97e9423a695e81ad1eb8')
'0x776174736f6e0000000000000000000000000000000000000000000000000000'
truffle(rinkeby)> web3.utils.toAscii('0x776174736f6e0000000000000000000000000000000000000000000000000000')
'watson\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

Destiny

truffle(rinkeby)> web3.utils.soliditySha3({type: "uint", value: 0}, {type: "uint", value: 14})
'0xe710864318d4a32f37d6ce54cb3fadbef648dd12d8dbdf53973564d56b7f881c'
truffle(rinkeby)> web3.eth.getStorageAt(addr, '0xe710864318d4a32f37d6ce54cb3fadbef648dd12d8dbdf53973564d56b7f881c')
'0x687564736f6e0000000000000000000000000000000000000000000000000000'
truffle(rinkeby)> web3.utils.toAscii('0x687564736f6e0000000000000000000000000000000000000000000000000000')
'hudson\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
truffle(rinkeby)> web3.eth.getStorageAt(addr, '0xe710864318d4a32f37d6ce54cb3fadbef648dd12d8dbdf53973564d56b7f881d')
'0x0000000000000000000000000000000000000000000000000000000000002775'
truffle(rinkeby)> web3.eth.getStorageAt(addr, '0xe710864318d4a32f37d6ce54cb3fadbef648dd12d8dbdf53973564d56b7f881e')
'0x72f2b2b65299526b6287b9c3f8031fc16e5ccb514c61c6b0be54853be7f5fbab'
web3.utils.soliditySha3({type: "uint", value: 1}, {type: "uint", value: 14})
'0xa7c5ba7114a813b50159add3a36832908dc83db71d0b9a24c2ad0f83be958207'
web3.eth.getStorageAt(addr, '0xa7c5ba7114a813b50159add3a36832908dc83db71d0b9a24c2ad0f83be958207')
'0x72617a7a6f720000000000000000000000000000000000000000000000000000'
truffle(rinkeby)> web3.utils.toAscii('0x72617a7a6f720000000000000000000000000000000000000000000000000000')
'razzor\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
truffle(rinkeby)> web3.eth.getStorageAt(addr, '0xa7c5ba7114a813b50159add3a36832908dc83db71d0b9a24c2ad0f83be958208')
'0x0000000000000000000000000000000000000000000000000000000000000001'
truffle(rinkeby)> web3.eth.getStorageAt(addr, '0xa7c5ba7114a813b50159add3a36832908dc83db71d0b9a24c2ad0f83be958209')
'0xcd7bfc1df0a853a60c6d1fddc112e54eb4e1c7c25144889e2263e4334da67945'

Key Takeaways:

References:

Connect With Me:

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Razzor

Razzor

Blockchain Security Researcher | Penetration Tester