Mr Steal Yo Crypto Wargame Primer & Hints
Solidity CTF challenges based on irl exploits
Mr Steal Yo Crypto is a series of wargame challenges where you are tasked with exploiting smart contracts covering varying use cases within crypto. All challenges are loosely (or directly) inspired by real world exploits.
Aside: My intention is for this wargame to be completed after Ethernaut and Damn Vulnerable Defi. Most challenges are based directly on irl exploits, meaning you’ll get the chance to read (pared down) project code in a very simplified environment. You might find this simplicity helpful before you dive into the c4 grind, or to help prepare yourself to design your upcoming protocol with security in mind.
Below are hints for all challenges if you find yourself in need of a nudge in the right direction without looking at the solutions.
Interested in the reference exploits for the challenges? Check out the thread.
Jpeg Sniper: When is extcodesize equal to 0?
Safu Vault: Are all external functions properly protected?
Game Assets: What are the implications of using safe functions in ERC1155?
Free Lunch: What slippage do they tolerate during swaps?
Safu Wallet: Who owns the library contract?
Tasty Stake: Are all inputs being properly validated?
Freebie: Seems there’s a lot of freedom to specify inputs for external calls.
NFT Bonanza: Do external functions correctly handle all edge cases?
Inflationary Net Worth: Consider the implications of deflationary tokens for the internal accounting of MasterChef.
Governance Shenanigans: Doesn’t look like they lock up the tokens for voting.
Bonding Curve: Changes in EminenceCurrency seem to affect the bonding curve for EminenceCurrencyBase but not vice versa.
Flash Loaner: What are the different ways you can affect totalAssets()?
Safu Swapper: Kinda weird they don’t validate that baseAmount / tokenAmount equals the balances of the pool contract in all places.
Side Entrance: Is there any way you can craft your own params?
Malleable: Signature malleability.
Extractoor: I wonder what multicall might allow you to do.
Opyn Sesame: Double spend, anyone?
Degen Jackpot: Where might you find a reentrancy opportunity?
Fatality: Looks like they’re using the BUNNY-BNB spot price as an oracle.
Safu Lender: What are the implications of using ERC777?
Reach out on Twitter.