跳转至
2023 | CrewCTF | Web3

positive

#smart contract #fuzzing

Description

Stay positive.

nc positive.chal.crewc.tf 60003

Setup.sol 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
pragma solidity =0.7.6;

import "./Positive.sol";

contract Setup {
    Positive public immutable TARGET;

    constructor() payable {
        TARGET = new Positive(); 
    }

    function isSolved() public view returns (bool) {
        return TARGET.solved();
    }
}
Positive.sol 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
// SPDX-License-Identifier: MIT
pragma solidity =0.7.6;

contract Positive{
    bool public solved;

    constructor() {
        solved = false;
    }

    function stayPositive(int64 _num) public returns(int64){
        int64 num;
        if(_num<0){
            num = -_num;
            if(num<0){
                solved = true;
            }
            return num;
        }
        num = _num;
        return num;
    }

}

Solution

  • We need to find a number of type int64 that is less than 0, and its opposite is also negative

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
    function stayPositive(int64 _num) public returns(int64){
    int64 num;
    if(_num<0){
        num = -_num;
        if(num<0){
            solved = true;
        }
        return num;
    }
    num = _num;
    return num;
}

If you have int x = type(int).min;, then -x does not fit the positive range. This means that unchecked { assert(-x == x); } works 1

  • As int64 type values range from -9223372036854775808 to 9223372036854775807, the answer will be -9223372036854775808

  • During the competition, I used fuzzing to get the answer uwu

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
    contract PositiveTest is Test {
    Setup setup;
    Positive target;

    function setUp() public {
        setup = new Setup();
        target = setup.TARGET();
    }

    function testSolve(int64 a) public {
        target.stayPositive(a);
        assert(!target.solved());
    }
}

    1
2
3
    Failing tests:
Encountered 1 failing test in test/Positive.t.sol:PositiveTest
[FAIL. Reason: EvmError: InvalidFEOpcode Counterexample: calldata=0xecd6eb4fffffffffffffffffffffffffffffffffffffffffffffffff8000000000000000, args=[-9223372036854775808]] testSolve(int64) (runs: 66, μ: 8924, ~: 8925)

Flag

crew{9o5it1v1ty1sth3k3y}

  1. Addition, Subtraction and Multiplication 

最后更新: 2023年7月10日 10:55:12
Contributors: YanhuiJessica

评论