Distract and Destroy — HackTheBox

Description

We are given a smart contract of a creature with 1000 health points. Our task is to reduce its health to zero and claim the "loot", which marks the challenge as solved.

Analysis

The challenge presents two main contracts: Setup.sol and Creature.sol.

Creature.sol

The contract contains the following key elements:

• lifePoints: initial value of 1000.
• aggro: the address that first attacked the creature.
• attack(uint256 _damage): function to deal damage.
• _isOffBalance(): helper function that checks the condition tx.origin != msg.sender.

function attack(uint256 _damage) external {
    if (aggro == address(0)) {
        aggro = msg.sender;
    }

    if (_isOffBalance() && aggro != msg.sender) {
        lifePoints -= _damage;
    } else {
        lifePoints -= 0;
    }
}

Conditions for dealing damage:

1. _isOffBalance() must be true, meaning tx.origin != msg.sender. This occurs when the contract is called by another contract, not directly by a user.
2. aggro != msg.sender: the current caller (msg.sender) must not be the one holding "aggro".

Vulnerability

The vulnerability lies in the aggro check logic and the use of tx.origin.

• tx.origin is the wallet address that initiated the transaction.
• msg.sender is the address of the immediate call sender.

If we call attack through an intermediary exploit contract, then msg.sender will be the exploit's address, while tx.origin will be our wallet. This satisfies the _isOffBalance() condition.

However, if we simply call the exploit first, it will become the aggro, and the condition aggro != msg.sender (where both are the exploit's address) will not be satisfied.

Solution

...