From 9f4ab8f8356b9c5ff2de3e764136926b9b60270e Mon Sep 17 00:00:00 2001 From: Songhyun Bae Date: Thu, 28 Nov 2024 12:09:32 +0900 Subject: [PATCH] Update 2024-11-26-SECCON-CTF-13-Quals-Writeup.md --- _posts/2024-11-26-SECCON-CTF-13-Quals-Writeup.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/_posts/2024-11-26-SECCON-CTF-13-Quals-Writeup.md b/_posts/2024-11-26-SECCON-CTF-13-Quals-Writeup.md index 9154ee3f44..690a2ee634 100644 --- a/_posts/2024-11-26-SECCON-CTF-13-Quals-Writeup.md +++ b/_posts/2024-11-26-SECCON-CTF-13-Quals-Writeup.md @@ -92,7 +92,8 @@ struct Wallet { Wallet[] public wallets; ``` -As a result, the storage slot for a new element in the array can be calculated using the formula: +As a result, the storage slot for a new element in the array can be calculated using the formula: `keccak(0) + array length x 3` + By manipulating the array length in slot 0, we can cause an integer overflow during the multiplication step. This overflow allows us to overwrite the balance field of the Wallet struct with the owner address. By strategically creating wallets and controlling the overflow, we can target specific storage slots, overwrite critical data, and eventually drain all funds.