Just saw @0xkaden publish an interesting onchain CTF. The money was gone, but I wanted to walk through it so my followers and students can see how to approach these challenges.
The challenge: a contract with 0.1 ETH, no source code, just raw bytecode. Your mission: drain it.
First observation: the bytecode is tiny. This is perfect for brain symbolic execution 🤣
Let me show you the complete symbolic analysis...
INITIAL STATE
- Calldata: with the first 32 bytes denoted as CD
- Stack: []
ENTRY POINT (0x00-0x07)
This branches into code paths based on the value of CD
BRANCH A: CD == 0 (Delegatecall Path)
Standard proxy: forwards all calls to whatever address is stored in slot 0.
BRANCH B: CD != 0 (Upgrade Logic)
This is where it gets wild. Let me trace every single stack operation:
First check - selector validation:
Now the crazy bit manipulation to extract an address:
Now watch the stack ballet for the bit shifting:
The formula is: A = ((CD >> 8) << ((S+12)*8)) >> ((S+12)*8)
This keeps only the lower (256 - SHIFT) bits, effectively extracting an address from the calldata.
Now the second constraint - the code size check:
If both checks pass, update storage:
Now the task becomes clear. To drain the contract, we need an implementation contract satisfying these constraints:
Two Requirements:
1. S / 3 >= 1 → selector must be ≥ 3
2. EXTCODESIZE(A) == S / 3 → code size must equal S/3
How to construct such a contract?
Let's examine the winning solution. There are three transactions:
tx1 - deployment
tx2 - upgrade
tx3 - drain
The exploit contract at 0x000000000000AbCcd31Cd7F023902B3FA91e9b15 has only two opcodes:
0x33 = CALLER // Push msg.sender
0xff = SELFDESTRUCT // Send all ETH to caller
Code size = 2 bytes. When delegatecalled, it selfdestructs the proxy and sends all ETH to the caller.
Calldata of upgrade tx: 0x0000000000000000000000000000000000abccd31cd7f023902b3fa91e9b1506
Breaking it down:
Last byte: 0x06 (selector S)
Remaining bytes: encoded address data
S = 6 → S/3 = 2 ✅ matches the 2-byte contract size
SHIFT = (6+12)*8 = 144 bits preserves addresses with leading zeros perfectly
After bit manipulation: extracts 0x000000000000AbCcd31Cd7F023902B3FA91e9b15
Result: storage[0] now points to the exploit contract
8.14K
61
The content on this page is provided by third parties. Unless otherwise stated, OKX is not the author of the cited article(s) and does not claim any copyright in the materials. The content is provided for informational purposes only and does not represent the views of OKX. It is not intended to be an endorsement of any kind and should not be considered investment advice or a solicitation to buy or sell digital assets. To the extent generative AI is utilized to provide summaries or other information, such AI generated content may be inaccurate or inconsistent. Please read the linked article for more details and information. OKX is not responsible for content hosted on third party sites. Digital asset holdings, including stablecoins and NFTs, involve a high degree of risk and can fluctuate greatly. You should carefully consider whether trading or holding digital assets is suitable for you in light of your financial condition.