script (⏱,💰)

script (⏱,💰)

HomeStarkNetMyShell

NG#8 - Contract Account

#Node Guardians#Guide#StarkNet160
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The NG8 challenge consists of three subtasks related to contract accounts, collectively known as the "bad account" series. This article focuses on the first task, "Stealing Souls." The task involves stealing all the $SOUL tokens from two contract accounts, tombkeeper_1.cairo and tombkeeper_2.cairo, which are automatically minted with 100 $SOUL tokens each. The first contract has a validation function that checks if the called contract address is not blacklisted (the Soul ERC20 contract address) to prevent direct transfer token transactions. However, the execution function in this contract lacks caller validation, allowing it to bypass the validation and directly call the execute function. The second contract fixes this bug by adding caller validation in the execute function. The task requires constructing a call to transfer the $SOUL tokens without paying the transaction fee and executing it using the serialized calls array. The SDK (starknet.js) is used to sign the transaction locally and call other contracts using the Tombkeeper account. The author deploys the "sand_devils" contract and uses the SDK to call the "slay" function to complete the task. However, the author discovers that only 0.1 SOUL is deducted as a transaction fee instead of the expected 100 SOUL. It is concluded that the validate function alone does not cause a state change, and a bundled transaction with both validate and execute functions is required. The author successfully sends a bundled transaction with 1000 calls, completing the task by depleting all the SOUL tokens in the Tombkeeper account. The NG8 challenge provides an opportunity to understand contract accounts and their operations from both the contract and SDK perspectives, as well as gain familiarity with using the SDK to connect to contracts and send bundled transactions.

About the contract account, there are 3 subtasks that make up the bad account series. This article is the first task of the series, Stealing Souls.

After downloading the task, there are 2 contract accounts, tombkeeper_1.cairo and tombkeeper_2.cairo. When deployed, 100 $SOUL will be automatically minted to the contract. Each transaction will deduct 0.1 $SOUL, and the task requires stealing all $SOUL.

Contract 1#

In the validate_calls function, there is a comment stating that it will verify that the interacting contract address is not blacklisted (i.e., the Soul ERC20 contract address), meaning that direct Transfer Token transactions cannot be sent.

    fn validate_calls(mut calls: Array<Call>, blacklisted: ContractAddress) {
        match calls.pop_front() {
            Option::Some(call) => {
                // Trying to steal some soul? Nice try...
                assert(call.to != blacklisted, 'CANNOT_CALL_SOUL_TOKEN');
            },
            Option::None(_) => { return (); }
        }

        validate_calls(calls, blacklisted)
    }

However, the __execute__ function of this contract lacks validation for the caller, allowing it to bypass __validate__ and directly call __execute__.

In the snforge test, construct a call to transfer soul tokens without fees. After passing the local test, serialize the test calls and send them to __execute__ using sncast or a browser to complete the task.

Contract 2#

Contract 2 has a bug fix:

  • fn __execute__ adds assert(get_caller_address().is_zero(), 'INVALID_CALLER');, preventing direct function calls from other contract wallets.
  • If the recipient is the $SOUL contract, an extremely large value of IMPOSSIBLE_SOUL_FEE is required as gas. Since the type is u256, overflow is not possible.
if call.to == blacklisted {
    // Trying to steal some soul? Nice try...
    total_fee + IMPOSSIBLE_SOUL_FEE
} else {
    total_fee + SOUL_FEE
}

First, I tried passing 1000 calldata calls to __validate__, intending to increase the total_fee to 100 and then create a random call to execute and transfer the tokens.

After modifying the total_fee, it was found that the execute function initially set that it cannot be called by a contract, as it is to prevent attacks from other contracts. This blocked the method of directly calling using starkli and a browser.

After consulting with the mentor, it was suggested to sign with a local private key and use Tombkeeper as an account to call other contracts to complete the task. This requires the use of the SDK.

I redeployed the sand_devils contract from the Introduction to CTF and set the count to 1000, allowing any number to be subtracted from 1000 each time.

The SDK has versions in different languages, and I used starknet.js. The important steps are:

  1. Use getClassAt to get the ABI and create an instance of the sand_devil contract.
  2. Create an Account instance using the Tombkeeper2 account address and the private key used to deploy the contract.
  3. Use await devilContract.invoke("slay", [1],{ parseRequest: false} to send the transaction.

It was found that only 0.1 SOUL was deducted as a fee, and the previous 1000 calls to __validate__ did not increase the fee to 100 SOUL. It seems that there is a check at the lower level that if __execute__ is not called, a separate __validate__ will not cause a change in state.

So I tried to directly send a transaction with 1000 calls using starknet.js, which should complete both __validate__ and __execute__ at the same time. The account contract supports transaction bundling operations.

By sending a bundled transaction in starknet.js using contract.populate to convert the address, variables, and parameters into the built-in Call type, and using account.execute to send Call[], even with 1000 transactions, it can be confirmed quickly.

By checking the hash in the browser, it was successful in embedding 1000 slay calls and one transfer in a single transaction, depleting all the SOUL in the Tombkeeper account.

Summary#

ng8 end

Account abstraction is an important part of StarkNet, and the two tasks operate on custom contracts from both the contract side and the SDK side, allowing users to deepen their understanding of account abstraction. Additionally, there is an introduction to using the SDK, learning how to connect to contracts and send bundled transactions.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.