bg-ctf

Challenge 4: Who can sign this?

In this challenge, you need to mint a flag using a signature from an authorized minter.

Contract Overview

The contract includes:

Hints

Hint 1: The authorized minter address (0xFABB0ac9d68B0B445fB7357272Ff202C5651694a) is a commonly used test address.
Hint 2: Many development environments (Hardhat, Ganache) come with predefined accounts and their private keys.
Hint 3: If you know the private key, you can generate valid signatures for any message!

Solution

The authorized minter is using a well-known Hardhat test account:

- Address: 0xFABB0ac9d68B0B445fB7357272Ff202C5651694a
- Private Key: 0xa267530f49f8280200edf313ee7af6b827f2a8bce2897751d06a843f644967b1

  1. Construct the message:

         bytes32 message = keccak256(abi.encode("BG CTF Challenge 4", your_address));
         bytes32 hash = message.toEthSignedMessageHash();

  2. Sign it with the known private key to get your signature.
  3. Call the contract:

         challenge4.mintFlag(MINTER_ADDRESS, signature);

Congratulations! You've learned about the dangers of using known private keys! 🎉

Remember: In production, private keys should be secure, random, and never shared or reused from test environments!
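One way to catch this mistake before deployment is to scan configuration and deploy scripts for known development accounts and for hex keys sitting in tracked files. The following is an added example, not part of the challenge repository; `scanForDevAccounts`, the finding names, and the sample config are hypothetical, and the denylist contains only the account pair published on this page.

```javascript
// Added example: pre-deploy scan for well-known development accounts.
// The denylist holds only the pair shown on this page; a real one would list
// every default account of the development tools in use.
const KNOWN_DEV_ACCOUNTS = [
  {
    address: "0xFABB0ac9d68B0B445fB7357272Ff202C5651694a",
    privateKey: "0xa267530f49f8280200edf313ee7af6b827f2a8bce2897751d06a843f644967b1",
  },
];

const norm = (hex) => hex.toLowerCase().replace(/^0x/, "");
const DEV_ADDRESSES = new Set(KNOWN_DEV_ACCOUNTS.map((a) => norm(a.address)));
const DEV_KEYS = new Set(KNOWN_DEV_ACCOUNTS.map((a) => norm(a.privateKey)));

// A standalone run of 40 hex chars is an address; 64 is a 32-byte key or hash.
const HEX_RUN = /(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64}|[0-9a-fA-F]{40})(?![0-9a-fA-F])/g;

// Scan the text of a config file, .env file or deploy script line by line.
function scanForDevAccounts(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(HEX_RUN)) {
      const value = norm(m[1]);
      if (value.length === 40 && DEV_ADDRESSES.has(value)) {
        findings.push({ line: i + 1, kind: "known-dev-address" });
      } else if (value.length === 64 && DEV_KEYS.has(value)) {
        findings.push({ line: i + 1, kind: "known-dev-private-key" });
      } else if (value.length === 64 && /key|secret|mnemonic/i.test(line)) {
        // Not on the denylist, but a 32-byte value on a line naming a key
        // suggests a secret stored in a tracked file.
        findings.push({ line: i + 1, kind: "possible-committed-key" });
      }
    }
  });
  return findings;
}

// Constructed sample: a deploy config using this page's minter address and a
// made-up key (all 0xab bytes) standing in for a real secret.
const SAMPLE_CONFIG = [
  'AUTHORIZED_MINTER="0xFABB0ac9d68B0B445fB7357272Ff202C5651694a"',
  "RPC_URL=https://rpc.example.invalid",
  "DEPLOYER_PRIVATE_KEY=0x" + "ab".repeat(32),
  "MINTER_KEY=a267530f49f8280200edf313ee7af6b827f2a8bce2897751d06a843f644967b1",
].join("\n");

console.log(scanForDevAccounts(SAMPLE_CONFIG));
```

Run it as a pre-commit or CI step and fail the build on any finding; an address match means the contract would trust a signer whose key is public.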

Why This Matters

Using known private keys in production is catastrophic:

  1. The Harmony Horizon Bridge hack (2022, $100M lost) involved compromised private keys
  2. Multiple projects have been drained after accidentally committing private keys to GitHub
  3. The Slope wallet incident (2022) exposed thousands of private keys through logging

This challenge demonstrates why you should: