bg-ctf

Challenge 8: The unverified

In this challenge, you’re presented with raw bytecode for a contract. You need to understand what it does and how to interact with it to get your flag!

Contract Overview

The contract is provided as raw bytecode, so there is no Solidity source to read. Its behaviour can still be recovered from the bytecode itself: the function dispatcher exposes the four-byte selectors, and a decompiler recovers the checks behind each one, as the hints below show.

Hints

Hint 1: The bytecode includes function selectors. One important one is 0x8fd628f0.
Hint 2: When a contract's source code isn't available, you can use tools like Etherscan's bytecode decompiler or the Dedaub decompiler.
Hint 3: The contract expects an address parameter and compares it with msg.sender.

Solution

1. First, identify the two function selectors in the dispatcher:
   - 0x8fd628f0: main function that mints the flag
   - 0xd56d229d: getter for an address variable
2. The main function takes a single address parameter and requires it to equal the caller:
```solidity
require(parameter == msg.sender, "Invalid sender");
```
3. Call the contract, passing the address you are calling from:
```solidity
// yourAddress must be the account that performs the call, i.e. msg.sender
(bool success, ) = challenge8.call(
    abi.encodeWithSelector(0x8fd628f0, yourAddress)
);
require(success, "flag mint failed");
```
The contract will:
- verify that the address you passed equals msg.sender
- mint the flag token to you

Note that msg.sender is the immediate caller: if you issue the call from a helper contract, yourAddress must be that contract's address, not your EOA.

Congratulations! You've successfully analyzed and interacted with raw bytecode! 🎉
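The two steps above (recovering selectors from the dispatcher, then building the calldata that `abi.encodeWithSelector(0x8fd628f0, yourAddress)` produces) can be reproduced offline. The following Python is an added example and not part of the challenge repository: it walks EVM bytecode instruction by instruction, skipping PUSH immediates so that data bytes are never misread as opcodes, extracts every `PUSH4 sel EQ PUSHn dest JUMPI` dispatcher entry, and then encodes and decodes the 36-byte calldata for the solution call. The bytecode it scans is a constructed minimal dispatcher using the two selectors from this write-up (with a decoy selector hidden inside PUSH32 data); it is not the real challenge bytecode, and the jump destinations are placeholders.

```python
"""Selector extraction and calldata encoding for an unverified contract.

Added example; the bytecode below is constructed, not the challenge's own.
"""

PUSH1, PUSH4, PUSH32 = 0x60, 0x63, 0x7F
EQ, JUMPI = 0x14, 0x57


def disassemble(code: bytes):
    """Yield (offset, opcode, immediate). PUSH immediates are consumed here,
    so a byte inside PUSH data is never interpreted as an opcode."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            n = op - PUSH1 + 1
            yield pc, op, code[pc + 1 : pc + 1 + n]
            pc += 1 + n
        else:
            yield pc, op, b""
            pc += 1


def extract_selectors(code: bytes) -> dict[int, int]:
    """Return {selector: jump_dest} for each `PUSH4 sel EQ PUSHn dest JUMPI`
    sequence, the comparison chain solc emits for external functions."""
    ins = list(disassemble(code))
    found = {}
    for i in range(len(ins) - 3):
        (_, op0, imm0), (_, op1, _), (_, op2, imm2), (_, op3, _) = ins[i : i + 4]
        if op0 == PUSH4 and op1 == EQ and PUSH1 <= op2 <= PUSH32 and op3 == JUMPI:
            found[int.from_bytes(imm0, "big")] = int.from_bytes(imm2, "big")
    return found


def encode_address_call(selector: int, addr: str) -> bytes:
    """Same bytes as abi.encodeWithSelector(selector, addr): 4-byte selector
    followed by the address left-padded to one 32-byte word."""
    raw = bytes.fromhex(addr.removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return selector.to_bytes(4, "big") + raw.rjust(32, b"\x00")


def decode_address_arg(calldata: bytes) -> tuple[int, str]:
    """Inverse of encode_address_call, rejecting dirty upper bytes the way
    strict ABI decoding does."""
    if len(calldata) != 36:
        raise ValueError("expected 4-byte selector + one 32-byte word")
    sel = int.from_bytes(calldata[:4], "big")
    word = calldata[4:36]
    if any(word[:12]):
        raise ValueError("upper 12 bytes of address word must be zero")
    return sel, "0x" + word[12:].hex()


def passes_sender_check(calldata: bytes, msg_sender: str) -> bool:
    """Model of `require(parameter == msg.sender)` from the decompiled code."""
    _, arg = decode_address_arg(calldata)
    return arg.lower() == msg_sender.lower()


# Constructed dispatcher: selector = calldata[0:4] >> 224, compared against
# each known selector, jump to its body, otherwise revert. Bodies are omitted,
# so the PUSH2 destinations are placeholders. The PUSH32 carries a decoy
# `PUSH4 0xdeadbeef EQ PUSH2 JUMPI` in its data to show why a naive byte
# search for 0x63 is wrong.
DECOY = "7f" + "63deadbeef1461000057" + "00" * 22
SAMPLE_BYTECODE = bytes.fromhex(
    "6000" "35" "60e0" "1c" "80"
    "638fd628f0" "14" "61001f" "57"
    "80" "63d56d229d" "14" "610030" "57"
    + DECOY +
    "6000" "80" "fd"
)

if __name__ == "__main__":
    for sel, dest in extract_selectors(SAMPLE_BYTECODE).items():
        print(f"selector 0x{sel:08x} -> body at 0x{dest:04x}")
    # Constructed caller address, stands in for yourAddress.
    me = "0x" + "ab" * 20
    calldata = encode_address_call(0x8FD628F0, me)
    print("calldata:", calldata.hex())
    print("passes require:", passes_sender_check(calldata, me))
```

Running it against real bytecode (paste the hex from the block explorer into `SAMPLE_BYTECODE`) gives you the selector set to feed into a signature database or decompiler; the encode/decode pair is what a wallet or script does before sending the transaction, and the sender check shows why the argument has to be the actual caller.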

Remember: In production, always verify your contract source code. Unverified contracts are a red flag and require careful analysis before interaction!

Why This Matters

Working with raw bytecode and contract verification is crucial in blockchain security:

  1. Multiple “rugpulls” have hidden malicious logic in unverified contracts
  2. The “Fake Token” scams often use bytecode that looks similar to legitimate tokens

This demonstrates: