Ethernaut — Level 16 — Preservation
Welcome Back. To complete this challenge you need to revisit the concept of delegatecall and storage in solidity. But let me quickly explain you these concepts as simple as I can so that we can proceed with the challenge.
delegatecall & storage
When Contract A delegates a function call to Contract B then the B’s code is executed with storage of A and this storage is in the form of slot system, where in each slot can store 256 bits of data.
Click here to access the source code.
Investigation
We see two contracts Preservation and LibraryContract and four variables defined in the contract. timeZone1Library and timeZone2Library are initialized at the call of the Preservation’s constructor.
Now, if we make a function call to setFirstTime and pass the contract address of our malicious contract, timeZone1Library will be set to our malicious contract address — this is from our understanding about delegatecall & storage.
The Solution
We need to follow the same variable declaration format used in Preservation contract in our malicious smart contract. Now, when we make the setFirstTime call, we know that timeZone1Library now has the value set to the malicious contract.
The above function call makes it possible to call delegated function from malicious contract address and take over the ownership.
We have already defined a setTime function which sets the owner to a msg.sender address i.e., theOwner variable.
Note: When we call the setFirstTime the second time, the updated variable is owner and not timeZone1Library because we are following the slot order same as the Preservation contract. So when the delegated call is made, the owner variable is updated.
Thanks for Reading.
