Alien Codex

Claim ownership of the Alien Codex contract by exploiting array length manipulation and storage slot collisions.

Vulnerable Code

Analyze the Solidity code below to find the vulnerability.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// From OpenZeppelin Contracts v4.x
import "@openzeppelin/contracts/access/Ownable.sol";

contract AlienCodex is Ownable {

  bool public contact; // slot 1
  bytes32[] public codex; // slot 2 - Dynamic array

  modifier contacted() {
    require(contact, "Make contact first");
    _;
  }

  function make_contact() public {
    contact = true;
  }

  // Underflow vulnerability if codex.length is 0
  function retract() contacted public {
    // codex.length is uint256
    // If length is 0, 0 - 1 underflows to type(uint256).max
    codex.length--;
  }

  // Allows writing to arbitrary indices if bounds check is bypassed
  function revise(uint i, bytes32 _content) contacted public {
    // Array access checks i < codex.length
    codex[i] = _content;
  }
}

Submit Explanation

Explain the vulnerability and how to exploit it.

Your Explanation

Hints (10)

Just a little peak

Hint 1

Hint 2

Hint 3

Hint 4

Hint 5

Hint 6

Hint 7

Hint 8

Hint 9

Hint 10

Explanation

Discomfort = Learning

Alien Codex

Unveil Explanation