Preservation

Take ownership of the Preservation contract by exploiting storage layout and delegatecall.

Vulnerable Code

Analyze the Solidity code below to find the vulnerability.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Contract with time zone libraries and delegatecall vulnerability
contract Preservation {

  address public timeZone1Library;
  address public timeZone2Library;
  address public owner;
  uint storedTime; // Slot 1

  constructor(address _timeZone1LibraryAddress, address _timeZone2LibraryAddress) {
    timeZone1Library = _timeZone1LibraryAddress;
    timeZone2Library = _timeZone2LibraryAddress;
    owner = msg.sender;
  }

  // Sets the time for timezone 1
  function setFirstTime(uint _timeStamp) public {
    // Delegatecall to timeZone1Library
    (bool success, ) = timeZone1Library.delegatecall(abi.encodeWithSignature("setTime(uint256)", _timeStamp));
    require(success, "Delegatecall failed");
  }

  // Sets the time for timezone 2
  function setSecondTime(uint _timeStamp) public {
    // Delegatecall to timeZone2Library
    (bool success, ) = timeZone2Library.delegatecall(abi.encodeWithSignature("setTime(uint256)", _timeStamp));
    require(success, "Delegatecall failed");
  }
}

// Simple library contract to set time
library TimeZoneLib {
  // Stores the time in storage slot 0 -> Overwrites Preservation.timeZone1Library
  uint storedTime;

  function setTime(uint _time) public {
    storedTime = _time;
  }
}

Submit Explanation

Explain the vulnerability and how to exploit it.

Your Explanation

Hints (6)

Just a little peak

Hint 1

Hint 2

Hint 3

Hint 4

Hint 5

Hint 6

Explanation

Discomfort = Learning

Preservation

Unveil Explanation