OnlyPwner - SEAL 911 - Writeup-魔法少女雪殇

题目信息

题目名称: SEAL 911
作者: 3doc
难度: 高级
类型: EVM 预编译合约利用

题目描述

You barely manage to get off bed as your phone rings. It's THAT ringtone: there's a call for you from the SEAL 911 white hat hotline.

The uber famous Safu DAO just realized that a sophisticated social engineering scheme allowed a hacker to gain access to the private key managing their centralized vault.

The Safu DAO's team incident response procedure is stuck in a bug that was introduced after the last rehearsal. The team shared the leaked key with you, hoping you can recover funds faster than the hacker.

胜利条件

将 Vault 中的所有资金（100 ETH）转移到 safe 地址。

合约分析

Vault.sol 核心代码

contract Vault is IERC165, IERC721, IERC721Errors {
    address public owner;
    address public operator;

    function safeTransferFrom(
        address from,
        address to,
        uint256 tokenId,
        bytes memory data
    ) public {
        _requireZero(tokenId);

        if (owner != from) {
            revert ERC721IncorrectOwner(from, tokenId, owner);
        }

        address spender = msg.sender;
        if (spender != owner && spender != operator) {
            revert ERC721InsufficientApproval(spender, tokenId);
        }

        address _owner = owner;      // ① 保存旧 owner
        address _operator = operator; // ② 保存旧 operator

        _changeOwnership(to);         // ③ 改变所有权

        _owner.call{value: address(this).balance}("");  // ④ 资金发给旧 owner！

        bytes4 retval = IERC721TokenReceiver(to).onERC721Received(
            _operator,  // ⑤ 使用旧 operator 作为参数
            from,
            tokenId,
            data
        );
        if (retval != IERC721TokenReceiver.onERC721Received.selector) {
            revert ERC721InvalidReceiver(to);
        }
    }

    function _changeOwnership(address newOwner) internal {
        if (newOwner == address(0) || newOwner.code.length > 0) {  // ⑥ 检查！
            revert ERC721InvalidReceiver(newOwner);
        }
        owner = newOwner;
        operator = newOwner;
    }
}