HigherOrder
Reference
目标
成为合约的leaderShip
分析
commander
uint256 public treasury;
function registerTreasury(uint8) public {
assembly {
sstore(treasury_slot, calldataload(4))
}
}
function claimLeadership() public {
if (treasury > 255) commander = msg.sender;
else revert("Only members of the Higher Order can become Commander");
}
- 只要
treasury大于255,任何地址就可以成为commander registerTreasury(uint8)通过uint8限制传参(最大值255)- 但是函数调用可以通过直接底层的call调用,
call调用中数据被编码成256bit,数值远大于255 - 因此,只需要在
calldata中输入任意大于 255 的数值就可以更新treasury的值 0x211c85ab0000000000000000000000000000000000000000000000000000000000000100