add SmileyCTF MultisigWallet

Author: minaminao

.github/workflows/test.yml

@@ -36,7 +36,7 @@ jobs:
       - name: Install Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
+          python-version: '3.13'
           cache: 'pip'
 
       - name: Install Vyper

README.md

@@ -46,6 +46,7 @@ If there are any incorrect descriptions, I would appreciate it if you could let
   - [Oracle manipulation attacks with flash loans](#oracle-manipulation-attacks-with-flash-loans)
   - [Sandwich attacks](#sandwich-attacks)
   - [Recoveries of private keys by same-nonce attacks](#recoveries-of-private-keys-by-same-nonce-attacks)
+  - [ECDSA signature malleability attacks](#ecdsa-signature-malleability-attacks)
   - [Brute-forcing addresses](#brute-forcing-addresses)
   - [Recoveries of public keys](#recoveries-of-public-keys)
   - [Encryption and decryption in secp256k1](#encryption-and-decryption-in-secp256k1)
@@ -435,6 +436,15 @@ Note:
 | [Paradigm CTF 2021: Babycrypto](src/ParadigmCTF2021)        |                |
 | [MetaTrust CTF: ECDSA](src/MetaTrustCTF/ECDSA/)             |                |
 
+### ECDSA signature malleability attacks
+- ECDSA signatures have a property called malleability, where for a given message and signature `(v, r, s)`, there exists another valid signature `(v', r, -s mod n)` for the same message.
+- This can be exploited in systems that track used signatures, as the alternative signature may not be recognized as already used.
+- In Ethereum's secp256k1 curve, this property can be used to bypass signature verification mechanisms.
+
+| Challenge                                                  | Note, Keywords                           |
+| ---------------------------------------------------------- | ---------------------------------------- |
+| [SmileyCTF: MultisigWallet](src/SmileyCTF/MultisigWallet/) | ECDSA, signature malleability, secp256k1 |
+
 ### Brute-forcing addresses
 - Brute force can make a part of an address a specific value.
 

src/SmileyCTF/MultisigWallet/Exploit.t.sol

@@ -0,0 +1,58 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.20;
+
+import {Test, console} from "forge-std/Test.sol";
+import {SetupLocker, Locker, signature} from "./challenge/Locker.sol";
+
+contract ExploitTest is Test {
+    address playerAddr = makeAddr("player");
+    SetupLocker setup;
+    Locker locker;
+    signature[] signatures;
+
+    function setUp() public {
+        vm.deal(playerAddr, 1 ether);
+        setup = new SetupLocker(playerAddr);
+        locker = Locker(setup.deploy());
+    }
+
+    function test() public {
+        vm.startPrank(playerAddr, playerAddr);
+
+        // python src/SmileyCTF/MultisigWallet/calculateSignature.py
+        signatures.push(
+            signature({
+                v: 28,
+                r: 0x36ade3c84a9768d762f611fbba09f0f678c55cd73a734b330a9602b7426b18d9,
+                s: 0x90cd9cb819a5174da7cf411180c5bc89c57933efc06d4e19d0184f74e3479798
+            })
+        );
+        signatures.push(
+            signature({
+                v: 27,
+                r: 0x57f4f9e4f2ef7280c23b31c0360384113bc7aa130073c43bb8ff83d4804bd2a7,
+                s: 0x96bbcfdfa5949da337af916badf752cbfbe59762eff9df25664b559919d7f831
+            })
+        );
+        signatures.push(
+            signature({
+                v: 28,
+                r: 0xe2e9d4367932529bf0c5c814942d2ff9ae3b5270a240be64b89f839cd4c78d5d,
+                s: 0x93f37ba485770a5dc692808a4ac952a73ef12a68068868d21679abe2f9c5296f
+            })
+        );
+
+        bytes32 msgHash = locker.msgHash();
+        for (uint256 i = 0; i < signatures.length; i++) {
+            signature memory sig = signatures[i];
+            address recoveredAddress = ecrecover(msgHash, sig.v, sig.r, sig.s);
+            console.log("Recovered address:", recoveredAddress);
+        }
+
+        locker.distribute(signatures);
+
+        vm.stopPrank();
+
+        assertTrue(setup.isSolved(), "Challenge not solved");
+    }
+}

src/SmileyCTF/MultisigWallet/README.md

@@ -0,0 +1,19 @@
+- CTF期間中はインフラが壊れていて取り組めなかった
+
+## Overview
+- 添付ファイルとして Setup.sol と Locker.sol が与えられる
+- Locker.sol に Setup コントラクトの実態である SetupLocker コントラクトがあるからこれを読む
+- SetupLocker の deploy 関数は誰でも呼び出せるが、インスタンスが返るだけで、インスタンスアドレスは `challenge` にセットされない
+    - （これは作問ミスだったらしい）
+    - ![](assets/image.png)
+- Locker はマルチシグウォレットで、deploy 関数呼び出し時に指定した 3 つの署名によって Locker が初期化される
+- validateMultiSig 関数を呼び出すと署名が正しいか検証されるが、一度使用した署名は利用できない
+- 当然、deploy 時に使った署名も使用できない
+- また、その署名に結びつくコントローラーの秘密鍵はわからない
+
+## Solution
+- 前提: Ethereum の ECDSA 署名において楕円曲線は secp256k1 を使っている
+    - あるメッセージにおいて、`(v, r, s)` と `(v', r, -s mod n)` の二種類の署名が存在する
+    - ここで、`n` は secp256k1 曲線の order
+    - また、トランザクションは EIP-2 によって、order の半分より大きいと無効になるが、`ECRECOVER` は禁止されていない
+- 3つの署名の `(v', r, -s mod n)` を生成し、`distribute` を実行することで署名検証をパスし、 `isSolved` を `true` にできる

src/SmileyCTF/MultisigWallet/assets/image.png

@@ -0,0 +1,9 @@
+curve_order = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
+
+s1 = -0x6f326347e65ae8b25830beee7f3a4374f535a8f6eedb5221efba0f17eceea9a9 % curve_order
+s2 = -0x694430205a6b625cc8506e945208ad32bec94583bf4ec116598708f3b65e4910 % curve_order
+s3 = -0x6c0c845b7a88f5a2396d7f75b536ad577bbdb27ea8c03769a958b2a9d67117d2 % curve_order
+
+print(f"s1: {hex(s1)}")
+print(f"s2: {hex(s2)}")
+print(f"s3: {hex(s3)}")

src/SmileyCTF/MultisigWallet/calculateSignature.py

@@ -0,0 +1,168 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity ^0.8.0;
+
+import {Setup} from "./Setup.sol";
+/**
+ * @title Locker
+ * @author BrokenAppendix
+ */
+
+struct signature {
+    uint8 v;
+    bytes32 r;
+    bytes32 s;
+}
+
+event LockerDeployed(
+    address lockerAddress, uint256 lockId, uint8[] v, bytes32[] r, bytes32[] s, address[] controllers, uint256 threshold
+);
+
+// SlockDotIt ECLocker factory
+contract Locker {
+    uint256 public immutable lockId;
+    bytes32 public immutable msgHash;
+    address[] public controllers;
+    uint256 public immutable threshold;
+    uint256 public tokens;
+
+    mapping(bytes32 => bool) public usedSignatures;
+
+    constructor(uint256 _lockId, signature[] memory signatures, address[] memory _controllers, uint256 _threshold) {
+        require(_controllers.length >= _threshold && _threshold > 0, "Invalid config");
+
+        lockId = _lockId;
+        threshold = _threshold;
+        controllers = _controllers;
+        tokens = 1;
+
+        // Compute the expected hash
+        bytes32 _msgHash;
+        assembly {
+            mstore(0x00, "\x19Ethereum Signed Message:\n32") // 28 bytes
+            mstore(0x1C, _lockId)
+            _msgHash := keccak256(0x00, 0x3c)
+        }
+        msgHash = _msgHash;
+
+        validateMultiSig(signatures);
+
+        // Flatten signature arrays
+        uint8[] memory vArr = new uint8[](signatures.length);
+        bytes32[] memory rArr = new bytes32[](signatures.length);
+        bytes32[] memory sArr = new bytes32[](signatures.length);
+
+        for (uint256 i = 0; i < signatures.length; i++) {
+            vArr[i] = signatures[i].v;
+            rArr[i] = signatures[i].r;
+            sArr[i] = signatures[i].s;
+        }
+
+        emit LockerDeployed(address(this), lockId, vArr, rArr, sArr, controllers, threshold);
+    }
+
+    function distribute(signature[] memory signatures) external {
+        validateMultiSig(signatures);
+        tokens -= 1;
+    }
+
+    function isSolved() external view returns (bool) {
+        return tokens == 0;
+    }
+
+    function validateMultiSig(signature[] memory signatures) public {
+        address[] memory seen = new address[](controllers.length);
+        uint256 validCount = 0;
+        for (uint256 i = 0; i < signatures.length; i++) {
+            address recovered = _isValidSignature(signatures[i]);
+            require(!_isInArray(recovered, seen), "Same signer cannot sign multiple times");
+
+            // Ensure no duplicate
+            for (uint256 j = 0; j < validCount; j++) {
+                require(seen[j] != recovered, "Duplicate signer");
+            }
+
+            /// seenの上書きはできるっちゃできる
+            /// が、それができるならそもそもdistributeもできる
+            seen[validCount] = recovered;
+            validCount++;
+        }
+        require(validCount == threshold, "Not enough valid signers");
+    }
+
+    function _isValidSignature(signature memory sig) internal returns (address) {
+        uint8 v = sig.v;
+        bytes32 r = sig.r;
+        bytes32 s = sig.s;
+        address _address = ecrecover(msgHash, v, r, s);
+        require(_isInArray(_address, controllers), "Signer is not a controller");
+
+        bytes32 signatureHash = keccak256(abi.encode([uint256(r), uint256(s), uint256(v)]));
+        require(!usedSignatures[signatureHash], "Signature has already been used");
+        usedSignatures[signatureHash] = true;
+        return _address;
+    }
+
+    function _isInArray(address addr, address[] memory arr) internal pure returns (bool) {
+        for (uint256 i = 0; i < arr.length; i++) {
+            if (arr[i] == addr) return true;
+        }
+        return false;
+    }
+}
+
+/**
+ * @dev This is the Setup Contract which checks if the challenge is solved or not
+ * (not a part of the challenge)
+ */
+
+// Private Keys randomly generated online
+// Signatures generated in signature_generator.js
+// Signatures retrieved by player by reading events in read_signatures.js
+
+contract SetupLocker is Setup {
+    constructor(address player_address) payable Setup(player_address) {}
+
+    signature[] signatures;
+    address[] controllers;
+
+    function deploy() public override returns (address) {
+        uint256 lockId = 0;
+        signatures.push(
+            signature({
+                v: 27,
+                r: 0x36ade3c84a9768d762f611fbba09f0f678c55cd73a734b330a9602b7426b18d9,
+                s: 0x6f326347e65ae8b25830beee7f3a4374f535a8f6eedb5221efba0f17eceea9a9
+            })
+        );
+        signatures.push(
+            signature({
+                v: 28,
+                r: 0x57f4f9e4f2ef7280c23b31c0360384113bc7aa130073c43bb8ff83d4804bd2a7,
+                s: 0x694430205a6b625cc8506e945208ad32bec94583bf4ec116598708f3b65e4910
+            })
+        );
+        signatures.push(
+            signature({
+                v: 27,
+                r: 0xe2e9d4367932529bf0c5c814942d2ff9ae3b5270a240be64b89f839cd4c78d5d,
+                s: 0x6c0c845b7a88f5a2396d7f75b536ad577bbdb27ea8c03769a958b2a9d67117d2
+            })
+        );
+        controllers.push(0x9dF23180748A2E168a24F5BBAB2a50eE38A7d309);
+        controllers.push(0x8Ab87699287fe024A8b4d53385AC848930b19FfF);
+        controllers.push(0x10Bab59adbDd06E90996361181b7d2129A5Eeb5A);
+        uint256 threshold = 3;
+
+        Locker _instance = new Locker(lockId, signatures, controllers, threshold);
+
+        /// 作問ミスを修正
+        challenge = address(_instance);
+
+        return address(_instance);
+    }
+
+    function isSolved() external view override returns (bool) {
+        return Locker(challenge).isSolved();
+    }
+}

src/SmileyCTF/MultisigWallet/challenge/Locker.sol

@@ -0,0 +1,14 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+abstract contract Setup {
+    address public challenge;
+    address public player;
+
+    constructor(address _player) {
+        player = _player;
+    }
+
+    function deploy() public virtual returns (address);
+    function isSolved() external view virtual returns (bool);
+}