Higher Order - New Level

[0xneves]

We have developed a new level for Ethernaut that exploits a weakness in compilers below version 0.8.0. In this scenario, the inputs handled by the functions will not be checked in their entirety. This means that when we use the calldataload(4) command to take the transaction input, we can tamper with the bytes and this altered set of bytes will go unnoticed by the functions.

This weakness is also known as Dirty Higher Order Bits and exploits byte manipulation to bypass security checks. We made a pun on the name of this vulnerability with the scenario and narrative proposed for the level developed, where the contract is a "supreme association" known as the Higher Order, and this secret group has a treasure and a commander! For the attacker to become the commander, he must deliver a treasure greater than uint8 (255) via the input of the registerTreasury function.

Through the exploit proposed by Dirty Bits, we can define any value for the treasure as long as it fits into the size of one bytes32. We do this by editing a calldata - changing a few bits from 0 to higher values - before sending it as an attack, in a low-level call to the registerTreasury function. So, with our hands on the enormous treasure that is knowledge, we can call the claimLeadership function and prove that we are the new Commander!

This level was built between the following community members:
0xneves
luizfolly
fefeupz
r4wd0g
gabrielsdev

[xaler5]

Thanks @0xneves, due to some refactor that we moved to Foundry, I moved the PR here #719. It will still preserves your commits