Description
We've created a simple contract to store a secret flag. But you currently are not the owner of the contract... Only the owner of the contract should be able to access it. Contract: here
Download and read AccessControl.sol.
Set up Foundry or cast/web3 to interact with the deployed contract.
cat AccessControl.solSolution
Walk me through it- Step 1Read AccessControl.sol and find the exposed functionOpen the source and look for any externally callable function that writes to
owner. In this contract there's a publicclaimOwnership()with no msg.sender check, so anyone can call it. See smart contract CTF bugs for the full taxonomy of access control flaws.bashcat AccessControl.solLearn more
Access control in Solidity smart contracts relies on the developer correctly checking who is calling a function. The canonical pattern is an
onlyOwnermodifier that comparesmsg.senderto a storedowneraddress. When this check is missing, broken, or bypassable, any caller can claim ownership.The four flaws to scan for in a CTF contract:
- The owner variable is public and set in a function anyone can call (this challenge).
tx.originis used instead ofmsg.sender.tx.originis always the EOA that signed the outermost transaction, so a victim calling an attacker contract still authenticates as the victim.- The
initialize()function lacks a flag preventing re-initialization, letting anyone replay it after deployment. - A pre-0.5 contract uses a same-named function as a constructor (typo or deliberate), making it permanently callable.
The Foundry toolkit's
castcommand-line tool is invaluable for interacting with deployed contracts without writing a full script.cast callreads state,cast sendsends transactions. Read the Solidity source first, always. - Step 2Become the ownerSend a transaction to the exposed function with your funded private key. Replace CONTRACT, YOUR_ADDR, RPC_URL, and PRIVATE_KEY with the values from the instance page.bash
YOUR_ADDR=$(cast wallet address --private-key $PRIVATE_KEY)bashcast send $CONTRACT 'claimOwnership()' --from $YOUR_ADDR --rpc-url $RPC_URL --private-key $PRIVATE_KEYbash# Alternate flaw: setOwner(address) is publicbashcast send $CONTRACT 'setOwner(address)' $YOUR_ADDR --from $YOUR_ADDR --rpc-url $RPC_URL --private-key $PRIVATE_KEYLearn more
In Ethereum, all state-changing contract calls are transactions that must be signed by a private key. The
msg.senderglobal variable always holds the address that signed the current transaction. If a contract allows anyone to call a function that setsowner = msg.sender, you simply call it and you become the owner.The Uninitialized Storage Pattern is a related vulnerability: if a proxy contract's storage slot for the implementation address overlaps with the owner slot, an attacker can set the implementation to their own contract and upgrade themselves to owner. This affected several real DeFi protocols.
For CTF challenges, the challenge typically provides a funded private key (shown on the instance page). Use
cast wallet address --private-key KEYto derive your address, then sign transactions with--private-key. Always confirm state changes withcast callafter eachcast send. - Step 3Verify ownership transferredBefore reading the flag, confirm the previous step actually worked. cast call is free and quick.bash
cast call $CONTRACT 'owner()(address)' --rpc-url $RPC_URLbash# Output should match $YOUR_ADDRLearn more
This is the cheapest sanity check available.
cast callqueries state without a transaction (no gas, instant), so use it after every state-changing call to confirm the chain saw what you expected. If the returned address doesn't match yours, yourclaimOwnership()reverted silently or you sent it from the wrong key. - Step 4Read the flagWith ownership in hand, call getFlag() and decode the returned string.bash
cast call $CONTRACT 'getFlag()(string)' --rpc-url $RPC_URL --from $YOUR_ADDRLearn more
cast callexecutes a read-only call (no transaction, no gas cost) against a deployed contract. The function signature format'getFlag()(string)'tells cast both the input types (none) and output types (string) so it can ABI-decode the return value for you.In production Solidity, sensitive data is rarely returned directly even to the owner - instead, events are emitted or data is stored off-chain. However, CTF contracts intentionally expose flags through a guarded function, which is why bypassing the access control directly yields the flag.
The broader lesson is that blockchain data is public: even "private" Solidity state variables can be read by anyone via
eth_getStorageAtRPC calls. True secrets should never be stored on-chain unencrypted - but in this CTF challenge the flag is gated behind an access-controlled function rather than encrypted storage, making ownership the only protection.
Flag
picoCTF{4cc3ss_c0ntr0l_byp4ss_...}
The contract's owner check is bypassable - the ownership can be claimed by anyone due to a missing or broken access modifier.
How to prevent this
How to prevent this
Smart contract access control is mostly about not trusting tx.origin and not leaving init functions reachable.
- Use OpenZeppelin's
OwnableorAccessControlrather than rolling your own. Both ship auditedonlyOwner/onlyRolemodifiers and constructor-time owner assignment. - Always compare against
msg.sender, nevertx.origin.tx.origincan be manipulated by routing the call through an attacker-controlled proxy contract. - For upgradeable contracts, use OpenZeppelin's
Initializablewith theinitializermodifier. Under the hood it sets a boolean storage flag (_initialized) on first call and checks it on entry, so any subsequent call reverts withInvalidInitialization(). Pair with Slither and a Foundry invariant test that asserts the owner can never change unexpectedly.