# [Paradigm-CTF 2023] Blacksheep Write Up

The key is to leverage the unused call result of the `CHECKVALUE` macro. `CHECKVALUE` is declared `returns (0)`, yet its final `call` leaves a result on the stack, and that leftover value is what helps us bypass the `noauth` check.

```huff=
/* Interface */
#define function withdraw(bytes32,uint8,bytes32,bytes32) payable returns ()

#define macro CHECKVALUE() = takes (0) returns (0) {
    callvalue 0x10 gt over jumpi // [callvalue < 0x10]
    0x00 dup1 revert
    over:
        0x00 0x00 0x00 0x00
        callvalue 0x02 mul
        caller
        0xFFFFFFFF
        call // [call_result]
}

#define macro CHECKSIG() = takes (0) returns (1) {
    // last call left a call result in stack
    0x04 calldataload // [call_result, calldata_32byte]
    0x00 mstore // mem: [0x00 - calldata_32byte] stack: [call_result]
    0x24 calldataload
    0x20 mstore // mem: [0x20 - calldata_32byte, 0x00 -- calldata_32byte] stack: [call_result]
    0x44 calldataload
    0x40 mstore
    0x64 calldataload
    0x60 mstore // mem: [0x20 - calldata_32byte, 0x00 -- calldata_32byte] stack: [call_result]
    0x20 0x80 0x80 0x00 0x1 // call the pre-compile contract -- ecrecover(hash,v,r,s)
    // mem
    // [0; 31] hash
    // [32; 63] v
    // [64; 95] r
    // [96; 127] s
    0xFFFFFFFF staticcall // [call_result, static_callresult]
    iszero invalidSigner jumpi
    0x80 mload
    0xd8dA6Bf26964AF9D7eed9e03e53415D37AA96044 eq correctSigner jumpi
    end jump
    correctSigner:
        0x00
        end jump
    invalidSigner:
        0x01
        end jump
    end: // [call_result]
}

#define macro WITHDRAW() = takes (0) returns (0){
    CHECKVALUE()
    CHECKSIG() // !call_result
    iszero iszero noauth jumpi
    0x00 dup1 dup1 dup1 selfbalance caller gas call
    end jump
    noauth:
        0x00 dup1 revert
    end:
}

#define macro MAIN() = takes (0) returns (0) {
    // Identify which function is being called.
    0x00 calldataload 0xE0 shr // [methodID]
    dup1 __FUNC_SIG(withdraw) eq withdrawj jumpi
    callvalue 0x00 lt recieve jumpi
    0x00 0x00 revert
    withdrawj:
        WITHDRAW()
    recieve:
}
```

Why this works: `CHECKSIG` pushes `0x00` on the `correctSigner` path and `0x01` on the `invalidSigner` path, but when the recovered address simply does not match, it jumps straight to `end` without pushing anything. `WITHDRAW` then runs `iszero iszero noauth jumpi` on whatever is on top of the stack, which on that path is the call result left behind by `CHECKVALUE`, so the authorization decision is made on a value the caller controls instead of on the signature check.

With that context, we can write an exploit contract that makes `withdraw` succeed by controlling how it responds when the Blacksheep contract calls it with a value.

The underlying defect is a stack imbalance: `CHECKVALUE` leaves one more item than its declared `returns (0)`, and one branch of `CHECKSIG` yields no explicit verdict. Consuming or checking the `call` result inside `CHECKVALUE` and pushing an explicit failure value on every non-matching path of `CHECKSIG` would close it.