diff --git a/test/EthernautCTF/MagicNumberExploit.t.sol b/test/EthernautCTF/MagicNumberExploit.t.sol
index 817a23a..29b26ae 100644
--- a/test/EthernautCTF/MagicNumberExploit.t.sol
+++ b/test/EthernautCTF/MagicNumberExploit.t.sol
@@ -65,6 +65,8 @@ contract MagicNumberExploit is Test {
 // PUSH1 0x00
 // MSTORE
 // 2. Return 10 bytes from memory, starting at offset 22.
+ // Why an offset of 22? Because the runtime code length is 10 bytes and when we store it in
+ // memory, it's padded with zero bytes (22 zero bytes) to get a 32-byte value.
 // PUSH1 0x0a (10 in hexadecimal)
 // PUSH1 0x16 (22 in hexadecimal)
 // RETURN
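Review bot: The added comment says the value is "padded with zero bytes" but not on which side, and the side is what makes the offset 22 rather than 0. MSTORE writes a full 32-byte word with the pushed value right-aligned, so the 10 bytes of runtime code end up in the last 10 bytes of that word. I would reword the two lines as `// MSTORE writes a 32-byte word, so the 10-byte runtime code is left-padded with 22 zero bytes and sits at memory[22..32).` The push of the runtime code is above the hunk, so this assumes the word is stored at offset 0, as the visible `PUSH1 0x00` suggests.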