EVM Puzzle 2 solution

StErMi
2 min readJun 12, 2022

--

Ryoji Iwata Unsplash

This is Part 2 of the “Let’s play EVM Puzzles” series, where I will explain how to solve each puzzle challenge.

EVM Puzzles is a project developed by Franco Victorio (@fvictorio_nan) that is a perfect fit if you are in the process of learning how the Ethereum EVM works, and you want to apply some of the knowledge you have just acquired.

EVM Puzzle 2

00 34 CALLVALUE
01 38 CODESIZE
02 03 SUB
03 56 JUMP
04 FD REVERT
05 FD REVERT
06 5B JUMPDEST
07 00 STOP
08 FD REVERT
09 FD REVERT

The problem is similar to the Puzzle 1 challenge, where we need to find a way to have in the EVM Stack the correct value when the JUMP opcode is executed. We need to have into the stack the value 6 to land in a valid JUMPDEST opcode.

Let’s review each operation and plan ahead

  • CALLVALUE as we know from the previous, challenge will push the msg.value (in wei) to the stack
  • CODESIZE push into the stack the contract’s code size in bytes
  • SUB pop two values from the stack, subtract V1 (position 1 in the stack) from V0 (position 0 in the stack), pushing the result of the operation into the stack

This would be the stack before the SUB opcode:

| POSITION  | VALUE   | REASON                |
| — — — — — | — — — — | — — — - - - - - - - - |
| #0 | V1 | pushed by `CODESIZE` |
| #1 | V0 | pushed by `CALLVALUE` |

After `SUB` the stack would have the value V0-V1 (CODESIZE — CALLVALUE). It’s important to remember that the EVM Stack operates as a LIFO (last in, first out) queue.

Solution

The contract code is nothing more than the ordered list of Opcodes that will be executed by the EVM. Each opcode is 1 byte so CODESIZE op will push the value 0x0A to the stack (hex conversion of 10 in decimal).

To have 6 as the result of SUB we need CALLVALUE to push the value 4 into the Stack to make JUMP the PC jump to the sixth position of our code.

Here’s the link to the solution of Puzzle 2 on EVM Codes website to simulate it.

--

--

StErMi

#web3 dev + auditor | @SpearbitDAO security researcher, @yAcademyDAO resident auditor, @developer_dao #459, @TheSecureum bootcamp-0, @code4rena warden