/tags/eh4x/ Recent content in Eh4x on Zero's Blog Hugo en-us Wed, 04 Mar 2026 14:00:00 +0700 /posts/eh4x-ctf-2026-writeup/ Wed, 04 Mar 2026 14:00:00 +0700 /posts/eh4x-ctf-2026-writeup/ <h2 id="overview">Overview</h2> <p>This post collects the solved EH4X CTF 2026 challenges and the practical exploitation approach used for each.</p> <h2 id="table-of-contents">Table of Contents</h2> <ul> <li><a href="#heist-v1-blockchain">Heist V1 (Blockchain)</a></li> <li><a href="#i-guess-bro-reverse">i-guess-bro (Reverse)</a></li> <li><a href="#womp-womp-pwn">Womp Womp (Pwn)</a></li> <li><a href="#lulocator-pwn">Lulocator (Pwn)</a></li> <li><a href="#sarcasm--sarcasm-pwn">SarcAsm / Sarcasm (Pwn)</a></li> <li><a href="#inferno-sprint-misc">Inferno Sprint (Misc)</a></li> <li><a href="#chusembly-misc">Chusembly (Misc)</a></li> <li><a href="#final-notes">Final Notes</a></li> </ul> <hr> <h2 id="heist-v1-blockchain">Heist V1 (Blockchain)</h2> <h3 id="tldr">TL;DR</h3> <p>The vault trusted governance too much. By setting governance to an attacker contract and abusing delegatecall execution, storage got overwritten (<code>admin</code>/<code>paused</code>), then funds could be withdrawn.</p>