NexHunt CTF 2025 - RustRoll

Overview

RustRoll implements a simplified blockchain/rollup node written in Rust. Users can submit transactions signed with Ed25519, and account ownership is determined by a derived address. The goal is to steal funds from a privileged “Vault” account.

Category	Difficulty	Flag
Blockchain	Medium	`nexus{Th1s-Is_A-Hard#Fl4g!}`

Analysis

Transaction Structure

The challenge defines a custom transaction format (120 bytes):

1
struct Transaction {
2
    from_addr: u32,    // 4 bytes (Little Endian)
3
    to_addr: u32,      // 4 bytes (Little Endian)
4
    amount: u64,       // 8 bytes (Little Endian)
5
    nonce: u64,        // 8 bytes (Little Endian)
6
    pubkey: [u8; 32],  // Ed25519 Public Key
7
    signature: [u8; 64]// Ed25519 Signature
8
}

Address Derivation

The from_addr field is only a 32-bit integer. Investigating the source (or black-box testing) reveals the address derivation logic involves Blake3 hashing:

1
# Derived Address Logic
2
addr = unpack_u32(blake3(pubkey)[0:4]) & 0xFFFFF

[!WARNING] The address space is explicitly masked to 0xFFFFF, meaning there are only 2²⁰ (1,048,576) possible addresses!

Reconnaissance

Connecting to the challenge instance reveals the target Vault:

addr=622488 balance=999358175823 nonce=49

Target Address: 622488
Goal: Steal funds (transfer to our account).

The Vulnerability

Since the address space is small (20 bits), we can easily perform an Address Collision Attack.

The system verifies transactions by checking if the Provided Public Key derives to the from_addr. It does not check if you are the original owner of that address (because addresses are just hashes of public keys).

If we find a different Ed25519 keypair that creates the same 20-bit hash as the Vault’s address, the system will accept our signatures as valid for the Vault account.

1
graph TD
2
    A[Generate Random Keypair] --> B[Calculate BLAKE3 Hash]
3
    B --> C[Truncate to 20 bits]
4
    C --> D{Equals 622488?}
5
    D -- No --> A
6
    D -- Yes --> E[Collision Found!]
7
    E --> F[Sign Transaction as Vault]

Exploit

1. Generating a Collision

We can bruteforce this in Python locally. With $2^{20}$ possibilities, it takes only a few seconds.

1
from blake3 import blake3
2
from nacl.signing import SigningKey
3
import struct
4

5
VAULT_ADDR = 622488
6

7
def addr_from_pk(pk: bytes) -> int:
8
    # First 4 bytes of Blake3 hash, masked to 20 bits
9
    return struct.unpack("<I", blake3(pk).digest()[:4])[0] & 0xFFFFF
10

11
print("[-] Bruteforcing collision...")
12
while True:
13
    sk = SigningKey.generate()
14
    pk = sk.verify_key.encode()
15

16
    if addr_from_pk(pk) == VAULT_ADDR:
17
        print(f"[+] Found Private Key: {sk.encode().hex()}")
18
        print(f"[+] Found Public Key:  {pk.hex()}")
19
        break

2. Crafting the Transaction

Once we have the keypair, we create a transaction transferring funds from the Vault (622488) to our target address (1337).

[!NOTE] Don’t forget to use the correct nonce! The recon showed the vault had nonce=49.

Solution Script

1
#!/usr/bin/env python3
2
import socket
3
import struct
4
import time
5
from nacl.signing import SigningKey
6
from blake3 import blake3
7

8
HOST = "4.211.248.144"
9
PORT = 8080
10

11
TARGET_TO = 1337
12
TARGET_AMOUNT = 13_371_337
13

14
def addr_from_pk(pk: bytes) -> int:
15
    return struct.unpack("<I", blake3(pk).digest()[:4])[0] & 0xFFFFF
16

17
def recv_all(s, timeout=0.3):
18
    s.settimeout(timeout)
19
    data = b""
20
    try:
21
        while True:
22
            data += s.recv(4096)
23
    except:
24
        pass
25
    return data.decode()
26

27
# 1. Connect and Recon
28
s = socket.socket()
29
s.connect((HOST, PORT))
30
recv_all(s)
31
s.sendall(b"LIST\n")
32
time.sleep(0.2)
33
data = recv_all(s)
34
s.close()
35

36
vault_addr = None
37
vault_nonce = None
38
max_balance = -1
39

40
# Parse LIST output to find the rich vault
41
for line in data.splitlines():
42
    if line.startswith("addr="):
43
        p = line.split()
44
        addr = int(p[0].split("=")[1])
45
        bal = int(p[1].split("=")[1])
46
        nonce = int(p[2].split("=")[1])
47
        if bal > max_balance:
48
            max_balance = bal
49
            vault_addr = addr
50
            vault_nonce = nonce
51

52
print(f"[*] Target Vault: {vault_addr} (Balance: {max_balance}, Nonce: {vault_nonce})")
53

54
# 2. Collision Attack
55
print("[*] Searching for key collision...")
56
collision_sk = None
57
collision_pk = None
58

59
while True:
60
    sk = SigningKey.generate()
61
    pk = sk.verify_key.encode()
62
    if addr_from_pk(pk) == vault_addr:
63
        collision_sk = sk
64
        collision_pk = pk
65
        break
66

67
print("[+] Collision found!")
68

69
# 3. Send Malicious Transaction
70
payload = struct.pack(
71
    "<IIQQ",
72
    vault_addr,
73
    TARGET_TO,
74
    TARGET_AMOUNT,
75
    vault_nonce
76
)
77

78
sig = collision_sk.sign(payload).signature
79
tx_blob = payload + collision_pk + sig
80

81
print(f"[+] TX Blob: {tx_blob.hex()}")
82
# Sending this blob to the server would trigger the flag

Flag: nexus{Th1s-Is_A-Hard#Fl4g!}