This story was originally published on HackerNoon at: https://hackernoon.com/exploiting-eip-7702-delegation-in-the-ethernaut-cashback-challenge-a-step-by-step-writeup.
How to exploit EIP-7702 delegation flaws: A deep dive into the Ethernaut Cashback challenge with bytecode hacks and storage attacks
Check more stories related to web3 at: https://hackernoon.com/c/web3. You can also check exclusive content about #ethernaut, #eip-7702, #security, #exploiting-eip-7702, #eip-7702-delegation, #paywithcashback, #cashback-contract, #hackernoon-top-story, and more.
This story was written by: @hacker39947670. Learn more about this writer by checking @hacker39947670's about page, and for more stories, please visit hackernoon.com.
The Ethernaut Cashback challenge exploits flawed EIP-7702 delegation security. The contract's modifiers assume strict access controls, but have critical vulnerabilities: First exploit: Craft a contract with the Cashback address embedded in bytecode at the expected offset, bypassing the onlyDelegatedToCashback modifier. Jump over the address to execute normally. Call accrueCashback directly to gain max cashback for both currencies and one NFT. Second exploit: Use storage collision—delegate your EOA to a contract that writes to the same nonce slot, inject nonce = 9999, then re-delegate to Cashback and execute one final transaction to reach nonce 10,000 and mint a second NFT with your player address. Key lesson: Never store security-critical state in EOAs—delegation allows unrestricted storage manipulation across delegated contracts.Retry