**TLDR** (Full writeup @ [https://www.nullhardware.com/reference/hacking-101/picoctf-2022-greatest-hits/solfire/](https://www.nullhardware.com/reference/hacking-101/picoctf-2022-greatest-hits/solfire/))
1. To successfully call into `handle_withdraw`, the first account (index 0) must contain the substring `C1ock` in its base58-encoded address. The account does not need to exist or hold initialized data, but it **MUST NOT** be `SysvarC1ock11111111111111111111111111111111` (that account contains valid clock data and will not pass the timestamp check).
2. `handle_withdraw` contains an off-by-one error, allowing you to read/write past the end of ledger data.
3. This is *only* exploitable if you manually create the account yourself with exactly `0` data bytes allocated and specify `solfire.so` as the owner.
4. Call `handle_withdraw` with the offset set to `0x280` and a lamport value of approximately 50,000 or more (*but not too much more*). You will also be required to know the nonce for the vault account.
5. ...
6. Profit!