Blockchain · Easy

Event Horizon Web3

CTF writeup for Event Horizon Web3 from Next Hunt

//Event Horizon

>Challenge Summary

  • Contract: 0x5FbDB2315678afecb367f032d93F642f64180aa3

  • RPC: http://4.211.248.144:8545

  • Chain ID: 31337

  • Category: web3, bytecode-only target rejecting “standard transactions.”

>Tools

  • Foundry cast for on-chain reads and disassembly.

  • Basic hex-to-ASCII inspection (no source ABI available).

>Step 1 — Grab the Runtime Bytecode

bash

cast code --rpc-url http://4.211.248.144:8545 0x5FbDB2315678afecb367f032d93F642f64180aa3

This returns the full runtime bytecode, which has the form 0x6080...0033.

>Step 2 — Disassemble to Human-Readable EVM

bash

cast disassemble <bytecode>

Key things spotted in the disassembly:

  • Two function selectors checked in the dispatcher: 0x5c0df9a4 and 0xe9e9d0ee (not present in 4byte.directory).

  • Two literal strings in the data section: Synced and Rejected.

  • A pair of PUSH32 instructions containing a long ASCII-looking payload — likely the flag.

>Step 3 — Locate Embedded Strings

Scrolling near the tail of the disassembly shows:

0x045a: PUSH32 0x53796e6365640000...          => "Synced"
0x04c2: PUSH32 0x52656a65637465640000...      => "Rejected"
0x052a: PUSH32 0x6e657875737b357430723467335f4d316e316e675f346e645f4734355f4d3435
0x054c: PUSH32 0x7433727d00000000000000000000000000000000000000000000000000000000

Concatenating the last two PUSH32 payloads and decoding as ASCII yields:

nexus{5t0r4g3_M1n1ng_4nd_G45_M45t3r}

Because the flag is embedded as static data, no state changes or special calldata are required.
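The Step 3 search can be automated. The following is an added example, not code from the original writeup: it walks the bytecode opcode by opcode so that PUSH operands are never misread as instructions, and joins a full 32-byte string word with the string PUSH that follows it. The sample bytecode is constructed around the two PUSH32 words quoted above, and all function names are assumptions.

```python
PUSH1, PUSH32 = 0x60, 0x7F

def push_operands(code: bytes):
    """Yield (offset, operand) for each PUSH1..PUSH32, stepping over operand bytes."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            n = op - PUSH1 + 1                 # operand length in bytes
            yield pc, code[pc + 1 : pc + 1 + n]
            pc += n                            # operand bytes are data, not opcodes
        pc += 1

def ascii_constant(operand: bytes, min_len: int = 4):
    """Decode a zero-padded operand if every remaining byte is printable ASCII."""
    text = operand.rstrip(b"\x00")
    if len(text) >= min_len and all(0x20 <= b < 0x7F for b in text):
        return text.decode("ascii")
    return None

def embedded_strings(code: bytes, max_gap: int = 8):
    """List string constants. A full 32-byte word is joined with the next string
    PUSH when that PUSH starts within max_gap bytes (a string split across words)."""
    out, prev_end, prev_full = [], 0, False
    for pc, operand in push_operands(code):
        text = ascii_constant(operand)
        if text is None:
            continue
        if prev_full and pc - prev_end <= max_gap:
            out[-1] += text
        else:
            out.append(text)
        prev_end, prev_full = pc + 1 + len(operand), len(text) == 32
    return out

# Constructed sample, not the challenge's real bytecode: the two PUSH32 words
# from Step 3 plus "Synced", with filler opcodes chosen for illustration.
WORD_A = bytes.fromhex("6e657875737b357430723467335f4d316e316e675f346e645f4734355f4d3435")
WORD_B = bytes.fromhex("7433727d" + "00" * 28)
SAMPLE = (
    bytes.fromhex("6080604052")                         # PUSH1 0x80, PUSH1 0x40, MSTORE
    + b"\x61\x7f\x41"                                   # PUSH2 0x7f41: this 0x7f is data
    + b"\x7f" + b"Synced".ljust(32, b"\x00") + b"\x50"  # PUSH32 "Synced", POP
    + b"\x7f" + WORD_A + bytes.fromhex("600052")        # PUSH32, PUSH1 0x00, MSTORE
    + b"\x7f" + WORD_B + bytes.fromhex("602052")        # PUSH32, PUSH1 0x20, MSTORE
)

if __name__ == "__main__":
    for s in embedded_strings(SAMPLE):
        print(s)
```

A plain byte search for 0x7f would count four PUSH32 instructions in this sample; the opcode walk finds the real three because it skips the PUSH2 operand.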

>Step 4 — (Optional) Quick Storage Check

To confirm there is no hidden state gating the flag, I inspected the first couple of storage slots:

bash

cast storage --rpc-url http://4.211.248.144:8545 0x5FbDB2315678afecb367f032d93F642f64180aa3 0 2

Both slots were zero, reinforcing that the interesting bits are all in the bytecode constants.

>Flag

nexus{5t0r4g3_M1n1ng_4nd_G45_M45t3r}

>Takeaways

  • Disassembling runtime bytecode often reveals embedded constants and messages even without an ABI.

  • Searching for ASCII-looking PUSH data is a fast path to flags in many bytecode-only CTF contracts.

  • cast disassemble is lightweight and sufficient when the challenge discourages on-chain interaction.