Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing
5 changed files
with
327 additions
and
1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
// SPDX-License-Identifier: GPL-3.0-or-later | ||
pragma solidity 0.8.24; | ||
|
||
import "../../interfaces/external/ISSVWhitelistingContract.sol"; | ||
import "../../interfaces/ISSVClusters.sol"; | ||
import "./BeneficiaryContract.sol"; | ||
import "@openzeppelin/contracts/utils/introspection/ERC165.sol"; | ||
|
||
contract AttackerContract { | ||
address private ssvContract; | ||
|
||
constructor(address _ssvContract) { | ||
ssvContract = _ssvContract; | ||
} | ||
|
||
function startAttack( | ||
bytes calldata _publicKey, | ||
uint64[] memory _operatorIds, | ||
bytes calldata _sharesData, | ||
uint256 _amount, | ||
ISSVNetworkCore.Cluster memory _cluserData | ||
) external { | ||
ISSVClusters(ssvContract).registerValidator(_publicKey, _operatorIds, _sharesData, _amount, _cluserData); | ||
} | ||
} |
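Review bot: AttackerContract has no NatSpec, and three of its four imports (`ISSVWhitelistingContract.sol`, `BeneficiaryContract.sol`, `ERC165.sol`) are never used in this file. I would drop those imports and add a header such as `/// @notice Test helper: forwards registerValidator to the configured SSV contract so the call originates from a contract.` above the contract, assuming this is test-only code as the name suggests. `ISSVNetworkCore.Cluster` in `startAttack` is presumably resolved transitively through `ISSVClusters.sol`; an explicit import would make that dependency visible. `ssvContract` is written only in the constructor, so `address private immutable ssvContract;` fits, and `_cluserData` looks like a typo for `_clusterData`.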
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
// SPDX-License-Identifier: GPL-3.0-or-later | ||
pragma solidity 0.8.24; | ||
|
||
import "../../interfaces/external/ISSVWhitelistingContract.sol"; | ||
import "../../interfaces/ISSVClusters.sol"; | ||
import "./BeneficiaryContract.sol"; | ||
import "@openzeppelin/contracts/utils/introspection/ERC165.sol"; | ||
import "hardhat/console.sol"; | ||
|
||
/// @notice Whitelisted contract that passes the validatity check of supporting ISSVWhitelistingContract | ||
/// and tries to re-enter SSVNetwork.registerValidator function. | ||
contract BadOperatorWhitelistingContract is ERC165 { | ||
BeneficiaryContract private beneficiaryContract; | ||
|
||
constructor(BeneficiaryContract _beneficiaryContract) { | ||
beneficiaryContract = _beneficiaryContract; | ||
} | ||
|
||
function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) { | ||
return interfaceId == type(ISSVWhitelistingContract).interfaceId || super.supportsInterface(interfaceId); | ||
} | ||
|
||
fallback() external { | ||
bytes4 selector = bytes4(msg.data); | ||
// only proceed if the function being called is isWhitelisted | ||
if (selector == ISSVWhitelistingContract.isWhitelisted.selector) { | ||
// decode the operator Id | ||
(uint256 operatorId) = abi.decode(msg.data[36:], (uint256)); | ||
// call BeneficiaryContract to withdraw operator earnings | ||
beneficiaryContract.withdrawOperatorEarnings(10000000); | ||
} | ||
} | ||
} |
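Review bot: The NatSpec above BadOperatorWhitelistingContract says it re-enters `SSVNetwork.registerValidator`, but the fallback calls `beneficiaryContract.withdrawOperatorEarnings(10000000)`. The comment appears to be copied from the sibling mock and should read `/// and tries to re-enter SSVNetwork.withdrawOperatorEarnings through BeneficiaryContract.` The decoded `operatorId` is never used, so the `abi.decode(msg.data[36:], ...)` line only adds an unused-variable warning and an extra revert path on short calldata; remove it or use the value. The fallback also returns no data, so a caller that decodes a `bool` from `isWhitelisted` would likely revert even if the inner call succeeded (the caller is not visible here). The test using this mock should therefore assert the specific revert reason, not just that a revert occurred.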
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
// SPDX-License-Identifier: GPL-3.0-or-later | ||
pragma solidity 0.8.24; | ||
|
||
import "../../interfaces/external/ISSVWhitelistingContract.sol"; | ||
import "../../interfaces/ISSVOperators.sol"; | ||
import "@openzeppelin/contracts/utils/introspection/ERC165.sol"; | ||
import "hardhat/console.sol"; | ||
|
||
contract BeneficiaryContract { | ||
ISSVOperators private ssvContract; | ||
uint64 private targetOperatorId; | ||
|
||
constructor(ISSVOperators _ssvContract) { | ||
ssvContract = _ssvContract; | ||
} | ||
|
||
function setTargetOperatorId(uint64 _operatorId) external { | ||
targetOperatorId = _operatorId; | ||
} | ||
|
||
function withdrawOperatorEarnings(uint256 amount) external { | ||
// Call SSVNetwork contract, acting as the owner of the operator to try withdraw earnings | ||
ISSVOperators(ssvContract).withdrawOperatorEarnings(targetOperatorId, amount); | ||
} | ||
|
||
function registerOperator() external returns (uint64 operatorId) { | ||
return ISSVOperators(ssvContract).registerOperator("0xcafecafe", 100000000); | ||
} | ||
} |
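Review bot: In `registerOperator`, `"0xcafecafe"` is a string literal, so the public key passed is the ten ASCII characters, not four bytes. If raw bytes were intended, write `hex"cafecafe"`; otherwise a short comment saying the value is an arbitrary placeholder would avoid the question. `ssvContract` is already typed `ISSVOperators`, so the casts are redundant and the call can be `ssvContract.withdrawOperatorEarnings(targetOperatorId, amount);`. The imports of `ISSVWhitelistingContract.sol`, `ERC165.sol` and `hardhat/console.sol` are unused in this file. `setTargetOperatorId` has no access restriction, which is fine for a mock, but the contract has no NatSpec saying it is one; I would add `/// @notice Test helper that owns an operator and forwards withdrawOperatorEarnings to the SSV contract.`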
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
// SPDX-License-Identifier: GPL-3.0-or-later | ||
pragma solidity 0.8.24; | ||
|
||
import "../../interfaces/external/ISSVWhitelistingContract.sol"; | ||
import "@openzeppelin/contracts/utils/introspection/ERC165.sol"; | ||
|
||
/// @notice Whitelisted contract that passes the validatity check of supporting ISSVWhitelistingContract | ||
/// and tries to re-enter SSVNetwork.registerValidator function. | ||
contract FakeWhitelistingContract is ERC165 { | ||
struct Cluster { | ||
uint32 validatorCount; | ||
uint64 networkFeeIndex; | ||
uint64 index; | ||
bool active; | ||
uint256 balance; | ||
} | ||
|
||
bytes private publicKey; | ||
uint64[] private operatorIds; | ||
bytes private sharesData; | ||
uint256 private amount; | ||
Cluster private clusterData; | ||
|
||
address private ssvContract; | ||
|
||
constructor(address _ssvContract) { | ||
ssvContract = _ssvContract; | ||
} | ||
|
||
function setRegisterValidatorData( | ||
bytes calldata _publicKey, | ||
uint64[] memory _operatorIds, | ||
bytes calldata _sharesData, | ||
uint256 _amount, | ||
Cluster memory _cluserData | ||
) external { | ||
publicKey = _publicKey; | ||
operatorIds = _operatorIds; | ||
sharesData = _sharesData; | ||
amount = _amount; | ||
clusterData = _cluserData; | ||
} | ||
|
||
function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) { | ||
return interfaceId == type(ISSVWhitelistingContract).interfaceId || super.supportsInterface(interfaceId); | ||
} | ||
|
||
fallback() external { | ||
bytes4 selector = bytes4(msg.data); | ||
if (selector == ISSVWhitelistingContract.isWhitelisted.selector) { | ||
// Encoding the registerValidator function selector and arguments | ||
bytes memory data = abi.encodeWithSignature( | ||
"registerValidator(bytes,uint64[],bytes,uint256,(uint32,uint64,uint64,bool,uint256))", | ||
publicKey, | ||
operatorIds, | ||
sharesData, | ||
amount, | ||
clusterData | ||
); | ||
// Making the low-level call | ||
(bool success, bytes memory returnData) = ssvContract.call(data); | ||
|
||
// Handling the call response | ||
if (!success) revert("Call failed or was reverted"); | ||
} | ||
} | ||
} |
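Review bot: The fallback replaces whatever revert the inner `ssvContract.call(data)` produced with the fixed string "Call failed or was reverted" and never reads `returnData`. A test using this mock therefore cannot tell a re-entrancy guard from any other failure of `registerValidator`, for example invalid cluster data or a selector mismatch in the hand-written signature string. Bubbling the original reason keeps the assertion precise: `if (!success) { assembly { revert(add(returnData, 32), mload(returnData)) } }`. The local `Cluster` struct and the tuple in the signature string duplicate a definition that lives elsewhere. Building the calldata with `abi.encodeCall` against the `ISSVClusters` interface and its own cluster type would let the compiler catch drift, but the interface is not visible in this section, so confirm the types line up.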