Commit
A realistic way of funding an attacker's account when testing
To avoid discovering false-positives, and promote the use of "good practices" within the web3 whitehat community, we are adding to **Forge POC Templates** the `dealFrom( token, from, to, amount )` cheat-code, which impersonates the user `from` using the `prank` cheat-code and does a normal transfer with `token.transfer(to, amount)`.

The implementation is very simple:

```solidity
/**
 * @notice transfers tokens from one address to another using a Prank call.
 * @param token The address of the ERC20 token to transfer.
 * @param from The address to transfer tokens from.
 * @param to The address to transfer tokens to.
 * @param amount The amount of tokens to transfer.
 */
function dealFrom(
    address token,
    address from,
    address to,
    uint256 amount
) public {
    vm.prank(from);
    IERC20(token).transfer(to, amount);
}
```

This is the most realistic way of funding an attacker's balance while testing a system or creating a proof of concept.
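An added example, not part of the commit or the Forge POC Templates code: a Forge test that exercises the helper against a constructed token, showing that funding moves an existing holder's balance, leaves `totalSupply` unchanged, and reverts when the holder does not own the requested amount. `MockToken`, the two addresses, the test names and the locally declared `IERC20` interface are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "forge-std/Test.sol";

interface IERC20 { // minimal local interface (assumption for this example)
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed token for the example; not a real deployment.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    constructor(address holder, uint256 supply) {
        balanceOf[holder] = supply;
        totalSupply = supply;
    }
    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract DealFromExampleTest is Test {
    MockToken mock;
    address holder = address(0xA11CE); // existing token holder (constructed)
    address tester = address(0xB0B);   // account funded for the PoC (constructed)
    function setUp() public {
        mock = new MockToken(holder, 1_000e18);
    }
    // Same body as the helper in the commit message.
    function dealFrom(address token, address from, address to, uint256 amount) public {
        vm.prank(from);
        IERC20(token).transfer(to, amount);
    }

    function test_fundingMovesRealBalance() public {
        dealFrom(address(mock), holder, tester, 400e18);
        assertEq(mock.balanceOf(tester), 400e18);
        assertEq(mock.balanceOf(holder), 600e18); // holder actually paid
        assertEq(mock.totalSupply(), 1_000e18);   // no tokens created
    }

    function test_cannotFundMoreThanHolderOwns() public {
        vm.expectRevert(bytes("insufficient balance"));
        dealFrom(address(mock), holder, tester, 1_001e18);
    }
}
```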