From 5a5b2bf6cd232988259f095fa1cb85c9b35ab382 Mon Sep 17 00:00:00 2001
From: InfoSec-US-Team <93061989+infosec-us-team@users.noreply.github.com>
Date: Fri, 22 Dec 2023 16:04:55 -0500
Subject: [PATCH] A realistic way of funding an attacker's account when testing

To avoid discovering false-positives, and promote the use of "good practices" within the web3 whitehat community, we are adding to **Forge POC Templates** the `dealFrom( token, from, to, amount )` cheat-code, which impersonates the user `from` using the `prank` cheat-code and does a normal transfer with `token.transfer(to, amount)`. The implementation is very simple: ```solidity /** * @notice transfers tokens from one address to another using a Prank call. * @param token The address of the ERC20 token to transfer. * @param from The address to transfer tokens from. * @param to The address to transfer tokens to. * @param amount The amount of tokens to transfer. */ function dealFrom( address token, address from, address to, uint256 amount ) public { vm.prank(from); IERC20(token).transfer(to, amount); } ``` This is the most realistic way of funding an attacker's balance while testing a system or creating a proof of concept.
---
 src/tokens/Tokens.sol | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/tokens/Tokens.sol b/src/tokens/Tokens.sol
index 21a2ee2..323c857 100644
--- a/src/tokens/Tokens.sol
+++ b/src/tokens/Tokens.sol
@@ -18,6 +18,18 @@ abstract contract Tokens is Test {
 deal(address(token), to, amount);
 }
 }
+
+ /**
+ * @notice Transfers tokens from one address to another using a Prank call.
+ * @param token The IERC20 token to transfer.
+ * @param from The address to transfer tokens from.
+ * @param to The address to transfer tokens to.
+ * @param amount The amount of tokens to transfer.
+ */
+ function dealFrom(IERC20 token, address from, address to, uint256 amount) public {
+ vm.prank(from);
+ token.transfer(to, amount);
+ }
 }
 
 library EthereumTokens {
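Review bot: The boolean returned by `token.transfer(to, amount)` in the new `dealFrom` body is discarded, so a token that reports failure by returning false rather than reverting leaves `to` unfunded while the test keeps running — the kind of false positive this helper is meant to rule out. A one-line guard fixes it: `require(token.transfer(to, amount), "dealFrom: transfer failed");`, and asserting afterwards that `token.balanceOf(to)` grew by exactly `amount` would additionally surface fee-on-transfer tokens, where a "successful" transfer delivers less than requested. The snippet in the commit description declares the first parameter as `address token` and casts with `IERC20(token)`, whereas the patched signature takes `IERC20 token`; aligning the description with the code avoids confusing readers of the commit. The enclosing contract `Tokens` begins before this hunk.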