diff --git a/past/2021/README.md b/past/2021/README.md index 0e9a42a3..22010460 100644 --- a/past/2021/README.md +++ b/past/2021/README.md @@ -3,7 +3,6 @@ ## Before 2021 - List of Past DeFi Incidents 40 incidents included. - [20211221 Visor Finance](#20211221-visor-finance---reentrancy) [20211218 Grim Finance](#20211218-grim-finance---flashloan--reentrancy) @@ -34,6 +33,8 @@ [20210804 WaultFinance](#20210804-waultfinace---flashloan-price-manipulation) +[20210803 Popsicle](#20210803-popsicle---repeated-reward-claim---logic-flaw) + [20210728 Levyathan Finance](#20210728-levyathan-finance---i-lost-keys-and-minting-ii-vulnerable-emergencywithdraw) [20210710 Chainswap](#20210710-chainswap---bridge-logic-flaw) @@ -84,6 +85,25 @@ [20171106 Parity - 'Accidentally Killed It'](#20171106-parity---accidentally-killed-it) + + +### 20210803 Popsicle - Repeated Reward Claim - Logic Flaw + +### Lost: 20M + + +```sh +forge test --contracts ./src/test/Popsicle_exp.sol -vvv +``` +#### Contract +[Popsicle_exp.sol](src/test/Popsicle_exp.sol) +### Link reference + +https://blocksecteam.medium.com/the-analysis-of-the-popsicle-finance-security-incident-9d9d5a3045c1 + +--- + + ### 20211221 Visor Finance - Reentrancy #### Lost: $8.2 million diff --git a/src/test/Popsicle_exp.sol b/src/test/Popsicle_exp.sol index 58e3ee24..666c4d4c 100644 --- a/src/test/Popsicle_exp.sol +++ b/src/test/Popsicle_exp.sol 
@@ -328,7 +328,20 @@ contract TokenVault {
 (succ,) = target.call(dataTocall);
 }
 }
-//Note most of the vault attacks are in profit excent for wbtc and dai balances,something to check later,overall the poc is correct
+
+// @KeyInfo - Total Lost : 20M
+// Attacker : https://etherscan.io/address/0xf9E3D08196F76f5078882d98941b71C0884BEa52
+// Attack Contract : https://etherscan.io/address/0xdFb6faB7f4bc9512d5620e679E90D1C91C4EAdE6
+// Vulnerable Contract : https://etherscan.io/address/0xc4ff55a4329f84f9Bf0F5619998aB570481EBB48
+// Attack Tx : https://etherscan.io/tx/0xcd7dae143a4c0223349c16237ce4cd7696b1638d116a72755231ede872ab70fc
+
+// @Info
+// Vulnerable Contract Code : https://etherscan.io/address/0xc4ff55a4329f84f9Bf0F5619998aB570481EBB48#code
+
+// @Analysis
+// Post-mortem : https://blocksecteam.medium.com/the-analysis-of-the-popsicle-finance-security-incident-9d9d5a3045c1
+// Twitter Guy : https://twitter.com/BlockSecTeam/status/1422786223156776968
+// Hacking God : https://twitter.com/BlockSecTeam/status/1422786223156776968
 contract PopsicleExp is Test {
 using SafeERC20 for IERC20;
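Review bot: The new header block drops the caveat from the removed `//Note` line, which said the WBTC and DAI balances do not come out in profit in this PoC and still needed checking. Nothing in this hunk shows that was resolved, and the body of `PopsicleExp` lies outside the hunk, so I would keep the limitation visible under the header, e.g. `// @Note : most vault attacks are in profit except WBTC and DAI balances - to be checked`. The `Twitter Guy` and `Hacking God` lines carry the same URL, so one of them is redundant or was meant to point elsewhere. `Total Lost : 20M` has no currency unit; `~$20M` would be unambiguous if US dollars is what is meant.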