✅Operation magic redemption

AMAZEX-DSS-PARIS/src/1_MagicETH/README.md at main · ret2basic/AMAZEX-DSS-PARISGitHub

MagicETH

Objective

A prominent protocol, InsecStar, finds itself under attack. Their token, MagicETH (mETH), has been drained through an exploit in their borrow & loan protocol.

InsecStar has urgently summoned you to devise a method to recover the stolen tokens and redeem them for ETH before the situation worsens. This is a critical test of your capabilities. Can you rise to the occasion and secure the tokens, thereby reinforcing the strength and resilience of the Ethereum ecosystem?

📌 Recover 1000 mETH from the exploiter wallet.

📌 Convert the mETH to ETH to avoid further losses.

🗒️ Concepts you should be familiar with (spoilers!)

• The ERC20 token standard

• Review the $DEI incident.

---

The contracts that you will hack are:

• MagicETH.sol

The test script where you will have to write your solution is:

• Challenge1.t.sol

Writeup

In burnFrom():

uint256 currentAllowance = allowance(msg.sender, account);

Always check if the parameters are provided in correct order. In this case, the function definition is allowance(address owner, address spender), and clearly msg.sender shouldn't be the owner. The variable currentAllowance is used here:

_approve(account, msg.sender, currentAllowance - amount);

Developer assumed this line is going to reduce msg.sender's allowance on account. However, due to the bug in currentAllowance, we can first call approve() to grant max allowance for exploiter and then call burnFrom(exploiter, 0) to trigger:

_approve(exploiter, whitehat, type(uint256).max);

After that a simple transferFrom() call will take all mETH from the exploiter.

PoC

AMAZEX-DSS-PARIS/test/Challenge1.t.sol at main · ret2basic/AMAZEX-DSS-PARISGitHub

MagicETH PoC