https://github.com/CyberHoward/cosmwasm-re-entrancy-example
An example re-entrancy attack on a flashloan vault.
- Host: GitHub
- URL: https://github.com/CyberHoward/cosmwasm-re-entrancy-example
- Owner: CyberHoward
- License: mit
- Created: 2022-11-24T09:48:26.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2022-11-25T08:55:26.000Z (over 2 years ago)
- Last Synced: 2024-11-04T20:42:09.494Z (6 months ago)
- Language: Rust
- Size: 255 KB
- Stars: 16
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# CosmWasm re-entrancy Exploit Example
> The exploit example is located in `contracts/liquidity_hub/vault-network/exploit_contract`.
A vault in `contracts/liquidity_hub/vault-network/vault` allows users to get a flashloan for a fee.
The user provides a callback for the flashloan, which is sandwiched between the vault's own messages. The execution order is:
- Call vault for flashloan.
- Vault sends tokens, executes the callback and **inserts its own callback**.
- The calling contract executes whatever it wishes with the received funds.
- The vault callback executes.

The vault contract can ensure that all lent-out funds are returned by the borrower by extending the `Response` with a callback [`vault::CallbackMsg::AfterTrade`]. This callback is guaranteed to be the last call in the execution order.
The edge case that was overlooked is the one in which the borrower performs a deposit with the lent funds. This edge case is shown to be exploitable in `tests/exploit.rs`.
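
The overlooked edge case can be modelled in plain Rust. This is an added illustration, not code from the repository: the `Vault` struct, its `guard` flag and `borrower_deposits_loan` are hypothetical names, and it assumes the `AfterTrade` check compares only the vault's token balance, so a deposit made during the callback both satisfies the check and mints shares. With `guard` set, deposits are refused while a loan is active, which is one possible mitigation.

```rust
// Simplified vault model (constructed for illustration; not the repository's contract code).
#[derive(Default)]
struct Vault {
    balance: u128,     // tokens held by the vault
    shares: u128,      // total shares issued to depositors (1 share per token here)
    loan_active: bool, // true between loan payout and the closing check
    guard: bool,       // hypothetical mitigation: refuse deposits during a loan
}

impl Vault {
    fn deposit(&mut self, amount: u128) -> Result<u128, &'static str> {
        if self.guard && self.loan_active {
            return Err("deposit rejected: flash loan in progress");
        }
        self.balance += amount;
        self.shares += amount;
        Ok(amount) // shares minted to the depositor
    }

    // `callback` stands in for the borrower's messages; the final balance
    // comparison plays the role of the vault's AfterTrade callback.
    fn flash_loan<F>(&mut self, amount: u128, fee: u128, callback: F) -> Result<(), &'static str>
    where
        F: FnOnce(&mut Vault, u128) -> Result<(), &'static str>,
    {
        let before = self.balance;
        self.balance -= amount;
        self.loan_active = true;
        let result = callback(&mut *self, amount);
        self.loan_active = false;
        result?; // on chain, an error here reverts the whole transaction
        if self.balance < before + fee { return Err("loan not repaid"); }
        Ok(())
    }
}

/// Returns the loan result and the shares the borrower holds afterwards.
fn borrower_deposits_loan(guard: bool) -> (Result<(), &'static str>, u128) {
    let mut vault = Vault { balance: 1_000, shares: 1_000, guard, ..Default::default() };
    let mut borrower_shares = 0;
    let result = vault.flash_loan(500, 5, |v, lent| {
        borrower_shares = v.deposit(lent + 5)?; // lent funds plus the fee
        Ok(())
    });
    (result, borrower_shares)
}

fn main() { println!("{:?} / {:?}", borrower_deposits_loan(false), borrower_deposits_loan(true)); }
```

Without the guard the loan closes successfully while the borrower holds shares for the full deposited amount, although only the fee came from its own funds.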
## Run
`cd` into `contracts/liquidity_hub/vault-network/exploit_contract` and run `cargo test`. The exploit test can be viewed in `tests/exploit.rs`.