mouseless-eth / rusty-sando

Implementation of a competitive v2/v3 multi-meat MEV sandwich bot written using Rust and Huff.
MIT License

Recover WETH and ETH JUMPDEST #36

Closed SadeRespector closed 1 year ago

SadeRespector commented 1 year ago

Testing the JUMPDEST for recover WETH when using cast send for recover ETH and WETH results in "(code: -32000, message: invalid jump destination, data: None)"

used>> cast send --rpc-url https://goerli.infura.io/v3/7f4a751c20c34aaa81865fc15e95d236 --private-key 0x04d3fA39350C28FD5B192129f3f962C09CA5FCFa 0x41
Error: (code: -32000, message: invalid jump destination, data: None)

0xDmtri commented 1 year ago

> Testing the JUMPDEST for recover WETH when using cast send for recover ETH and WETH results in "(code: -32000, message: invalid jump destination, data: None)"
>
> used>> cast send --rpc-url https://goerli.infura.io/v3/7f4a751c20c34aaa81865fc15e95d236 --private-key 0x04d3fA39350C28FD5B192129f3f962C09CA5FCFa 0x41
> Error: (code: -32000, message: invalid jump destination, data: None)

read the code dude, you need to encode amt as well. abi.encodePacked(jumpdest, amount)

SadeRespector commented 1 year ago

I was able to recover WETH using cast send --rpc-url https://goerli.infura.io/v3/7f4a751c20c34aaa81865fc15e95d236 --private-key 0x04d3fA39350C28FD5B192129f3f962C09CA5FCFa 0x37000000000000000000000000000000000000000000000000016345785d8a0000

The documentation says recover WETH is used with the 0x41 jumpdest; however, I was able to successfully recover the WETH using the 0x37 jumpdest, with the amount out calculated using the ethers to-hex function and attached to the payload. Will close the issue when I figure out if recover WETH is possible with a different jumpdest.

SadeRespector commented 1 year ago

> > Testing the JUMPDEST for recover WETH when using cast send for recover ETH and WETH results in "(code: -32000, message: invalid jump destination, data: None)"
> >
> > used>> cast send --rpc-url https://goerli.infura.io/v3/7f4a751c20c34aaa81865fc15e95d236 --private-key 0x04d3fA39350C28FD5B192129f3f962C09CA5FCFa 0x41
> > Error: (code: -32000, message: invalid jump destination, data: None)
>
> read the code dude, you need to encode amt as well. abi.encodePacked(jumpdest, amount)

I will try this as well; I was sending raw data and not using abi.encode.

SadeRespector commented 1 year ago

The JUMPDEST for recover ETH is 0x32. I found this by running the test and logging the JUMPDEST returned from the contract SandoCommon.

[37292] SandoTest::testRecoverEth()
├─ [0] VM::startPrank(me)
│   └─ ← ()
├─ [9503] SandoCommon::getJumpDestFromSig(recoverEth) [delegatecall]
│   └─ ← 50
├─ [172] 0xf92CE891Ab58B70486487043DD3f2e6eD713e019::fallback()
│   ├─ [0] me::fallback()
│   │   └─ ← ()
│   └─ ← ()
├─ [9503] SandoCommon::getJumpDestFromSig(recoverEth) [delegatecall]
│   └─ ← 50
├─ [0] console::f5b1bba9(0000000000000000000000000000000000000000000000000000000000000032) [staticcall]
│   └─ ← ()
└─ ← ()

[69940] SandoTest::testRecoverWeth()
├─ [0] VM::startPrank(me)
│   └─ ← ()
├─ [2534] 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2::balanceOf(0xf92CE891Ab58B70486487043DD3f2e6eD713e019) [staticcall]
│   └─ ← 0x0000000000000000000000000000000000000000000000056bc75e2d63100000
├─ [2534] 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2::balanceOf(me) [staticcall]
│   └─ ← 0x0000000000000000000000000000000000000000000000000000000000000000
├─ [10299] SandoCommon::getJumpDestFromSig(recoverWeth) [delegatecall]
│   └─ ← 55
├─ [21385] 0xf92CE891Ab58B70486487043DD3f2e6eD713e019::37000000(0000000000000000000000000000000000000000056bc75e2d63100000)
│   ├─ [21162] 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2::transfer(me, 100000000000000000000 [1e20])
│   │   ├─ emit Transfer(from: 0xf92CE891Ab58B70486487043DD3f2e6eD713e019, to: me, amount: 100000000000000000000 [1e20])
│   │   └─ ← 0x0000000000000000000000000000000000000000000000000000000000000001
│   └─ ← ()
├─ [10299] SandoCommon::getJumpDestFromSig(recoverWeth) [delegatecall]
│   └─ ← 55
├─ [0] console::f5b1bba9(0000000000000000000000000000000000000000000000000000000000000037) [staticcall]
│   └─ ← ()
├─ [534] 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2::balanceOf(0xf92CE891Ab58B70486487043DD3f2e6eD713e019) [staticcall]
│   └─ ← 0x0000000000000000000000000000000000000000000000000000000000000000
├─ [534] 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2::balanceOf(me) [staticcall]
│   └─ ← 0x0000000000000000000000000000000000000000000000056bc75e2d63100000
└─ ← ()

If you look at the console lines in both of these tests you can see where I got my jumpdests from. Hope this helps people.
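The packed payload layout discussed in this thread (one jumpdest byte followed by a 32-byte amount, as the `testRecoverWeth` trace shows), written out as an added example that is not code from the repository or from any commenter. The helper names are hypothetical, and the jumpdest 0x37 is the value logged in the thread's test; treating it as specific to that build of the contract is an assumption.

```python
from decimal import Decimal

WEI_PER_ETHER = 10**18
UINT256_MAX = 2**256 - 1
PACKED_LEN = 1 + 32  # uint8 jumpdest + uint256 amount


def ether_to_wei(amount: str) -> int:
    """Convert a decimal ether string to wei without float rounding."""
    wei = Decimal(amount) * WEI_PER_ETHER
    if wei < 0 or wei != wei.to_integral_value():
        raise ValueError(f"not a whole, non-negative wei amount: {amount}")
    return int(wei)


def pack_calldata(jumpdest: int, amount_wei: int) -> str:
    """Same bytes as abi.encodePacked(uint8 jumpdest, uint256 amount)."""
    if not 0 <= jumpdest <= 0xFF:
        raise ValueError("jumpdest must fit in one byte")
    if not 0 <= amount_wei <= UINT256_MAX:
        raise ValueError("amount must fit in uint256")
    return "0x" + bytes([jumpdest]).hex() + amount_wei.to_bytes(32, "big").hex()


def unpack_calldata(payload: str) -> tuple:
    """Split a packed payload into (jumpdest, amount_wei); reject bad lengths."""
    hex_part = payload[2:] if payload.startswith("0x") else payload
    raw = bytes.fromhex(hex_part)
    if len(raw) != PACKED_LEN:
        raise ValueError(f"expected {PACKED_LEN} bytes (1 + 32), got {len(raw)}")
    return raw[0], int.from_bytes(raw[1:], "big")


if __name__ == "__main__":
    # Constructed sample: 100 WETH with the jumpdest logged in the test trace.
    payload = pack_calldata(0x37, ether_to_wei("100"))
    print(payload)
    print(unpack_calldata(payload))
    # A bare one-byte payload like the first post's "0x41" carries no amount.
    try:
        unpack_calldata("0x41")
    except ValueError as err:
        print("rejected:", err)
```

Running `unpack_calldata` on a payload before passing it to `cast send` catches a missing or mis-sized amount locally instead of at the node.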