MATHLETE PARSING ATTEMPT

# MATHLETE PARSING ATTEMPT ### This nerd here https://etherscan.io/tx/0x060c88431464162a67f7390f7a15df50f096d67b07c849893949a7407b4f0a5a #### So, I've broken this down by "sections" We found the very first 4byte in the deployed contract, see below 0xc348eaf7 : check decompiled contract shits ![](https://i.imgur.com/YbwrDaZ.png) ``` 0000000000000000000000000000000000000000000605c11ada422151c47400 #flash loan size 0000000000000000000000001111111254fb6c44bac0bed2854e76f90643097d #1inch v4 0000000000000000000000000000000000000000000000000000000000000060 # offset dynamic data 0000000000000000000000000000000000000000000000000000000000000408 # 1032 bytes of data ``` Above, you can see the params, and the 1032 bytes matches approx the lengh of the whole message (there's some zero padding at the very end) Next section, we hit the 1inch 4byte. 7c025200 : swap(address,(address,address,address,address,uint256,uint256,uint256,bytes),bytes) ``` 000000000000000000000000220bda5c8994804ac96ebe4df184d25e5c2196d4 # Weird 1inch contract 0000000000000000000000000000000000000000000000000000000000000060 <-- what is happening 0000000000000000000000000000000000000000000000000000000000000180 <-- in these two lines ``` I don't understand the `0x60` and `0x180` up above -- I would expect the `0x60` to be `0x40` #### #### The four addresses of the 1inch swap ``` 0000000000000000000000006b175474e89094c44da98b954eedeac495271d0f # DAI 000000000000000000000000a0b86991c6218b36c1d19d4a2e9eb0ce3606eb48 # USDC 000000000000000000000000220bda5c8994804ac96ebe4df184d25e5c2196d4 # Weird 1inch contract 0000000000000000000000004bba760285eddc7d64060298fe683fe443b1b806 # Hacker contract ``` Why is he using this **other** 1inch contract for this swap? #### #### The 3 uints in the call ``` 00000000000000000000000000000000000000000002f39f6d3a2ddd7a392c00 # QTY DAI 0000000000000000000000000000000000000000000000000000033dfc35c22a # MIN USDC RCVD 0000000000000000000000000000000000000000000000000000000000000004 # 4 args in array ``` #### The last bytes arg to 1inch swap ``` 0000000000000000000000000000000000000000000000000000000000000100 # Zero 0000000000000000000000000000000000000000000000000000000000000000 # Fucking 0000000000000000000000000000000000000000000000000000000000000260 # Clue 0000000000000000000000000000000000000000000000000000000000000040 # WTF 0000000000000000000000000000000000000000000000000000000000000002 # 2 args in array 0000000000000000000000000000000000000000000000000000000000000040 # ?? 0000000000000000000000000000000000000000000000000000000000000140 # ?? ``` This next section is very unusual -- I don't understand the whole mess... #### The unknown bytes ``` 8000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000000000000060 0000000000000000000000000000000000000000000000000000000000000064 ``` Now this is how we interact with the DSS PSM The `64` is saying `4byte + 3 32bit words` eb5625d9 : safeApprove(address,address,uint256) ``` 0000000000000000000000006b175474e89094c44da98b954eedeac495271d0f # DAI 00000000000000000000000089b78cfa322f6c5de0abceecab66aee45393cc5a # DSS PSM 00000000000000000000000000000000000000000002f39f6d3a2ddd7a392c00 # QTY ``` #### More unknown shit ``` 0000000000000000000000000000000000000000000000000000000080000000 000000000000000089b78cfa322f6c5de0abceecab66aee45393cc5a00000000 0000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000000000000000000000000000006000000000 00000000000000000000000000000000000000000000000000000044 ``` The `44` is saying `4byte + 2 32bit words` 8d7ef9bb : buyGem(address,uint256) ``` 0000000000000000000000001111111254fb6c44bac0bed2854e76f90643097d # 1inch router 0000000000000000000000000000000000000000000000000000033ed0e61dd8 # QTY Gems to buy ``` #### Yet more unknown shit ``` 00000000000000000000000000000000000000000000000000000000cfee7c08 000000000000000000000000000000000000000000000000 ```