
Mr Steal Yo Crypto - Jpeg Sniper
Disclaimer: This is not a walkthrough of every contract or code of the challenge. I am sharing my notes and resources I have used to complete this challenge, as well as some lessons I think are useful to take away after completing the challenge. I highly recommend you finish the challenge yourself first and only use this as additional content. Notes: BaseLaunchpegNFT is basically an ERC721 ownable token that uses the counters contract to track the number of NFTs for functions that return the total...

Synopsis of DeFiRanger: Detecting Price Manipulation Attacks On DeFi Applications
Paper Source: https://arxiv.org/pdf/2104.15068.pdf Introduction: The most popular DeFi applications are Decentralized Exchanges (DEXes) and lending apps. They both heavily depend on getting the price of an asset correct. There are two types of attacks that manipulate the price of an asset: direct and indirect price manipulation attacks. As the name suggests, the former means that an attacker directly manipulates the token price in a pool of an AMM. It is usually achieved through performing a...

Mr Steal Yo Crypto - Game Assets
Disclaimer: This is not a walkthrough of every contract or code of the challenge. I am sharing my notes and resources I have used to complete this challenge, as well as some lessons I think are useful to take away after completing the challenge. I highly recommend you finish the challenge yourself first and only use this as additional content. Notes: GameAsset and AssetHolder seem like normal ERC721 and ERC1155 contracts. Looking at the AssetWrapper contract's wrap function, we see it immediately calls _w...
Web3 Security and Hacks that I find interesting.



This is not a walkthrough of every contract or code of the challenge. I am sharing my notes and resources I have used to complete this challenge, as well as some lessons I think are useful to take away after completing the challenge. I highly recommend you finish the challenge yourself first and only use this as additional content.
Since we start with 10_000 USDC, I tried to figure out a way to manipulate the calculation uint256 r = (balance() * _shares) / (totalSupply()) in withdraw by transferring some USDC directly, but could not find a way.
deposit seems susceptible to a first deposit attack / inflation attack, since it just mints shares when totalSupply() == 0 and does not mint them to address(0) like Uniswap does.
We can't use this, however, since in the test file somebody has already deposited 10_000 USDC in the vault.
depositFor takes an arbitrary token address as an input parameter.
Allowing a user to specify which token to use with IERC20(token) is never a good idea, because an attacker can always create their own token and use it in a malicious way.
As soon as a user can specify which external function a contract will execute, it can be used in a malicious way.
We can create a new contract that calls depositFor and passes its own address as token, with a custom transferFrom function implemented on that contract.
In transferFrom we transfer USDC to SafuVault and call depositFor again to reenter the contract.
Check out my comments on the depositFor function in SafuVault for a better understanding of how funds increase with every reentry - here
Also, I highly suggest increasing the verbosity when executing the test file to see all function calls.
If there is more than one way to deposit / withdraw funds, make sure all of them do it in the same way, and make sure that way is not exploitable.
Compare opposite functions like deposit and withdraw - do they do the inverse of each other?
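The share accounting behind the notes above, as a small Python model added here (it is not the challenge's Solidity and not the author's code). It assumes depositFor credits shares from the vault's balance change around the external token call, which the post does not show; Vault, reentering_token and claims_after are hypothetical names, and all balances are constructed.

```python
class Reentered(Exception):
    pass

def usdc_transfer_from(vault, amount):
    """Stands in for the real USDC transferFrom: moves funds, calls nothing back."""
    vault.usdc += amount

class Vault:
    """Toy share vault with integer balances (constructed model, not SafuVault's code)."""
    def __init__(self, pin_token=False, lock=False):
        self.usdc, self.shares = 10_000, {"earlier": 10_000}   # constructed starting state
        self.pin_token, self.lock, self.entered = pin_token, lock, False

    def claim(self, user):
        # withdraw formula quoted in the post: balance() * _shares / totalSupply()
        return self.usdc * self.shares.get(user, 0) // sum(self.shares.values())

    def deposit_for(self, token, amount, user):
        if self.pin_token and token is not usdc_transfer_from:
            raise ValueError("token is not the vault asset")
        if self.lock and self.entered:
            raise Reentered("deposit_for re-entered")
        self.entered = True
        try:
            before = self.usdc
            token(self, amount)                  # external call into caller-chosen code
            received = self.usdc - before        # ASSUMED balance-delta accounting
            supply = sum(self.shares.values())   # read after the call: includes inner mints
            self.shares[user] = self.shares.get(user, 0) + received * supply // before
        finally:
            self.entered = False

def reentering_token(budget, depth, user):
    """Models a caller-supplied token whose transferFrom adds USDC and calls back in."""
    left = [depth]
    def transfer_from(vault, amount):
        left[0] -= 1
        vault.usdc += budget // depth            # same total budget, split across calls
        if left[0] > 0:
            vault.deposit_for(transfer_from, 0, user)
    return transfer_from

def claims_after(vault, token):
    """Deposit 10_000 for 'caller', return (caller claim, earlier depositor claim)."""
    vault.deposit_for(token, 10_000, "caller")
    return vault.claim("caller"), vault.claim("earlier")

if __name__ == "__main__":
    print(claims_after(Vault(), usdc_transfer_from))                      # fair split
    print(claims_after(Vault(), reentering_token(10_000, 10, "caller")))  # skewed split
```

Every nested frame measures the same incoming USDC against its own earlier snapshot, so one budget is credited several times; pinning the token or locking the function rejects the nested call. On-chain, that rejection is a revert that also undoes the transfer made before it, which this model does not roll back.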