3. Truster

https://www.damnvulnerabledefi.xyz/challenges/truster/

Objective

A new pool has launched that is offering flash loans of DVT tokens for free. The pool holds 1 million DVT tokens. You have nothing.

Take all tokens out of the pool. If possible, in a single transaction.

Approach

The pool only has 1 function, flashLoan()

We notice:

  • balances are checked against the token contract

  • there is a nonReentrant modifier

  • target.funtionCall(data)

Code for Address.functionCall:

require(address(this).balance >= value, "Address: insufficient balance for call");
require(isContract(target), "Address: call to non-contract");(bool success, bytes memory returndata) = target.call{value: value}(data);
return verifyCallResult(success, returndata, errorMessage);

  • this means that target must be a contract

  • trusterLenderPool contract will execute target.call{value: value}(data); using its own context.

  • In short, we can use target.functionCall to approve allowances from the pool to the attacker; thereby draining the pool.

Solution

  • since target accepts bytes data as a parameter, we must pass the approve function together with its parameters as data into it. this is done via abi.encondeWithSignature

  • attacker calls the flashloan function, with said payload -> allowances would be approved

  • attacker than calls token contract to drain the pool, utilising the allowances granted earlier.

Previous2. Naive receiverNext4. Side Entrance

Last updated