3. Truster
https://www.damnvulnerabledefi.xyz/challenges/truster/
Objective
A new pool has launched that is offering flash loans of DVT tokens for free. The pool holds 1 million DVT tokens. You have nothing.
Take all tokens out of the pool. If possible, in a single transaction.
Approach
The pool has only one function, flashLoan().
We notice:
balances are checked against the token contract
there is a nonReentrant modifier
the pool calls target.functionCall(data)
Code for Address.functionCall:
This means that:
target must be a contract
the TrusterLenderPool contract will execute target.call{value: value}(data); using its own context.
In short, we can use target.functionCall to approve allowances from the pool to the attacker, thereby draining the pool.
Solution
Since target accepts bytes data as a parameter, we must pass the approve function together with its parameters as data into it. This is done via abi.encodeWithSignature.
The attacker calls the flashLoan function with said payload -> allowances would be approved.
The attacker then calls the token contract to drain the pool, utilising the allowances granted earlier.
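The root cause above is that the borrower chooses both the target and the calldata of a call the pool makes in its own context. A hardened pool design follows as an added example; it is not the challenge's code, and HardenedLenderPool, IFlashBorrower and onFlashLoan are hypothetical names. The pool only ever calls one fixed function on msg.sender.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added example with hypothetical names; not the challenge's contract.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// The only function the pool will ever call on a borrower.
interface IFlashBorrower {
    function onFlashLoan(uint256 amount) external;
}

contract HardenedLenderPool {
    IERC20 public immutable token;
    bool private locked;

    error Reentrancy();
    error TransferFailed();
    error RepayFailed();

    constructor(IERC20 _token) {
        token = _token;
    }

    modifier nonReentrant() {
        if (locked) revert Reentrancy();
        locked = true;
        _;
        locked = false;
    }

    // No caller-supplied target and no caller-supplied calldata: the pool
    // calls one fixed selector on msg.sender, so it cannot be steered into
    // calling token.approve(...) with the pool itself as msg.sender.
    function flashLoan(uint256 amount) external nonReentrant {
        uint256 balanceBefore = token.balanceOf(address(this));

        if (!token.transfer(msg.sender, amount)) revert TransferFailed();
        IFlashBorrower(msg.sender).onFlashLoan(amount);

        // Same balance check as before; it alone does not stop an approve,
        // because an approval leaves the pool's balance unchanged.
        if (token.balanceOf(address(this)) < balanceBefore) revert RepayFailed();
    }
}
```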