3. Truster

https://www.damnvulnerabledefi.xyz/challenges/truster/

Objective

A new pool has launched that is offering flash loans of DVT tokens for free. The pool holds 1 million DVT tokens. You have nothing.

Take all tokens out of the pool. If possible, in a single transaction.

Approach

The pool only has 1 function, flashLoan()

We notice:

balances are checked against the token contract
there is a nonReentrant modifier
target.funtionCall(data)

Code for Address.functionCall:

require(address(this).balance >= value, "Address: insufficient balance for call");
require(isContract(target), "Address: call to non-contract");(bool success, bytes memory returndata) = target.call{value: value}(data);
return verifyCallResult(success, returndata, errorMessage);

this means that target must be a contract
trusterLenderPool contract will execute target.call{value: value}(data); using its own context.
In short, we can use target.functionCall to approve allowances from the pool to the attacker; thereby draining the pool.

Solution

since target accepts bytes data as a parameter, we must pass the approve function together with its parameters as data into it. this is done via abi.encondeWithSignature
attacker calls the flashloan function, with said payload -> allowances would be approved
attacker than calls token contract to drain the pool, utilising the allowances granted earlier.

Previous2. Naive receiver Next4. Side Entrance

Last updated 1 year ago