7. Compromised
https://www.damnvulnerabledefi.xyz/challenges/compromised/
Last updated
https://www.damnvulnerabledefi.xyz/challenges/compromised/
Last updated
A related on-chain exchange is selling (absurdly overpriced) collectibles called “DVNFT”, now at 999 ETH each.
This price is fetched from an on-chain oracle, based on 3 trusted reporters: 0xA732...A105
,0xe924...9D15
and 0x81A5...850c
.
Starting with just 0.1 ETH in balance, pass the challenge by obtaining all ETH available in the exchange.
While poking around a web service of one of the most popular DeFi projects in the space, you get a somewhat strange response from their server. Here’s a snippet:
On the server response: convert the hex strings to UTF8:
MHhjNjc4ZWYxYWE0NTZkYTY1YzZmYzU4NjFkNDQ4OTJjZGZhYzBjNmM4YzI1NjBiZjBjOWZiY2RhZTJmNDczNWE5
MHgyMDgyNDJjNDBhY2RmYTllZDg4OWU2ODVjMjM1NDdhY2JlZDliZWZjNjAzNzFlOTg3NWZiY2Q3MzYzNDBiYjQ4
Decode via base64:
0xc678ef1aa456da65c6fc5861d44892cdfac0c6c8c2560bf0c9fbcdae2f4735a9
0x208242c40acdfa9ed889e685c23547acbed9befc60371e9875fbcd736340bb48
These could be private keys. Let us derive the public keys from them:
They appear to match with two of the trusted reporters for the oracle. This means we can manipulate the oracle and post prices favourable to our attack.
We can use foundry to prank as these explorted oracles. The steps would be as follows:
prank with both oracles calling postPrice
, updating price to be 0
Buy NFT for 0 cost
update price to reflect exchange balances
Sell NFT to exchange, draining it.
Update price to original price.