8. Puppet

https://www.damnvulnerabledefi.xyz/challenges/puppet/

Pricing of Tokens

The price of dvt tokens is determined by the ratio in the uniswap pool. Calculated as follows:

  • ETH in pool / dvt in Pool = price of 1 dvt in wei

  • _computeOraclePrice in PuppetPool.sol does this

However, the pool only allows a user to borrow tokens, if they deposit twice their value in ETH. Essentially, overcollateralized lending.

Hence, the deposit required calculation is as follows:

If user wants to borrow 10 tokens (w/ each token worth 1 ether), he needs to deposit (10*2) ether.

Approach

  1. Attacker to sell all of his tokens into Uniswap pool for ether -> skews pools ratio, thereby discounting token price heavily

  2. Calculate collateral required to borrow 1 token from pool at new token prices

  3. Based on collateral required, calculate how much attacker can borrow given his ether balances

  4. In this case, attacker can borrow much more than the pool has to offer, so we would borrow everything the pool has in dvt tokens.

  5. Calculate how much ether is require for this borrow, to send as msg.value

    1. Alternatively, attacker can just send all his ether balances, since the borrow function does return the excess ether.

Previous7. CompromisedNext9. Puppet V2

Last updated