9. Puppet V2

https://www.damnvulnerabledefi.xyz/challenges/puppet-v2/

Objective

• The developers of the previous pool seem to have learned the lesson. And released a new version!

• Now they’re using a Uniswap v2 exchange as a price oracle, along with the recommended utility libraries.

• You start with 20 ETH and 10000 DVT tokens in balance. The pool has a million DVT tokens in balance. Drain it.

Now collateral require is 3x of the token price

Approach

Pricing is obtained from UniswapV2Library.quote

// For amountA, how much B can I get
amountB = amountA (reserveB / reserveA)

// Explanation
(reserveB / reserveA) = Unit Price of A, in terms of B

// Example
assetA : assetB
10 ETH : 10,000 USDC
 1 ETH : (10,000 USDC/10 ETH) = 1000 USDC
 
 (reserveB / reserveA) = (10,000/10) USDC/ETH = 1000 USDC per ETH
 For 2 ETH,
          2 * (10,000/10) = 2000 USDC (amountB)

1. Target pool has 1,000,000 DVT

2. Uniswap Exchange has 100 DVT and 10 ETH -> 10 DVT: 1 ETH

• Cost for 1 MM DVT = 1 MM * (10 / 100) = 100,000 ETH

• requiredCollateral = 100K ETH * 3 = 300K ETH

Attacker needs to devalue DVT, by selling DVT into the Uniswap exchange.

• attacker calls swapExactTokensForTokens() via uniswap router

https://docs.uniswap.org/contracts/v2/reference/smart-contracts/router-02#swapexacttokensfortokens

• amountIn = ATTACKER_INITIAL_TOKEN_BALANCE

• amountOutMin = 0 (arbitrary)

• path = An array of token addresses.

  • path is a dynamic array of addresses

• to = attacker address

• deadline = Unix timestamp after which the transaction will revert. (arbitrary)

on path: dynamic array of addresses

Uniswap Exchange

• started: 100 DVT and 10 ETH

• attacker sold 1000 DVT

• ended:

uniswap swap formula

Draining the lending pool

• lending pool has 1 MM dvt token.

• Currently valued at 1 MM *