9. Puppet V2

https://www.damnvulnerabledefi.xyz/challenges/puppet-v2/

Objective

  • The developers of the previous pool seem to have learned the lesson. And released a new version!

  • Now they’re using a Uniswap v2 exchange as a price oracle, along with the recommended utility libraries.

  • You start with 20 ETH and 10000 DVT tokens in balance. The pool has a million DVT tokens in balance. Drain it.

Now collateral require is 3x of the token price

Approach

Pricing is obtained from UniswapV2Library.quote 

// For amountA, how much B can I get
amountB = amountA (reserveB / reserveA)

// Explanation
(reserveB / reserveA) = Unit Price of A, in terms of B

// Example
assetA : assetB
10 ETH : 10,000 USDC
 1 ETH : (10,000 USDC/10 ETH) = 1000 USDC
 
 (reserveB / reserveA) = (10,000/10) USDC/ETH = 1000 USDC per ETH
 For 2 ETH,
          2 * (10,000/10) = 2000 USDC (amountB)

  1. Target pool has 1,000,000 DVT

  2. Uniswap Exchange has 100 DVT and 10 ETH -> 10 DVT: 1 ETH

  • Cost for 1 MM DVT = 1 MM * (10 / 100) = 100,000 ETH

  • requiredCollateral = 100K ETH * 3 = 300K ETH

Attacker needs to devalue DVT, by selling DVT into the Uniswap exchange.

  • attacker calls swapExactTokensForTokens() via uniswap router

https://docs.uniswap.org/contracts/v2/reference/smart-contracts/router-02#swapexacttokensfortokens

  • amountIn = ATTACKER_INITIAL_TOKEN_BALANCE

  • amountOutMin = 0 (arbitrary)

  • path = An array of token addresses.

    • path is a dynamic array of addresses

  • to = attacker address

  • deadline = Unix timestamp after which the transaction will revert. (arbitrary)

on path: dynamic array of addresses

Uniswap Exchange

  • started: 100 DVT and 10 ETH

  • attacker sold 1000 DVT

  • ended:

Draining the lending pool

  • lending pool has 1 MM dvt token.

  • Currently valued at 1 MM *

Previous8. PuppetNext10 - Free Rider

Last updated