9. Puppet V2
https://www.damnvulnerabledefi.xyz/challenges/puppet-v2/
Objective
The developers of the previous pool seem to have learned the lesson. And released a new version!
Now they’re using a Uniswap v2 exchange as a price oracle, along with the recommended utility libraries.
You start with 20 ETH and 10000 DVT tokens in balance. The pool has a million DVT tokens in balance. Drain it.
Approach
Pricing is obtained from UniswapV2Library.quote

// For amountA, how much B can I get
amountB = amountA (reserveB / reserveA)
// Explanation
(reserveB / reserveA) = Unit Price of A, in terms of B
// Example
assetA : assetB
10 ETH : 10,000 USDC
1 ETH : (10,000 USDC/10 ETH) = 1000 USDC
(reserveB / reserveA) = (10,000/10) USDC/ETH = 1000 USDC per ETH
For 2 ETH,
2 * (10,000/10) = 2000 USDC (amountB)
Target pool has 1,000,000 DVT
Uniswap Exchange has 100 DVT and 10 ETH -> 10 DVT: 1 ETH
Cost for 1 MM DVT = 1 MM * (10 / 100) = 100,000 ETH
requiredCollateral = 100K ETH * 3 = 300K ETH
Attacker needs to devalue DVT, by selling DVT into the Uniswap exchange.
attacker calls
swapExactTokensForTokens()
via uniswap router


amountIn = ATTACKER_INITIAL_TOKEN_BALANCE
amountOutMin = 0 (arbitrary)
path = An array of token addresses.
path is a dynamic array of addresses
to = attacker address
deadline = Unix timestamp after which the transaction will revert. (arbitrary)
on path
: dynamic array of addresses
path
: dynamic array of addresses
Uniswap Exchange
started: 100 DVT and 10 ETH
attacker sold 1000 DVT
ended:


Draining the lending pool
lending pool has 1 MM dvt token.
Currently valued at 1 MM *
Last updated