9. Puppet V2
https://www.damnvulnerabledefi.xyz/challenges/puppet-v2/
The developers of the previous pool seem to have learned the lesson. And released a new version!
Now they’re using a Uniswap v2 exchange as a price oracle, along with the recommended utility libraries.
You start with 20 ETH and 10000 DVT tokens in balance. The pool has a million DVT tokens in balance. Drain it.
Pricing is obtained from UniswapV2Library.quote
Target pool has 1,000,000 DVT
Uniswap Exchange has 100 DVT and 10 ETH -> 10 DVT: 1 ETH
Cost for 1 MM DVT = 1 MM * (10 / 100) = 100,000 ETH
requiredCollateral = 100K ETH * 3 = 300K ETH
Attacker calls swapExactTokensForTokens() via the Uniswap router:
amountIn = ATTACKER_INITIAL_TOKEN_BALANCE
amountOutMin = 0 (arbitrary)
path = a dynamic array of token addresses
to = attacker address
deadline = Unix timestamp after which the transaction will revert. (arbitrary)
started: 100 DVT and 10 ETH
attacker sold 1000 DVT
ended:
Lending pool has 1 MM DVT tokens.
Currently valued at 1 MM *
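
The reserve arithmetic behind these notes, carried through as an added Python example (not part of the original write-up or the challenge contracts). It models UniswapV2Library.quote and getAmountOut with integer wei math and shows how strongly the pool's deposit requirement depends on the pair's instantaneous reserves; the Python function names, the 18-decimal assumption and the 10000 DVT trade size (the starting balance from the challenge text) are choices made for this example.

```python
# Added example: integer model of the Uniswap V2 pricing used by the pool.
WEI = 10**18          # assumption: both tokens use 18 decimals
DEPOSIT_FACTOR = 3    # from the notes: requiredCollateral = quote * 3


def quote(amount_a, reserve_a, reserve_b):
    """UniswapV2Library.quote: spot value of amount_a, no fee, no slippage."""
    if amount_a <= 0 or reserve_a <= 0 or reserve_b <= 0:
        raise ValueError("amount and reserves must be positive")
    return amount_a * reserve_b // reserve_a


def get_amount_out(amount_in, reserve_in, reserve_out):
    """UniswapV2Library.getAmountOut: swap output after the 0.3% fee."""
    if amount_in <= 0 or reserve_in <= 0 or reserve_out <= 0:
        raise ValueError("amount and reserves must be positive")
    amount_in_with_fee = amount_in * 997
    return amount_in_with_fee * reserve_out // (reserve_in * 1000 + amount_in_with_fee)


def required_deposit(borrow_dvt, reserve_dvt, reserve_weth):
    """Collateral the pool asks for, priced only from the current reserves."""
    return quote(borrow_dvt, reserve_dvt, reserve_weth) * DEPOSIT_FACTOR


def reserves_after_dvt_sale(dvt_in, reserve_dvt, reserve_weth):
    """Pair reserves (DVT, WETH) after dvt_in DVT is swapped for WETH."""
    weth_out = get_amount_out(dvt_in, reserve_dvt, reserve_weth)
    return reserve_dvt + dvt_in, reserve_weth - weth_out


if __name__ == "__main__":
    pool_dvt = 1_000_000 * WEI              # lending pool balance
    r_dvt, r_weth = 100 * WEI, 10 * WEI     # pair reserves at the start
    before = required_deposit(pool_dvt, r_dvt, r_weth)
    r_dvt2, r_weth2 = reserves_after_dvt_sale(10_000 * WEI, r_dvt, r_weth)
    after = required_deposit(pool_dvt, r_dvt2, r_weth2)
    print(f"reserves before: {r_dvt / WEI:.4f} DVT, {r_weth / WEI:.4f} ETH")
    print(f"deposit before:  {before / WEI:.4f} ETH")
    print(f"reserves after:  {r_dvt2 / WEI:.4f} DVT, {r_weth2 / WEI:.4f} ETH")
    print(f"deposit after:   {after / WEI:.4f} ETH")
    print(f"deposit changed by a factor of {before / after:.0f}")
```

Because quote reads only the current reserves, a pair holding 10 ETH of liquidity ends up setting the price for a pool holding 1,000,000 DVT, which is the design weakness the challenge is built around.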