openzeppelin / damn-vulnerable-defi
Home Page: https://damnvulnerabledefi.xyz/
License: MIT License
The implementation
damn-vulnerable-defi/contracts/the-rewarder/FlashLoanerPool.sol
Lines 28 to 33 in 6797353
it is highly recommended to be replaced with this:
interface IFlashLoanReceiver {
    function receiveFlashLoan(uint256) external returns (bool);
}
and then
bool success = IFlashLoanReceiver(msg.sender).receiveFlashLoan(amount);
Hi (@tinchoabbate),
Apologies if I'm not supposed to post here; there is no issue tab on the author's V3.
In puppet V3, the player is supposed to succeed executing only a single transaction. I don't think this is possible. Even if one was to deploy a contract to handle all necessary steps, that's still contract deployment + contract call (+ token approval to attack contract).
Am I missing something here or is it a mistake?
Thank you for your help,
Cheers
This is what I got by running "npm run the-rewarder" with the original "the-rewarder.challenge.js" file.
No problem with all other challenges.
All contracts have already been compiled, skipping compilation.
[Challenge] The rewarder
1) "before all" hook for "Exploit"
2) "after all" hook for "Exploit"
0 passing (433ms)
2 failing
1) [Challenge] The rewarder
"before all" hook for "Exploit":
Error: Contract error: contract binary not set. Can't deploy new instance.
This contract may be abstract, not implement an abstract parent's methods completely
or not invoke an inherited contract's constructor correctly
at Function.new (node_modules/@truffle/contract/lib/contract/constructorMethods.js:47:13)
at Context.<anonymous> (test/the-rewarder/the-rewarder.challenge.js:23:55)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
2) [Challenge] The rewarder
"after all" hook for "Exploit":
TypeError: Cannot read property 'roundNumber' of undefined
at Context.<anonymous> (test/the-rewarder/the-rewarder.challenge.js:76:37)
at processImmediate (internal/timers.js:456:21)
npm ERR! code ELIFECYCLE
npm ERR! errno 2
npm ERR! @ the-rewarder: `npm run compile && npx mocha --timeout 50000 --exit test/the-rewarder/the-rewarder.challenge.js`
npm ERR! Exit status 2
npm ERR!
npm ERR! Failed at the @ the-rewarder script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
6828 verbose stack Error: exited with error code: null
6828 verbose stack at ChildProcess. (/Users/bereket/.nvm/versions/node/v12.22.9/lib/node_modules/npm/node_modules/pacote/lib/util/finished.js:12:19)
6828 verbose stack at ChildProcess.emit (events.js:314:20)
6828 verbose stack at maybeClose (internal/child_process.js:1022:16)
6828 verbose stack at Socket. (internal/child_process.js:444:11)
6828 verbose stack at Socket.emit (events.js:314:20)
6828 verbose stack at Pipe. (net.js:675:12)
6829 verbose cwd /Volumes/secondary_drive/blockChain-learning/damn-vulnerable-defi
6830 verbose Darwin 21.0.1
6831 verbose argv "/Users/bereket/.nvm/versions/node/v12.22.9/bin/node" "/Users/bereket/.nvm/versions/node/v12.22.9/bin/npm" "i" "--verbose"
6832 verbose node v12.22.9
6833 verbose npm v6.14.15
6834 error Error while executing:
6834 error /usr/bin/git ls-remote -h -t https://github.com/ethereumjs/ethereumjs-abi.git
6834 error
6834 error rosetta error: /var/db/oah/279281322164224_279281322164224/ea50d481d6c5a2b4c424ed9865d6cb39b67491f7198ae2d9ee0ae1d0efe8aa26/libxcrun.dylib.aot: attachment of code signature supplement failed: 1
6834 error
Running the tests in node v14 throws errors in before/after hooks: Error: Callback was already called.
Might be worth:
Let me know your thoughts. I can send a PR but just wanted to get your thoughts first.
PS: thanks for this great work
Edit: forgot to mention, but everything works as expected with v12.11.1
I'm trying to exploit it with:
`await this.token.transfer(this.pool.address, INITIAL_ATTACKER_BALANCE, {from: attacker});`
Which doesn't work.
But if I use it w/o from:attacker it works:
`await this.token.transfer(this.pool.address, INITIAL_ATTACKER_TOKEN_BALANCE);`
Why is that?
Is the test for this accurate? Why would we expect the attacker to have more than the original pool amount considering the setup code?