Damn Vulnerable DeFi Challenge #5 Solution — The rewarder

Challenge #5 — The rewarder

The attacker's end goal

Study the contracts

  • Check that the amount is > 0
  • Mint the AccountingToken 1:1 with DVT
  • Call distributeRewards
  • Transfer the deposited amount of DVT tokens from msg.sender to this and check the transfer result
  • Burn the amount from AccountingToken (it’s an ERC20 contract, so it will fail if msg.sender does not have enough balance deposited)
  • Transfer the withdrawn DVT back to msg.sender, checking the result of the operation
  • Check whether it’s a new reward round by calling isNewRewardsRound() (5 days have passed). If so, call _recordSnapshot()
  • Get the total amount of DVT tokens deposited in the pool at the last snapshot
  • Get the amount of DVT tokens deposited by the user in the pool
  • Calculate the amount of reward tokens to be rewarded to the user based on their percentage of contribution: rewards = (amountDeposited * 100 * 10 ** 18) / totalDeposits;
  • If the user is due some rewards and those rewards have not yet been distributed to them, the contract mints those rewards and sends them to msg.sender

Solution code

  • Wait for the amount of time needed to start a new round, so that the Rewarder Pool triggers _recordSnapshot at deposit time
  • Check the amount of DVT tokens we can borrow with a flashloan from the Flashloan Pool
  • Flashloan the max amount (we are not paying any fees)
  • Deposit all the DVT tokens we just borrowed. The deposit function triggers distributeRewards, which takes a snapshot before distributing tokens to our account. Because we are the biggest staker in the pool, we get the vast majority of the reward tokens.
  • Withdraw all the deposited DVT from the pool. We don’t need it in the pool anymore because we have already received the rewards, and we need it to repay the loan.
  • Repay the loan to the Lending Pool
  • Transfer all the rewards to the attacker
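
The accounting flaw behind these steps, as an added Python model (not code from the original post or the challenge contracts): the snapshot is recorded after the fresh deposit is minted, so a balance that exists for a single transaction is counted for the whole round. The staker names, the four 100-token deposits, the 1,000,000-token loan and the `snapshot_before_mint` ordering are constructed assumptions; the reordering is one possible mitigation, not the project's fix.

```python
ROUND = 5 * 24 * 3600   # 5-day reward round, as described above
UNIT = 10 ** 18         # 18-decimal token unit

class RewarderPool:
    """Toy model of the pool's accounting (constructed, not the challenge contract)."""
    def __init__(self, snapshot_before_mint=False):
        self.snapshot_before_mint = snapshot_before_mint   # True = hardened ordering
        self.balances, self.snapshot = {}, {}
        self.rewards, self.claimed_round = {}, {}
        self.round, self.last_snapshot = 0, 0

    def distribute_rewards(self, user, now):
        if now - self.last_snapshot >= ROUND:              # isNewRewardsRound()
            self.snapshot = dict(self.balances)            # _recordSnapshot()
            self.round, self.last_snapshot = self.round + 1, now
        total = sum(self.snapshot.values())
        deposited = self.snapshot.get(user, 0)
        if deposited == 0 or total == 0:
            return 0
        reward = deposited * 100 * UNIT // total           # formula from the text
        if reward > 0 and self.claimed_round.get(user) != self.round:
            self.rewards[user] = self.rewards.get(user, 0) + reward
            self.claimed_round[user] = self.round
        return reward

    def deposit(self, user, amount, now):
        assert amount > 0
        if self.snapshot_before_mint:
            self.distribute_rewards(user, now)             # snapshot excludes this deposit
        self.balances[user] = self.balances.get(user, 0) + amount
        if not self.snapshot_before_mint:
            self.distribute_rewards(user, now)             # snapshot includes this deposit

    def withdraw(self, user, amount):
        assert self.balances.get(user, 0) >= amount        # burn fails on low balance
        self.balances[user] -= amount

def simulate(hardened):
    """Return (borrower reward, alice's reward for the same round), in base units."""
    pool = RewarderPool(snapshot_before_mint=hardened)
    for staker in ("alice", "bob", "charlie", "david"):    # constructed honest stakers
        pool.deposit(staker, 100 * UNIT, now=ROUND)
    loan = 1_000_000 * UNIT                                # constructed flash-loan size
    pool.deposit("borrower", loan, now=2 * ROUND)          # first call of the new round
    pool.withdraw("borrower", loan)                        # repaid in the same transaction
    honest = pool.distribute_rewards("alice", now=2 * ROUND)
    return pool.rewards.get("borrower", 0), honest
```

With the original ordering the one-transaction deposit takes almost the entire round and the long-term staker's share drops below 0.01 token; with the snapshot taken before the mint, the same deposit earns nothing and the staker keeps a quarter of the round.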

Disclaimer

StErMi

#web3 dev + auditor | @SpearbitDAO security researcher, @yAcademyDAO resident auditor, @developer_dao #459, @TheSecureum bootcamp-0, @code4rena warden
