Oracles play a critical role in many DeFi applications where they are used to correctly report asset prices and other data. As evident by many incidents such as Cheese Bank and Warp Finance, any oracle price manipulations can lead to multi-million losses. The next Damn Vulnerable DeFi challenge offers a plausible scenario where a price Oracle platform appears to leak potentially sensitive data:
While poking around a web service of one of the most popular DeFi projects in the space, you get a somewhat strange response from their server. This is a snippet:HTTP/2 200 OK
content-type: text/html
content-language: en
vary: Accept-Encoding
server: cloudflare
4d 48 68 6a 4e 6a 63 34 5a 57 59 78 59 57 45 30 4e 54 5a 6b 59 54 59 31 59 7a 5a 6d 59 7a 55 34 4e 6a 46 6b 4e 44 51 34 4f 54 4a 6a 5a 47 5a 68 59 7a 42 6a 4e 6d 4d 34 59 7a 49 31 4e 6a 42 69 5a 6a 42 6a 4f 57 5a 69 59 32 52 68 5a 54 4a 6d 4e 44 63 7a 4e 57 45 35
4d 48 67 79 4d 44 67 79 4e 44 4a 6a 4e 44 42 68 59 32 52 6d 59 54 6c 6c 5a 44 67 34 4f 57 55 32 4f 44 56 6a 4d 6a 4d 31 4e 44 64 68 59 32 4a 6c 5a 44 6c 69 5a 57 5a 6a 4e 6a 41 7a 4e 7a 46 6c 4f 54 67 33 4e 57 5a 69 59 32 51 33 4d 7a 59 7a 4e 44 42 69 59 6a 51…
Last month, ETHworks put together a really fun smart contract contest where players competed to solve all the clues and unlock a 7 ETH reward. While I did not win, I had an absolute blast participating in it and wanted to share my notes in case you want to learn about password cracking and smart contract hacking techniques. If that sounds interesting to you, let’s dive right in.
On November 17th, 2020, while preparing for the next edition of the Blockchain Threat Intelligence newsletter, I ran across an interesting tweet advertising some kind of a smart contract contest:
The address contained a simple smart contract which challenged anyone to guess a plaintext for a stored hash which was hashed twice with…
The next challenge in the series teaches us about dangers of mixing flash loans and governance systems:
A new cool lending pool has launched! It's now offering flash loans of DVT tokens.Wow, and it even includes a really fancy governance mechanism to control it.What could go wrong, right ?You start with no DVT tokens in balance, and the pool has 1.5 million. Your objective: steal them all.
The governance contract described in the challenge implements two functions to queue and execute action proposals. Action queue mechanism verifies that an actor has sufficient votes as follows:
Notice that _hasEnoughVotes obtains token balance using the same vulnerable ERC20Snapshot mechanism described in the previous challenge. This means that as long as the last recorded token snapshot has sufficient balance, one could successfully queue any action. …
Let’s continue our journey of learning about vulnerable DeFi applications. The next exercise, the-rewarder, challenges us to cheat at getting all of the rewards in a stripped down liquidity pool app:
There's a pool offering rewards in tokens every 5 days for those who deposit their DVT tokens into it.Alice, Bob, Charlie and David have already deposited some DVT tokens, and have won their rewards!You don't have any DVT tokens. Luckily, these are really popular nowadays, so there's another pool offering them in free flash loans.In the upcoming round, you must claim all rewards for yourself.
The challenge consists of four different contracts with the following…
The next puzzle in the series continues challenging players to empty DeFi lending pool through any means necessary. Here is the challenge:
A surprisingly simple lending pool allows anyone to deposit ETH, and withdraw it at any point in time.This very simple lending pool has 1000 ETH in balance already, and is offering free flash loans using the deposited ETH to promote their system.You must steal all ETH from the lending pool.
The challenge.js file performs basic setup on the vulnerable pool contract and deposits some initial balance:
Let’s take a look at the SideEntranceLenderPool contract to see if we can spot any…
Let’s dive into the next challenge called Truster in the OpenZeppelin’s fun wargame:
More and more lending pools are offering flash loans. In this case, a new pool has launched that is offering flash loans of DVT tokens for free.Currently the pool has 1 million DVT tokens in balance. And you have nothing.But don't worry, you might be able to steal them all from the pool.
The challenge sets up a lending pool instance of TrusterLenderPool and deposits 1M ETH:
The TrusterLenderPool has a single function called flashLoan which can lend any requested amount to the borrower address as long as that amount is returned by the end of the…
Continuing our exploration of the Damn Vulnerable DeFi wargame, the next puzzle is called Naive receiver. It challenges players to drain a DeFi user’s account:
There's a lending pool offering quite expensive flash loans of Ether, which has 1000 ETH in balance.You also see that a user has deployed a contract with 10 ETH in balance, capable of interacting with the lending pool and receiveing flash loans of ETH.Drain all ETH funds from the user's contract. Doing it in a single transaction is a big plus ;)
The challenge file sets up a lending pool and a user receiver contracts. The receiver contract is configured with the lending pool address so that it could interact with…
Damn Vulnerable DeFi is an Ethereum smart contract wargame developed by @tinchoabbate from OpenZeppelin. The competition includes 8 unique challenges educating players about various DeFi vulnerabilities.
In this article, I will share basic set up steps to get you started on the challenges and go over the first challenge.
To begin playing the wargame, you have to set up your local environment first. Start by cloning the challenges repository from Github and installing Node dependencies:
% git clone https://github.com/OpenZeppelin/damn-vulnerable-defi.git
% cd damn-vulnerable-defi
% npm install
Once you install all of the dependencies you can test the environment by listing available challenges as…
Last week I had a lot of fun with the latest blockchain investigation competition put together by folks at Anchain. The competition spanned two weeks and included a number of questions challenging players to dig through Ethereum blockchain transaction and smart contract data. In addition to many freely available tools, participants were also offered a free license of Anchain’s CISO blockchain analytics platform which made the analysis a lot easier.
In this writeup I will discuss blockchain analytics tools, techniques, and lessons learned while solving challenges. I will only focus on solving the last (and hardest) challenge investigating the infamous exit scam and the eventual return of funds by SushiSwap’s Chef Nomi back in September, 2020. My goal is to share the investigation steps so that you, the reader, would also be inspired to participate in future contests or may be even make this your future career. Check out my Blockchain Threat Intelligence newsletter for ideas on how to contribute to this field. …
On November 5th, 2019 I had a great experience attending a new conference in the Bay Area called Disclosure. Even though this was its first year, Disclosure gathered an amazing speaker line up including Katie Moussouris, Dan Kaminsky, Jennifer Granick, Juan Andres Guerrero-Saade and many others.
The conference reserved a beautiful venue at Westin St. Francis hotel with a single large ballroom for the talks. The hallways leading to the event were lit up in a futuristic purple light with a number of posters with various ciphers for the scavenger hunt competition:
About