Damn Vulnerable DeFi — Challenge #3 Walkthrough

Peter Kacherginsky
2 min read · Nov 23, 2020

Let’s dive into the next challenge, Truster, in OpenZeppelin’s fun wargame:

More and more lending pools are offering flash loans. In this case, a new pool has launched that is offering flash loans of DVT tokens for free. Currently the pool has 1 million DVT tokens in balance. And you have nothing. But don't worry, you might be able to steal them all from the pool.

The challenge sets up a lending pool instance of TrusterLenderPool and deposits 1M ETH:

The TrusterLenderPool has a single function called flashLoan which can lend any requested amount to the borrower address as long as that amount is returned by the end of the transaction:

What’s really interesting about the above function is that it also executes an arbitrary smart contract with user-supplied data. We can’t abuse the function in a way that would result in an immediate monetary loss since balances before and…
