Damn Vulnerable DeFi — Challenge #3 Walkthrough

Peter Kacherginsky
2 min read · Nov 23, 2020

Let’s dive into the next challenge, called Truster, in OpenZeppelin’s fun wargame:

More and more lending pools are offering flash loans. In this case, a new pool has launched that is offering flash loans of DVT tokens for free. Currently the pool has 1 million DVT tokens in balance. And you have nothing. But don't worry, you might be able to steal them all from the pool.

The challenge sets up a lending pool instance of TrusterLenderPool and deposits 1M ETH:

The TrusterLenderPool has a single function called flashLoan which can lend any requested amount to the borrower address as long as that amount is returned by the end of the transaction:

What’s really interesting about the above function is that it also calls an arbitrary contract address with user-supplied calldata, and that call is made from the pool’s own address. We can’t abuse the function in a way that would result in an immediate monetary loss, since balances before and after must be equal. However, we can abuse the ERC-20 approval mechanism to make the pool create a transfer allowance for the damnValuableToken, which we will use in a later transaction. To execute the attack, let’s craft a custom transaction payload and pass it to the vulnerable flashLoan function:

The above payload causes the TrusterLenderPool contract to approve an allowance covering all of the tokens held in the pool. On line 16, we transfer that entire allowance to the attacker’s address. Let’s confirm the challenge is now solved and the pool has been completely emptied:

Success! We have successfully emptied the pool.
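To make the root cause concrete from the defender’s side, here is the weak pattern the walkthrough describes beside a hardened version. This is an added illustration written for this page, not the challenge’s own source or OpenZeppelin’s code; the contract names, the IFlashLoanReceiver interface and the OpenZeppelin 4.x import paths are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumption: OpenZeppelin Contracts 4.x layout (in 5.x ReentrancyGuard lives under utils/).
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/utils/Address.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

/// Illustration of the weak pattern (not the challenge's own source): the pool
/// forwards a caller-chosen `target` and `data`, so the resulting call has the
/// pool as msg.sender. Any function the token exposes to its holder, approve()
/// included, is therefore reachable by whoever calls flashLoan.
contract ArbitraryCallPool is ReentrancyGuard {
    using Address for address;
    IERC20 public immutable token;

    constructor(IERC20 _token) { token = _token; }

    function flashLoan(uint256 amount, address borrower, address target, bytes calldata data)
        external nonReentrant
    {
        uint256 before = token.balanceOf(address(this));
        require(before >= amount, "insufficient liquidity");
        token.transfer(borrower, amount);
        target.functionCall(data);                 // pool is msg.sender for this call
        require(token.balanceOf(address(this)) >= before, "not repaid");
        // The balance check still passes when `data` encodes an approve(): an
        // allowance changes no balance until it is spent in a later transaction.
    }
}

/// Hypothetical callback interface a borrower contract must implement.
interface IFlashLoanReceiver {
    function onFlashLoan(address initiator, uint256 amount, bytes calldata data) external;
}

/// Hardened form: the pool never forwards raw calldata. It originates exactly
/// one message, a fixed selector on the receiver, so it can no longer be made
/// to call approve() (or anything else) on the token on the caller's behalf.
contract HardenedPool is ReentrancyGuard {
    using SafeERC20 for IERC20;
    IERC20 public immutable token;

    constructor(IERC20 _token) { token = _token; }

    function flashLoan(uint256 amount, address receiver, bytes calldata data)
        external nonReentrant
    {
        require(receiver.code.length > 0, "receiver must be a contract");
        uint256 before = token.balanceOf(address(this));
        require(before >= amount, "insufficient liquidity");
        token.safeTransfer(receiver, amount);
        // Fixed selector, fixed target: the pool decides what it calls, the
        // caller only supplies opaque bytes that the receiver interprets.
        IFlashLoanReceiver(receiver).onFlashLoan(msg.sender, amount, data);
        require(token.balanceOf(address(this)) >= before, "not repaid");
    }
}
```

The balance-before/after check is not the defect; it is the arbitrary call that lets the pool be driven as if it were the caller. On the monitoring side, the same property gives a cheap detection: a lending pool has no business approving spenders, so an ERC-20 Approval event whose owner is the pool address is worth alerting on.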

Unfortunately, allowance abuse vulnerabilities are common and have been exploited in the real world, for example in the Bancor hack from 2018.
