Damn Vulnerable DeFi — Challenge #4 Walkthrough

Peter Kacherginsky
2 min readNov 25, 2020

The next puzzle in the series continues challenging players to empty DeFi lending pool through any means necessary. Here is the challenge:

A surprisingly simple lending pool allows anyone to deposit ETH, and withdraw it at any point in time.This very simple lending pool has 1000 ETH in balance already, and is offering free flash loans using the deposited ETH to promote their system.You must steal all ETH from the lending pool.

The challenge.js file performs basic setup on the vulnerable pool contract and deposits some initial balance:

Let’s take a look at the SideEntranceLenderPool contract to see if we can spot any vulnerabilities:

The contract implements a simple flashLoan() function which issues arbitrary amount to whoever triggers it and makes sure that the total contract balance remains the same or greater after it completes. Just like other lending functions, it also…

--

--

Peter Kacherginsky
Peter Kacherginsky

Written by Peter Kacherginsky

Blockchain Security, Malware Analysis, Incident Response, Pentesting, BlockThreat.net

No responses yet