Damn Vulnerable DeFi — Challenge #5 Walkthrough

Peter Kacherginsky
4 min readDec 18, 2020

Let’s continue our journey of learning about vulnerable DeFi applications. The next exercise, the-rewarder, challenges us to cheat at getting all of the rewards in a stripped down liquidity pool app:

There's a pool offering rewards in tokens every 5 days for those who deposit their DVT tokens into it.Alice, Bob, Charlie and David have already deposited some DVT tokens, and have won their rewards!You don't have any DVT tokens. Luckily, these are really popular nowadays, so there's another pool offering them in free flash loans.In the upcoming round, you must claim all rewards for yourself.

The challenge consists of four different contracts with the following functionality:

  • TheRewarderPool.sol accepts DamnValuableToken deposits and awards RewardTokens every 5 days. The contract uses AccountingToken for record keeping of deposited tokens.
  • RewardToken.sol is a simple ERC-20 token with basic minting functionality. It is used as a reward for keeping DamnValuableToken deposited in TheRewarderPool.
  • AccountingToken.sol is an ERC20Snapshot token. It is used to keep historical balances of DamnValuableToken deposited into TheRewarderPool and to calculate the amount of RewardToken to award users.
  • DamnValuableToken.sol, also referred to as a Liquidity Token, is a simple ERC-20 token. It is used as a liquidity token which can be deposited into TheRewarderPool in order to earn RewardToken. It can be borrowed from the FlashLoanerPool.
  • FlashLoanerPool.sol is a simple contract with a single method to supply flash loans of DamnValuableToken.

The interactions between all of the different contracts can be complex so it’s best to diagram all of the contract calls:

In the graph above, users can deposit Liquidity Tokens (DamnValuableToken) into the Rewarder Pool which in turn creates a balance snapshot and mints Reward Tokens each reward round. Users are awarded Reward Tokens based on the percentage of user owned vs. total deposited tokens. Below is the TheRewarderPool.sol source with some additional comments to help us better understand how the reward logic works:

Peter Kacherginsky

Blockchain Security, Malware Analysis, Incident Response, Pentesting, BlockThreat.net