Damn Vulnerable DeFi — Challenge #6 Walkthrough

The next challenge in the series teaches us about dangers of mixing flash loans and governance systems:

A new cool lending pool has launched! It's now offering flash loans of DVT tokens.
Wow, and it even includes a really fancy governance mechanism to control it.
What could go wrong, right ?
You start with no DVT tokens in balance, and the pool has 1.5 million. Your objective: steal them all.

The governance contract described in the challenge implements two functions to queue and execute action proposals. Action queue mechanism verifies that an actor has sufficient votes as follows:

Notice that _hasEnoughVotes obtains token balance using the same vulnerable ERC20Snapshot mechanism described in the previous challenge. This means that as long as the last recorded token snapshot has sufficient balance, one could successfully queue any action.

Before we hop into the exploit, let’s quickly look at how actions are actually executed:

Queued actions are executed using the executeAction call which simply checks that 2 days have elapsed since an action was queued and directly calls arbitrary address on behalf of the governance contract.

Our goal is to drain the balance belonging to the lending pool and not the governance contract. Conveniently the SelfiePool contract includes just the function we need which can only be called by the SimpleGovernance contract:

Let’s craft an attacker contract to help us queue a new governance action using a flash loan: