Damn Vulnerable DeFi — Challenge #6 Walkthrough

The next challenge in the series teaches us about dangers of mixing flash loans and governance systems:

A new cool lending pool has launched! It's now offering flash loans of DVT tokens.
Wow, and it even includes a really fancy governance mechanism to control it.
What could go wrong, right ?
You start with no DVT tokens in balance, and the pool has 1.5 million. Your objective: steal them all.

The governance contract described in the challenge implements two functions to queue and execute action proposals. Action queue mechanism verifies that an actor has sufficient votes as follows:

Notice that _hasEnoughVotes obtains token balance using the same vulnerable ERC20Snapshot mechanism described in the previous challenge. This means that as long as the last recorded token snapshot has sufficient balance, one could successfully queue any action.

Before we hop into the exploit, let’s quickly look at how actions are actually executed: