The next challenge in the series teaches us about the dangers of mixing flash loans and governance systems:
A new cool lending pool has launched! It's now offering flash loans of DVT tokens. Wow, and it even includes a really fancy governance mechanism to control it. What could go wrong, right? You start with no DVT tokens in balance, and the pool has 1.5 million. Your objective: steal them all.
The governance contract described in the challenge implements two functions to queue and execute action proposals. The action queue mechanism verifies that an actor has sufficient votes as follows:
Notice that _hasEnoughVotes obtains the token balance using the same vulnerable ERC20Snapshot mechanism described in the previous challenge. This means that as long as the last recorded token snapshot shows a sufficient balance, one could successfully queue any action.
Before we hop into the exploit, let’s quickly look at how actions are actually executed:
Queued actions are executed using the executeAction call, which simply checks that 2 days have elapsed since an action was queued and then directly calls an arbitrary address on behalf of the governance contract.
Our goal is to drain the balance belonging to the lending pool and not the governance contract. Conveniently, the SelfiePool contract includes just the function we need, which can only be called by the SimpleGovernance contract:
Let’s craft an attacker contract to help us queue a new governance action using a flash loan:
The above attack contract will borrow the specified amount of funds (it needs at least 50% of the total governance token supply), record a snapshot and queue a new governance action in a single transaction. The key element in that sequence is taking the governance token snapshot in order to pass the _hasEnoughVotes verification. Let’s populate the exploit portion of selfie.challenge.js in order to execute the attack:
Executing the above script allows us to successfully drain the entire pool balance:
Exploitation of governance systems using flash loans happens in live projects. In fact, on October 26, 2020 someone was able to successfully pass a MakerDAO proposal using a flash loan obtained from dYdX.
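A defender's view of the flaw described above, as an added example that is not part of the original post or the challenge's Solidity code: a simplified in-memory JavaScript model comparing the last-snapshot vote check with one that reads the balance at the end of the previous block. The `Token` class, both check functions, the `others` holder and the block numbers are constructed for illustration.

```javascript
// Simplified in-memory model (constructed); not the challenge's Solidity contracts.
class Token {
  constructor(balances) {
    this.balances = { ...balances };
    this.totalSupply = Object.values(balances).reduce((a, b) => a + b, 0);
    this.block = 1;
    this.lastSnapshot = { ...balances }; // ERC20Snapshot-style frozen copy
    this.checkpoints = {};               // account -> [{ block, balance }]
    for (const a of Object.keys(balances)) {
      this.checkpoints[a] = [{ block: 0, balance: balances[a] }];
    }
  }
  transfer(from, to, amount) {
    if ((this.balances[from] || 0) < amount) throw new Error("insufficient balance");
    this.balances[from] -= amount;
    this.balances[to] = (this.balances[to] || 0) + amount;
    for (const a of [from, to]) this.checkpoint(a);
  }
  // One checkpoint per block; later writes in the same block overwrite it,
  // so the stored value is always the end-of-block balance.
  checkpoint(a) {
    const list = this.checkpoints[a] || (this.checkpoints[a] = []);
    const last = list[list.length - 1];
    if (last && last.block === this.block) last.balance = this.balances[a];
    else list.push({ block: this.block, balance: this.balances[a] });
  }
  snapshot() { this.lastSnapshot = { ...this.balances }; } // callable at any point
  balanceAtEndOf(a, block) {
    let v = 0;
    for (const c of this.checkpoints[a] || []) if (c.block <= block) v = c.balance;
    return v;
  }
}

// Check as the article describes it: votes come from the last recorded snapshot.
const lastSnapshotCheck = (t, who) => (t.lastSnapshot[who] || 0) > t.totalSupply / 2;
// Hardened variant: votes come from the balance at the end of the previous block.
const priorBlockCheck = (t, who) => t.balanceAtEndOf(who, t.block - 1) > t.totalSupply / 2;

// Borrow, snapshot, evaluate both checks, repay: all inside block 10.
function flashLoanScenario() {
  const t = new Token({ pool: 1500000, others: 500000 }); // "others" is constructed
  t.block = 10;
  t.transfer("pool", "borrower", 1500000);
  t.snapshot();
  const during = { weak: lastSnapshotCheck(t, "borrower"), hardened: priorBlockCheck(t, "borrower") };
  t.transfer("borrower", "pool", 1500000);
  t.block = 11; // one block later: the stale snapshot still counts, checkpoints do not
  return { ...during, weakLater: lastSnapshotCheck(t, "borrower"), hardenedLater: priorBlockCheck(t, "borrower") };
}
```

The stale snapshot keeps reporting the borrowed balance after repayment, while the per-block checkpoint never records it because the loan is opened and closed within the same block.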