Links

Unstoppable

Description

There's a lending pool with a million DVT tokens in balance, offering flash loans for free.
If only there was a way to attack and stop the pool from offering flash loans ...
You start with 100 DVT tokens in balance.

Code Audit

In function flashLoan(), there is a suspicious assert statement:
flashLoan() assert statement
Recall that the objective of this challenge is to stop the pool (kind of like DoS attack), so if we break this assert statement we will pass this level.

Solution

The function depositTokens() can update poolBalance, and the developer assumed that this function is the only way to update poolBalance.
However, we can simply transfer some DVT tokens to pool (here pool = UnstoppableLender(poolAddress) was set in the constructor) to increase uint256 balanceBefore = damnValuableToken.balanceOf(address(this)), and this will break the assert statement.
Implement exploit() in test_unstoppable.py:
def exploit(pool, attacker, token):
"""Send some tokens to the pool to increase balanceBefore."""
token.transfer(pool.address, '0.1 ether', {'from':attacker})
Here is the Brownie syntax reference: