Unstoppable
There's a lending pool with a million DVT tokens in balance, offering flash loans for free.
If only there was a way to attack and stop the pool from offering flash loans ...
You start with 100 DVT tokens in balance.
In function
flashLoan(), there is a suspicious assert statement:%20assert%20statement.png?alt=media&token=533f160e-46f7-462c-a1f1-8e7ca709b0f9)
flashLoan() assert statement
Recall that the objective of this challenge is to stop the pool (kind of like DoS attack), so if we break this
assert statement we will pass this level.The function
depositTokens() can update poolBalance, and the developer assumed that this function is the only way to update poolBalance.However, we can simply transfer some DVT tokens to
pool (here pool = UnstoppableLender(poolAddress) was set in the constructor) to increase uint256 balanceBefore = damnValuableToken.balanceOf(address(this)), and this will break the assert statement.Implement
exploit() in test_unstoppable.py:def exploit(pool, attacker, token):
"""Send some tokens to the pool to increase balanceBefore."""
token.transfer(pool.address, '0.1 ether', {'from':attacker})
Here is the Brownie syntax reference:
Quickstart — Brownie 1.19.1 documentation
Quickstart - Brownie doc
Last modified 4mo ago