Damn Vulnerable Defi — Challenge #1 — Unstoppable

This introductory challenge introduces you to the Damn Vulnerable Defi platform. Let’s get into it!

1. Go to the main website here and follow the How to Play instructions.
2. On your PC, after you have cloned the repo and can see the folders, head to contracts → unstoppable → UnstoppableLender.sol.
3. On UnstoppableLender.sol, we see that this contract has 2 public variables - damnValuableToken, poolBalance. poolBalance is being modified only in depositTokens. We can use this info to exploit the contract. Let’s check the flashLoan() function.
4. This function has a strange assert statement. First, let’s look at this variable called balanceBefore. balanceBefore shows how many tokens this contract has. Naturally, the balanceBefore needs to be higher than the amount being borrowed. The assert statement says that the poolBalance and balanceBefore must be equal. But as we saw earlier, if we use the depositTokens, only then does the poolBalance changes. So, if we don't use it and instead increase the balanceBefore, we can break the assert statement and hence make the contract not give out more DVT tokens.
5. We can achieve this by just sending some tokens to the contract from our address. This is the code exploit that will be written under test → unstoppable at the it(“Exploit” line on line 52, write this command

await this.token.connect(attacker).transfer(this.pool.address, INITIAL_ATTACKER_TOKEN_BALANCE);

6. That’s it, we are sending the contract some tokens with this command and breaking the flashLoans contract; now open the terminal and type in npm run unstoppable. Congrats on taking the first step to hacking solidity smart contracts.

Look out for more content explaining other Damn Vulnerable Defi challenges. Now, you are UNSTOPPABLE :) Happy hacking!