Damn Vulnerable DeFi Challenges : #6 Selfie

By akohad, Feb 1, 2023

  • SelfiePool.sol
    This pool is like the other ones: it gives flash loans to users (loans that must be returned by the end of the transaction; if they are not returned, the transaction reverts). What sets this pool apart from the others is that it is controlled by a governance contract (next contract). The governance has the ability to drain all funds (if you see a protocol like this one, run!)
  • SimpleGovernance.sol
    This is the governance contract, the one that controls the SelfiePool funds. To take part in this governance, users need to hold governance tokens, which here are DVT tokens with snapshot capabilities added. Users can propose an action, and depending on some conditions the action will be executed.
  • DamnValuableTokenSnapshot.sol
    The governance token used by the governance contract: an ERC20 token with snapshot capabilities (it can record each user's balance at a particular time).

Selfie Pool

SimpleGovernance

  1. L41 — attackRewardPool(), which calls the flashLoan function, requesting a loan equal to the whole balance of the pool.
  2. L47 — receiveTokens, which is called by the pool during the flash loan.
    This function triggers a snapshot of the governance token, as the snapshot is what the governance uses to check whether a user has the right to queue an action.
    L56–60 — Then, after making sure the snapshot allows me to queue the action, I queue the drainAllFunds(address) function in the governance's list of actions, where the address is myself, the owner of the contract.
    L62 — Finally, I pay back the loan, as the lending pool requires this in order not to revert.
  3. After the 2-day period I can call the finalAttack() function of my contract, which will execute the action and send me all the funds!

Recommended Mitigation Steps
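
One possible mitigation, shown as an added example that is not part of the original post or of the challenge's contracts: a small Python model that puts a voting check trusting the latest snapshot beside one that only accepts a snapshot from an earlier block. All names, balances, the "more than half of supply" threshold and the one-block minimum age are assumptions of this model.

```python
# Simplified model (added example): every name and number here is constructed.
from dataclasses import dataclass, field

@dataclass
class SnapshotToken:
    balances: dict
    snapshots: list = field(default_factory=list)  # (block, copy of balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def snapshot(self, block):
        # Callable by anyone, which is what the receiveTokens step relies on.
        self.snapshots.append((block, dict(self.balances)))

def votes_last_snapshot(token, account, block):
    """Weak check: trusts the most recent snapshot, however fresh it is."""
    if not token.snapshots:
        return False
    _, bal = token.snapshots[-1]
    return 2 * bal.get(account, 0) > sum(bal.values())

MIN_SNAPSHOT_AGE = 1  # assumed policy: snapshot must predate the current block

def votes_aged_snapshot(token, account, block):
    """Hardened check: only a snapshot from an earlier block counts."""
    aged = [b for blk, b in token.snapshots if blk <= block - MIN_SNAPSHOT_AGE]
    if not aged:
        return False
    bal = aged[-1]
    return 2 * bal.get(account, 0) > sum(bal.values())

def queue_during_flash_loan(check):
    """One transaction: borrow the pool, snapshot, try to queue, repay."""
    token = SnapshotToken({"pool": 1_500_000, "holders": 500_000, "borrower": 0})
    token.snapshot(block=10)                  # snapshot from an earlier block
    block = 11                                # block of the flash-loan transaction
    loan = token.balances["pool"]
    token.transfer("pool", "borrower", loan)
    token.snapshot(block)                     # taken while holding the loan
    queued = check(token, "borrower", block)  # would the governance accept?
    token.transfer("borrower", "pool", loan)  # repay, otherwise the loan reverts
    return queued, token.balances["borrower"]
```

The aged-snapshot rule only excludes voting power that exists within a single transaction; tokens held across blocks still count.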