Setup level 3

Clone the challenge repository (branch v3.0.0):

git clone https://github.com/tinchoabbate/damn-vulnerable-defi.git --branch v3.0.0

Open the damn-vulnerable-defi folder as a VSCode project and locate the following files:

├── contracts
│   ├── truster
│   │   ├── TrusterLenderPool.sol        // The contract
├── test
│   ├── truster
│   │   └── truster.challenge.js

Install dependencies and run the challenge to verify it works:

yarn install
yarn truster

A correct output at this part would be:

  [Challenge] Truster
    1) "after all" hook for "Execution"

  1 passing (2s)
  1 failing

  1) [Challenge] Truster
       "after all" hook for "Execution":

      AssertionError: expected 0 to equal 1000000000000000000000000. The numerical values of the given "ethers.BigNumber" and "bigint" inputs were compared, and they differed.
      + expected - actual

Understanding the challenge objective

In our truster.challenge.js we can inspect the conditions to complete the challenge:

after(async function () {

    // Player has taken all tokens from the pool
        await token.balanceOf(player.address)
        await token.balanceOf(pool.address)

At least the objective is simple on this one - steal all the tokens from the Truster Lender Pool.

Fake Product Landing Page / Info

In a proper audit, rather than a challenge, you'd have some marketing data / protocol RFC / whitepapers to research about before diving into the code.

Imagine the following as public information found about the solution.

Most Trusted Lending Pool in DeFi! 💫

💫 Explore the pinnacle of DeFi lending with TrusterLenderPool!

Our Ethereum-based lending pool redefines secure and efficient borrowing, with 1 million DVT tokens !!

Where else will you find an innovative fee-free borrowing solution??

You were called for a quick scoped audit on the NaiveReceiver protocol.

The scope is as follows:

In the scoping call, the client had described the product is especially reliant on these token contracts standards:

The client mentioned that since the pool contains 1 million tokens, they are the most afraid from an attacker being able to steal the money from the pool.

Please review the code and let us know if you discover any risks!

Last updated