Damn Vulnerable DeFi V3 Challenge 9 Solution - Puppet V2 Walkthrough
Johnny Time
Welcome to another Damn Vulnerable DeFi V3 walkthrough! In today's video, we're going to crack the code on Damn Vulnerable DeFi V3 Challenge 9, better known as "Puppet V2".
But before we begin, if you're seriously committed to becoming a certified smart contract hacker, you need to check out the ultimate training program, the Smart Contract Hacking Course: https://johnnytime.xyz/smart-contract-hacker
Looking for all the Damn Vulnerable DeFi V3 challenges and solutions in one place? I've got you covered! Check out my dedicated YouTube playlist for a complete learning experience: https://www.youtube.com/watch?v=CfR1CcO8lEI&list=PLKXasCp8iWpiKdsSR18XdAyDeYlYzMG00&index=1
We've got the Damn Vulnerable DeFi Repository with Solutions on GitHub. Don't forget to show some love by leaving a star! https://github.com/RealJohnnyTime/damn-vulnerable-defi-v3-solutions-johnnytime
Challenge Overview: In the Puppet V2 challenge, we start with 20 ETH and 10,000 DVT tokens in our balance, while the smart contract guards a million DVT tokens. Our mission? To make off with the entire DVT token stash from the smart contract.
Smart Contracts Overview
Constructor: The constructor initializes Wrapped Ether (WETH), the DVT token (_token), the Uniswap pair with liquidity (_uniswapPair), and the Uniswap factory (_uniswapFactory).
Borrowing Functionality: The contract's primary role is to allow users to borrow the DVT token, but there's a twist: they must deposit three times the borrowed tokens' value in WETH as collateral. The "borrow" function calculates the required WETH, handles approvals, and transfers tokens.
Calculation Function: A function called calculateDepositOfWETHRequired(uint256 tokenAmount) calculates the exact amount of WETH required to borrow a specified amount of the token.
Price Oracle: The contract relies on the Uniswap V2 library to fetch price quotes from the Uniswap V2 pair liquidity, and that's where the problem begins.
The Vulnerability: The Puppet V2 challenge's vulnerability, similar to its predecessor's, revolves around how the contract obtains the price of the DamnValuableToken (DVT). Calculating the token's price from the liquidity pair contract's current reserves is a big no-no.
The reserves can't be manipulated through a flash swap, but they can be influenced with external capital owned by the attacker or obtained via a flash loan from another protocol. This vulnerability opens doors to creative exploits.
If this concept seems complex, building a strong foundation in smart contract security is crucial. Consider enrolling in the Smart Contract Hacking Course. You'll gain access to an exclusive community and a certification to kickstart your career as a Web3 Security Researcher: https://johnnytime.xyz/smart-contract-hacker
Planning Our Exploit: Our journey begins with a liquidity pool boasting 100 DVT tokens and 10 WETH. The plan? Dump all 10,000 DVT tokens into the pool and receive around 9 ETH in return. Let's manipulate that DVT price!
The Exploitation: We deploy the AttackPuppetV2 contract to execute our exploit. First, we swap 10,000 DVT tokens for WETH using Uniswap, setting the stage for our exploit.
Next, we convert any received ETH to WETH, ensuring all our collateral is in WETH form. Calculating the required WETH to borrow all DVT tokens, we approve the "PuppetV2Pool" contract to spend our WETH, and then we borrow a significant amount of DVT tokens. Victory is sweet!
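To see why reading price from pair reserves is unsafe, here is an added Python model (not code from the video or the challenge repository) that runs the walkthrough's numbers through the Uniswap V2 swap and quote formulas. The function names and the simplified "3x spot value" collateral rule are assumptions made for this illustration.

```python
# Added illustration (not the challenge's Solidity): integer model of a
# Uniswap V2 pair whose spot reserves are read as a price oracle.
WAD = 10**18  # 18-decimal base units, as used by WETH and DVT


def get_amount_out(amount_in, reserve_in, reserve_out):
    """Uniswap V2 constant-product swap output, including the 0.3% fee."""
    amount_in_with_fee = amount_in * 997
    return (amount_in_with_fee * reserve_out) // (reserve_in * 1000 + amount_in_with_fee)


def quote(amount_a, reserve_a, reserve_b):
    """Spot quote from raw reserves: no fee, no slippage, no time averaging."""
    return amount_a * reserve_b // reserve_a


def deposit_required(token_amount, reserve_token, reserve_weth, factor=3):
    """Simplified model of the pool rule: collateral is 3x the spot WETH value."""
    return quote(token_amount, reserve_token, reserve_weth) * factor


def simulate(token_sold, borrow_amount, reserve_token, reserve_weth):
    """Collateral demanded for borrow_amount before and after one large sell."""
    before = deposit_required(borrow_amount, reserve_token, reserve_weth)
    weth_out = get_amount_out(token_sold, reserve_token, reserve_weth)
    # The pair's reserves move with the trade, and so does the "oracle" price.
    after = deposit_required(
        borrow_amount, reserve_token + token_sold, reserve_weth - weth_out
    )
    return {"before": before, "weth_out": weth_out, "after": after}


# Figures from the walkthrough: pool of 100 DVT / 10 WETH, 10,000 DVT sold,
# 1,000,000 DVT held by the lending pool.
RESULT = simulate(10_000 * WAD, 1_000_000 * WAD, 100 * WAD, 10 * WAD)

if __name__ == "__main__":
    for name, value in RESULT.items():
        print(f"{name:>9}: {value / WAD:,.4f} WETH")
```

With these figures the model returns about 9.9 WETH for the sale, and the deposit demanded for 1,000,000 DVT falls from 300,000 WETH to about 29.5 WETH, which is why a lending pool should not price collateral from a single pair's current reserves.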
If you enjoyed this challenge and want more similar content:
Connect with me on LinkedIn: https://www.linkedin.com/in/johnnytime/
Follow me on Twitter: https://twitter.com/RealJohnnyTime
#smartcontracts artContractHacking #Web3Security ... https://www.youtube.com/watch?v=F4kqItXHDb0