Damn Vulnerable DeFi Solutions

Damn Vulnerable DeFi is a collection of smart contract security challengers for developers, security researchers and educators.

I am working through the Damn Vulnerable DeFi V4 series to solve each challenge. This repo contains the path to my solutions. For a full walk through of each challenge, check out my blog posts at: https://medium.com/@jessonchain

Challenge 1: https://medium.com/@jessonchain/its-so-damn-vulnerable-defi-v4-a-guide-to-solve-challenge-1-7fccf9d148ba

Challenge 2: https://medium.com/@jessonchain/its-so-damn-vulnerable-defi-v4-a-guide-to-solve-challenge-2-40591b3271a9

Damn Vulnerable DeFi Challenges

Damn Vulnerable DeFi is the smart contract security playground for developers, security researchers and educators.

Perhaps the most sophisticated vulnerable set of Solidity smart contracts ever witnessed, it features flashloans, price oracles, governance, NFTs, DEXs, lending pools, smart contract wallets, timelocks, vaults, meta-transactions, token distributions, upgradeability and more.

Use Damn Vulnerable DeFi to:

• Sharpen your auditing and bug-hunting skills.
• Learn how to detect, test and fix flaws in realistic scenarios to become a security-minded developer.
• Benchmark smart contract security tooling.
• Create educational content on smart contract security with articles, tutorials, talks, courses, workshops, trainings, CTFs, etc.

Install

1. Clone the repository.
2. Checkout the latest release (for example, git checkout v4.0.1)
3. Rename the .env.sample file to .env and add a valid RPC URL. This is only needed for the challenges that fork mainnet state.
4. Either install Foundry, or use the provided devcontainer (In VSCode, open the repository as a devcontainer with the command "Devcontainer: Open Folder in Container...")
5. Run forge build to initialize the project.

Usage

Each challenge is made up of:

• A prompt located in src/<challenge-name>/README.md.
• A set of contracts located in src/<challenge-name>/.
• A Foundry test located in test/<challenge-name>/<ChallengeName>.t.sol.

To solve a challenge:

1. Read the challenge's prompt.
2. Uncover the flaw(s) in the challenge's smart contracts.
3. Code your solution in the corresponding test file.
4. Try your solution with forge test --mp test/<challenge-name>/<ChallengeName>.t.sol.

In challenges that restrict the number of transactions, you might need to run the test with the --isolate flag.

If the test passes, you've solved the challenge!

Challenges may have more than one possible solution.

Rules

• You must always use the player account.
• You must not modify the challenges' initial nor final conditions.
• You can code and deploy your own smart contracts.
• You can use Foundry's cheatcodes to advance time when necessary.
• You can import external libraries that aren't installed, although it shouldn't be necessary.

Troubleshooting

You can ask the community for help in the discussions section.

Disclaimer

All code, practices and patterns in this repository are DAMN VULNERABLE and for educational purposes only.

DO NOT USE IN PRODUCTION.