This PR adds a solution for `puppet-v2` challenge of Damn Vulnerable Defi.

The solution works this way:
- `deploy.js` file for initialization instead of importing source files and instantiating classes
- `deploy.js` are used in `PuppetV2PoolEchidna`
- `PuppetV2PoolEchidna` contains several helper functions used to interact with `Uniswap`, `WETH`, etc.
- `PuppetV2PoolEchidna` contract is treated as the attacker in the challenge

Short justification:
- `deploy.js` is used, since otherwise, it would be necessary to import both `Uniswap`, `DamnValuableToken`, `WETH` and `PuppetV2Pool`, but they use several different versions of `solidity`. In fact, even `Uniswap` itself uses different versions for `core` and for `periphery`. So if I wanted to import all the files in a classic way, it would require migrating the entire `Uniswap` to a common `solidity` version (which is not only fixing imports in each file), which doesn't make too much sense in my opinion.
- `PuppetV2PoolEchidna` is used as the attacker, because some functions require, for instance, approving some tokens that are not available at the contract deployment.
- `puppet-v2.yaml` uses the `balanceContract` option to supply the contract with the initial attacker's balance.

However, there are two issues:
- `echidna` is provided just with 3 functions that it can call; if I allowed it to choose the `amount` in borrow, it wasn't capable of finding the solution. While manually setting the amount in `getWeth` function is not a big deal (it's logical to convert as much `ETH` to `WETH` as possible, since we cannot use plain `ETH` to borrow tokens), if we do the same in `borrow`, it is almost like solving the challenge ourselves (that is, we can no longer treat `echidna` like a black box that will just find a solution if we didn't know it already).
- `ETH` to pay for the transactions). But I do not think that it's a big deal - I just want to state it here for informational purposes.

Even if you think that it doesn't make sense to create an exercise out of it, I still think the solution has its value, and might even be presented as an example in some new exercise in the `building-secure-contracts` repository as it shows how to handle more complex cases when we are unable to import source files for some reason.

But if you think that it's suitable for an exercise, I will be happy to add relevant description and tips in `building-secure-contracts`. I may also add a solution for `puppet` challenge if you wish (similar approach will probably be needed, since we don't have `Uniswap V1` sources).

I would be very grateful for any advice regarding the solution itself and the issues I have written about.