Awesome
Secureum A-MAZE-X Stanford
A Smart Contract Security Capture the Flag Workshop
hosted by the Stanford University as part of Defi Security 101
built by eugenioclrc and luksgrin
special thanks to patrickd, StErMi, tinchoabbate and Rajeev for reviewing, commenting and helping during the elaboration and design of this CTF Workshop
Instructions ๐น๏ธ
This Workshop consists in a series of challenges, of increasing difficulty, targetting different concepts and common vulnerabilities found in DeFi. The CTF is designed in different flavors for all kinds of users.
How to play
This workshop provides different flavors. Feel free to use the one you feel more comfortable with:
- Option 1: Online through our interactive website
- Option 2: Online through
TenderlySandbox
- Option 3: Locally with
Foundry
- Option 4: Locally with
Hardhat
- Option 5: Online through Gitpod, either using
Foundry
- Option 6: Online through Gitpod, using
Hardhat
Important note
This set of challenges aren't set for competitive purposes. Their main objective is to showcase scenarios involving DeFi, Solidity
concepts and common vulnerabilities.
Focus on learning and having fun! ๐
Challenges ๐ฎ
Challenge 0: VitaToken seems safe, right?
Let's begin with a simple warm up. Our beloved Vitalik is the proud owner of 100 $VTLK, which is a token that follows the ERC20 token standard. Or at least that is what it seems... ๐๐๐
๐ Upon deployment, the VToken
contract mints 100 $VTLK to Vitalik's address.
Is there a way for you to steal those tokens from him? ๐๐๐
<details> <summary>๐๏ธ <i>Concepts you should be familiar with (spoilers!)</i></summary> <ul> <li><i><a href=https://ethereum.org/en/developers/docs/standards/tokens/erc-20>The ERC20 token standard</a>, especially the meaning of approving funds.</i></li> </ul> </details>The contracts that you will hack are:
Challenge 1: What a nice Lender Pool!
Secureum has raised a lot of Ether and decided to buy a bunch of
InSecureumToken
s ($ISEC) in order to make them available to the community
via flash loans. This is made possible by means of the InSecureumLenderPool
contract.
๐ Upon deployment, the InSecureumToken
contract mints an initial supply of 10 $ISEC to the contract deployer.
๐ The InSecureumLenderPool
contract operates with $ISEC.
๐ The contract deployer transfers all of their $ISEC to the InSecureumLenderPool
contract.
๐ The idea is that anyone can deposit $ISECs to enlarge the pool's resources.
Will you be able to steal the $ISECs from the InSecureumLenderPool
? ๐๐๐
The contracts that you will hack are:
Which have interactions with the following contracts:
Challenge 2: it's always sunny in decentralized exchanges
I bet you are familiar with decentralized exchanges: a magical place where one can exchange different tokens.
InsecureDexLP
is exactly that: a <s>very insecure</s> Uniswap-kind-of decentralized exchange.
Recently, the $ISEC token got listed in this dex and can be traded against a not-so-popular token called $SET.
๐ Upon deployment, the InSecureumToken
and SimpleERC223Token
contracts mint an initial supply of tokens 10 $ISEC and 10 $SET to the contract deployer.
๐ The InsecureDexLP
operates with $ISEC and $SET.
๐ The dex has an initial liquidity of 9 $ISEC and 9 $SET, provided by the contract deployer. This quantity can be increased by anyone through token deposits.
๐ Adding liquidity to the dex rewards liquidity pool tokens (LP tokens), which can be redeemed in any moment for the original funds.
๐ In the foundry
implementation, the deployer graciously airdrops the challenger (you!) 1 $ISEC and 1 $SET. In the TenderlySandbox
implementation, the challenger must call the exclusive claimAirdrop()
functions of each of the token contracts, obtaining this way 1 $ISEC and 1 $SET.
Will you be able to drain most of InsecureDexLP
's $ISEC/$SET liquidity? ๐๐๐
The contracts that you will hack are:
Which have interactions with the following contracts:
Challenge 3: borrow, hide and seek
Finally, as a conclusion to this <s>not-so-secure</s> ecosystem, the Secureum team built the BorrowSystemInsecureOracle
lending platform where one can borrow and loan $ISEC and BoringToken
($BOR). Both tokens can be borrowed by either providing themselves or the other token as collateral.
๐ Upon deployment, the InSecureumToken
and BoringToken
contracts mint an initial supply of 30000 $ISEC and 20000 $BOR to the contract deployer.
๐ BorrowSystemInsecureOracle
uses the InsecureDexLP
to compute the $ISEC/$BOR price.
๐ The deployer adds an initial liquidity of 100 $ISEC and 100 $BOR to the InsecureDexLP
.
๐ Similarly, InSecureumLenderPool
contract is funded with 10000 $ISEC by the deployer.
๐ The BorrowSystemInsecureOracle
contract has an initial amount of 10000 $ISEC and 10000 $BOR provided by the deployer.
๐ Users can add collateral and take loans from BorrowSystemInsecureOracle
.
๐ Users may also get liquidated.
Will you be able to drain all the $ISEC from BorrowSystemInsecureOracle
? ๐๐๐
The contracts that you will hack are:
Which have interactions with the following contracts:
- InSecureumLenderPool (this contract should be used by the attacker as part of the attack)
- InsecureDexLP
- InSecureumToken
- BoringToken
CTF Writeup ๐๏ธ๐๏ธ๐๏ธ
Follow this link to access this CTF's writeup by patrickd.
Follow this link for a more detailed walk-through for each challenge by Matรญas Aereal Aeรณn.
Follow this link for another writeup using contracts in hardhat by faucet0x9a54.