How to Solve the First Damn Vulnerable DeFi V4 Challenge: Unstoppable
Johnny Time
Founder @ Ginger Security | Blockchain Security Engineer and Web3 Security Educator. Learn more at: johnnytime.xyz
Welcome to the first challenge in Damn Vulnerable DeFi V4! If you’re here, it means you want to start your journey into smart contract security, and this challenge is the perfect place to begin.
By the end of this walkthrough, you’ll understand how to think like an attacker, break a smart contract, and ultimately gain the mindset of a Web3 security researcher.
I’ve also prepared a complete step-by-step video tutorial which you can watch here:
The Challenge: Unstoppable
The goal is simple: halt the UnstoppableVault contract. This vault allows users to take out flash loans, but there’s a hidden vulnerability that lets us break the system and stop it from functioning. Let’s walk through it step by step.
Understanding the Vulnerability
The UnstoppableVault contract has a flash loan function that checks an invariant before allowing a loan. That check ensures that:
totalAssets == totalSupply
As long as these two numbers match, the vault works fine. But what if we could make them unequal?
That’s exactly the vulnerability we can exploit! If we find a way to change the totalAssets without changing totalSupply, the vault will break.
And guess what? We can do that with a simple token transfer.
This is exactly the type of vulnerability real hackers exploit in DeFi. But here’s the thing: there’s a lot more to learn! That’s why I built the Smart Contract Hacking Course - to help you become a top-tier security expert.
Here’s what you’ll get:
If this challenge felt a bit too high for you, or if you find yourself having to gather bits and pieces of information all over the internet, the Smart Contract Hacking Course is exactly what you need. It will guide you step by step, all in one place, so you don’t have to waste time figuring everything out by yourself.
Get your FREE trial here: https://smartcontractshacking.com/
Exploiting the Contract
We don’t need to call any special function or exploit any reentrancy. All we have to do is send a single token directly to the vault.
Why Does This Work?
That’s it. We just stopped the vault with a single small token transfer :)
Let’s see this in action.
Writing the Exploit
The attack is ridiculously simple. In the test file Unstoppable.t.sol, we will add the following code inside the test_unstoppable() function:
function test_unstoppable() public checkSolvedByPlayer {
    // Send 1 token unit straight to the vault, bypassing deposit(), so no shares are minted
    token.transfer(address(vault), 1);
}
This function transfers 1 wei of the token directly to the vault and breaks the system.
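To see why that single transfer is enough, here is an added example that is not part of the original post or the challenge code: a simplified Python model of the accounting, assuming shares are minted 1:1 with deposits. The class names, addresses and balances are hypothetical, and TrackedVault shows one possible mitigation (counting only assets that arrive through deposit()).

```python
# Simplified model, not the challenge's Solidity: shares are minted 1:1 with
# deposits. All class and function names here are hypothetical.
class Token:
    def __init__(self):
        self.balances = {}

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.mint(to, amount)  # credit the recipient

class StrictVault:
    """Flash loan guarded by the strict equality the article describes."""
    def __init__(self, token):
        self.token, self.total_supply, self.tracked = token, 0, 0

    def total_assets(self):
        # Live token balance: anyone can raise it with a plain transfer.
        return self.token.balances.get("vault", 0)

    def deposit(self, sender, amount):
        self.token.transfer(sender, "vault", amount)
        self.total_supply += amount  # shares move only through deposit()
        self.tracked += amount

    def flash_loan(self, amount):
        if self.total_assets() != self.total_supply:
            raise RuntimeError("InvalidBalance")
        return amount  # lending and repayment are elided in this model

class TrackedVault(StrictVault):
    """Hardened variant: counts only assets that arrived through deposit()."""
    def total_assets(self):
        return self.tracked

def run(vault_cls):
    token = Token()
    token.mint("deployer", 1_000_000)  # constructed sample balances
    token.mint("player", 10)
    vault = vault_cls(token)
    vault.deposit("deployer", 1_000_000)
    vault.flash_loan(100)                 # invariant holds, loan allowed
    token.transfer("player", "vault", 1)  # the direct 1-unit transfer
    try:
        return vault.flash_loan(100)
    except RuntimeError as err:
        return str(err)
```

run(StrictVault) ends with the invariant check rejecting every loan, while run(TrackedVault) keeps lending because the stray unit never enters its accounting.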
Running the Exploit
Simply run the following command from your terminal:
forge test --mp test/unstoppable/Unstoppable.t.sol
And voilà! The contract was exploited and we completed the first challenge!
Key Takeaways from this Challenge
If you enjoyed this challenge, keep going! There are plenty more vulnerabilities to find and exploit. And if you want to fast-track your learning, check out the Smart Contract Hacking Course and join our security community.
Happy hacking!