/damn-vulnerable-defi

The smart contract security training ground for developers, security researchers and educators.

Primary LanguageSolidityMIT LicenseMIT

Damn Vulnerable DeFi

Damn Vulnerable DeFi is the smart contract security playground for developers, security researchers and educators.

Perhaps the most sophisticated vulnerable set of Solidity smart contracts ever witnessed, it features flashloans, price oracles, governance, NFTs, DEXs, lending pools, smart contract wallets, timelocks, vaults, meta-transactions, token distributions, upgradeability and more.

Use Damn Vulnerable DeFi to:

  • Sharpen your auditing and bug-hunting skills.
  • Learn how to detect, test and fix flaws in realistic scenarios to become a security-minded developer.
  • Benchmark smart contract security tooling.
  • Create educational content on smart contract security with articles, tutorials, talks, courses, workshops, trainings, CTFs, etc.

Install

  1. Clone the repository.
  2. Checkout the latest release (for example, git checkout v4.0.1)
  3. Rename the .env.sample file to .env and add a valid RPC URL. This is only needed for the challenges that fork mainnet state.
  4. Either install Foundry, or use the provided devcontainer (In VSCode, open the repository as a devcontainer with the command "Devcontainer: Open Folder in Container...")
  5. Run forge build to initialize the project.

Usage

Each challenge is made up of:

  • A prompt located in src/<challenge-name>/README.md.
  • A set of contracts located in src/<challenge-name>/.
  • A Foundry test located in test/<challenge-name>/<ChallengeName>.t.sol.

To solve a challenge:

  1. Read the challenge's prompt.
  2. Uncover the flaw(s) in the challenge's smart contracts.
  3. Code your solution in the corresponding test file.
  4. Try your solution with forge test --mp test/<challenge-name>/<ChallengeName>.t.sol.

In challenges that restrict the number of transactions, you might need to run the test with the --isolate flag.

If the test passes, you've solved the challenge!

Challenges may have more than one possible solution.

Rules

  • You must always use the player account.
  • You must not modify the challenges' initial nor final conditions.
  • You can code and deploy your own smart contracts.
  • You can use Foundry's cheatcodes to advance time when necessary.
  • You can import external libraries that aren't installed, although it shouldn't be necessary.

Troubleshooting

You can ask the community for help in the discussions section.

Disclaimer

All code, practices and patterns in this repository are DAMN VULNERABLE and for educational purposes only.

DO NOT USE IN PRODUCTION.