✅Invest Pool

Idea

Part 1: initialize the pool with the password

A hint for password:

        // Password could be found in Goerli contract
        // 0xA45aC53E355161f33fB00d3c9485C77be3c808ae
        // Hint: Password length is more than 30 chars

This address does not expose password in any state variable, but we can find something in its metadata. Use this site to extract metadata:

Sourcify metadata playgroundsourcifyeth

Here we can find an ipfs address. Click that "View on IPFS" button:

Password is:

j5kvj49djym590dcjbm7034uv09jih094gjcmjg90cjm58bnginxxx

Part 2: exploit first depositor inflation attack

Note that we can pass the assertion by stealing just a little bit of tokens:

assertGt(token.balanceOf(hacker), hackerBalanceBeforeHack);

Also there is a helper function in the provided PoC template:

    function userDeposit(uint amount) public {
        vm.prank(user);
        pool.deposit(amount);
        vm.stopPrank();
    }

It should be crystal clear that the intended attack is the "first depositor inflation attack". The idea of that attack is:

• attacker deposits 1 wei to get 1 share as the first depositor

• attacker send a lot of tokens to the pool to inflate the share (I think of this as "sacrifice" some tokens to inflate the share)

• victim user deposits some money into the pool

• attacker withdraws that one share. It worths more than expected because the share was inflated. A portion of victim user's deposit will become attacker's profit.

PoC

QuillCTF-PoC/InvestPool/test/PoC.t.sol at main · ret2basic/QuillCTF-PoCGitHub