Flash Loan, Re-Entrancy Attack, and DEX Oracle Manipulation Exploit on Ethereum (Trojan Coin Bricks Project Instructions)

Mike
Jun 22, 2020


These are the instructions for simulating Ethereum-based DeFi hacks. You can learn more about how Bricks simulation kits and manuals work here on Github.

In this Bricks project, we are going to simulate a few Ethereum-based platforms, such as decentralized exchanges, a flash loan provider, a margin platform, and a few ERC-20 tokens.

We will embed a backdoor inside a token, then place that token on an exchange with functionality similar to Uniswap. We will then activate that backdoor to carry out a re-entrancy attack that yields double the funds we should receive for a trade. We will also create a very simple flash loan provider that gives us the capital to execute an oracle manipulation attack: by manipulating the pricing data on a DEX, we know the future movement of a set of assets in advance and benefit from that knowledge on a platform with leverage (like dYdX in real life).

1. Create A New Ganache Project

Open your terminal, navigate to a folder you would like to create this project in (ideally something like Desktop/apps/), and run:

git clone https://github.com/BricksSandbox/hack TrojanBricksProject

cd TrojanBricksProject

Open the Ganache Desktop app. (Get it: https://www.trufflesuite.com/ganache)

Click the “New Workspace (Ethereum)” button on the desktop application’s main entry menu.

Navigate to the truffle-config.js file in your TrojanBricksProject folder and click Open.

Name the project whatever you’d like, but we’ll refer to the parent directory as TrojanBricksProject.

Using the default Ganache settings, click “Save Workspace”.

You should see this:

2. Set Up the Hacks with the Help of BrickHints

Drag the TrojanBricksProject folder to your Atom editor and open it as a project for future text editing.

Make sure you have Truffle. In your terminal, type:

truffle version

and you should see your Truffle version, which should be at least 5.0.

In your Atom editor, navigate to TrojanBricksProject/contracts/kits/TrojanCoinAndExchangeManipulation/before/TrojanCoinBefore.sol

Copy the malicious code located at the bottom of the contract (commented out).

Take the content between the /* and */ symbols and paste it before the last closing bracket, like this:

Save.

You have now added backdoor hacks to your smart contract. Please take a look at the code to get an idea of what it’s doing. If you’re not a coder, don’t worry, just read the best you can. Some of it will be used later in this Bricks project, and the rest you can use in future simulations to try out interesting things.

Navigate to TrojanBricksProject/contracts/kits/TrojanCoinAndExchangeManipulation/before/FlashLoanProvider1Before.sol

Move the BrickHint code from the commented section into the actual smart contract, as you did before.

This is an insecure but (for our simulation) easy-to-use flash loan provider that offers us a flash loan of a desired token, letting us borrow a million dollars (via an example token, eDAI), which is also built into this smart contract for simulation and simplicity purposes. Note: usually a token and a flash loan platform are separate contracts, but since they are linked in functionality for this simulation, we represent them as one contract with dual functionality.

Navigate to TrojanBricksProject/contracts/kits/TrojanCoinAndExchangeManipulation/before/HackableExchange1Before.sol

Read the BrickHint at the bottom. This will be used later when we migrate the contracts to the blockchain.

Navigate to TrojanBricksProject/contracts/kits/TrojanCoinAndExchangeManipulation/before/HackableExchange2Before.sol

Read the BrickHint at the bottom of this file as well. It will also be used later when we migrate the contracts to the blockchain.

3. Deploy The Contracts On-Chain

Navigate to TrojanBricksProject/migrations/1_initial_migration.js. This script deploys all your contracts to the blockchain: the contracts you edited with the BrickHints, plus known-working versions in case you made a mistake somewhere. The /after sister folder of the /before folder you have been editing in holds mirrored copies of your contracts that are, as mentioned, already working, just in case.

In your terminal, type:

truffle migrate

OR, if you’ve already migrated (i.e. the block count shown in the upper left-hand corner of the Ganache Desktop explorer is greater than 0, meaning you’ve run this before):

truffle migrate --reset

This deploys all of the contracts. When you click Transactions at the top, you should see something like this:

Go back to the terminal.

4. Call The Contracts

Change branches. First, commit your changes:

git add -A; git commit -m "my edits"

Then, to switch branches, type in your terminal:

git checkout -b answers

Then type:

git pull origin sandbox

This switches to a similar set of code in another branch that contains the code you need. Navigate back to TrojanBricksProject/migrations/1_initial_migration.js and copy the new code that has appeared in that file.

Back in your terminal, switch back to your master branch:

git checkout master

If you run into any issue, make sure you have committed your changes as you did previously before switching back to the master branch.

The file should return to its original form. Overwrite the migration file with the answer code you copied from the other branch.

Two paths from here:

Option A (skip to Option B if you feel lazy): to run your own code that you’ve worked on, comment out or delete lines 1-4 in the migration JS file.

Replace all of the following:

TrojanCoinAfter -> TrojanCoinBefore

FlashLoanProvider1After -> FlashLoanProvider1Before

HackableExchange1After -> HackableExchange1Before

HackableExchange2After -> HackableExchange2Before

Option B. Continue.

Read the code. Here’s what you’re doing here:

Creating the Trojan coin with the backdoors we added, a flash loan platform, and two kinds of exchanges (in reality these would already exist, but in Ganache we have to create them ourselves, since they are the only things that exist on this personal simulation blockchain). Next we deploy them. After deploying our first backdoor contract, we activate the re-entrancy attack on the TrojanCoin by calling its activatereentry function. This is what lets us hack the first exchange later: when the exchange calls our token’s transfer function to move tokens from one account to another, that call re-enters the exchange’s trade function and gets more funds out than a single trade should pay. If the re-entrancy hack is not activated, we simply get back the default rate for this example coin.
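As an added illustration (not code from the Bricks kit), here is the exchange-side pattern that lets a token-triggered re-entry get paid twice, beside a hardened version; the IERC20 interface, the ETH payout and the RATE constant are assumptions of this example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface the exchange needs (assumed interface for this example).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address owner) external view returns (uint256);
}

// WEAK: pays the seller for the *claimed* amount as soon as the token reports success,
// and nothing stops the token's transferFrom from calling sell() again before it returns.
contract VulnerableExchange {
    IERC20 public immutable token;
    uint256 public constant RATE = 1e15; // constructed: one token unit buys 0.001 ETH
    constructor(IERC20 _token) { token = _token; }
    receive() external payable {}

    function sell(uint256 amount) external {
        uint256 owed = amount * RATE;
        // Control passes to the token here. A backdoored token can re-enter sell(),
        // reach the payout below, then return true so this outer call pays out too.
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        (bool ok, ) = msg.sender.call{value: owed}("");
        require(ok, "payout failed");
    }
}

// HARDENED: a re-entrancy guard makes the nested sell() revert, and the payout is
// based on the token balance the exchange actually observed, not on the argument.
contract HardenedExchange {
    IERC20 public immutable token;
    uint256 public constant RATE = 1e15;
    bool private locked;
    modifier nonReentrant() {
        require(!locked, "re-entrant call");
        locked = true;
        _;
        locked = false;
    }
    constructor(IERC20 _token) { token = _token; }
    receive() external payable {}

    function sell(uint256 amount) external nonReentrant {
        uint256 balBefore = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = token.balanceOf(address(this)) - balBefore;
        require(received == amount, "received less than claimed"); // e.g. fee-on-transfer tokens
        (bool ok, ) = msg.sender.call{value: received * RATE}("");
        require(ok, "payout failed");
    }
}
```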

Then in the second portion, which we uncomment (between the /* and */ at the bottom), we create a massive position on a margin platform, borrowing to bet that the price of our chosen coin will go way up. We take the flash loan to jack up the price of our TrojanCoin, then close the position on the margin platform, having pocketed a large profit and successfully executed an oracle manipulation attack.

Uncomment the second portion of the hacks as described above.

In your terminal, type:
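As an added example (not the kit’s HackableExchange2 or margin platform code), a pair-backed price oracle showing the spot-reserve read that the attack above exploits beside a time-weighted average that resists a single-transaction skew; the IPair interface and the PERIOD length are assumptions of this example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed interface to a constant-product pair (constructed; not the kit's exchange).
interface IPair {
    function reserves() external view returns (uint256 reserveToken, uint256 reserveQuote);
}

contract PriceOracle {
    IPair public immutable pair;
    uint256 public constant PERIOD = 30 minutes; // constructed window length
    uint256 private cumulative; // sum of (spot that held) * (seconds it held)
    uint256 private lastSpot;
    uint256 private lastTs;
    uint256 private periodCum;
    uint256 private periodTs;
    uint256 private average;    // 0 until the first full PERIOD has elapsed
    constructor(IPair _pair) {
        pair = _pair;
        lastSpot = spotPrice();
        lastTs = block.timestamp;
        periodTs = block.timestamp;
    }

    // WEAK: the pair's reserve ratio right now. A flash-loan-funded swap skews it within
    // one transaction, so a position can be opened, valued and closed at a chosen price.
    function spotPrice() public view returns (uint256) {
        (uint256 rToken, uint256 rQuote) = pair.reserves();
        return rQuote * 1e18 / rToken; // quote units per token, 18 decimals
    }

    // Call regularly (consumers should call it before reading). The spot seen at each call
    // is weighted by how long it stays in place, so a skew made and undone inside one
    // transaction is weighted only by the gap until the next call.
    function update() external {
        uint256 elapsed = block.timestamp - lastTs;
        if (elapsed > 0) {
            cumulative += lastSpot * elapsed;
            lastSpot = spotPrice();
            lastTs = block.timestamp;
        }
        uint256 span = block.timestamp - periodTs;
        if (span >= PERIOD) {
            average = (cumulative - periodCum) / span;
            periodCum = cumulative;
            periodTs = block.timestamp;
        }
    }

    // HARDENED: time-weighted average over the last completed PERIOD. Holding a skew for
    // a whole period means leaving that capital exposed to arbitrage for the whole period.
    function averagePrice() external view returns (uint256) {
        require(average != 0, "oracle not warmed up");
        return average;
    }
}
```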

truffle migrate --reset

You’ve executed the hacks! Congrats!

5. Test Your Work

Create a new Ganache project with a different name, but pointing to the same project (truffle-config.js).

You are now on a fresh blockchain with not much data. In your terminal, ensure you are on the master branch with:

git status

Navigate to and read: TrojanBricksProject/test/TrojanCoinAndExchangeManipulation.js

You will notice many test cases, each starting with

it("shoul…")

followed by a plain-text description of what is being tested. You can use this to test what you’ve done on a new blockchain.

Make sure the current block in the Ganache desktop app is zero. Then, run:

truffle test

All projects should pass their tests. You can now add new ideas, in addition to these hacks, and possible future hacks, and test them out.
