Damn Vulnerable DeFi is the wargame to learn offensive security of DeFi smart contracts.
Throughout numerous challenges you will build the skills to become a bug hunter or security auditor in the space.
Challenges
Each challenge can be considered standalone. Depending on the challenge, you should either stop the system from working, take as much funds as possible, or do some other unexpected things.
Notice: this is the latest version of Damn Vulnerable DeFi (read the announcement and changes). If you're looking for the old version, go to the v1 page.
| # | Name | |
|---|---|---|
| 1 | Unstoppable | |
| 2 | Naive receiver | |
| 3 | Truster | |
| 4 | Side entrance | |
| 5 | The rewarder | |
| 6 | Selfie | |
| 7 | Compromised | |
| 8 | Puppet | |
| 9 | Puppet v2 | |
| 10 | Free rider | |
| 11 | Backdoor | |
| 12 | Climber |
How to play
- Clone the repository
- Checkout the latest version with
git checkout v2.0.0 - Install dependencies with
yarn - Code your solutions in the provided
*.challenge.jsfiles (inside each challenge's folder in thetestfolder) - Run your exploit for a challenge with
yarn run challenge-name. If the challenge is executed successfully, you've passed!
Tips and tricks
- In all challenges you must use the account called
attacker. In Ethers, that should translate to using.connect(attacker). - To code the solutions, you may need to refer to Ethers and Hardhat docs.
- In some cases, you may need to code and deploy custom smart contracts.
Community
Were you able to solve all challenges ? Did you get stuck ?
Join the Discord server.