diff --git a/test/EthernautCTF/DoubleEntryExploit.t.sol b/test/EthernautCTF/DoubleEntryExploit.t.sol
new file mode 100644
index 0000000..aa1ee72
--- /dev/null
+++ b/test/EthernautCTF/DoubleEntryExploit.t.sol
@@ -0,0 +1,73 @@
+// SPDX-License-Identifier: GPL-3.0
+pragma solidity ^0.8.0;
+
+import '../../src/EthernautCTF/DoubleEntry.sol';
+import '@forge-std/Test.sol';
+import '@forge-std/console.sol';
+
+contract DoubleEntryExploit is Test {
+  CryptoVault target;
+  DoubleEntryPoint doubleEntryToken;
+  LegacyToken legacyToken;
+  Forta forta;
+
+  address deployerAddress = makeAddr('deployer');
+  address sweptTokenRecipientAddress = makeAddr('sweptTokenRecipient');
+  address exploiterAddress = makeAddr('exploiter');
+
+  function setUp() public {
+    vm.startPrank(deployerAddress);
+    target = new CryptoVault(sweptTokenRecipientAddress);
+    console.log('Target contract deployed');
+
+    legacyToken = new LegacyToken();
+    legacyToken.mint(address(target), 100 ether);
+    console.log('Legacy token contract deployed');
+
+    forta = new Forta();
+    console.log('Forta contract deployed');
+
+    doubleEntryToken = new DoubleEntryPoint(
+      address(legacyToken),
+      address(target),
+      address(forta),
+      exploiterAddress
+    );
+    console.log('DoubleEntry token contract deployed');
+
+    legacyToken.delegateToNewContract(doubleEntryToken);
+    console.log('Legacy token delegate to DoubleEntry token');
+
+    target.setUnderlying(address(doubleEntryToken));
+    console.log('CryptoVault underlying  token set to the DoubleEntry token');
+
+    vm.stopPrank();
+  }
+
+  function testExploit() public {
+    console.log(); // break line
+
+    uint256 vaultDoubleEntryTokenBalance = doubleEntryToken.balanceOf(
+      address(target)
+    );
+    console.log(
+      'Vault DoubleEntryToken balance: %d units',
+      vaultDoubleEntryTokenBalance / 1 ether
+    );
+    assertEq(vaultDoubleEntryTokenBalance, 100 ether);
+
+    uint256 vaultLegacyTokenBalance = legacyToken.balanceOf(address(target));
+    console.log(
+      'Vault LegacyToken balance: %d units',
+      vaultLegacyTokenBalance / 1 ether
+    );
+    assertEq(vaultLegacyTokenBalance, 100 ether);
+
+    vm.startPrank(exploiterAddress);
+
+    // CryptoVault contract
+    // - Anyone can transfer any token T balance of the vault to the sweptTokenRecipient address.
+
+    vm.stopPrank();
+  }
+}