init

.devcontainer/devcontainer.json

@@ -0,0 +1,11 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/go
+{
+	"name": "Go",
+	"image": "mcr.microsoft.com/devcontainers/go:1-1.22-bookworm",
+	"features": {
+		"ghcr.io/devcontainers/features/hugo:1": {
+			"version": "latest"
+		}
+	}
+}

.github/dependabot.yml

@@ -0,0 +1,12 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for more information:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+# https://containers.dev/guide/dependabot
+
+version: 2
+updates:
+ - package-ecosystem: "devcontainers"
+   directory: "/"
+   schedule:
+     interval: weekly

.gitignore

@@ -0,0 +1,3 @@
+public
+.hugo_build.lock
+.env

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "data/prompts"]
+	path = data/prompts
+	url = https://github.com/theredguild/damn-vulnerable-defi.git

README.md

@@ -0,0 +1,13 @@
+# Landing page for Damn Vulnerable DeFi
+
+### Build
+
+`hugo`
+
+### Local development
+
+`hugo server`
+
+### Add a new challenge
+
+`hugo new challenges/<your-challenge-name>.md`

archetypes/challenges.md

@@ -0,0 +1,13 @@
+---
+{{ $amount := len (os.ReadDir "content/challenges") }}
+{{ $title := replace .Name "-" " " | title }}
+id: {{ $amount }}
+title: "{{ $title }}"
+contractsDir: "{{ .Name }}"
+challengeFile: "{{ replace $title " " "" }}.t.sol"
+draft: true
+aliases:
+    - /challenges/{{ $amount }}.html
+---
+
+{{< readprompt challenge="{{.Name}}" >}}

archetypes/default.md

@@ -0,0 +1,4 @@
+---
+id:
+title:
+---

config.yaml

@@ -0,0 +1,16 @@
+baseURL: https://damnvulnerabledefi.xyz/
+languageCode: en-us
+title: 'Damn Vulnerable DeFi'
+defaultContentLanguage: en
+contentDir: content
+staticDir: static
+relativeURLs: true
+disableKinds: ["sitemap","section","RSS"]
+
+params:
+  githubRepository: https://github.com/theredguild/damn-vulnerable-defi
+  xHandle: "theredguild"
+  support: https://github.com/theredguild/damn-vulnerable-defi/discussions
+  description: Learn smart contract security with the most vulnerable set of Solidity smart contracts ever witnessed.
+  keywords: ethereum, solidity, security, smart contracts, defi, ctf, challenges, education
+  currentVersion: v4.0.0

content/challenges/abi-smuggling.md

@@ -0,0 +1,9 @@
+---
+id: 15
+title: "ABI Smuggling"
+contractsDir: "abi-smuggling"
+challengeFile: "ABISmuggling.t.sol"
+draft: false
+---
+
+{{< readprompt challenge="abi-smuggling" >}}

content/challenges/backdoor.md

@@ -0,0 +1,9 @@
+---
+id: 11
+title: "Backdoor"
+contractsDir: "backdoor"
+challengeFile: "Backdoor.t.sol"
+draft: false
+---
+
+{{< readprompt challenge="backdoor" >}}

content/challenges/climber.md

@@ -0,0 +1,9 @@
+---
+id: 12
+title: "Climber"
+contractsDir: "climber"
+challengeFile: "Climber.t.sol"
+draft: false
+---
+
+{{< readprompt challenge="climber" >}}

content/challenges/compromised.md

@@ -0,0 +1,9 @@
+---
+id: 7
+title: "Compromised"
+contractsDir: "compromised"
+challengeFile: "Compromised.t.sol"
+draft: false
+---
+
+{{< readprompt challenge="compromised" >}}

content/challenges/curvy-puppet.md

@@ -0,0 +1,11 @@
+---
+id: 17
+title: "Curvy Puppet"
+contractsDir: "curvy-puppet"
+challengeFile: "CurvyPuppet.t.sol"
+draft: false
+aliases:
+    - /challenges/17.html
+---
+
+{{< readprompt challenge="curvy-puppet" >}}

content/challenges/free-rider.md

@@ -0,0 +1,9 @@
+---
+id: 10
+title: "Free Rider"
+contractsDir: "free-rider"
+challengeFile: "FreeRider.t.sol"
+draft: false
+---
+
+{{< readprompt challenge="free-rider" >}}

content/challenges/naive-receiver.md

@@ -0,0 +1,9 @@
+---
+id: 2
+title: "Naive receiver"
+contractsDir: naive-receiver
+challengeFile: NaiveReceiver.t.sol
+draft: false
+---
+
+{{< readprompt challenge="naive-receiver" >}}

content/challenges/puppet-v2.md

@@ -0,0 +1,9 @@
+---
+id: 9
+title: "Puppet V2"
+contractsDir: "puppet-v2"
+challengeFile: "PuppetV2.t.sol"
+draft: false
+---
+
+{{< readprompt challenge="puppet-v2" >}}

content/challenges/puppet-v3.md

@@ -0,0 +1,9 @@
+---
+id: 14
+title: "Puppet V3"
+contractsDir: "puppet-v3"
+challengeFile: "PuppetV3.t.sol"
+draft: false
+---
+
+{{< readprompt challenge="puppet-v3" >}}

content/challenges/puppet.md

@@ -0,0 +1,9 @@
+---
+id: 8
+title: "Puppet"
+contractsDir: "puppet"
+challengeFile: "Puppet.t.sol"
+draft: false
+---
+
+{{< readprompt challenge="puppet" >}}

content/challenges/selfie.md

@@ -0,0 +1,9 @@
+---
+id: 6
+title: "Selfie"
+contractsDir: "selfie"
+challengeFile: "Selfie.t.sol"
+draft: false
+---
+
+{{< readprompt challenge="selfie" >}}

content/challenges/shards.md

@@ -0,0 +1,11 @@
+---
+id: 16
+title: "Shards"
+contractsDir: "shards"
+challengeFile: "Shards.t.sol"
+draft: false
+aliases:
+    - /challenges/16.html
+---
+
+{{< readprompt challenge="shards" >}}

content/challenges/side-entrance.md

@@ -0,0 +1,9 @@
+---
+id: 4
+title: "Side Entrance"
+contractsDir: "side-entrance"
+challengeFile: "SideEntrance.t.sol"
+draft: false
+---
+
+{{< readprompt challenge="side-entrance" >}}

content/challenges/the-rewarder.md

@@ -0,0 +1,9 @@
+---
+id: 5
+title: "The Rewarder"
+contractsDir: "the-rewarder"
+challengeFile: "TheRewarder.t.sol"
+draft: false
+---
+
+{{< readprompt challenge="the-rewarder" >}}

content/challenges/truster.md

@@ -0,0 +1,9 @@
+---
+id: 3
+title: "Truster"
+contractsDir: "truster"
+challengeFile: "Truster.t.sol"
+draft: false
+---
+
+{{< readprompt challenge="truster" >}}

content/challenges/unstoppable.md

@@ -0,0 +1,9 @@
+---
+id: 1
+title: "Unstoppable"
+contractsDir: "unstoppable"
+challengeFile: "Unstoppable.t.sol"
+draft: false
+---
+
+{{< readprompt challenge="unstoppable" >}}

content/challenges/wallet-mining.md

@@ -0,0 +1,9 @@
+---
+id: 13
+title: "Wallet Mining"
+contractsDir: "wallet-mining"
+challengeFile: "WalletMining.t.sol"
+draft: false
+---
+
+{{< readprompt challenge="wallet-mining" >}}

content/challenges/withdrawal.md

@@ -0,0 +1,11 @@
+---
+id: 18
+title: "Withdrawal"
+contractsDir: "withdrawal"
+challengeFile: "Withdrawal.t.sol"
+draft: false
+aliases:
+    - /challenges/18.html
+---
+
+{{< readprompt challenge="withdrawal" >}}

content/v2-release.md

@@ -0,0 +1,27 @@
+---
+title: "V2 Release"
+draft: false
+---
+
+// November 02, 2021
+
+Dear breakers of DeFi, today is a good day. Today a new version of Damn Vulnerable DeFi is out!
+
+**Featuring:**
+
+- Fully refactored testing environment, now using [Hardhat](https://hardhat.org) + [Ethers](https://docs.ethers.io/v5/single-page/).
+- Most contracts upgraded to Solidity 0.8.
+- Four brand new levels: Puppet v2, Free Rider, Backdoor and Climber.
+- New (flawed?) integrations with Uniswap v2, Gnosis Safe wallets, timelocks, NFTs and upgradeability patterns.
+- A few tweaks here and there in previous challenges after community feedback.
+- Dependecy management with yarn.
+
+The biggest and breaking change is obviously the new testing environment, on top of the switch to Solidity 0.8. I hope these changes enhance your experience playing Damn Vulnerable DeFi. Particularly the debugging capabilities of Hardhat should make your life easier.
+
+Prompts and solutions for challenges 1 to 8 should remain the same, but given the refactor your existing code for them won't work anymore. In any case, I recommend just playing their most up-to-date versions. The new testing environment with Hardhat and Ethers is really worth it.
+
+As of the new four challenges, as usual, they're somewhat simplified versions of issues that were (or could have been) exploited in mainnet. So hopefully they serve as learning examples.
+
+Final note: remember Damn Vulnerable DeFi is an educational resource. Throughout these challenges you may learn how to exploit vulnerabilities in smart contracts, and you might run into similar stuff during your own research of real-life deployed contracts. If that's the case, **always** follow each project's responsible disclosure guidelines, usually via bug bounty programs.
+
+Happy hacking :)

content/v3-release.md

@@ -0,0 +1,44 @@
+---
+title: "V3 release of Damn Vulnerable DeFi"
+draft: false
+summary: Damn Vulnerable DeFi v3 is out! Here are the details.
+images:
+    - /img/v3-release-cover.png
+---
+
+// January 13, 2023
+
+Dear breakers of DeFi, today is a good day. Today a new version of Damn Vulnerable DeFi is out!
+
+![Cover of the article](/img/v3-release-cover.png)
+
+**Featuring:**
+
+- Two and a half fresh new challenges: [Puppet v3]({{< ref "challenges/puppet-v3" >}}), [ABI Smuggling]({{< ref "challenges/abi-smuggling" >}}) and [Wallet Mining]({{< ref "challenges/wallet-mining" >}}). The last kind of already existed, but it's been reworked from scratch. Good as new!
+- Introduction of [ERC4626](https://eips.ethereum.org/EIPS/eip-4626), [ERC3156](https://eips.ethereum.org/EIPS/eip-3156) and [ERC2612](https://eips.ethereum.org/EIPS/eip-2612).
+- Tokens, authorization schemes and utilities from [Solmate](https://github.com/transmissions11/) and [Solady](https://github.com/Vectorized/solady), bringing new flavors on top of the usual [OpenZeppelin Contracts](https://github.com/OpenZeppelin/openzeppelin-contracts/) stuff. Welcome aboard!
+- Tweaks, niceties and cool tricks all around the existing challenges to make them more interesting and (slightly?) increase complexity.
+- An absurd amount of QoL changes in tests, dependencies, custom errors, error messages, naming, docs, code organization and gas optimizations (assembly, yay!). 
+
+See the full set of changes [here](https://github.com/theredguild/damn-vulnerable-defi/compare/v2.2.0...v3.0.0).
+
+---
+
+Overall, the testing environment hasn't changed. Solidity 0.8, Ethers and Hardhat. Before you ask, yes, I did consider moving to Foundry. Though it wasn't the right time. I couldn't afford refactoring everything from scratch _and_ adding new features and challenges. If you're a Foundry maxi, remember there're forks ported to Foundry. I expect them to quickly catch up with this new release.
+
+So what's changed ?
+
+Well, all existing challenges have been refactored - from the ground up. I reviewed and updated all Solidity and Javascript code. To the extent probably none of your existing solutions will work anymore. Although the goals for each challenge _mostly_ remain the same, interfaces may have changed, and the code's average complexity has increased. This is due to the introduction of ERC implementations (tokenized vaults, flash loans, permit, etc.), gas optimizations and assembly. Hope these updates make challenges even more fun, as well as reflect part of the evolution that real DeFi contracts have undergone in the past year.
+
+Speaking of introductions, v3 also welcomes new cool building blocks to Damn Vulnerable DeFi. Whereas v2 was solely using OpenZeppelin Contracts, in v3 we have Solmate and Solady bringing new flavors to the game. This should expose you to a broader set of new-ish libraries that have gone into the mainstream.
+
+As of the new challenges, they're simplified versions of issues that were (or could have been) exploited in mainnet. To solve them, you will need to dive into TWAPs, ABI encoding, smart contract wallets, predictable deployments, upgrades, and more. Really looking forward to seeing you tearing them apart.
+
+
+I've been amazed at the amount of writeups, discussions, videos, threads, around this wargame. I've seen it organically recommended everywhere. I've overheard people at conferences discussing challenges. Even auditing firms are using it for trainings. It's impact has grown well beyond my original expectations. I cannot be more grateful for your love, support and feedback.
+
+A brief reminder before I leave you. Damn Vulnerable DeFi is, and forever will be, an educational resource for the community. It is intended to be a safe playground to train security researchers that will help protect Ethereum applications. In solving these challenges, you may learn how to exploit vulnerabilities in smart contracts. They might resemble the ones you'll uncover during your own research of contracts in production. If that's the case, **always** follow each project's responsible disclosure processes, usually via bug bounty programs or security contacts.
+
+Damn Vulnerable DeFi v3 is waiting for you [here]({{< ref "/" >}}).
+
+Happy hacking :)