Exercise 5

Table of contents:

Join the team on Slack at: https://slack.empirehacking.nyc/ #ethereum


  1. Clone the repo: git clone https://github.com/crytic/damn-vulnerable-defi-echidna
  2. Install the dependencies by running yarn install.


The challenge is described here: https://www.damnvulnerabledefi.xyz/challenges/2.html. It is assumed that the reader is familiar with the challenge.


  • Set up the testing environment with the correct contracts and necessary balances.
  • Analyze the "before" function in test/naive-receiver/naive-receiver.challenge.js to identify the required initial setup.
  • Add a property to check if the balance of the FlashLoanReceiver contract can change.
  • Create a config.yaml with the necessary configuration option(s).
  • Once Echidna finds the bug, fix the issue and re-test your property with Echidna.

The following contracts are relevant:

  • contracts/naive-receiver/FlashLoanReceiver.sol
  • contracts/naive-receiver/NaiveReceiverLenderPool.sol


It is recommended to first attempt without reading the hints. The hints can be found in the hints branch.


The solution can be found in the solutions branch.

Solution Explained (spoilers ahead)

The goal of the naive receiver challenge is to realize that any user can request a flash loan for FlashLoanReceiver, even if the user has no Ether.

Echidna discovers this by calling NaiveReceiverLenderPool.flashLoan() with the address of FlashLoanReceiver and any arbitrary amount.

See the example output from Echidna below:

echidna . --contract NaiveReceiverEchidna --config naivereceiver.yaml

echidna_test_contract_balance: failed!💥
  Call sequence: