Simplified vault where users can deposit and withdraw their tokens, which are accounted for internally.
The vault's owner can perform arbitrary actions through the `OwnerAction` entry point.
In addition, a two-step address transfer is implemented for the owner role.
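```rust
use cosmwasm_std::{CosmosMsg, Uint128};

pub enum ExecuteMsg {
    // User entry points: internally accounted deposits and withdrawals.
    Deposit {},
    Withdraw { amount: Uint128 },
    // Owner-only: perform an arbitrary action.
    OwnerAction { msg: CosmosMsg },
    // Two-step transfer of the owner role.
    ProposeNewOwner { new_owner: String },
    AcceptOwnership {},
    DropOwnershipProposal {},
}
```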
Please check the challenge's integration_tests for expected usage examples. You can use these tests as a base to create your exploit Proof of Concept.
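The two-step owner transfer described above, modeled in plain Rust as an added example; this is not the challenge's contract code. The type, field and method names are hypothetical, and the authorization rules (only the owner proposes or drops, only the nominee accepts) are assumptions about how such a transfer is normally written.

```rust
// Added illustration, not the challenge contract: a plain-Rust model of a
// two-step owner transfer. Type, field and method names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum OwnershipError { Unauthorized, NoPendingProposal }

pub struct Ownership {
    pub owner: String,
    pub proposed_owner: Option<String>,
}

impl Ownership {
    pub fn new(owner: &str) -> Self {
        Ownership { owner: owner.to_string(), proposed_owner: None }
    }

    // Step 1 (ProposeNewOwner): only the current owner may nominate a successor.
    pub fn propose(&mut self, sender: &str, new_owner: &str) -> Result<(), OwnershipError> {
        if sender != self.owner { return Err(OwnershipError::Unauthorized); }
        self.proposed_owner = Some(new_owner.to_string());
        Ok(())
    }

    // Step 2 (AcceptOwnership): only the nominated address may take the role.
    pub fn accept(&mut self, sender: &str) -> Result<(), OwnershipError> {
        let pending = self.proposed_owner.as_deref().ok_or(OwnershipError::NoPendingProposal)?;
        if pending != sender { return Err(OwnershipError::Unauthorized); }
        self.owner = sender.to_string();
        self.proposed_owner = None;
        Ok(())
    }

    // DropOwnershipProposal: the current owner withdraws a pending nomination.
    pub fn drop_proposal(&mut self, sender: &str) -> Result<(), OwnershipError> {
        if sender != self.owner { return Err(OwnershipError::Unauthorized); }
        self.proposed_owner = None;
        Ok(())
    }
}

fn main() {
    let mut o = Ownership::new("ADMIN");
    o.propose("ADMIN", "USER1").unwrap();
    // Nomination alone moves nothing; a third party cannot accept it.
    assert_eq!(o.accept("USER2"), Err(OwnershipError::Unauthorized));
    assert_eq!(o.owner, "ADMIN");
    o.accept("USER1").unwrap();
    println!("owner is now {}", o.owner);
}
```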
🏠 Base scenario:
- The contract has been instantiated with zero funds.
- `USER1` and `USER2` deposit `10_000` tokens each.
- The owner role is assigned to the `ADMIN` address.
⭐ Goal for the challenge:
- Demonstrate how an unprivileged user can drain all the funds inside the contract.