Bonus Challenges
Last updated
Now that we’ve covered the basics of Glider, it’s time to put your knowledge to the test with a series of bonus challenges. These challenges are designed to reinforce what you’ve learned by asking you to create queries that identify specific vulnerabilities, code patterns, or statistics.
Curve pools have a get_virtual_price() function that returns the price of the Curve pool’s LP token. However, due to a in Curve pools, the get_virtual_price() function can be manipulated by attackers.
If a third-party contract relies on get_virtual_price() to determine the LP token price, that contract can also be vulnerable to exploitation.
In this challenge, your task is to identify functions whose names are longer than 55 characters.
In the next two challenges, we will aim to write a query to identify this vulnerability type.
In this challenge, your goal is to:
1. Find calls to the ERC20 approve() function.
2. Identify the spender argument passed to the approve() function.
3. Print the spender argument to the Glider IDE Output panel to confirm your results.
In the second part of this challenge, your goal is to determine if the spender argument passed to the approve() function comes from a function argument. If the spender originates from a function argument, it likely means that the user can arbitrarily set the spender, which could be a potential security risk.
To reduce noise and focus just on public/external functions, update your query to filter out approve() calls made within private or internal functions.
By limiting your results to public or external functions, you can better identify potential vulnerabilities that external users could exploit.
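The detection logic of the two approve() challenges (a spender taken from a function argument, restricted to public/external functions), as an added example in plain Python over a constructed, simplified model of a contract. It does not use Glider's API; the Arg/Call/Function types, the SAMPLE contract and all names in it are assumptions made for illustration.

```python
# Added example, not Glider's API: the approve()-spender heuristic run over a
# constructed, simplified model of Solidity functions (all names are invented).
from dataclasses import dataclass, field

@dataclass
class Arg:
    kind: str   # "param" (function argument), "state" (storage variable), "literal"
    name: str

@dataclass
class Call:
    callee: str
    args: list

@dataclass
class Function:
    name: str
    visibility: str          # public | external | internal | private
    params: list             # names of the function's own arguments
    calls: list = field(default_factory=list)

def approve_calls(fn):
    """Challenge part 1: every approve() call inside a function."""
    return [c for c in fn.calls if c.callee == "approve"]

def spender_of(call):
    # ERC20 approve(address spender, uint256 amount): spender is argument 0
    return call.args[0] if call.args else None

def spender_from_argument(fn):
    """Challenge part 2: approve() calls whose spender is a function argument."""
    hits = []
    for c in approve_calls(fn):
        s = spender_of(c)
        if s is not None and s.kind == "param" and s.name in fn.params:
            hits.append((fn.name, s.name))
    return hits

def externally_reachable(fns):
    """Challenge part 3: keep only public/external functions."""
    return [f for f in fns if f.visibility in ("public", "external")]

def find_risky_approvals(fns):
    return [h for f in externally_reachable(fns) for h in spender_from_argument(f)]

# Constructed sample: one risky external function, one internal helper, one safe public function
SAMPLE = [
    Function("depositTo", "external", ["spender", "amount"],
             [Call("approve", [Arg("param", "spender"), Arg("param", "amount")])]),
    Function("_approveRouter", "internal", ["who"],
             [Call("approve", [Arg("param", "who"), Arg("literal", "MAX")])]),
    Function("approveVault", "public", ["amount"],
             [Call("approve", [Arg("state", "vault"), Arg("param", "amount")])]),
]

if __name__ == "__main__":
    for fn_name, spender in find_risky_approvals(SAMPLE):
        print(f"{fn_name}: spender '{spender}' is set by the caller")
```

The internal helper is dropped by the visibility filter and the vault approval by the argument-origin check, so only depositTo is reported.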
Contracts that approve tokens to other addresses must ensure that the spender address is properly whitelisted. Failing to do so can lead to serious security risks. For example, in December 2024, where hackers were able to arbitrarily set the spender address for the approve() function, leading to significant losses.
- To retrieve the different parts of an instruction.
- To find the spender argument in a call.
- Checks if a variable belongs to a specific class.
To check if a variable comes from a function argument, call on the variable and verify if it is an instance of .