Add v4 (#55)

.devcontainer/Dockerfile

@@ -0,0 +1,34 @@
+# Base debian build (latest).
+FROM mcr.microsoft.com/vscode/devcontainers/base:debian
+
+# Update packages.
+RUN apt-get update
+
+# Install pipx
+RUN apt-get install -y pipx
+
+# Set the default shell to zsh
+ENV SHELL=/usr/bin/zsh
+
+# Running everything under zsh
+SHELL ["/usr/bin/zsh", "-c"]
+
+# Dropping privileges
+USER vscode
+
+# Install rust
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && source $HOME/.cargo/env
+
+# Install nvm, yarn, npm, pnpm
+RUN curl -o- https://raw.githubusercontent.com/devcontainers/features/main/src/node/install.sh | sudo bash
+
+# Install solc-select
+RUN pipx install solc-select
+
+# Foundry at specific version
+RUN curl -L https://foundry.paradigm.xyz | zsh
+RUN foundryup --version nightly-cafc2606a2187a42b236df4aa65f4e8cdfcea970
+
+# Clean up
+RUN sudo apt-get autoremove -y && sudo apt-get clean -y
+

.devcontainer/devcontainer.json

@@ -0,0 +1,24 @@
+{
+  "name": "Damn Vulnerable DeFi Devcontainer",
+
+  "build": {
+    "dockerfile": "Dockerfile"
+  },
+  "features": {
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "NomicFoundation.hardhat-solidity",
+        "tintinweb.solidity-visual-auditor"
+      ],
+      "settings": {
+        "terminal.integrated.defaultProfile.linux": "zsh",
+        "terminal.integrated.profiles.linux": { "zsh": { "path": "/usr/bin/zsh" } }
+      }
+    }
+  },
+
+  "postCreateCommand": "zsh"
+}
+

.env.sample

@@ -0,0 +1 @@
+MAINNET_FORKING_URL=

.gitignore

@@ -1,10 +1,14 @@
-node_modules
-build
-contracts/player-contracts/*.sol
-*.solved.js
-*.solved.json
-cache
-.openzeppelin
-.vscode
-artifacts
-cache
+# Compiler files
+cache/
+out/
+
+# Ignores development broadcast logs
+!/broadcast
+/broadcast/*/31337/
+/broadcast/**/dry-run/
+
+# Docs
+docs/
+
+# Dotenv file
+.env

.gitmodules

@@ -0,0 +1,51 @@
+[submodule "lib/forge-std"]
+	path = lib/forge-std
+	url = https://github.com/foundry-rs/forge-std
+	ignore = dirty
+[submodule "lib/openzeppelin-contracts"]
+	path = lib/openzeppelin-contracts
+	url = https://github.com/openzeppelin/openzeppelin-contracts
+	ignore = dirty
+[submodule "lib/solmate"]
+	path = lib/solmate
+	url = https://github.com/transmissions11/solmate
+	ignore = dirty
+[submodule "lib/solady"]
+	path = lib/solady
+	url = https://github.com/vectorized/solady
+	ignore = dirty
+[submodule "lib/openzeppelin-contracts-upgradeable"]
+	path = lib/openzeppelin-contracts-upgradeable
+	url = https://github.com/openzeppelin/openzeppelin-contracts-upgradeable
+	ignore = dirty
+[submodule "lib/v2-periphery"]
+	path = lib/v2-periphery
+	url = https://github.com/uniswap/v2-periphery
+	ignore = dirty
+[submodule "lib/v2-core"]
+	path = lib/v2-core
+	url = https://github.com/uniswap/v2-core
+	ignore = dirty
+[submodule "lib/multicall"]
+	path = lib/multicall
+	url = https://github.com/mds1/multicall
+	ignore = dirty
+[submodule "lib/safe-smart-account"]
+	path = lib/safe-smart-account
+	url = https://github.com/safe-global/safe-smart-account
+	ignore = dirty
+[submodule "lib/murky"]
+	path = lib/murky
+	url = https://github.com/dmfxyz/murky
+	ignore = dirty
+[submodule "lib/v3-periphery"]
+	path = lib/v3-periphery
+	url = https://github.com/Uniswap/v3-periphery
+[submodule "lib/v3-core"]
+	path = lib/v3-core
+	url = https://github.com/Uniswap/v3-core
+	ignore = dirty
+[submodule "lib/permit2"]
+	path = lib/permit2
+	url = https://github.com/Uniswap/permit2
+	ignore = dirty

CHANGELOG.md

@@ -1,5 +1,34 @@
 # Changelog
 
+## v4.0.0
+
+- Full migration from Hardhat to Foundry.
+- Updated all contracts to solc 0.8.25.
+- Say goodbye to selfdestruct stuff.
+- Dependencies
+    - Upgrade all dependencies to latest versions (e.g., OpenZeppelin Contracts v5)
+    - Welcome [murky](https://github.com/dmfxyz/murky). Just in case you need to work with Merkle trees in Foundry.
+    - Also welcome [Permit2](https://github.com/Uniswap/permit2) and [Multicall](https://github.com/mds1/multicall/). Have fun with them.
+- New challenges:
+    - Withdrawal
+    - Curvy Puppet
+    - Shards
+- Major changes in challenges:
+    - All challenges now require depositing rescued funds into designated recovery accounts.
+    - Wallet Mining: new mechanics after upgrading to latest Safe contracts.
+    - The Rewarder: changed completely. Could count as new. Now it's about a token distribution based on Merkle proofs.
+    - Unstoppable: new monitor contract and pausing-related features.
+    - Naive Receiver: changed ETH for WETH. The pool now supports (flawed?) meta-transactions.
+- Minor changes in challenges: 
+    - All challenges' prompts are available in local README files.
+    - Removed boring contract-level docstrings.
+    - Removed gas optimizations that are not cool anymore.
+    - Generally using named function parameters.
+- New building blocks used in challenges
+    - `DamnValuableStaking` for bulletproof staking of DVT
+    - `DamnValuableVotes`, because the old `DamnValuableTokenSnapshot` didn't work anymore.
+- The repository now includes a devcontainer.
+
 ## v3.0.0
 
 - Two new levels: Puppet v3 and ABI Smuggling

README.md

@@ -1,19 +1,56 @@
-![](cover.png)
+# Damn Vulnerable DeFi
 
-**A set of challenges to learn offensive security of smart contracts in Ethereum.**
+Damn Vulnerable DeFi is _the_ smart contract security playground for developers, security researchers and educators.
 
-Featuring flash loans, price oracles, governance, NFTs, lending pools, smart contract wallets, timelocks, and more!
+Perhaps the most sophisticated vulnerable set of Solidity smart contracts ever witnessed, it features flashloans, price oracles, governance, NFTs, DEXs, lending pools, smart contract wallets, timelocks, vaults, meta-transactions, token distributions, upgradeability and more.
 
-## Play
+Use Damn Vulnerable DeFi to:
 
-Visit [damnvulnerabledefi.xyz](https://damnvulnerabledefi.xyz)
+- Sharpen your auditing and bug-hunting skills.
+- Learn how to detect, test and fix flaws in realistic scenarios to become a security-minded developer.
+- Benchmark smart contract security tooling.
+- Create educational content on smart contract security with articles, tutorials, talks, courses, workshops, trainings, CTFs, etc. 
 
-## Help
+## Install
 
-For Q&A and troubleshooting running Damn Vulnerable DeFi, go [here](https://github.com/tinchoabbate/damn-vulnerable-defi/discussions/categories/support-q-a-troubleshooting).
+1. Clone the repository.
+2. Checkout the latest release (for example, `git checkout v4.0.0`)
+3. Rename the `.env.sample` file to `.env` and add a valid RPC URL. This is only needed for the challenges that fork mainnet state.
+4. Either install [Foundry](https://book.getfoundry.sh/getting-started/installation), or use the [provided devcontainer](./.devcontainer/) (In VSCode, open the repository as a devcontainer with the command "Devcontainer: Open Folder in Container...")
+5. Run `forge build` to initialize the project.
+
+## Usage
+
+Each challenge is made up of:
+
+- A prompt located in `src/<challenge-name>/README.md`.
+- A set of contracts located in `src/<challenge-name>/`.
+- A [Foundry test](https://book.getfoundry.sh/forge/tests) located in `test/<challenge-name>/<ChallengeName>.t.sol`.
+
+To solve a challenge:
+
+1. Read the challenge's prompt.
+2. Uncover the flaw(s) in the challenge's smart contracts.
+3. Code your solution in the corresponding test file.
+4. Try your solution with `forge test --mp test/<challenge-name>/<ChallengeName>.t.sol`.
+If the test passes, you've solved the challenge!
+
+Challenges may have more than one possible solution.
+
+### Rules
+
+- You must always use the `player` account.
+- You must not modify the challenges' initial nor final conditions.
+- You can code and deploy your own smart contracts.
+- You can use Foundry's cheatcodes to advance time when necessary.
+- You can import external libraries that aren't installed, although it shouldn't be necessary.
+
+## Troubleshooting
+
+You can ask the community for help in [the discussions section](https://github.com/theredguild/damn-vulnerable-defi/discussions).
 
 ## Disclaimer
 
-All Solidity code, practices and patterns in this repository are DAMN VULNERABLE and for educational purposes only.
+All code, practices and patterns in this repository are DAMN VULNERABLE and for educational purposes only.
 
 DO NOT USE IN PRODUCTION.