learn-evm-attacks icon indicating copy to clipboard operation
learn-evm-attacks copied to clipboard
verified publisher icon coinspect

Reverse engineer attacker or vulnerable logic

Open joaquinlpereyra opened this issue 3 years ago • 1 comments

Aim

There should be no need to use prank(attacker) in most scenarios, and there should be no need to hardcode payloads. We should be able to reproduce everything in the actual test.

Status

Bridges

  • Nomad Bridge: getPayload reproduces payload for any address
  • Roning Bridge: uses prank but OK, no interesting on-chain interactions, meat is offchain
  • Polynetwork: uses hardcoded bytecode from traces, no prank but attacker address needs to be hardcoded due to bytecode
  • Arbitrum Inbox: report, so no actual attacker address, attack is fully reproduced from scratch

Data Validation

  • Superfluid: implemented encode functions, nothing hardcoded
  • Bad Guys NFT: hardcoded attacker and merkle proof, needs logic to build merkle proof for any addr and set merkle root
  • Bond Olympus: OK, no hardcoding
  • Multichain Permit: OK, no hardcoding

Access Control

  • ⚠️ Sandbox: attacker/victim hardcoded, should work with any pair as long as victim has an NFT, could give it to them so test always works
  • ✅ ️ DAO Maker: OK, no hardcoding
  • 😞 Rikkeii: OK, but code could use some love so attack is more clear.
  • MBC Token: OK, address(this) is the attacker contract, could change it to anything
  • Temple DAO: OK, address(this) is the attacker contract, could change it to anything
  • Punk Protocol: OK, address(this) is the attacker contract, could change it to anything

Reentrancy

  • ✅ ️ Paraluni: OK, no hardcoding
  • ⚠️ ️ DFXFinance: Strong dependance on balance on an attacker address that is not in the test.
  • 😞 ️️ Fei Protocol: Needs love and work so assertGe asserts more things
  • ✅ ️️ Cream Finance: OK
  • ✅ ️️ Revest Finance: OK, uses attacker address but no prank, only to transfer loot
  • 😞 ️️ Hundred Finance: No hardcoding, but code is hard to understand. Missing asserts as token interactions are not clear.
  • 😞 Read only reeentrancy: totally theoretical so no hardcoding needed, but is missing asserts

joaquinlpereyra avatar Dec 13 '22 15:12 joaquinlpereyra

This list is missing the Business Logic contracts, I can continue with it later. Meanwhile, I have done a PR which adds asserts to most of the contracts. Only those mentioned in the issue are missing (plus the business logic ones probably)

https://github.com/coinspect/learn-evm-attacks/pull/41

joaquinlpereyra avatar Dec 13 '22 15:12 joaquinlpereyra