On Feb 24, 2022 an attacker stole ~80MM of COMP tokens were mistakenly distributed from Compound.

Attack Overview
Total Lost: ~80MM of COM

Key Info Sources
Writeup: https://rekt.news/compound-rekt/
Reproduction: https://github.com/SunWeb3Sec/DeFiHackLabs#20220322-compoundtusdsweeptokenbypass
Writeup: https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2

Principle: Access Control - Non controlled drip function, double entry point

After executing:

$ git clone https://github.com/coinspect/learn-evm-attacks
$ forge install
$ forge test --match-contract Exploit_MBCToken -vvv

I recieved a lot of errors and was unable to complie the contract:

...
Discovered incompatible solidity versions in following
: test\Reentrancy\RevestFinance\RevestFinance.attack.sol (^0.8.17) imports:
    lib/forge-std/src\Test.sol (>=0.6.2 <0.9.0)
    test\TestHarness.sol (^0.8.17)
    test\interfaces\IERC20.sol (^0.8.0)
...

I've added solc="0.8.17" to foundry.toml, contracts compiled, and I received new error (the same as other 2 people):

forge test --match-contract Exploit_MBCToken
[⠢] Compiling...
No files changed, compilation skipped
The application panicked (crashed).
Message:  Failed to get account for 0x55d3…7955
(code: -32002, message: the resource eth_getCode is not available., data: None)
Location: evm/src/executor/fork/backend.rs:271

This is a bug. Consider reporting it at https://github.com/foundry-rs/foundry

Backtrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it.
Run with RUST_BACKTRACE=full to include source snippets.
Aborted

This looks loke the problem with the rpc, could you please check that?

On Nov 2, 2021 an attacker stole 1.1MM in NEAR tokens from Skyward Finance.

Attack Overview
Total Lost: 3.2MM USD (1.1MM NEAR)

// Key Info Sources
Writeup: https://rekt.news/skyward-rekt/

Principle: Business Logic - Multiple deposits on single withdraws

Feature: Pool and Pair creation under utils folder

Overview: This utility has to allow users to quickly instantiate and create DEX pairs to enable broader test scenarios that depend on custom token pairs.

On Apr 28, 2022 an attacker stole ~13MM from Deus DAO.

Attack Overview
Total Lost: ~13MM

Key Info Sources
Writeup: https://rekt.news/deus-dao-rekt-2/
Twitter: https://twitter.com/peckshield/status/1519533378529562624

Principle: Business Logic - Flashloan, on-chain and off-chain oracle manipulation

Reference: https://twitter.com/danielvf/status/1626340324103663617

There is mentioning that the read-only reentrancy is theoretical and there aren't cases out there where this was exploited. This is not true, as we published this class of vulnerability based on an actual bug with 100m+ at risk back when it was active. The technical details are here: https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/ and a description of the vulnerable projects here: https://chainsecurity.com/heartbreaks-curve-lp-oracles/ (including how it was fixed by e.g. MakerDAO)

Till today, incorrect use of the stETH/ETH pool on Curve will allow attackers to exploit projects with this read-only reentrancy.

On Aug 10, 2021 an attacker stole ~5MM from Punk Protocol.

Attack Overview
Total Lost: ~5MM

Key Info Sources
Writeup: https://rekt.news/punkprotocol-rekt/

Principle: Access Control - Public Initializer. Whitehat frontrunning that safeguarded half of the funds.

On Apr 28, 2021 an attacker stole ~$57MM from Uranium V2.

Attack Overview
Total Lost: ~$57MM

Key Info Sources
Writeup: https://rekt.news/uranium-rekt/
Twitter: https://twitter.com/FrankResearcher/status/1387347025742557186
Reproduction: https://github.com/SunWeb3Sec/DeFiHackLabs#20210428-uranium---miscalculation

Principle: Business Logic - Mistakenly calculated deposit/Withdraw amounts

On Sept 20, 2022 an attacker stole 160MM USD in OP tokens from Wintermute.

Attack Overview
Total Lost: 160MM USD (20 MM OP)

Key Info Sources
Writeup: https://rekt.news/wintermute-rekt-2/
Reproduction: https://github.com/SunWeb3Sec/DeFiHackLabs#20220608-optimism---wintermute

Principle: Business Logic - Vanity Address Generator Vuln?

On Feb 8, 2022 an attacker stole ~6.2MM in various tokens from Superfluid.

Attack Overview
Total Lost: ~6.2MM

Key Info Sources
Writeup: https://rekt.news/superfluid-rekt/

Principle: Access Control / Input Validation - Calldata crafting to impersonate an access controlled account

Reference: https://medium.com/sperax/usds-feb-3-exploit-report-from-engineering-team-9f0fd3cef00c

On Apr 16, 2022 an attacker stole $76MM from Skyward Finance.

Attack Overview
Total Lost: $76MM

Key Info Sources
Writeup: https://rekt.news/beanstalk-rekt/
Twitter: https://twitter.com/kelvinfichter/status/1515735717305008138
Twitter: https://twitter.com/peckshield/status/1515692144190648322

Principle: Business Logic - Governance Malicious Proposal with Flashloan

When I am running this command
forge test --match-contract Exploit_MBCToken -vvv

I am getting this error:
2023-03-24T08:42:22.475520Z ERROR sharedbackend: Failed to send/recv basicerr=GetAccount(0x55d398326f99059ff775485246999027b3197955, (code: -32002, message: the resource eth_getBalance is not available., data: None)) address=0x55d398326f99059ff775485246999027b3197955 2023-03-24T08:42:22.601997Z ERROR sharedbackend: Failed to send/recvbasicerr=GetAccount(0x9f8ccdafcc39f3c7d6ebf637c9151673cbc36b88, (code: -32002, message: the resource eth_getTransactionCount is not available., data: None)) address=0x9f8ccdafcc39f3c7d6ebf637c9151673cbc36b88 The application panicked (crashed). Message: calledOption::unwrap()on aNone value

Does anybody faced this issue before?

The Polynetwork Bridge Test has a Exploit_PolyNetwork_Deserializer that is not used anywhere.

Can it be removed?

Aim

There should be no need to use prank(attacker) in most scenarios, and there should be no need to hardcode payloads. We should be able to reproduce everything in the actual test.

Status

Bridges

• ✅ Nomad Bridge: getPayload reproduces payload for any address
• ✅ Roning Bridge: uses prank but OK, no interesting on-chain interactions, meat is offchain
• ✅ Polynetwork: uses hardcoded bytecode from traces, no prank but attacker address needs to be hardcoded due to bytecode
• ✅ Arbitrum Inbox: report, so no actual attacker address, attack is fully reproduced from scratch

Data Validation

• ✅ Superfluid: implemented encode functions, nothing hardcoded
• ✅ Bad Guys NFT: hardcoded attacker and merkle proof, needs logic to build merkle proof for any addr and set merkle root
• ✅ Bond Olympus: OK, no hardcoding
• ✅ Multichain Permit: OK, no hardcoding

Access Control

• ⚠️ Sandbox: attacker/victim hardcoded, should work with any pair as long as victim has an NFT, could give it to them so test always works
• ✅ ️ DAO Maker: OK, no hardcoding
• 😞 Rikkeii: OK, but code could use some love so attack is more clear.
• ✅ MBC Token: OK, address(this) is the attacker contract, could change it to anything
• ✅ Temple DAO: OK, address(this) is the attacker contract, could change it to anything
• ✅ Punk Protocol: OK, address(this) is the attacker contract, could change it to anything

Reentrancy

• ✅ ️ Paraluni: OK, no hardcoding
• ⚠️ ️ DFXFinance: Strong dependance on balance on an attacker address that is not in the test.
• 😞 ️️ Fei Protocol: Needs love and work so assertGe asserts more things
• ✅ ️️ Cream Finance: OK
• ✅ ️️ Revest Finance: OK, uses attacker address but no prank, only to transfer loot
• 😞 ️️ Hundred Finance: No hardcoding, but code is hard to understand. Missing asserts as token interactions are not clear.
• 😞 Read only reeentrancy: totally theoretical so no hardcoding needed, but is missing asserts

For instance a delta of 100 wei is shown as one tenth of ether (0.1)

When possible (ie: when the vulnerable code is verified, or we know its github, or we somehow have access to its sourcecode...) we should strive to add it to the repository, possibly to the test itself.

By itself, this would be a win, as it is easier to read: instead of going to etherscan and finding my way through their serviceable but not great code viewer, I can just inspect it here right next to the attack.

And with a bit of tinkering I think this would allow us to go even further and use Foundry's step-by-step debugger on attacks, which would be amazing to understand all the details of each exploit.

References:
https://twitter.com/peckshield/status/1635229594596036608
https://twitter.com/1nf0s3cpt/status/1635212906555117568

What I did

npx hardhat test

What I expected: tests to run
What happened:

Error HH8: There's one or more errors in your config file:

  * Invalid account: #0 for network: mainnet - private key too short, expected 32 bytes
  * Invalid account: #0 for network: bsc - private key too short, expected 32 bytes
  * Invalid account: #0 for network: fantom - private key too short, expected 32 bytes
  * Invalid account: #0 for network: gnosis - private key too short, expected 32 bytes
  * Invalid account: #0 for network: polygon - private key too short, expected 32 bytes
  * 

To learn more about Hardhat's configuration, please go to https://hardhat.org/config/

For more info go to https://hardhat.org/HH8 or run Hardhat with --show-stack-traces```

I tried to fix it by removing the accounts in the configuration, but then test simply don't run.

$ npx hardhat test                                             
No need to generate any newer typings.


  0 passing (0ms)

I think we should deprecate hardhat support for now and focus on making it work nicely with Foundry, then we can add Hardhat support. It would also easy documentation.

If adding attacker to an allowlist is necessary then is better to spoof the owner's address and add our random attacker address to the allow list. This way the exploit code will be more real and more valuable for future research projects based on this repository.

On October 27, 2022 an attacker $15.8 M in tokens from Team Finance.

Attack Overview

• $11.5M CAW
• $1.7M TSUKA
• $0.7M KNDX
• $1.9M FEG

Total Lost: $15.8M USD

Key Info Sources
Writeup: https://rekt.news/teamfinance-rekt/

Principle: Business Logic - Faulty migrate function

On Aug 30, 2021 an attacker stole ~$18MM Cream Finance.

Attack Overview
Total Lost: ~$18MM

Key Info Sources
Writeup: https://rekt.news/cream-rekt/
Twitter: https://twitter.com/peckshield/status/1432249600002478081
Twitter: https://twitter.com/creamdotfinance/status/1432249773575208964
Reproduction: https://github.com/SunWeb3Sec/DeFiHackLabs#20210830-cream-finance---flashloan-attack--reentrancy

Principle: Reentrancy - Flashloan + Reentrancy

Following tests are failing. If they are not needed, delete them

Encountered 1 failing test in test/Bad_Data_Validation/Superfluid/Superfluid.attack.sol:Exploit_Superfluid
[FAIL. Reason: Setup failed: Failed to get account for 0x1804c8ab1f12e6bbf3894d4083f33e07309d1f38: 0x1804c8ab1f12e6bbf3894d4083f33e07309d1f38] setUp() (gas: 0)

Encountered 1 failing test in test/Bad_Data_Validation/TransitSwap/TransitSwap.attack.sol:Exploit_TransitSwap
[FAIL. Reason: XswapApprove:Access restricted] test_attack_reproduced() (gas: 21784)

Encountered 1 failing test in test/Bridges/Wintermute/Wintermute.attack.sol:Exploit_Wintermute
[FAIL. Reason: EvmError: Revert] test_attack() (gas: 48996)

Encountered 1 failing test in test/Business_Logic/Beanstalk/Beanstalk.attack.sol:Exploit_Beanstalk
[FAIL. Reason: EvmError: Revert] test_attack() (gas: 5180199)

This passes, but throws errors

Running 1 test for test/Reentrancy/ReadOnlyReentrancy/ReadOnlyReentrancy.attack.sol:Exploit_ReadOnly
[PASS] test_attack() (gas: 423818)
Test result: ok. 1 passed; 0 failed; finished in 15.17s
2022-12-07T15:55:35.198195Z ERROR sharedbackend: Failed to send/recv `basic` err=GetAccount(0x1804c8ab1f12e6bbf3894d4083f33e07309d1f38,
(code: -32000, message: missing trie node eed22da7bf5ca4462adb3a5f34fb65fe538fd808b89f05187c540913ca9d130f (path ), data: None)) address=0x1804c8ab1f12e6bbf3894d4083f33e07309d1f38
2022-12-07T15:55:35.198363Z ERROR forge::runner: setUp failed reason="Failed to get account for 0x1804c8ab1f12e6bbf3894d4083f33e07309d1f38: 0x1804c8ab1f12e6bbf3894d4083f33e07309d1f38" contract=0x7fa9385be102ac3eac297483dd6233d62b3e1496

On Feb 27, 2021 an attacker stole ~18MM from Furucombo.

Attack Overview
Total Lost: ~18MM

// Key Info Sources
Writeup: https://rekt.news/furucombo-rekt/

Principle: Business Logic - Deceiving Furucombo making it think that Aave V2 changed its implementation.

Reference: https://twitter.com/trailofbits/status/1724344137065886183