generated from foundry-rs/hardhat-foundry-template
## Aim

There should be no need to use `prank(attacker)` in most scenarios, and there should be no need to hardcode payloads. We should be able to reproduce everything in the actual test.
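As an added illustration of that aim (example code written for this issue, not a test from the repository, and not based on any of the incidents listed below), the Foundry test below shows the pattern: the test contract itself plays the attacker role, so no `vm.prank(attacker)` is needed, a `getPayload(address)` helper derives the payload for whatever address is passed instead of pasting bytes from a trace, and the result is asserted with `assertGe`/`assertEq` rather than only checking that the call succeeded. `MockTarget`, `process`, `credited` and `AMOUNT` are constructed stand-ins for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import "forge-std/Test.sol";

// Constructed stand-in for a target that accepts a caller-supplied payload.
// Hypothetical contract for this example; not any protocol from the list.
contract MockTarget {
    mapping(address => uint256) public credited;

    function process(bytes calldata payload) external {
        (address beneficiary, uint256 amount) = abi.decode(payload, (address, uint256));
        credited[beneficiary] += amount;
    }
}

// The test contract is the "attacker" (address(this)), so nothing is pranked
// and nothing in the payload is hardcoded.
contract ReproTest is Test {
    MockTarget target;
    uint256 constant AMOUNT = 1 ether; // constructed value

    function setUp() public {
        target = new MockTarget();
    }

    // Build the payload from the address given, rather than hardcoding bytes
    // captured from a trace. Works for any address, not only one attacker.
    function getPayload(address beneficiary) public pure returns (bytes memory) {
        return abi.encode(beneficiary, AMOUNT);
    }

    function testReproducesForThisContract() public {
        uint256 before = target.credited(address(this));
        target.process(getPayload(address(this)));
        // Assert on the effect, not merely that the call did not revert.
        assertGe(target.credited(address(this)), before + AMOUNT);
    }

    // Fuzzed variant: the reproduction must hold for an arbitrary beneficiary,
    // which is exactly the property a hardcoded attacker address cannot show.
    function testReproducesForAnyAddress(address anyone) public {
        vm.assume(anyone != address(0));
        target.process(getPayload(anyone));
        assertEq(target.credited(anyone), AMOUNT);
    }
}
```

Run with `forge test`; the fuzzed test is what makes "no hardcoded attacker" checkable rather than a convention.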
## Status

### Bridges

- ✅ Nomad Bridge: `getPayload` reproduces payload for any address
- ✅ Ronin Bridge: uses `prank` but OK, no interesting on-chain interactions, meat is offchain
- ✅ Polynetwork: uses hardcoded bytecode from traces, no `prank` but attacker address needs to be hardcoded due to bytecode
- ✅ Arbitrum Inbox: report, so no actual `attacker` address, attack is fully reproduced from scratch
### Data Validation

- ✅ Superfluid: implemented `encode` functions, nothing hardcoded
- ✅ Bad Guys NFT: hardcoded attacker and merkle proof, needs logic to build merkle proof for any addr and set merkle root
- ✅ Bond Olympus: OK, no hardcoding
- ✅ Multichain Permit: OK, no hardcoding
### Access Control

- ⚠️ Sandbox: attacker/victim hardcoded, should work with any pair as long as victim has an NFT, could give it to them so test always works
- ✅ DAO Maker: OK, no hardcoding
- 😞 Rikkeii: OK, but code could use some love so attack is more clear.
- ✅ MBC Token: OK, `address(this)` is the attacker contract, could change it to anything
- ✅ Temple DAO: OK, `address(this)` is the attacker contract, could change it to anything
- ✅ Punk Protocol: OK, `address(this)` is the attacker contract, could change it to anything
### Reentrancy

- ✅ Paraluni: OK, no hardcoding
- ⚠️ DFXFinance: Strong dependence on balance on an attacker address that is not in the test.
- 😞 Fei Protocol: Needs love and work so `assertGe` asserts more things
- ✅ Cream Finance: OK
- ✅ Revest Finance: OK, uses `attacker` address but no `prank`, only to transfer loot
- 😞 Hundred Finance: No hardcoding, but code is hard to understand. Missing `assert`s as token interactions are not clear.
- 😞 Read only reentrancy: totally theoretical so no hardcoding needed, but is missing asserts
nine-december