Introduction: As the world of blockchain and smart contracts continues to grow, so does the potential for vulnerabilities and attacks. If you've ever wanted to learn about EVM attacks, we've got just the thing for you! We've stumbled upon a fantastic resource - a collection of Foundry tests that reproduce exploits, bug bounty reports, and theoretical vulnerabilities on EVM chains. In this article, we'll introduce you to this treasure trove, and in future posts, we'll dive deeper into each vulnerability, helping you understand the intricacies of smart contract security.
Meet "Learn EVM Attacks": This incredible GitHub repository, called "Learn EVM Attacks," provides detailed information on various vulnerabilities found in smart contract systems. It includes diagrams and context links, making it an excellent reference or study material for anyone eager to explore the world of smart contract vulnerabilities.
Getting Started: If you're itching to take a peek, all you need to do is head to a vulnerability folder (e.g., MBCToken) within the repository. You can read the README or proceed to run the reproduction on your computer. Just make sure you have Foundry installed, and you're good to go!
A Glimpse of Vulnerabilities: The repository currently features 35 reproduced exploits, with some of the most fascinating ones highlighted for your convenience. Examples include Furucombo, which showcases the dangers of DELEGATECALL; the MBC Token, with its intriguing backstory on sandwich attacks; and Uranium, which lets you study the actual code protecting the famous AMM constant product x*y=k.
Running a Specific Exploit: To run a specific exploit, simply use the command:
forge test --match-contract Exploit_MBCToken -vvv
You can adjust the verbosity level (-v, -vv, etc.) based on how much data you want. The highest verbosity level (-vvvv) even includes traces!
Categories and Examples: The vulnerabilities are grouped into categories, such as Access Control, Bad Data Validation, Business Logic, Reentrancy, and Bridges. Some noteworthy examples include:
TempleDAO ($2.3MM) - Unchecked ownership on token migration
Olympus DAO Bond ($300,000) - Arbitrary Tokens / Unchecked transfers
Furucombo ($15MM) - DELEGATECALL to proxy
Qi Dao / Curve Pool ($156K) - Read Only Reentrancy
Ronin Bridge ($624MM) - Compromised Keys
Contributing and Troubleshooting: You can contribute by creating new files within the appropriate category, using the template provided in the test folder. If you encounter issues with tests or reproductions, the repository offers troubleshooting tips to help you resolve them.
Stay Tuned for More: We hope this introduction has piqued your interest! In upcoming articles, we'll delve into these vulnerabilities one by one, helping you grasp the complexities of smart contract security. Stay tuned for our in-depth analysis and learn how to protect your smart contracts from potential attacks!
GitHub Repo: