skills/references/exploit-reference/SKILL.md
Reference guide to major DeFi exploits and reproducible Foundry workflows from DeFiHackLabs
Curated quick-reference table of major DeFi exploit reproductions from DeFiHackLabs.
| Exploit | Primary Pattern | Foundry PoC |
|---------|-----------------|-------------|
| The DAO (2016) | Reentrancy | https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/TheDAO_exp.sol |
| Parity Wallet (2017) | Access Control | https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/Parity_exp.sol |
| bZx (2020) | Flash Loan + Oracle Manipulation | https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/bZx_exp.sol |
| Harvest Finance (2020) | Flash Loan + Oracle Manipulation | https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/Harvest_exp.sol |
| Compound (2021) | Logic Error | https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/Compound_exp.sol |
| Cream Finance (2021) | Reentrancy | https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/Cream_exp.sol |
| Poly Network (2021) | Access Control / Cross-chain Validation | https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/PolyNetwork_exp.sol |
| Wormhole (2022) | Signature Verification | https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/Wormhole_exp.sol |
| Ronin Bridge (2022) | Access Control | https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/Ronin_exp.sol |
| Beanstalk (2022) | Flash Loan + Governance | https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/Beanstalk_exp.sol |
| Nomad Bridge (2022) | Logic Error | https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/Nomad_exp.sol |
| Mango Markets (2022) | Flash Loan + Oracle Manipulation | https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/MangoMarkets_exp.sol |
| Euler Finance (2023) | Flash Loan + Logic Error | https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/Euler_exp.sol |
| Wintermute (2022) | Access Control / Key Compromise | https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/Wintermute_exp.sol |
| BadgerDAO (2021) | Access Control / Frontend Compromise | https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/BadgerDAO_exp.sol |
Step-by-step guide for setting up DeFiHackLabs and running Foundry proof-of-concept exploit reproductions locally.
Before cloning, ensure you have the following installed:
```bash
# Install Foundry (includes forge, cast, anvil)
curl -L https://foundry.paradigm.xyz | bash
foundryup
# Verify installation
forge --version
```
Most exploits require forking Ethereum mainnet at a specific block. You need an RPC endpoint:
Set your RPC URL as an environment variable:
```bash
export ETH_RPC_URL="https://eth-mainnet.g.alchemy.com/v2/YOUR_API_KEY"
```
For BSC exploits:
```bash
export BSC_RPC_URL="https://bsc-dataseed.binance.org"
```
```bash
git clone https://github.com/SunWeb3Sec/DeFiHackLabs
cd DeFiHackLabs
# Install Foundry dependencies (forge-std, etc.)
forge install
```
Create a .env file in the project root (or export variables directly):
```bash
# .env
ETH_RPC_URL=https://eth-mainnet.g.alchemy.com/v2/YOUR_API_KEY
BSC_RPC_URL=https://bsc-dataseed.binance.org
```
Note: DeFiHackLabs uses `vm.createSelectFork()` inside each test to fork at the exact exploit block. The RPC URL is read from the environment.
```bash
forge test --match-contract TheDAO_exp -vvv --fork-url $ETH_RPC_URL
```
| Flag | Output |
|------|--------|
| -v | Test pass/fail only |
| -vv | Logs and events |
| -vvv | Call traces (recommended) |
| -vvvv | Full traces including reverts |
| -vvvvv | Maximum detail (very verbose) |
# The DAO (2016) — Reentrancy
```bash
forge test --match-contract TheDAO_exp -vvv --fork-url $ETH_RPC_URL
# Euler Finance (2023) — Flash Loan + Logic
forge test --match-contract Euler_exp -vvv --fork-url $ETH_RPC_URL
# Beanstalk (2022) — Flash Loan + Governance
forge test --match-contract Beanstalk_exp -vvv --fork-url $ETH_RPC_URL
# Ronin Bridge (2022) — Access Control
forge test --match-contract Ronin_exp -vvv --fork-url $ETH_RPC_URL
# Nomad Bridge (2022) — Logic Error
forge test --match-contract Nomad_exp -vvv --fork-url $ETH_RPC_URL
```
A typical trace looks like:
```text
[PASS] testExploit() (gas: 1234567)
Traces:
  [1234567] TheDAO_exp::testExploit()
    ├─ [0] VM::createSelectFork(...)
    ├─ [50000] TheDAO::withdraw(1 ether)
    │   ├─ [40000] Attacker::receive() ← REENTRANCY HERE
    │   │   └─ [30000] TheDAO::withdraw(1 ether)
    │   └─ ← ()
    └─ ← ()
```
What to look for in the trace:

- `vm.createSelectFork()` pins the fork to the exploit block
- `flashLoan()` or `borrow()` calls early in the trace

Most PoCs log the attacker's profit:

```text
[console.log] Attacker profit: 197,000,000 USDC
```
If you see this, the exploit reproduced successfully.
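To make the checks above mechanical when reviewing many reproductions, here is an added helper (not part of DeFiHackLabs or this guide) that scans a `-vvv` trace for the fork pin, early flash-loan calls, a re-entry into a function that is still open on the call stack, and the profit log line. The sample trace is constructed to match the one shown above.

```python
"""Scan a forge -vvv trace for the markers the guide says to look for."""
import re

# Constructed sample modelled on the trace above (not real forge output).
SAMPLE_TRACE = """\
[1234567] TheDAO_exp::testExploit()
├─ [0] VM::createSelectFork(...)
├─ [50000] TheDAO::withdraw(1 ether)
│ ├─ [40000] Attacker::receive()
│ │ └─ [30000] TheDAO::withdraw(1 ether)
│ └─ ← ()
└─ ← ()
[console.log] Attacker profit: 197,000,000 USDC
"""

# A call line: tree-drawing prefix, [gas], then Contract::function(...)
CALL_RE = re.compile(r"^(?P<tree>[\s│├└─]*)\[\d+\]\s+(?P<target>\w+)::(?P<fn>\w+)")
PROFIT_RE = re.compile(r"\[console\.log\].*?profit:\s*(?P<amount>.+)$", re.IGNORECASE)
FLASH_FNS = {"flashloan", "borrow", "flash"}  # common flash-loan entry points


def analyze_trace(trace: str) -> dict:
    """Return fork pin, flash-loan calls, re-entries (target, re-entered via) and profit."""
    report = {"forked": False, "flash_loans": [], "reentries": [], "profit": None}
    stack = []  # open calls as "Contract::fn"; list index == call depth
    for line in trace.splitlines():
        m = PROFIT_RE.search(line)
        if m:
            report["profit"] = m.group("amount").strip()
            continue
        m = CALL_RE.match(line)
        if not m:  # return lines ("← ()") and other logs carry no call
            continue
        # Depth is the number of tree connectors before the [gas] field
        depth = len(re.findall(r"[│├└]", m.group("tree")))
        call = f"{m.group('target')}::{m.group('fn')}"
        del stack[depth:]  # unwind calls that have already returned
        if call == "VM::createSelectFork":
            report["forked"] = True
        if m.group("fn").lower() in FLASH_FNS:
            report["flash_loans"].append(call)
        if call in stack:  # same function still open further up: re-entry
            report["reentries"].append((call, stack[-1]))
        stack.append(call)
    return report
```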
Use DeFiHackLabs PoCs as templates when auditing similar protocols.
Copy the relevant PoC (e.g. TheDAO_exp.sol) to your audit project.

```solidity
// Template structure of a DeFiHackLabs PoC
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "forge-std/Test.sol";

// Minimal stand-in interface; replace with the real ABI of the protocol under audit
interface IVulnerableProtocol {
    function withdraw(uint256 amount) external;
}

contract MyAudit_exp is Test {
    // Placeholders: set to the protocol address and the block just before the incident
    address constant TARGET_ADDRESS = address(0);
    uint256 constant BLOCK_NUMBER = 0;

    // Target contract interface
    IVulnerableProtocol target;

    function setUp() public {
        // Fork at a specific block ("mainnet" is an alias from foundry.toml rpc_endpoints)
        vm.createSelectFork("mainnet", BLOCK_NUMBER);
        target = IVulnerableProtocol(TARGET_ADDRESS);
    }

    function testExploit() public {
        uint256 balanceBefore = address(this).balance;
        // Step 1: Acquire flash loan or initial capital
        // Step 2: Execute the attack
        // Step 3: Repay flash loan
        uint256 profit = address(this).balance - balanceBefore;
        console.log("Profit:", profit);
        assertGt(profit, 0, "Exploit failed");
    }

    // Callback for reentrancy or flash loan repayment
    receive() external payable {
        // Re-enter if conditions met
    }
}
```
- `cast block --rpc-url $ETH_RPC_URL latest` to get the current block
- `vm.label()` — label addresses for readable traces: `vm.label(address(target), "VulnerableProtocol")`
- `console.log` checkpoints — log balances before/after each step to trace the attack flow
- `vm.expectRevert()` — verify that the fix (if applied) causes the exploit to revert

| Problem | Solution |
|---------|----------|
| RPC rate limit exceeded | Use a paid RPC tier or add --slow flag |
| Block not found | The fork block may be too old for your RPC provider; try Alchemy Archive |
| Contract not deployed at block | Adjust the fork block to after the contract deployment |
| Out of gas | Increase gas limit: --gas-limit 30000000 |
| Compilation error | Run forge build first to check for syntax errors |
| Test not found | Verify the contract name matches exactly with --match-contract |