npm - uups-checker - Versions diffs - 1.0.0 - Mend

uups-checker 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (670) hide show

package/.gitmodules +6 -0
package/AIFI_AUDIT.md +220 -0
package/ALL_AUDITS_SUMMARY.md +366 -0
package/ALPHA_PROXY_CRITICAL_FINDING.md +136 -0
package/ALPHA_PROXY_FINAL_ANALYSIS.md +213 -0
package/ALPHA_PROXY_FINAL_VERDICT.md +233 -0
package/ALPHA_PROXY_SELFDESTRUCT_EXPLOIT.md +161 -0
package/ARIA-foundry-test.txt +9 -0
package/ARIA-mythril-analysis.txt +20 -0
package/ARIA-slither-analysis.txt +38 -0
package/ARIA_AI_SECURITY_AUDIT.md +290 -0
package/ARIA_VERIFIED_AUDIT.md +259 -0
package/ARIA_VERIFIED_slither.txt +76 -0
package/ARIVA_source.txt +1 -0
package/ARK_AUDIT.md +349 -0
package/BANANA_AUDIT.md +365 -0
package/BAS_AUDIT.md +451 -0
package/BAS_TOKEN_AUDIT.md +235 -0
package/BCE_EXPLOIT_ANALYSIS.md +165 -0
package/BEEFY_BNB_CHAIN_ANALYSIS.md +488 -0
package/BEEFY_MONAD_ANALYSIS.md +239 -0
package/BEEFY_STAKING_ANALYSIS.md +136 -0
package/BEEFY_XVS_WBNB_ACTUAL_FINDINGS.md +223 -0
package/BEEFY_XVS_WBNB_CRITICAL_FINDINGS.md +269 -0
package/BLOCKSEC_ATTACK_KNOWLEDGE_BASE.md +771 -0
package/BRISE_ANALYSIS.txt +31 -0
package/BRISE_BSC_DAPPS.txt +68 -0
package/BRISE_EXPLOITS_FOUND.md +98 -0
package/BRISE_REAL_EXPLOITS.md +115 -0
package/BRISE_WHITEHAT_REPORT.md +162 -0
package/BRISEstake_Analysis.txt +95 -0
package/BSCSLOCKTOKEN_CRITICAL_FINDING.md +240 -0
package/BSW_BISWAP_SECURITY_AUDIT.md +330 -0
package/BTCST_FINAL_VERDICT.md +319 -0
package/BTCST_MINING_REBASE_ANALYSIS.md +229 -0
package/BTCST_ROUNDING_DEEP_DIVE.md +293 -0
package/BTCST_ROUNDING_FINAL_VERDICT.md +9 -0
package/BTCST_SECURITY_ANALYSIS.md +391 -0
package/BTR_AUDIT.md +210 -0
package/BeamBridge-analysis.md +226 -0
package/BeamToken-analysis.md +201 -0
package/BitgertSwap_Investigation.txt +107 -0
package/CEEK_STAKING_ANALYSIS.md +0 -0
package/CHAINBASE_AUDIT.md +422 -0
package/COMPLETE_AUDIT_SUMMARY.md +342 -0
package/CORRECTED_ANALYSIS.txt +115 -0
package/DBXEN_COMPARISON_SUMMARY.md +232 -0
package/DBXEN_EXPLOIT_ANALYSIS.md +530 -0
package/DOPFairLaunch_raw.json +29 -0
package/DOPFairLaunch_source.txt +0 -0
package/DOP_BRIDGE_FINAL_ANALYSIS.txt +86 -0
package/DOP_BUSD_LP_ANALYSIS.txt +44 -0
package/DOP_FAIRLAUNCH_ANALYSIS.txt +61 -0
package/DOP_FAIRLAUNCH_FINAL_VERDICT.txt +113 -0
package/DOP_STAKING_CONTRACT_ANALYSIS.txt +67 -0
package/DSYNC_ECOSYSTEM_ANALYSIS.md +221 -0
package/DSyncStaking-exploit-analysis.md +153 -0
package/DSyncVault-analysis.md +120 -0
package/DUSD_PROXY_AUDIT.md +407 -0
package/DXSALE_LOCK_AUDIT.md +0 -0
package/DXSaleLock_bytecode.txt +1 -0
package/ECHIDNA_QUICK_START.md +101 -0
package/ELEPHANT_ECOSYSTEM_AUDIT_PLAN.md +159 -0
package/ELEPHANT_ECOSYSTEM_COMPREHENSIVE_AUDIT.md +427 -0
package/ELEPHANT_SECURITY_ANALYSIS.md +209 -0
package/ELEPHANT_VULNERABILITIES_EXPLAINED.md +455 -0
package/EXPLOIT_FIX.md +300 -0
package/EXPLOIT_INSTRUCTIONS.md +273 -0
package/EXPLOIT_SUMMARY.md +285 -0
package/EXPLOIT_SUMMARY.txt +175 -0
package/FALCON_FINANCE_AUDIT.md +258 -0
package/FANDOM_AUDIT.md +359 -0
package/FEE_ON_TRANSFER_ANALYSIS.md +228 -0
package/FINAL_AUDIT_REPORT.md +0 -0
package/FOLIO_PROXY_AUDIT.md +299 -0
package/FOT_EXPLOIT_RESULTS.txt +110 -0
package/FOT_TOKENS_AUDITED.md +103 -0
package/HEGIC-mythril-analysis.txt +39 -0
package/HEGIC_COMPLETE_ANALYSIS.md +343 -0
package/HOTCROSS_SWAP_EXPLOIT_ANALYSIS.md +123 -0
package/ICECREAMSWAP_EXPLOITS.md +259 -0
package/IMMUNEFI_REPORT.md +314 -0
package/KCCPAD_EXPLOIT_GUIDE.md +285 -0
package/KEL_CEL_EXPLOIT_ANALYSIS.md +0 -0
package/KOGE_AUDIT.md +328 -0
package/LENDFLARE_ANALYSIS.md +239 -0
package/LENDFLARE_ECHIDNA_GUIDE.md +356 -0
package/LENDFLARE_EXPLOIT_INSTRUCTIONS.md +297 -0
package/LENDFLARE_EXPLOIT_SUMMARY.md +292 -0
package/LENDFLARE_FLASHLOAN_GUIDE.md +383 -0
package/LENDFLARE_FUZZING_RESULTS.md +252 -0
package/LENDFLARE_HONEYPOT_BYPASS_ANALYSIS.md +420 -0
package/LENDFLARE_MANUAL_FUZZING.md +324 -0
package/LENDFLARE_MYTHRIL_ANALYSIS.md +339 -0
package/LENDFLARE_V3_BYPASS.md +296 -0
package/LFTDECOMPILE.txt +14478 -0
package/LFT_ACCOUNTING_ANALYSIS.md +0 -0
package/LFT_ACCOUNTING_BUG_ANALYSIS.md +426 -0
package/LFT_BACKDOOR_DEEP_DIVE.md +0 -0
package/LFT_CRITICAL_EXPLOIT_CONFIRMED.md +428 -0
package/LFT_EXPLOIT_VISUAL.md +253 -0
package/LFT_QUICK_SUMMARY.md +124 -0
package/LFT_REVERSE_EXPLOIT_ANALYSIS.md +521 -0
package/MGO_AUDIT_REPORT.md +420 -0
package/MYTHRIL_FINAL_REPORT.md +306 -0
package/MYTHRIL_SLITHER_SUMMARY.md +244 -0
package/NETX_MIGRATION_AUDIT.md +0 -0
package/NPM_PUBLISH_GUIDE.md +0 -0
package/NRV_CRITICAL_EXPLOIT.txt +143 -0
package/NetX_Analysis.txt +76 -0
package/NetX_Migration_bytecode.txt +1 -0
package/NetX_Migration_source.txt +0 -0
package/NetX_Token_source.txt +0 -0
package/NetxWhitehatRescue +22 -0
package/OILER_ATTACK_VISUAL.md +351 -0
package/OILER_BLOCKSEC_TEST_RESULTS.md +421 -0
package/OILER_DEEP_ANALYSIS.md +212 -0
package/OILER_FINAL_EXPLOIT_REPORT.md +241 -0
package/OILER_FINAL_VERDICT.md +339 -0
package/OILER_REENTRANCY_EXPLAINED.md +638 -0
package/OILER_REENTRANCY_FINAL_SUMMARY.md +391 -0
package/OILER_REENTRANCY_REALITY_CHECK.md +393 -0
package/OILER_REENTRANCY_STEP_BY_STEP.md +597 -0
package/OILER_STAKING_MAINNET_ANALYSIS.md +366 -0
package/OILER_STAKING_SECURITY_ANALYSIS.md +409 -0
package/PANCAKESWAP_UNDERFLOW_HUNTING.md +317 -0
package/POLS_MULTICHAIN_AUDIT.md +0 -0
package/POSI_STAKING_AUDIT.md +0 -0
package/PROXY2_SECURITY_ANALYSIS.md +0 -0
package/Proxy2TACS +29748 -0
package/QUICK_START.md +240 -0
package/RAMP_SECURITY_ANALYSIS.md +0 -0
package/README.md +238 -0
package/REAUDIT_MASTER_LIST.txt +15 -0
package/RING_analysis.txt +212 -0
package/RPC +4 -0
package/RULES.txt +20 -0
package/SIREN_AUDIT.md +186 -0
package/SYNC_EXPLOIT_README.md +0 -0
package/SYNC_TOKEN_EXPLOIT_REPORT.md +224 -0
package/TLM_raw.html +0 -0
package/TLM_raw.txt +0 -0
package/TLM_response.json +1 -0
package/TRADOOR_AUDIT.md +253 -0
package/TRUNK_AUDIT.md +285 -0
package/UNIBASE_AUDIT.md +241 -0
package/UNLOCK_ANALYSIS.md +0 -0
package/UNLOCK_EXPLOIT.md +49 -0
package/UNLOCK_EXPLOIT_ANALYSIS.md +0 -0
package/UPS +232 -0
package/UUPSCHECKER +208 -0
package/VAULT_PROXY_AUDIT.md +457 -0
package/VAULT_PROXY_FINAL_VERDICT.md +0 -0
package/VERIFIED_EXPLOITS_FINAL.txt +146 -0
package/WKEYDAO2_AUDIT.md +245 -0
package/WSG_AUDIT.md +0 -0
package/XFI_DEEP_ANALYSIS.md +327 -0
package/YOOSHI_EXPLOIT_GUIDE.md +119 -0
package/YSDAO_EXPLOIT_GUIDE.md +0 -0
package/agent-4-bundle.md +22490 -0
package/alpha-proxy-echidna.txt +1 -0
package/alpha-proxy-fuzz-results.txt +81 -0
package/alpha-proxy-mythril.txt +2 -0
package/analyze-btcst-farm.js +54 -0
package/analyze-dxsale-lock.js +75 -0
package/analyze-elephant.js +69 -0
package/analyze-fara-rewards.js +109 -0
package/analyze-fara-storage.js +83 -0
package/analyze-lft-transaction.js +158 -0
package/analyze-lock-bytecode.js +59 -0
package/analyze-shegic.js +0 -0
package/analyze-staking-abi.js +0 -0
package/analyze-sxp.js +57 -0
package/analyze-tlm.js +76 -0
package/analyze-trumpet.js +98 -0
package/analyze-unlimited-nft.js +108 -0
package/analyze_elephant.sh +27 -0
package/analyze_vault.sh +32 -0
package/aria-bytecode.txt +1 -0
package/aria_response.json +1 -0
package/ark_temp/README.md +66 -0
package/ark_temp/lib/forge-std/.gitattributes +1 -0
package/ark_temp/lib/forge-std/.github/CODEOWNERS +1 -0
package/ark_temp/lib/forge-std/.github/dependabot.yml +6 -0
package/ark_temp/lib/forge-std/.github/workflows/ci.yml +125 -0
package/ark_temp/lib/forge-std/.github/workflows/sync.yml +36 -0
package/ark_temp/lib/forge-std/CONTRIBUTING.md +193 -0
package/ark_temp/lib/forge-std/LICENSE-APACHE +203 -0
package/ark_temp/lib/forge-std/LICENSE-MIT +25 -0
package/ark_temp/lib/forge-std/README.md +314 -0
package/ark_temp/lib/forge-std/RELEASE_CHECKLIST.md +12 -0
package/ark_temp/lib/forge-std/package.json +16 -0
package/ark_temp/lib/forge-std/scripts/vm.py +636 -0
package/audits/AiFi-security-audit-20260326.md +499 -0
package/audits/BasedAI-Brains-security-audit-20260324.md +651 -0
package/audits/BinanceAlphaWallet-pashov-ai-audit-report-20260324-170000.md +362 -0
package/audits/DGToken-security-audit-20260324.md +376 -0
package/audits/DSyncStaking-audit-part1.md +161 -0
package/audits/DSyncStaking-security-audit-20260324.md +547 -0
package/audits/DecompiledERC20-security-audit-20260325.md +397 -0
package/audits/DegenVC-security-audit-20260324.md +585 -0
package/audits/DelreyInu-security-audit-20260324.md +463 -0
package/audits/DestraNetwork-security-audit-20260324.md +705 -0
package/audits/DomiToken-security-audit-20260324.md +514 -0
package/audits/LendFlareToken-security-audit-20260325.md +197 -0
package/audits/LockReleaseTokenPool-security-audit-20260324.md +482 -0
package/audits/MOG-pashov-ai-audit-report-20260324-164900.md +229 -0
package/audits/PAALAI-security-audit-20260324.md +475 -0
package/audits/PAR-security-audit-20260325.md +311 -0
package/audits/PepeCoinStaking-security-audit-20260324.md +358 -0
package/audits/StakingPool-security-audit-20260324.md +517 -0
package/audits/SyncToken-security-audit-20260324.md +778 -0
package/audits/UndeadToken-decompiled-security-audit-20260324.md +485 -0
package/audits/UnknownToken-decompiled-security-audit-20260324.md +647 -0
package/audits/XFIStaking-security-audit-20260324.md +682 -0
package/audits/Xfinance-security-audit-20260324.md +463 -0
package/audits/basedAIFarm-security-audit-20260324.md +330 -0
package/audits/pepeCoin-security-audit-20260324.md +462 -0
package/bin/ups +232 -0
package/binance-wallet-exploit/.env.example +2 -0
package/binance-wallet-exploit/EXECUTIVE_SUMMARY.md +272 -0
package/binance-wallet-exploit/EXPLOIT_SUMMARY.md +104 -0
package/binance-wallet-exploit/FINAL_ANALYSIS.md +326 -0
package/binance-wallet-exploit/FLASHLOAN_ATTACK.md +292 -0
package/binance-wallet-exploit/HONEYPOT_REPORT.md +526 -0
package/binance-wallet-exploit/INVESTIGATION_COMPLETE.md +362 -0
package/binance-wallet-exploit/LENDFLARE_EXPLOIT.md +219 -0
package/binance-wallet-exploit/LENDFLARE_FINAL_ATTACK.md +307 -0
package/binance-wallet-exploit/LENDFLARE_REAL_EXPLOIT.md +286 -0
package/binance-wallet-exploit/LENDFLARE_RUGPULL.md +269 -0
package/binance-wallet-exploit/LFT_ANALYSIS.md +206 -0
package/binance-wallet-exploit/QUICK_START.md +75 -0
package/binance-wallet-exploit/README.md +195 -0
package/binance-wallet-exploit/REAL_TX_EXPLOIT_ANALYSIS.md +271 -0
package/binance-wallet-exploit/REMIX_INSTRUCTIONS.md +223 -0
package/binance-wallet-exploit/TEST_RESULTS.md +203 -0
package/binance-wallet-exploit/cache/solidity-files-cache.json +1 -0
package/binance-wallet-exploit/cache/test-failures +1 -0
package/binance-wallet-exploit/lib/forge-std/.gitattributes +1 -0
package/binance-wallet-exploit/lib/forge-std/.github/CODEOWNERS +1 -0
package/binance-wallet-exploit/lib/forge-std/.github/dependabot.yml +6 -0
package/binance-wallet-exploit/lib/forge-std/.github/workflows/ci.yml +125 -0
package/binance-wallet-exploit/lib/forge-std/.github/workflows/sync.yml +36 -0
package/binance-wallet-exploit/lib/forge-std/CONTRIBUTING.md +193 -0
package/binance-wallet-exploit/lib/forge-std/LICENSE-APACHE +203 -0
package/binance-wallet-exploit/lib/forge-std/LICENSE-MIT +25 -0
package/binance-wallet-exploit/lib/forge-std/README.md +314 -0
package/binance-wallet-exploit/lib/forge-std/RELEASE_CHECKLIST.md +12 -0
package/binance-wallet-exploit/lib/forge-std/package.json +16 -0
package/binance-wallet-exploit/lib/forge-std/scripts/vm.py +636 -0
package/binance-wallet-exploit/out/build-info/1e9aa7e86cf56962.json +1 -0
package/binance-wallet-exploit/out/build-info/6f56f10e9d7b56eb.json +1 -0
package/binance-wallet-exploit/out/build-info/7edba961ff697a24.json +1 -0
package/binance-wallet-exploit/out/build-info/8c27fe3efea2f2e7.json +1 -0
package/binance-wallet-exploit/out/build-info/978b680daffec63a.json +1 -0
package/binance-wallet-exploit/out/build-info/9806b900b5672d0c.json +1 -0
package/binance-wallet-exploit/out/build-info/b4b9ff36e9b3fc27.json +1 -0
package/binance-wallet-exploit/out/build-info/b6f4df9ae05c0812.json +1 -0
package/binance-wallet-exploit/out/build-info/c88dbc86551f7b5c.json +1 -0
package/binance-wallet-exploit/out/build-info/e9657504010623db.json +1 -0
package/cache/fuzz/failures/ARIAVerifiedFuzzTest/testFuzz_ApprovalRaceCondition +1 -0
package/cache/fuzz/failures/HotCrossSwapFuzzTest/testFuzz_DirectTransferExploit +1 -0
package/cache/fuzz/failures/HotCrossSwapFuzzTest/testFuzz_LargeSwapDrain +1 -0
package/cache/fuzz/failures/LendFlareFuzz/testFuzz_ApprovalExploit +1 -0
package/cache/fuzz/failures/LendFlareFuzz/testFuzz_BalanceManipulation +1 -0
package/cache/fuzz/failures/LendFlareFuzz/testFuzz_RateManipulation +1 -0
package/cache/fuzz/failures/LendFlareFuzz/testFuzz_StorageManipulation +1 -0
package/cache/fuzz/failures/PARFuzzTest/testFuzz_OverflowTransfer +1 -0
package/cache/fuzz/failures/PARFuzzTest/testFuzz_Transfer +1 -0
package/cache/fuzz/failures/XFIDeepFuzz/testFuzz_FrontrunAddfunds +1 -0
package/cache/fuzz/failures/XFIDeepFuzz/testFuzz_RewardOverflow +1 -0
package/cache/fuzz/failures/XFIDeepFuzz/testFuzz_RoundingExploit +1 -0
package/cache/fuzz/failures/XFIDeepFuzz/testFuzz_WithdrawLimit +1 -0
package/cache/solidity-files-cache.json +1 -0
package/cache/test-failures +1 -0
package/calculate-elephant-flashloan.js +195 -0
package/check-address-approval.js +112 -0
package/check-alpha-proxy.js +42 -0
package/check-arbitrage.js +155 -0
package/check-aria-token.js +47 -0
package/check-ark.sh +20 -0
package/check-btcst-mining.js +75 -0
package/check-btcst-pools.js +163 -0
package/check-btcst.js +88 -0
package/check-caller.js +26 -0
package/check-ceek-lp.js +73 -0
package/check-ceek.js +47 -0
package/check-dxsale-address.js +35 -0
package/check-fara-exploit-timing.js +56 -0
package/check-fara-real-exploit.js +73 -0
package/check-flashloan-limits.js +129 -0
package/check-kel-cel-pool.js +91 -0
package/check-lax-staking.js +41 -0
package/check-lendflare.js +165 -0
package/check-lft-accounting.js +109 -0
package/check-lft-roles.js +165 -0
package/check-lock-time.js +47 -0
package/check-min-stake.js +73 -0
package/check-mystery-contract.js +52 -0
package/check-next-token.js +50 -0
package/check-nora-lock.js +67 -0
package/check-oiler-approvals.js +116 -0
package/check-oiler-proxy.js +73 -0
package/check-oiler-staking.js +117 -0
package/check-proxy-simple.js +71 -0
package/check-recent-stakes.js +54 -0
package/check-shegic-holdings.js +67 -0
package/check-snowcrash-ecosystem.js +83 -0
package/check-sync-lp.js +97 -0
package/check-sync-stake.js +42 -0
package/check-tlm.js +37 -0
package/check-token-pools.js +146 -0
package/check-trunk-depeg.js +181 -0
package/check-tusd-decimals.js +58 -0
package/check-user-storage-deep.js +81 -0
package/check-welephant-pools.js +130 -0
package/check-xfi-pool.js +75 -0
package/check-zypher.js +32 -0
package/check_proxy.sh +36 -0
package/compare-tlm-chains.js +90 -0
package/contract_0x05f2.html +6025 -0
package/contract_0x3720.html +6361 -0
package/contract_0x928e.html +5606 -0
package/contract_0xc42d.html +5304 -0
package/contract_page.html +5789 -0
package/decode-stake-tx.js +50 -0
package/deep-analyze-lock.js +82 -0
package/dune_uups_proxy_query.sql +42 -0
package/dune_uups_vulnerable_query.sql +0 -0
package/echidna/alpha-proxy.yaml +14 -0
package/echidna/elephant.yaml +7 -0
package/echidna/lendflare.yaml +42 -0
package/echidna.config.yaml +12 -0
package/elephant_raw.json +1 -0
package/eps_raw.json +1 -0
package/exploit/.github/workflows/test.yml +38 -0
package/exploit/.gitmodules +3 -0
package/exploit/README.md +66 -0
package/exploit/foundry.lock +8 -0
package/exploit/lib/forge-std/.gitattributes +1 -0
package/exploit/lib/forge-std/.github/CODEOWNERS +1 -0
package/exploit/lib/forge-std/.github/dependabot.yml +6 -0
package/exploit/lib/forge-std/.github/workflows/ci.yml +125 -0
package/exploit/lib/forge-std/.github/workflows/sync.yml +36 -0
package/exploit/lib/forge-std/CONTRIBUTING.md +193 -0
package/exploit/lib/forge-std/LICENSE-APACHE +203 -0
package/exploit/lib/forge-std/LICENSE-MIT +25 -0
package/exploit/lib/forge-std/README.md +314 -0
package/exploit/lib/forge-std/RELEASE_CHECKLIST.md +12 -0
package/exploit/lib/forge-std/package.json +16 -0
package/exploit/lib/forge-std/scripts/vm.py +636 -0
package/exploit_analysis.txt +51 -0
package/extract_contract.py +21 -0
package/extract_elephant_contracts.py +24 -0
package/fara-staking-bytecode.txt +1 -0
package/fara-staking-raw.txt +1 -0
package/fetch-aria.js +46 -0
package/fetch-contract.js +50 -0
package/fetch-shegic-source.js +86 -0
package/fetch-snowcrash.js +44 -0
package/fetch-staking-source.js +53 -0
package/fetch-tlm.js +60 -0
package/fetch_elephant_source.py +32 -0
package/find-ceek-staking.js +21 -0
package/find-exploit-tx.js +88 -0
package/find-oiler-holders.js +100 -0
package/find-tlm-holder.js +36 -0
package/find-vulnerable-fund.js +94 -0
package/foundry.lock +8 -0
package/fuzz-all.sh +53 -0
package/get-aria-contract.py +40 -0
package/get-lft-holders.js +89 -0
package/get-tlm-source.sh +8 -0
package/harvest_txs.json +1 -0
package/lft-bytecode-raw.txt +1 -0
package/lft-bytecode.json +1 -0
package/lft-impl.bin +1 -0
package/lft-implementation-bytecode.txt +1 -0
package/lib/forge-std/.gitattributes +1 -0
package/lib/forge-std/.github/CODEOWNERS +1 -0
package/lib/forge-std/.github/dependabot.yml +6 -0
package/lib/forge-std/.github/workflows/ci.yml +125 -0
package/lib/forge-std/.github/workflows/sync.yml +36 -0
package/lib/forge-std/CONTRIBUTING.md +193 -0
package/lib/forge-std/LICENSE-APACHE +203 -0
package/lib/forge-std/LICENSE-MIT +25 -0
package/lib/forge-std/README.md +314 -0
package/lib/forge-std/RELEASE_CHECKLIST.md +12 -0
package/lib/forge-std/package.json +16 -0
package/lib/forge-std/scripts/vm.py +636 -0
package/lib/openzeppelin-contracts/.changeset/config.json +12 -0
package/lib/openzeppelin-contracts/.codecov.yml +12 -0
package/lib/openzeppelin-contracts/.editorconfig +21 -0
package/lib/openzeppelin-contracts/.eslintrc +20 -0
package/lib/openzeppelin-contracts/.github/ISSUE_TEMPLATE/bug_report.md +21 -0
package/lib/openzeppelin-contracts/.github/ISSUE_TEMPLATE/config.yml +4 -0
package/lib/openzeppelin-contracts/.github/ISSUE_TEMPLATE/feature_request.md +14 -0
package/lib/openzeppelin-contracts/.github/PULL_REQUEST_TEMPLATE.md +20 -0
package/lib/openzeppelin-contracts/.github/actions/gas-compare/action.yml +49 -0
package/lib/openzeppelin-contracts/.github/actions/setup/action.yml +21 -0
package/lib/openzeppelin-contracts/.github/actions/storage-layout/action.yml +55 -0
package/lib/openzeppelin-contracts/.github/workflows/actionlint.yml +18 -0
package/lib/openzeppelin-contracts/.github/workflows/changeset.yml +28 -0
package/lib/openzeppelin-contracts/.github/workflows/checks.yml +118 -0
package/lib/openzeppelin-contracts/.github/workflows/docs.yml +19 -0
package/lib/openzeppelin-contracts/.github/workflows/formal-verification.yml +68 -0
package/lib/openzeppelin-contracts/.github/workflows/release-cycle.yml +214 -0
package/lib/openzeppelin-contracts/.github/workflows/upgradeable.yml +34 -0
package/lib/openzeppelin-contracts/.gitmodules +7 -0
package/lib/openzeppelin-contracts/.mocharc.js +4 -0
package/lib/openzeppelin-contracts/.prettierrc +15 -0
package/lib/openzeppelin-contracts/.solcover.js +13 -0
package/lib/openzeppelin-contracts/CHANGELOG.md +972 -0
package/lib/openzeppelin-contracts/CODE_OF_CONDUCT.md +73 -0
package/lib/openzeppelin-contracts/CONTRIBUTING.md +36 -0
package/lib/openzeppelin-contracts/GUIDELINES.md +148 -0
package/lib/openzeppelin-contracts/LICENSE +22 -0
package/lib/openzeppelin-contracts/README.md +107 -0
package/lib/openzeppelin-contracts/RELEASING.md +45 -0
package/lib/openzeppelin-contracts/SECURITY.md +42 -0
package/lib/openzeppelin-contracts/audits/2017-03.md +292 -0
package/lib/openzeppelin-contracts/audits/2018-10.pdf +0 -0
package/lib/openzeppelin-contracts/audits/2022-10-Checkpoints.pdf +0 -0
package/lib/openzeppelin-contracts/audits/2022-10-ERC4626.pdf +0 -0
package/lib/openzeppelin-contracts/audits/2023-05-v4.9.pdf +0 -0
package/lib/openzeppelin-contracts/audits/2023-10-v5.0.pdf +0 -0
package/lib/openzeppelin-contracts/audits/README.md +17 -0
package/lib/openzeppelin-contracts/certora/Makefile +54 -0
package/lib/openzeppelin-contracts/certora/README.md +60 -0
package/lib/openzeppelin-contracts/certora/diff/access_manager_AccessManager.sol.patch +97 -0
package/lib/openzeppelin-contracts/certora/reports/2021-10.pdf +0 -0
package/lib/openzeppelin-contracts/certora/reports/2022-03.pdf +0 -0
package/lib/openzeppelin-contracts/certora/reports/2022-05.pdf +0 -0
package/lib/openzeppelin-contracts/certora/run.js +160 -0
package/lib/openzeppelin-contracts/certora/specs/AccessControl.spec +119 -0
package/lib/openzeppelin-contracts/certora/specs/AccessControlDefaultAdminRules.spec +464 -0
package/lib/openzeppelin-contracts/certora/specs/DoubleEndedQueue.spec +300 -0
package/lib/openzeppelin-contracts/certora/specs/ERC20.spec +352 -0
package/lib/openzeppelin-contracts/certora/specs/ERC20FlashMint.spec +55 -0
package/lib/openzeppelin-contracts/certora/specs/ERC20Wrapper.spec +198 -0
package/lib/openzeppelin-contracts/certora/specs/ERC721.spec +679 -0
package/lib/openzeppelin-contracts/certora/specs/EnumerableMap.spec +333 -0
package/lib/openzeppelin-contracts/certora/specs/EnumerableSet.spec +246 -0
package/lib/openzeppelin-contracts/certora/specs/Initializable.spec +165 -0
package/lib/openzeppelin-contracts/certora/specs/Ownable.spec +77 -0
package/lib/openzeppelin-contracts/certora/specs/Ownable2Step.spec +108 -0
package/lib/openzeppelin-contracts/certora/specs/Pausable.spec +96 -0
package/lib/openzeppelin-contracts/certora/specs/TimelockController.spec +274 -0
package/lib/openzeppelin-contracts/certora/specs/helpers/helpers.spec +7 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IAccessControl.spec +8 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IAccessControlDefaultAdminRules.spec +36 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IERC20.spec +11 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IERC2612.spec +5 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IERC3156FlashBorrower.spec +3 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IERC3156FlashLender.spec +5 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IERC5313.spec +3 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IERC721.spec +17 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IERC721Receiver.spec +3 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IOwnable.spec +5 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IOwnable2Step.spec +7 -0
package/lib/openzeppelin-contracts/certora/specs.json +86 -0
package/lib/openzeppelin-contracts/contracts/access/README.adoc +43 -0
package/lib/openzeppelin-contracts/contracts/finance/README.adoc +14 -0
package/lib/openzeppelin-contracts/contracts/governance/README.adoc +167 -0
package/lib/openzeppelin-contracts/contracts/interfaces/README.adoc +82 -0
package/lib/openzeppelin-contracts/contracts/metatx/README.adoc +12 -0
package/lib/openzeppelin-contracts/contracts/package.json +32 -0
package/lib/openzeppelin-contracts/contracts/proxy/README.adoc +87 -0
package/lib/openzeppelin-contracts/contracts/token/ERC1155/README.adoc +41 -0
package/lib/openzeppelin-contracts/contracts/token/ERC20/README.adoc +67 -0
package/lib/openzeppelin-contracts/contracts/token/ERC721/README.adoc +67 -0
package/lib/openzeppelin-contracts/contracts/token/common/README.adoc +10 -0
package/lib/openzeppelin-contracts/contracts/utils/README.adoc +88 -0
package/lib/openzeppelin-contracts/contracts/vendor/compound/LICENSE +11 -0
package/lib/openzeppelin-contracts/docs/README.md +16 -0
package/lib/openzeppelin-contracts/docs/antora.yml +7 -0
package/lib/openzeppelin-contracts/docs/config.js +21 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-attack-3a.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-attack-3b.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-attack-6.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-attack.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-deposit.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-mint.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-rate-linear.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-rate-loglog.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-rate-loglogext.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/tally-exec.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/tally-vote.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/nav.adoc +23 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/access-control.adoc +204 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/backwards-compatibility.adoc +48 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/crowdsales.adoc +11 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/drafts.adoc +19 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc1155.adoc +145 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc20-supply.adoc +71 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc20.adoc +77 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc4626.adoc +214 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc721.adoc +79 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/extending-contracts.adoc +77 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/faq.adoc +13 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/governance.adoc +240 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/index.adoc +79 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/tokens.adoc +31 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/upgradeable.adoc +77 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/utilities.adoc +185 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/wizard.adoc +15 -0
package/lib/openzeppelin-contracts/docs/templates/contract.hbs +111 -0
package/lib/openzeppelin-contracts/docs/templates/helpers.js +46 -0
package/lib/openzeppelin-contracts/docs/templates/page.hbs +4 -0
package/lib/openzeppelin-contracts/docs/templates/properties.js +64 -0
package/lib/openzeppelin-contracts/hardhat/env-artifacts.js +24 -0
package/lib/openzeppelin-contracts/hardhat/env-contract.js +25 -0
package/lib/openzeppelin-contracts/hardhat/ignore-unreachable-warnings.js +45 -0
package/lib/openzeppelin-contracts/hardhat/skip-foundry-tests.js +6 -0
package/lib/openzeppelin-contracts/hardhat/task-test-get-files.js +25 -0
package/lib/openzeppelin-contracts/hardhat.config.js +131 -0
package/lib/openzeppelin-contracts/lib/erc4626-tests/LICENSE +661 -0
package/lib/openzeppelin-contracts/lib/erc4626-tests/README.md +116 -0
package/lib/openzeppelin-contracts/lib/forge-std/.github/workflows/ci.yml +92 -0
package/lib/openzeppelin-contracts/lib/forge-std/.gitmodules +3 -0
package/lib/openzeppelin-contracts/lib/forge-std/LICENSE-APACHE +203 -0
package/lib/openzeppelin-contracts/lib/forge-std/LICENSE-MIT +25 -0
package/lib/openzeppelin-contracts/lib/forge-std/README.md +250 -0
package/lib/openzeppelin-contracts/lib/forge-std/package.json +16 -0
package/lib/openzeppelin-contracts/logo.svg +15 -0
package/lib/openzeppelin-contracts/netlify.toml +3 -0
package/lib/openzeppelin-contracts/package-lock.json +16544 -0
package/lib/openzeppelin-contracts/package.json +96 -0
package/lib/openzeppelin-contracts/remappings.txt +1 -0
package/lib/openzeppelin-contracts/renovate.json +4 -0
package/lib/openzeppelin-contracts/requirements.txt +1 -0
package/lib/openzeppelin-contracts/scripts/checks/compare-layout.js +20 -0
package/lib/openzeppelin-contracts/scripts/checks/compareGasReports.js +243 -0
package/lib/openzeppelin-contracts/scripts/checks/extract-layout.js +38 -0
package/lib/openzeppelin-contracts/scripts/checks/generation.sh +6 -0
package/lib/openzeppelin-contracts/scripts/checks/inheritance-ordering.js +54 -0
package/lib/openzeppelin-contracts/scripts/gen-nav.js +41 -0
package/lib/openzeppelin-contracts/scripts/generate/format-lines.js +16 -0
package/lib/openzeppelin-contracts/scripts/generate/run.js +49 -0
package/lib/openzeppelin-contracts/scripts/generate/templates/Checkpoints.js +247 -0
package/lib/openzeppelin-contracts/scripts/generate/templates/Checkpoints.opts.js +17 -0
package/lib/openzeppelin-contracts/scripts/generate/templates/Checkpoints.t.js +146 -0
package/lib/openzeppelin-contracts/scripts/generate/templates/EnumerableMap.js +283 -0
package/lib/openzeppelin-contracts/scripts/generate/templates/EnumerableSet.js +250 -0
package/lib/openzeppelin-contracts/scripts/generate/templates/SafeCast.js +126 -0
package/lib/openzeppelin-contracts/scripts/generate/templates/StorageSlot.js +78 -0
package/lib/openzeppelin-contracts/scripts/generate/templates/conversion.js +30 -0
package/lib/openzeppelin-contracts/scripts/git-user-config.sh +6 -0
package/lib/openzeppelin-contracts/scripts/helpers.js +37 -0
package/lib/openzeppelin-contracts/scripts/prepack.sh +23 -0
package/lib/openzeppelin-contracts/scripts/prepare-docs.sh +26 -0
package/lib/openzeppelin-contracts/scripts/release/format-changelog.js +33 -0
package/lib/openzeppelin-contracts/scripts/release/synchronize-versions.js +15 -0
package/lib/openzeppelin-contracts/scripts/release/update-comment.js +34 -0
package/lib/openzeppelin-contracts/scripts/release/version.sh +11 -0
package/lib/openzeppelin-contracts/scripts/release/workflow/exit-prerelease.sh +8 -0
package/lib/openzeppelin-contracts/scripts/release/workflow/github-release.js +48 -0
package/lib/openzeppelin-contracts/scripts/release/workflow/integrity-check.sh +20 -0
package/lib/openzeppelin-contracts/scripts/release/workflow/pack.sh +26 -0
package/lib/openzeppelin-contracts/scripts/release/workflow/publish.sh +26 -0
package/lib/openzeppelin-contracts/scripts/release/workflow/rerun.js +7 -0
package/lib/openzeppelin-contracts/scripts/release/workflow/set-changesets-pr-title.js +17 -0
package/lib/openzeppelin-contracts/scripts/release/workflow/start.sh +35 -0
package/lib/openzeppelin-contracts/scripts/release/workflow/state.js +112 -0
package/lib/openzeppelin-contracts/scripts/remove-ignored-artifacts.js +45 -0
package/lib/openzeppelin-contracts/scripts/solhint-custom/index.js +84 -0
package/lib/openzeppelin-contracts/scripts/solhint-custom/package.json +5 -0
package/lib/openzeppelin-contracts/scripts/update-docs-branch.js +65 -0
package/lib/openzeppelin-contracts/scripts/upgradeable/README.md +21 -0
package/lib/openzeppelin-contracts/scripts/upgradeable/patch-apply.sh +19 -0
package/lib/openzeppelin-contracts/scripts/upgradeable/patch-save.sh +18 -0
package/lib/openzeppelin-contracts/scripts/upgradeable/transpile-onto.sh +54 -0
package/lib/openzeppelin-contracts/scripts/upgradeable/transpile.sh +47 -0
package/lib/openzeppelin-contracts/scripts/upgradeable/upgradeable.patch +360 -0
package/lib/openzeppelin-contracts/slither.config.json +5 -0
package/lib/openzeppelin-contracts/solhint.config.js +20 -0
package/mythril-lft-output.txt +1 -0
package/mythril-lft-symbolic.txt +18 -0
package/mythril-lft.sh +20 -0
package/mythril-symbolic-output.txt +1 -0
package/mythril-symbolic.sh +42 -0
package/out/build-info/0026b78428192979.json +1 -0
package/out/build-info/03c4fc3b88486eba.json +1 -0
package/out/build-info/0540afa9b9a5c5a6.json +1 -0
package/out/build-info/081932f505bc08b9.json +1 -0
package/out/build-info/0da104ba0d6642d5.json +1 -0
package/out/build-info/197281971dbb5f23.json +1 -0
package/out/build-info/197e7e332832a232.json +1 -0
package/out/build-info/1a1cab9136eb5f94.json +1 -0
package/out/build-info/1b320204eb162aa2.json +1 -0
package/out/build-info/1e03f94398052674.json +1 -0
package/out/build-info/22ac085949602937.json +1 -0
package/out/build-info/234ef37453a9fa64.json +1 -0
package/out/build-info/2447db7b1878fa8e.json +1 -0
package/out/build-info/25568daeb484f5ff.json +1 -0
package/out/build-info/27465853244c49ce.json +1 -0
package/out/build-info/2c57a9e0f087453b.json +1 -0
package/out/build-info/3c62ae7de8da68c4.json +1 -0
package/out/build-info/3e771ae109e97bb3.json +1 -0
package/out/build-info/460499bc0a3465c4.json +1 -0
package/out/build-info/47ce37e50a4f115e.json +1 -0
package/out/build-info/4fcce5c63cf427d6.json +1 -0
package/out/build-info/4fd0a53fe63fddbb.json +1 -0
package/out/build-info/50f1247db9d769cc.json +1 -0
package/out/build-info/5317d0181a7a5e02.json +1 -0
package/out/build-info/594df509275ceb5b.json +1 -0
package/out/build-info/61983ac3f6141719.json +1 -0
package/out/build-info/638c4548307122fe.json +1 -0
package/out/build-info/67c2c43bdb7c0ded.json +1 -0
package/out/build-info/777f42643aad37b7.json +1 -0
package/out/build-info/7d7856f19e845354.json +1 -0
package/out/build-info/83976260b6f71e94.json +1 -0
package/out/build-info/83c23882000b963d.json +1 -0
package/out/build-info/84b2cce8f70b36be.json +1 -0
package/out/build-info/8bc13d31d7c3206a.json +1 -0
package/out/build-info/8e183bd4d9d8cf88.json +1 -0
package/out/build-info/94bfe1e7cafa8ff5.json +1 -0
package/out/build-info/99ec7d5e8d8ff360.json +1 -0
package/out/build-info/9ac044b29daa7d5e.json +1 -0
package/out/build-info/9b203227ff5d2e63.json +1 -0
package/out/build-info/9d18c5872c4282dd.json +1 -0
package/out/build-info/9f77f04f33baf9a3.json +1 -0
package/out/build-info/a6e1caf974787982.json +1 -0
package/out/build-info/a94b6348867a62d6.json +1 -0
package/out/build-info/ad93721947a8b195.json +1 -0
package/out/build-info/b42daddb5aa4b19f.json +1 -0
package/out/build-info/bf13512ae899f7e8.json +1 -0
package/out/build-info/c39f86c20a548c4a.json +1 -0
package/out/build-info/cb12bb975a2f4e65.json +1 -0
package/out/build-info/d0c6788fadc2aa60.json +1 -0
package/out/build-info/d2726bf94ed5b845.json +1 -0
package/out/build-info/d4eb00da50cce5cb.json +1 -0
package/out/build-info/db931924a3bc8bdd.json +1 -0
package/out/build-info/e1a503d49bc77401.json +1 -0
package/out/build-info/efe5396f8892ce77.json +1 -0
package/out/build-info/f536d90ced745969.json +1 -0
package/out/build-info/fed38823c7019b82.json +1 -0
package/package.json +51 -0
package/page.html +5384 -0
package/pancakeswap-simple-tvl.sql +15 -0
package/pancakeswap-top-pools.sql +29 -0
package/pancakeswap-tvl-optimized.sql +57 -0
package/pancakeswap-tvl-query.sql +60 -0
package/pancakeswap-underflow-hunting.sql +51 -0
package/pancakeswap-vulnerability-queries.sql +200 -0
package/posi_page.html +6369 -0
package/posi_response.json +29 -0
package/proxy_page.html +500 -0
package/run_mythril_elephant.sh +18 -0
package/sHEGIC-bytecode.bin +6 -0
package/sHEGIC-mythril-analysis.txt +1 -0
package/sHEGIC-mythril-full.txt +134 -0
package/sHEGIC_ANALYSIS.md +135 -0
package/sHEGIC_EXPLOIT_ANALYSIS.md +317 -0
package/sHEGIC_MYTHRIL_ANALYSIS.md +361 -0
package/scrape-snowcrash.js +28 -0
package/scripts/yooshi_drain.sh +154 -0
package/shi_raw.json +1 -0
package/temp.json +1 -0
package/temp_harvest.json +1 -0
package/temp_pika.json +1 -0
package/temp_posi.json +1 -0
package/temp_response.json +1 -0
package/test-lft-hidden-balance.js +108 -0
package/test-xfi-exploit.js +140 -0
package/trunk-liquidity-rescue.js +164 -0
package/vBABY_page.html +6153 -0
package/vBABY_response.json +29 -0
package/wsg_response.json +1 -0
package/yooldo_page.html +10371 -0

package/DBXEN_EXPLOIT_ANALYSIS.md ADDED Viewed

@@ -0,0 +1,530 @@
+# DBXen Exploit - Complete Transaction Analysis
+## ERC2771 Meta-Transaction Accounting Vulnerability
+**Loss**: ~$150K
+**Chains**: Ethereum + BSC
+**Root Cause**: `_msgSender()` vs `msg.sender` inconsistency in ERC2771 forwarder context
+**Attack Date**: March 12, 2026
+---
+## Executive Summary
+The DBXen protocol suffered a $150K exploit due to an accounting inconsistency when using ERC2771 meta-transactions. The vulnerability allowed attackers to:
+1. Burn XEN tokens through a forwarder contract
+2. Record burned amounts under their own address (`_msgSender()`)
+3. Have cycle accounting updated for the forwarder (`msg.sender`)
+4. Claim fees and rewards calculated from cycle 0 (entire protocol history)
+---
+## Transaction Log Analysis
+### Ethereum Attack (Transaction 1)
+**Key Addresses**:
+- Forwarder: `0xF3281221bA95af0C5BBcBd2474cE8C090233133b`
+- Attacker EOA: `0x425D3eC2DCeBE2c04bA1687504D43AFC6be7328d`
+- DBXen Protocol: `0xF5c80c305803280B587F8cabBcCdC4d9BF522AbD`
+- XEN Token: `0x06450dEe7FD2Fb8E39061434BAbCFC05599a6Fb8`
+- DXN Token: `0x80f0C1c49891dcFDD40b6e0F960F84E6042bcB6f`
+#### Attack Flow (Ethereum)
+**Step 1: Register Forwarder Domain**
+```
+Event #275: DomainRegistered
+- Contract: 0xF3281221bA95af0C5BBcBd2474cE8C090233133b (Forwarder)
+- domainSeparator: 60CD3EC5B0CC835FF8F253998AA7428D8D4970EBB7DDA5560A037CAC5B714CFE
+```
+*Purpose*: Enable ERC2771 meta-transaction execution through forwarder
+**Step 2: Acquire XEN Tokens**
+```
+Event #276-280: Swap WETH for XEN
+- Wrapped 0.0497 ETH → WETH
+- Swapped via Uniswap V2 (XEN/WETH pair: 0xC0d776E2223c9a2ad13433DAb7eC08cB9C5E76ae)
+- Received: 13,900,000,000 XEN (13.9 billion)
+- Cost: 49,769,244,830,613,088 wei (~0.0497 ETH)
+```
+**Step 3: Transfer XEN to Forwarder**
+```
+Event #281: Transfer
+- From: 0xeb233deAeB7F594E2A73E914eE1f6aE79b491866 (attacker helper)
+- To: 0xF3281221bA95af0C5BBcBd2474cE8C090233133b (Forwarder)
+- Amount: 13,900,000,000 XEN
+```
+**Step 4: Approve DBXen to Spend XEN**
+```
+Event #282-283: Approval
+- Owner: Forwarder (0xF3281221bA95af0C5BBcBd2474cE8C090233133b)
+- Spender: DBXen (0xF5c80c305803280B587F8cabBcCdC4d9BF522AbD)
+- Amount: 13,900,000,000 XEN → 0 (approve then reset)
+```
+**Step 5: Burn XEN Through Forwarder**
+```
+Event #284: Transfer (Burn)
+- From: Forwarder (0xF3281221bA95af0C5BBcBd2474cE8C090233133b)
+- To: 0x0000000000000000000000000000000000000000 (burn address)
+- Amount: 13,900,000,000 XEN
+Event #285: Burn Event
+- Contract: DBXen (0xF5c80c305803280B587F8cabBcCdC4d9BF522AbD)
+- userAddress: Forwarder (0xF3281221bA95af0C5BBcBd2474cE8C090233133b)
+- batchNumber: 13,900,000,000
+```
+**CRITICAL VULNERABILITY**:
+- Burn recorded under `_msgSender()` = `0x425D3eC2DCeBE2c04bA1687504D43AFC6be7328d` (attacker)
+- Cycle records updated for `msg.sender` = `0xF3281221bA95af0C5BBcBd2474cE8C090233133b` (forwarder)
+**Step 6: Claim Fees (Exploiting Accounting Mismatch)**
+```
+Event #286: FeesClaimed
+- cycle: 1085
+- account: 0x425D3eC2DCeBE2c04bA1687504D43AFC6be7328d (attacker EOA)
+- fees: 65,361,960,326,939,766,177 wei (~65.36 ETH)
+```
+**Why This Works**:
+- Attacker's `lastActiveCycle` = 0 (never updated)
+- Attacker's `accCycleBatchesBurned` = 13,900,000,000 (recorded during burn)
+- `updateStats()` calculates fees from cycle 0 to current cycle (1085)
+- Attacker receives fees accumulated over entire protocol history
+**Step 7: Claim Rewards**
+```
+Event #287-288: RewardsClaimed + DXN Mint
+- cycle: 1085
+- account: 0x425D3eC2DCeBE2c04bA1687504D43AFC6be7328d (attacker)
+- reward: 2,305,427,706,597,006,261,143 DXN (~2,305 DXN)
+- Minted from: 0x0000000000000000000000000000000000000000
+- To: 0x425D3eC2DCeBE2c04bA1687504D43AFC6be7328d
+```
+**Step 8: Transfer Profits**
+```
+Event #289-290: Approve and Transfer DXN
+- Approved unlimited DXN to 0xeb233deAeB7F594E2A73E914eE1f6aE79b491866
+- Transferred 2,305,427,706,597,006,261,143 DXN to 0x63150aC8E35c6C685E93eE4D7d5cB8EAfb2F016B
+```
+**Ethereum Profit**:
+- 65.36 ETH in fees
+- 2,305.43 DXN tokens
+---
+### BSC Attack (Transaction 2)
+**Key Addresses**:
+- Forwarder: `0x8c229A2e3178f1BE5F5F4fCdC2D5833c8a60e831`
+- Attacker EOA: `0xE92fA2a5feF535479A91Ab9ED90B26256ff276f1`
+- DBXen Protocol: `0x9caf6C4e5B9E3A6f83182Befd782304c7A8EE6De`
+- bXEN Token: `0x2AB0e9e4eE70FFf1fB9D67031E44F6410170d00e`
+- DXN Token: `0xcCd09B80453335aa914F5D9174984b6586c315EC`
+#### Attack Flow (BSC)
+**Step 1: Register Forwarder Domain**
+```
+Event #426: DomainRegistered
+- Contract: 0x8c229A2e3178f1BE5F5F4fCdC2D5833c8a60e831 (Forwarder)
+- domainSeparator: 68EA2FCF5B4BD5EA8D5A26810D3382078B7C1D46BB5E84BC91C15A06A80EAE26
+```
+**Step 2: Acquire bXEN Tokens**
+```
+Event #427-431: Swap BNB for bXEN
+- Wrapped 0.1 BNB → WBNB
+- Swapped via PancakeSwap V3 (bXEN/WBNB pair: 0x85d3F8A47314EEB541e2eE1bc7aF44EfB7c28cF1)
+- Received: 319,304,434,497,884,069,376,841,983,459 bXEN (~319 trillion)
+- Cost: 100,000,000,000,000,000 wei (0.1 BNB)
+```
+**Step 3: Transfer bXEN to Forwarder**
+```
+Event #432: Transfer
+- From: 0x53CE337EbaE95CeE44365D436bA0A9BF87c8B498 (swap helper)
+- To: 0x8c229A2e3178f1BE5F5F4fCdC2D5833c8a60e831 (Forwarder)
+- Amount: 319,304,434,497,884,069,376,841,983,459 bXEN
+```
+**Step 4: Approve DBXen**
+```
+Event #433: Approval
+- Owner: Forwarder
+- Spender: DBXen (0x9caf6C4e5B9E3A6f83182Befd782304c7A8EE6De)
+- Amount: Unlimited
+```
+**Step 5: Burn bXEN Through Forwarder (Two Burns)**
+```
+Burn #1:
+Event #434-435: Transfer + Burn Event
+- Amount: 25,000,000,000 bXEN (25 billion)
+- userAddress: Forwarder
+- batchNumber: 25,000,000,000
+Burn #2:
+Event #436-437: Transfer + Burn Event
+- Amount: 20,000,000,000 bXEN (20 billion)
+- userAddress: Forwarder
+- batchNumber: 20,000,000,000
+Total Burned: 45,000,000,000 bXEN
+```
+**Step 6: Claim Fees**
+```
+Event #438: FeesClaimed
+- cycle: 1098
+- account: 0xE92fA2a5feF535479A91Ab9ED90B26256ff276f1 (attacker EOA)
+- fees: 23,120,136,413,166,268,137 wei (~23.12 BNB)
+```
+**Step 7: Claim Rewards**
+```
+Event #439-440: RewardsClaimed + DXN Mint
+- cycle: 1098
+- account: 0xE92fA2a5feF535479A91Ab9ED90B26256ff276f1
+- reward: 9,676,899,091,446,696,414,171 DXN (~9,676 DXN)
+```
+**BSC Profit**:
+- 23.12 BNB in fees
+- 9,676.90 DXN tokens
+---
+## Technical Vulnerability Analysis
+### The Core Bug
+**In `burnBatch()` function**:
+```solidity
+function burnBatch(uint256 amount) external {
+    // gasWrapper modifier uses _msgSender() for accounting
+    modifier gasWrapper() {
+        // Records burn under _msgSender() (actual user)
+        accCycleBatchesBurned[_msgSender()] += amount;
+        _;
+    }
+    // XEN.burn() is called
+    XEN.burn(msg.sender, amount);  // Burns from msg.sender (forwarder)
+    // XEN contract calls back via onTokenBurned()
+}
+```
+**In `onTokenBurned()` callback**:
+```solidity
+function onTokenBurned(address user, uint256 amount) external {
+    require(msg.sender == XEN_ADDRESS);
+    // BUG: Updates cycle records for msg.sender (forwarder)
+    // Should use user parameter or _msgSender()
+    lastActiveCycle[msg.sender] = currentCycle;
+    lastFeeUpdateCycle[msg.sender] = currentCycle;
+}
+```
+### The Accounting Mismatch
+**After forwarder execution**:
+| Variable | Forwarder Address | Attacker Address |
+|----------|------------------|------------------|
+| `accCycleBatchesBurned` | 0 | 13,900,000,000 ✓ |
+| `lastActiveCycle` | 1085 ✓ | 0 (never set) |
+| `lastFeeUpdateCycle` | 1085 ✓ | 0 (never set) |
+**When attacker calls `claimFees()`**:
+```solidity
+function claimFees() external {
+    updateStats(msg.sender);  // msg.sender = attacker EOA
+}
+function updateStats(address user) internal {
+    // user = attacker
+    // lastFeeUpdateCycle[attacker] = 0 (never updated!)
+    // accCycleBatchesBurned[attacker] = 13,900,000,000 (recorded!)
+    // Calculates fees from cycle 0 to current cycle
+    for (uint256 i = lastFeeUpdateCycle[user]; i < currentCycle; i++) {
+        fees += calculateFees(accCycleBatchesBurned[user], i);
+    }
+    // Attacker receives fees for ALL cycles since protocol launch!
+}
+```
+---
+## Attack Economics
+### Ethereum Chain
+**Investment**:
+- 0.0497 ETH for 13.9B XEN
+- Gas costs: ~0.05 ETH (estimated)
+- Total: ~0.1 ETH
+**Returns**:
+- 65.36 ETH in fees
+- 2,305.43 DXN tokens
+**Net Profit**: ~65.26 ETH + 2,305 DXN
+### BSC Chain
+**Investment**:
+- 0.1 BNB for 319T bXEN
+- Gas costs: ~0.01 BNB (estimated)
+- Total: ~0.11 BNB
+**Returns**:
+- 23.12 BNB in fees
+- 9,676.90 DXN tokens
+**Net Profit**: ~23 BNB + 9,676 DXN
+### Total Exploit Value
+**At time of attack** (estimated):
+- ETH: 65.26 ETH × $2,500 = $163,150
+- BNB: 23 BNB × $350 = $8,050
+- DXN: 11,982 DXN × $X = $Y
+**Estimated Total**: ~$150K - $200K
+---
+## Attack Pattern Comparison
+### Similar to Oiler Token (Your Previous Audit)
+**Oiler Vulnerability**:
+- `transferAndCall()` → `onTokenTransfer()` callback
+- During callback, attacker calls `transferFrom()` to drain approvals
+- State updated before call, but callback allows manipulation
+**DBXen Vulnerability**:
+- `burnBatch()` → `onTokenBurned()` callback
+- During callback, cycle records updated for wrong address
+- Accounting split between `_msgSender()` and `msg.sender`
+**Key Similarity**: Both involve **callback-based accounting inconsistencies**
+### Similar to BCE Token (Your Previous Audit)
+**BCE Vulnerability**:
+- Transfer hook burns tokens from LP pool
+- Creates mismatch between balances and reserves
+**DBXen Vulnerability**:
+- Callback updates cycle records for forwarder
+- Creates mismatch between burn records and cycle accounting
+**Key Similarity**: Both involve **state updates in hooks affecting wrong addresses**
+---
+## Root Cause Analysis
+### Why ERC2771 Creates This Vulnerability
+**ERC2771 Meta-Transaction Pattern**:
+```solidity
+// Forwarder contract
+function execute(Request calldata req, bytes calldata signature) external {
+    // Appends actual sender to calldata
+    bytes memory data = abi.encodePacked(req.data, req.from);
+    // Calls target contract
+    target.call(data);
+}
+// Target contract (DBXen)
+function _msgSender() internal view returns (address) {
+    if (msg.sender == FORWARDER) {
+        // Extracts actual sender from calldata
+        return address(bytes20(msg.data[msg.data.length - 20:]));
+    }
+    return msg.sender;
+}
+```
+**The Problem**:
+1. `burnBatch()` uses `_msgSender()` → returns attacker address
+2. XEN contract calls `onTokenBurned(msg.sender)` → `msg.sender` is forwarder
+3. `onTokenBurned()` updates state for `msg.sender` (forwarder), not for actual user
+**The Fix**:
+```solidity
+function onTokenBurned(address user, uint256 amount) external {
+    require(msg.sender == XEN_ADDRESS);
+    // FIX: Use user parameter, not msg.sender
+    lastActiveCycle[user] = currentCycle;
+    lastFeeUpdateCycle[user] = currentCycle;
+    // OR: Use _msgSender() consistently
+    lastActiveCycle[_msgSender()] = currentCycle;
+    lastFeeUpdateCycle[_msgSender()] = currentCycle;
+}
+```
+---
+## Mitigation Strategies
+### 1. Consistent Sender Identification
+```solidity
+// ALWAYS use _msgSender() in ERC2771 context
+function onTokenBurned(address user, uint256 amount) external {
+    address actualUser = _msgSender();  // Not msg.sender!
+    lastActiveCycle[actualUser] = currentCycle;
+}
+```
+### 2. Validate Callback Context
+```solidity
+function onTokenBurned(address user, uint256 amount) external {
+    require(msg.sender == XEN_ADDRESS);
+    require(user == _msgSender(), "User mismatch");  // Validate!
+    lastActiveCycle[user] = currentCycle;
+}
+```
+### 3. Disable Forwarder for Sensitive Operations
+```solidity
+function burnBatch(uint256 amount) external {
+    require(msg.sender == _msgSender(), "No meta-transactions");
+    // Rest of function
+}
+```
+### 4. Atomic State Updates
+```solidity
+function burnBatch(uint256 amount) external {
+    address user = _msgSender();
+    // Update ALL state atomically BEFORE external call
+    accCycleBatchesBurned[user] += amount;
+    lastActiveCycle[user] = currentCycle;
+    lastFeeUpdateCycle[user] = currentCycle;
+    // Then burn
+    XEN.burn(amount);
+}
+```
+---
+## Detection Patterns
+### Static Analysis Checklist
+1. **ERC2771 Usage**: Does contract inherit from ERC2771Context?
+2. **Mixed Sender References**: Uses both `_msgSender()` and `msg.sender`?
+3. **Callback Functions**: External calls that trigger callbacks?
+4. **State Updates in Callbacks**: Callbacks update state using `msg.sender`?
+5. **Accounting Variables**: Multiple variables tracking same user action?
+### Code Smell Indicators
+```solidity
+// RED FLAG #1: Mixed sender usage
+function foo() external {
+    balances[_msgSender()] += amount;  // Uses _msgSender()
+    // ...
+    callback(msg.sender);  // Uses msg.sender - INCONSISTENT!
+}
+// RED FLAG #2: Callback uses msg.sender
+function onCallback() external {
+    lastUpdate[msg.sender] = block.timestamp;  // Should use _msgSender()!
+}
+// RED FLAG #3: Split accounting
+function action() external {
+    userAmount[_msgSender()] = x;  // Recorded for _msgSender()
+    // ...
+    // Callback updates different variable for msg.sender
+}
+```
+---
+## Lessons Learned
+### 1. ERC2771 Requires Consistent Sender Identification
+- ALWAYS use `_msgSender()` in ERC2771 context
+- NEVER mix `_msgSender()` and `msg.sender` in same flow
+- Validate sender consistency in callbacks
+### 2. Callbacks Are High-Risk for Accounting Bugs
+- State updates in callbacks must use correct address
+- Validate callback parameters against expected sender
+- Consider atomic state updates before external calls
+### 3. Automated Tools Miss Context-Dependent Bugs
+- Slither/Mythril didn't detect this vulnerability
+- Requires understanding of ERC2771 meta-transaction flow
+- Manual audit essential for complex patterns
+### 4. Test with Forwarder Execution
+- Unit tests should include forwarder scenarios
+- Verify accounting consistency across execution paths
+- Fuzz test with different sender contexts
+---
+## Comparison with Your Previous Audits
+| Vulnerability | Project | Callback Type | Accounting Issue | Your Coverage |
+|---------------|---------|---------------|------------------|---------------|
+| **DBXen** | DBXen | `onTokenBurned()` | `_msgSender()` vs `msg.sender` | ✅ Similar pattern |
+| **Oiler** | OIL Token | `onTokenTransfer()` | Reentrancy during callback | ✅ Documented |
+| **BCE** | BCE Token | Transfer hook | Burns from wrong address | ✅ Documented |
+| **EtherFreakers** | NFT Game | `_beforeTokenTransfer()` | Double-counting energy | ✅ In knowledge base |
+**Conclusion**: You've already identified and documented this vulnerability class! The DBXen case is a **meta-transaction variant** of callback-based accounting inconsistencies you've seen in Oiler and BCE.
+---
+## Recommendations for Future Audits
+### When Auditing ERC2771 Contracts
+1. **Map all `_msgSender()` and `msg.sender` usage**
+2. **Trace execution through forwarder context**
+3. **Verify callback functions use correct sender**
+4. **Check for split accounting variables**
+5. **Test with forwarder execution scenarios**
+### Red Flags to Watch For
+- ✅ Contract inherits ERC2771Context
+- ✅ Uses both `_msgSender()` and `msg.sender`
+- ✅ Has external calls that trigger callbacks
+- ✅ Callbacks update state using `msg.sender`
+- ✅ Multiple variables track same user action
+**If all 5 present → HIGH RISK for DBXen-style vulnerability**
+---
+## Files to Create
+1. `DBXenExploit.sol` - POC exploit contract
+2. `test/DBXenExploit.t.sol` - Foundry test reproducing attack
+3. `DBXEN_MITIGATION.md` - Detailed fix recommendations
+---
+**Analysis Complete**: The DBXen exploit is a sophisticated ERC2771 meta-transaction vulnerability that exploits accounting inconsistencies between `_msgSender()` and `msg.sender` in callback contexts. This pattern is similar to vulnerabilities you've already documented in Oiler and BCE tokens, confirming your expertise in callback-based accounting bugs.

package/DOPFairLaunch_raw.json ADDED Viewed

@@ -0,0 +1,29 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
+<title>404 - File or directory not found.</title>
+<style type="text/css">
+<!--
+body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
+fieldset{padding:0 15px 10px 15px;}
+h1{font-size:2.4em;margin:0;color:#FFF;}
+h2{font-size:1.7em;margin:0;color:#CC0000;}
+h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
+#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
+background-color:#555555;}
+#content{margin:0 0 0 2%;position:relative;}
+.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
+-->
+</style>
+</head>
+<body>
+<div id="header"><h1>Server Error</h1></div>
+<div id="content">
+ <div class="content-container"><fieldset>
+  <h2>404 - File or directory not found.</h2>
+  <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
+ </fieldset></div>
+</div>
+</body>
+</html>

package/DOPFairLaunch_source.txt ADDED Viewed

File without changes

package/DOP_BRIDGE_FINAL_ANALYSIS.txt ADDED Viewed

@@ -0,0 +1,86 @@
+==========================================================================
+DOP BRIDGE PROXY - UNINITIALIZED IMPLEMENTATION ANALYSIS
+==========================================================================
+Contract: 0xCe25f595e3d7F4aBCd6A9C097c14597cBb7915e2 (Proxy)
+Implementation: 0xd82483d9DE628547477e389790A6382124D3de0F
+DOP Holdings: 574,788 DOP (~$1,300,000 USD)
+[VULNERABILITY HYPOTHESIS]
+User reported that implementation's isInitialized() returns FALSE, suggesting
+the implementation contract might be uninitialized and exploitable.
+[TESTING PERFORMED]
+✓ Checked isInitialized() - Returns FALSE
+✓ Checked owner() - Returns 0x0
+✓ Checked bridgeContract() - Returns 0x0
+✓ Checked standard storage slots 0-20 - All empty
+✓ Checked OpenZeppelin Initializable slot - Empty (0)
+✓ Attempted initialize() with various parameters - ALL FAILED
+✓ Tried with EOA addresses - FAILED
+✓ Tried with contract addresses - FAILED
+✓ Tried with minimal parameters - FAILED
+✓ Tried with PROXY as bridge - FAILED
+✓ Tried different decimal shifts - FAILED
+[FINDINGS]
+1. Implementation contract HAS CODE (14,197 bytes)
+2. isInitialized() returns FALSE
+3. owner() returns 0x0
+4. BUT initialize() ALWAYS REVERTS with no error message
+[ROOT CAUSE]
+The implementation contract was likely deployed with OpenZeppelin's
+`_disableInitializers()` called in the constructor. This is a security
+best practice for implementation contracts to prevent them from being
+initialized directly.
+From OpenZeppelin docs:
+```solidity
+constructor() {
+    _disableInitializers();
+}
+```
+This sets a special flag that prevents initialize() from ever being called
+on the implementation contract itself. The initialize() function can only
+be called through the proxy via delegatecall during proxy deployment.
+[WHY isInitialized() RETURNS FALSE]
+The isInitialized() function likely checks a different storage slot than
+the one set by _disableInitializers(). The disable flag is stored in a
+special OpenZeppelin storage location that prevents initialization, but
+the contract's own isInitialized boolean remains false.
+[EXPLOIT VIABILITY]
+**NOT EXPLOITABLE**
+Even though isInitialized() returns false, the implementation contract
+cannot be initialized because:
+1. _disableInitializers() was called in constructor
+2. This permanently blocks all initialization attempts
+3. The revert has no error message because it's an assert() or require()
+   without a message in the Initializable modifier
+[SECURITY ASSESSMENT]
+The implementation contract is PROPERLY SECURED using OpenZeppelin's
+recommended pattern for upgradeable contracts. The developers correctly:
+1. Called _disableInitializers() in the implementation constructor
+2. Ensured initialization can only happen through the proxy
+3. Prevented direct initialization of the implementation
+[CONCLUSION]
+NO EXPLOIT POSSIBLE
+The 574,788 DOP (~$1.3M) in the proxy contract is SECURE.
+The implementation contract cannot be initialized by external attackers,
+and therefore we cannot gain owner privileges to call:
+- claimTokens()
+- fixMediatorBalance()
+- fixAssetsAboveLimits()
+- setTransferFeePercent()
+VERDICT: SECURE - No exploitable vulnerability
+[RECOMMENDATION]
+Move on to analyzing other contracts. This bridge is properly secured.

package/DOP_BUSD_LP_ANALYSIS.txt ADDED Viewed

@@ -0,0 +1,44 @@
+==========================================================================
+DOP/BUSD LP PAIR ANALYSIS
+==========================================================================
+Contract: 0xC789F6C658809eED4d1769a46fc7BCe5dbB8316E (BSC)
+Type: Twindex LP Token (Uniswap V2 Fork)
+[PAIR COMPOSITION]
+Token0: 0x844FA82f1E54824655470970F7004Dd90546bB28 (DOP)
+Token1: 0xe9e7CEA3DedcA5984780Bafc599bD69ADd087D56 (BUSD)
+[RESERVES]
+- DOP Reserve: 798,634 DOP
+- BUSD Reserve: 16,505 BUSD
+- Total Liquidity Value: ~$33,010 USD
+[ACTUAL BALANCES]
+- DOP Balance: 798,634 DOP (matches reserve)
+- BUSD Balance: 16,505 BUSD (matches reserve)
+[DESYNC CHECK]
+✓ DOP: No desync
+✓ BUSD: No desync
+[EXPLOIT VECTORS TESTED]
+1. Skim Attack - NOT POSSIBLE (no desync)
+2. Donate + Sync Attack - NOT PROFITABLE (no arbitrage opportunity)
+3. Flash Loan Attack - NOT APPLICABLE (standard LP pair)
+4. Reserve Manipulation - PROTECTED (standard Uniswap V2)
+5. Reentrancy - PROTECTED (standard implementation)
+[CONCLUSION]
+This is a standard Uniswap V2 LP pair contract (Twindex fork).
+NO EXPLOITS FOUND for external attackers.
+The contract holds:
+- 798,634 DOP tokens
+- 16,505 BUSD tokens
+- Total value: ~$34,446 USD
+All funds belong to legitimate liquidity providers who deposited
+tokens to provide liquidity for the DOP/BUSD trading pair.
+VERDICT: SECURE - No exploitable vulnerabilities