npm - uups-checker - Versions diffs - 1.0.0 - Mend

uups-checker 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (670) hide show

package/.gitmodules +6 -0
package/AIFI_AUDIT.md +220 -0
package/ALL_AUDITS_SUMMARY.md +366 -0
package/ALPHA_PROXY_CRITICAL_FINDING.md +136 -0
package/ALPHA_PROXY_FINAL_ANALYSIS.md +213 -0
package/ALPHA_PROXY_FINAL_VERDICT.md +233 -0
package/ALPHA_PROXY_SELFDESTRUCT_EXPLOIT.md +161 -0
package/ARIA-foundry-test.txt +9 -0
package/ARIA-mythril-analysis.txt +20 -0
package/ARIA-slither-analysis.txt +38 -0
package/ARIA_AI_SECURITY_AUDIT.md +290 -0
package/ARIA_VERIFIED_AUDIT.md +259 -0
package/ARIA_VERIFIED_slither.txt +76 -0
package/ARIVA_source.txt +1 -0
package/ARK_AUDIT.md +349 -0
package/BANANA_AUDIT.md +365 -0
package/BAS_AUDIT.md +451 -0
package/BAS_TOKEN_AUDIT.md +235 -0
package/BCE_EXPLOIT_ANALYSIS.md +165 -0
package/BEEFY_BNB_CHAIN_ANALYSIS.md +488 -0
package/BEEFY_MONAD_ANALYSIS.md +239 -0
package/BEEFY_STAKING_ANALYSIS.md +136 -0
package/BEEFY_XVS_WBNB_ACTUAL_FINDINGS.md +223 -0
package/BEEFY_XVS_WBNB_CRITICAL_FINDINGS.md +269 -0
package/BLOCKSEC_ATTACK_KNOWLEDGE_BASE.md +771 -0
package/BRISE_ANALYSIS.txt +31 -0
package/BRISE_BSC_DAPPS.txt +68 -0
package/BRISE_EXPLOITS_FOUND.md +98 -0
package/BRISE_REAL_EXPLOITS.md +115 -0
package/BRISE_WHITEHAT_REPORT.md +162 -0
package/BRISEstake_Analysis.txt +95 -0
package/BSCSLOCKTOKEN_CRITICAL_FINDING.md +240 -0
package/BSW_BISWAP_SECURITY_AUDIT.md +330 -0
package/BTCST_FINAL_VERDICT.md +319 -0
package/BTCST_MINING_REBASE_ANALYSIS.md +229 -0
package/BTCST_ROUNDING_DEEP_DIVE.md +293 -0
package/BTCST_ROUNDING_FINAL_VERDICT.md +9 -0
package/BTCST_SECURITY_ANALYSIS.md +391 -0
package/BTR_AUDIT.md +210 -0
package/BeamBridge-analysis.md +226 -0
package/BeamToken-analysis.md +201 -0
package/BitgertSwap_Investigation.txt +107 -0
package/CEEK_STAKING_ANALYSIS.md +0 -0
package/CHAINBASE_AUDIT.md +422 -0
package/COMPLETE_AUDIT_SUMMARY.md +342 -0
package/CORRECTED_ANALYSIS.txt +115 -0
package/DBXEN_COMPARISON_SUMMARY.md +232 -0
package/DBXEN_EXPLOIT_ANALYSIS.md +530 -0
package/DOPFairLaunch_raw.json +29 -0
package/DOPFairLaunch_source.txt +0 -0
package/DOP_BRIDGE_FINAL_ANALYSIS.txt +86 -0
package/DOP_BUSD_LP_ANALYSIS.txt +44 -0
package/DOP_FAIRLAUNCH_ANALYSIS.txt +61 -0
package/DOP_FAIRLAUNCH_FINAL_VERDICT.txt +113 -0
package/DOP_STAKING_CONTRACT_ANALYSIS.txt +67 -0
package/DSYNC_ECOSYSTEM_ANALYSIS.md +221 -0
package/DSyncStaking-exploit-analysis.md +153 -0
package/DSyncVault-analysis.md +120 -0
package/DUSD_PROXY_AUDIT.md +407 -0
package/DXSALE_LOCK_AUDIT.md +0 -0
package/DXSaleLock_bytecode.txt +1 -0
package/ECHIDNA_QUICK_START.md +101 -0
package/ELEPHANT_ECOSYSTEM_AUDIT_PLAN.md +159 -0
package/ELEPHANT_ECOSYSTEM_COMPREHENSIVE_AUDIT.md +427 -0
package/ELEPHANT_SECURITY_ANALYSIS.md +209 -0
package/ELEPHANT_VULNERABILITIES_EXPLAINED.md +455 -0
package/EXPLOIT_FIX.md +300 -0
package/EXPLOIT_INSTRUCTIONS.md +273 -0
package/EXPLOIT_SUMMARY.md +285 -0
package/EXPLOIT_SUMMARY.txt +175 -0
package/FALCON_FINANCE_AUDIT.md +258 -0
package/FANDOM_AUDIT.md +359 -0
package/FEE_ON_TRANSFER_ANALYSIS.md +228 -0
package/FINAL_AUDIT_REPORT.md +0 -0
package/FOLIO_PROXY_AUDIT.md +299 -0
package/FOT_EXPLOIT_RESULTS.txt +110 -0
package/FOT_TOKENS_AUDITED.md +103 -0
package/HEGIC-mythril-analysis.txt +39 -0
package/HEGIC_COMPLETE_ANALYSIS.md +343 -0
package/HOTCROSS_SWAP_EXPLOIT_ANALYSIS.md +123 -0
package/ICECREAMSWAP_EXPLOITS.md +259 -0
package/IMMUNEFI_REPORT.md +314 -0
package/KCCPAD_EXPLOIT_GUIDE.md +285 -0
package/KEL_CEL_EXPLOIT_ANALYSIS.md +0 -0
package/KOGE_AUDIT.md +328 -0
package/LENDFLARE_ANALYSIS.md +239 -0
package/LENDFLARE_ECHIDNA_GUIDE.md +356 -0
package/LENDFLARE_EXPLOIT_INSTRUCTIONS.md +297 -0
package/LENDFLARE_EXPLOIT_SUMMARY.md +292 -0
package/LENDFLARE_FLASHLOAN_GUIDE.md +383 -0
package/LENDFLARE_FUZZING_RESULTS.md +252 -0
package/LENDFLARE_HONEYPOT_BYPASS_ANALYSIS.md +420 -0
package/LENDFLARE_MANUAL_FUZZING.md +324 -0
package/LENDFLARE_MYTHRIL_ANALYSIS.md +339 -0
package/LENDFLARE_V3_BYPASS.md +296 -0
package/LFTDECOMPILE.txt +14478 -0
package/LFT_ACCOUNTING_ANALYSIS.md +0 -0
package/LFT_ACCOUNTING_BUG_ANALYSIS.md +426 -0
package/LFT_BACKDOOR_DEEP_DIVE.md +0 -0
package/LFT_CRITICAL_EXPLOIT_CONFIRMED.md +428 -0
package/LFT_EXPLOIT_VISUAL.md +253 -0
package/LFT_QUICK_SUMMARY.md +124 -0
package/LFT_REVERSE_EXPLOIT_ANALYSIS.md +521 -0
package/MGO_AUDIT_REPORT.md +420 -0
package/MYTHRIL_FINAL_REPORT.md +306 -0
package/MYTHRIL_SLITHER_SUMMARY.md +244 -0
package/NETX_MIGRATION_AUDIT.md +0 -0
package/NPM_PUBLISH_GUIDE.md +0 -0
package/NRV_CRITICAL_EXPLOIT.txt +143 -0
package/NetX_Analysis.txt +76 -0
package/NetX_Migration_bytecode.txt +1 -0
package/NetX_Migration_source.txt +0 -0
package/NetX_Token_source.txt +0 -0
package/NetxWhitehatRescue +22 -0
package/OILER_ATTACK_VISUAL.md +351 -0
package/OILER_BLOCKSEC_TEST_RESULTS.md +421 -0
package/OILER_DEEP_ANALYSIS.md +212 -0
package/OILER_FINAL_EXPLOIT_REPORT.md +241 -0
package/OILER_FINAL_VERDICT.md +339 -0
package/OILER_REENTRANCY_EXPLAINED.md +638 -0
package/OILER_REENTRANCY_FINAL_SUMMARY.md +391 -0
package/OILER_REENTRANCY_REALITY_CHECK.md +393 -0
package/OILER_REENTRANCY_STEP_BY_STEP.md +597 -0
package/OILER_STAKING_MAINNET_ANALYSIS.md +366 -0
package/OILER_STAKING_SECURITY_ANALYSIS.md +409 -0
package/PANCAKESWAP_UNDERFLOW_HUNTING.md +317 -0
package/POLS_MULTICHAIN_AUDIT.md +0 -0
package/POSI_STAKING_AUDIT.md +0 -0
package/PROXY2_SECURITY_ANALYSIS.md +0 -0
package/Proxy2TACS +29748 -0
package/QUICK_START.md +240 -0
package/RAMP_SECURITY_ANALYSIS.md +0 -0
package/README.md +238 -0
package/REAUDIT_MASTER_LIST.txt +15 -0
package/RING_analysis.txt +212 -0
package/RPC +4 -0
package/RULES.txt +20 -0
package/SIREN_AUDIT.md +186 -0
package/SYNC_EXPLOIT_README.md +0 -0
package/SYNC_TOKEN_EXPLOIT_REPORT.md +224 -0
package/TLM_raw.html +0 -0
package/TLM_raw.txt +0 -0
package/TLM_response.json +1 -0
package/TRADOOR_AUDIT.md +253 -0
package/TRUNK_AUDIT.md +285 -0
package/UNIBASE_AUDIT.md +241 -0
package/UNLOCK_ANALYSIS.md +0 -0
package/UNLOCK_EXPLOIT.md +49 -0
package/UNLOCK_EXPLOIT_ANALYSIS.md +0 -0
package/UPS +232 -0
package/UUPSCHECKER +208 -0
package/VAULT_PROXY_AUDIT.md +457 -0
package/VAULT_PROXY_FINAL_VERDICT.md +0 -0
package/VERIFIED_EXPLOITS_FINAL.txt +146 -0
package/WKEYDAO2_AUDIT.md +245 -0
package/WSG_AUDIT.md +0 -0
package/XFI_DEEP_ANALYSIS.md +327 -0
package/YOOSHI_EXPLOIT_GUIDE.md +119 -0
package/YSDAO_EXPLOIT_GUIDE.md +0 -0
package/agent-4-bundle.md +22490 -0
package/alpha-proxy-echidna.txt +1 -0
package/alpha-proxy-fuzz-results.txt +81 -0
package/alpha-proxy-mythril.txt +2 -0
package/analyze-btcst-farm.js +54 -0
package/analyze-dxsale-lock.js +75 -0
package/analyze-elephant.js +69 -0
package/analyze-fara-rewards.js +109 -0
package/analyze-fara-storage.js +83 -0
package/analyze-lft-transaction.js +158 -0
package/analyze-lock-bytecode.js +59 -0
package/analyze-shegic.js +0 -0
package/analyze-staking-abi.js +0 -0
package/analyze-sxp.js +57 -0
package/analyze-tlm.js +76 -0
package/analyze-trumpet.js +98 -0
package/analyze-unlimited-nft.js +108 -0
package/analyze_elephant.sh +27 -0
package/analyze_vault.sh +32 -0
package/aria-bytecode.txt +1 -0
package/aria_response.json +1 -0
package/ark_temp/README.md +66 -0
package/ark_temp/lib/forge-std/.gitattributes +1 -0
package/ark_temp/lib/forge-std/.github/CODEOWNERS +1 -0
package/ark_temp/lib/forge-std/.github/dependabot.yml +6 -0
package/ark_temp/lib/forge-std/.github/workflows/ci.yml +125 -0
package/ark_temp/lib/forge-std/.github/workflows/sync.yml +36 -0
package/ark_temp/lib/forge-std/CONTRIBUTING.md +193 -0
package/ark_temp/lib/forge-std/LICENSE-APACHE +203 -0
package/ark_temp/lib/forge-std/LICENSE-MIT +25 -0
package/ark_temp/lib/forge-std/README.md +314 -0
package/ark_temp/lib/forge-std/RELEASE_CHECKLIST.md +12 -0
package/ark_temp/lib/forge-std/package.json +16 -0
package/ark_temp/lib/forge-std/scripts/vm.py +636 -0
package/audits/AiFi-security-audit-20260326.md +499 -0
package/audits/BasedAI-Brains-security-audit-20260324.md +651 -0
package/audits/BinanceAlphaWallet-pashov-ai-audit-report-20260324-170000.md +362 -0
package/audits/DGToken-security-audit-20260324.md +376 -0
package/audits/DSyncStaking-audit-part1.md +161 -0
package/audits/DSyncStaking-security-audit-20260324.md +547 -0
package/audits/DecompiledERC20-security-audit-20260325.md +397 -0
package/audits/DegenVC-security-audit-20260324.md +585 -0
package/audits/DelreyInu-security-audit-20260324.md +463 -0
package/audits/DestraNetwork-security-audit-20260324.md +705 -0
package/audits/DomiToken-security-audit-20260324.md +514 -0
package/audits/LendFlareToken-security-audit-20260325.md +197 -0
package/audits/LockReleaseTokenPool-security-audit-20260324.md +482 -0
package/audits/MOG-pashov-ai-audit-report-20260324-164900.md +229 -0
package/audits/PAALAI-security-audit-20260324.md +475 -0
package/audits/PAR-security-audit-20260325.md +311 -0
package/audits/PepeCoinStaking-security-audit-20260324.md +358 -0
package/audits/StakingPool-security-audit-20260324.md +517 -0
package/audits/SyncToken-security-audit-20260324.md +778 -0
package/audits/UndeadToken-decompiled-security-audit-20260324.md +485 -0
package/audits/UnknownToken-decompiled-security-audit-20260324.md +647 -0
package/audits/XFIStaking-security-audit-20260324.md +682 -0
package/audits/Xfinance-security-audit-20260324.md +463 -0
package/audits/basedAIFarm-security-audit-20260324.md +330 -0
package/audits/pepeCoin-security-audit-20260324.md +462 -0
package/bin/ups +232 -0
package/binance-wallet-exploit/.env.example +2 -0
package/binance-wallet-exploit/EXECUTIVE_SUMMARY.md +272 -0
package/binance-wallet-exploit/EXPLOIT_SUMMARY.md +104 -0
package/binance-wallet-exploit/FINAL_ANALYSIS.md +326 -0
package/binance-wallet-exploit/FLASHLOAN_ATTACK.md +292 -0
package/binance-wallet-exploit/HONEYPOT_REPORT.md +526 -0
package/binance-wallet-exploit/INVESTIGATION_COMPLETE.md +362 -0
package/binance-wallet-exploit/LENDFLARE_EXPLOIT.md +219 -0
package/binance-wallet-exploit/LENDFLARE_FINAL_ATTACK.md +307 -0
package/binance-wallet-exploit/LENDFLARE_REAL_EXPLOIT.md +286 -0
package/binance-wallet-exploit/LENDFLARE_RUGPULL.md +269 -0
package/binance-wallet-exploit/LFT_ANALYSIS.md +206 -0
package/binance-wallet-exploit/QUICK_START.md +75 -0
package/binance-wallet-exploit/README.md +195 -0
package/binance-wallet-exploit/REAL_TX_EXPLOIT_ANALYSIS.md +271 -0
package/binance-wallet-exploit/REMIX_INSTRUCTIONS.md +223 -0
package/binance-wallet-exploit/TEST_RESULTS.md +203 -0
package/binance-wallet-exploit/cache/solidity-files-cache.json +1 -0
package/binance-wallet-exploit/cache/test-failures +1 -0
package/binance-wallet-exploit/lib/forge-std/.gitattributes +1 -0
package/binance-wallet-exploit/lib/forge-std/.github/CODEOWNERS +1 -0
package/binance-wallet-exploit/lib/forge-std/.github/dependabot.yml +6 -0
package/binance-wallet-exploit/lib/forge-std/.github/workflows/ci.yml +125 -0
package/binance-wallet-exploit/lib/forge-std/.github/workflows/sync.yml +36 -0
package/binance-wallet-exploit/lib/forge-std/CONTRIBUTING.md +193 -0
package/binance-wallet-exploit/lib/forge-std/LICENSE-APACHE +203 -0
package/binance-wallet-exploit/lib/forge-std/LICENSE-MIT +25 -0
package/binance-wallet-exploit/lib/forge-std/README.md +314 -0
package/binance-wallet-exploit/lib/forge-std/RELEASE_CHECKLIST.md +12 -0
package/binance-wallet-exploit/lib/forge-std/package.json +16 -0
package/binance-wallet-exploit/lib/forge-std/scripts/vm.py +636 -0
package/binance-wallet-exploit/out/build-info/1e9aa7e86cf56962.json +1 -0
package/binance-wallet-exploit/out/build-info/6f56f10e9d7b56eb.json +1 -0
package/binance-wallet-exploit/out/build-info/7edba961ff697a24.json +1 -0
package/binance-wallet-exploit/out/build-info/8c27fe3efea2f2e7.json +1 -0
package/binance-wallet-exploit/out/build-info/978b680daffec63a.json +1 -0
package/binance-wallet-exploit/out/build-info/9806b900b5672d0c.json +1 -0
package/binance-wallet-exploit/out/build-info/b4b9ff36e9b3fc27.json +1 -0
package/binance-wallet-exploit/out/build-info/b6f4df9ae05c0812.json +1 -0
package/binance-wallet-exploit/out/build-info/c88dbc86551f7b5c.json +1 -0
package/binance-wallet-exploit/out/build-info/e9657504010623db.json +1 -0
package/cache/fuzz/failures/ARIAVerifiedFuzzTest/testFuzz_ApprovalRaceCondition +1 -0
package/cache/fuzz/failures/HotCrossSwapFuzzTest/testFuzz_DirectTransferExploit +1 -0
package/cache/fuzz/failures/HotCrossSwapFuzzTest/testFuzz_LargeSwapDrain +1 -0
package/cache/fuzz/failures/LendFlareFuzz/testFuzz_ApprovalExploit +1 -0
package/cache/fuzz/failures/LendFlareFuzz/testFuzz_BalanceManipulation +1 -0
package/cache/fuzz/failures/LendFlareFuzz/testFuzz_RateManipulation +1 -0
package/cache/fuzz/failures/LendFlareFuzz/testFuzz_StorageManipulation +1 -0
package/cache/fuzz/failures/PARFuzzTest/testFuzz_OverflowTransfer +1 -0
package/cache/fuzz/failures/PARFuzzTest/testFuzz_Transfer +1 -0
package/cache/fuzz/failures/XFIDeepFuzz/testFuzz_FrontrunAddfunds +1 -0
package/cache/fuzz/failures/XFIDeepFuzz/testFuzz_RewardOverflow +1 -0
package/cache/fuzz/failures/XFIDeepFuzz/testFuzz_RoundingExploit +1 -0
package/cache/fuzz/failures/XFIDeepFuzz/testFuzz_WithdrawLimit +1 -0
package/cache/solidity-files-cache.json +1 -0
package/cache/test-failures +1 -0
package/calculate-elephant-flashloan.js +195 -0
package/check-address-approval.js +112 -0
package/check-alpha-proxy.js +42 -0
package/check-arbitrage.js +155 -0
package/check-aria-token.js +47 -0
package/check-ark.sh +20 -0
package/check-btcst-mining.js +75 -0
package/check-btcst-pools.js +163 -0
package/check-btcst.js +88 -0
package/check-caller.js +26 -0
package/check-ceek-lp.js +73 -0
package/check-ceek.js +47 -0
package/check-dxsale-address.js +35 -0
package/check-fara-exploit-timing.js +56 -0
package/check-fara-real-exploit.js +73 -0
package/check-flashloan-limits.js +129 -0
package/check-kel-cel-pool.js +91 -0
package/check-lax-staking.js +41 -0
package/check-lendflare.js +165 -0
package/check-lft-accounting.js +109 -0
package/check-lft-roles.js +165 -0
package/check-lock-time.js +47 -0
package/check-min-stake.js +73 -0
package/check-mystery-contract.js +52 -0
package/check-next-token.js +50 -0
package/check-nora-lock.js +67 -0
package/check-oiler-approvals.js +116 -0
package/check-oiler-proxy.js +73 -0
package/check-oiler-staking.js +117 -0
package/check-proxy-simple.js +71 -0
package/check-recent-stakes.js +54 -0
package/check-shegic-holdings.js +67 -0
package/check-snowcrash-ecosystem.js +83 -0
package/check-sync-lp.js +97 -0
package/check-sync-stake.js +42 -0
package/check-tlm.js +37 -0
package/check-token-pools.js +146 -0
package/check-trunk-depeg.js +181 -0
package/check-tusd-decimals.js +58 -0
package/check-user-storage-deep.js +81 -0
package/check-welephant-pools.js +130 -0
package/check-xfi-pool.js +75 -0
package/check-zypher.js +32 -0
package/check_proxy.sh +36 -0
package/compare-tlm-chains.js +90 -0
package/contract_0x05f2.html +6025 -0
package/contract_0x3720.html +6361 -0
package/contract_0x928e.html +5606 -0
package/contract_0xc42d.html +5304 -0
package/contract_page.html +5789 -0
package/decode-stake-tx.js +50 -0
package/deep-analyze-lock.js +82 -0
package/dune_uups_proxy_query.sql +42 -0
package/dune_uups_vulnerable_query.sql +0 -0
package/echidna/alpha-proxy.yaml +14 -0
package/echidna/elephant.yaml +7 -0
package/echidna/lendflare.yaml +42 -0
package/echidna.config.yaml +12 -0
package/elephant_raw.json +1 -0
package/eps_raw.json +1 -0
package/exploit/.github/workflows/test.yml +38 -0
package/exploit/.gitmodules +3 -0
package/exploit/README.md +66 -0
package/exploit/foundry.lock +8 -0
package/exploit/lib/forge-std/.gitattributes +1 -0
package/exploit/lib/forge-std/.github/CODEOWNERS +1 -0
package/exploit/lib/forge-std/.github/dependabot.yml +6 -0
package/exploit/lib/forge-std/.github/workflows/ci.yml +125 -0
package/exploit/lib/forge-std/.github/workflows/sync.yml +36 -0
package/exploit/lib/forge-std/CONTRIBUTING.md +193 -0
package/exploit/lib/forge-std/LICENSE-APACHE +203 -0
package/exploit/lib/forge-std/LICENSE-MIT +25 -0
package/exploit/lib/forge-std/README.md +314 -0
package/exploit/lib/forge-std/RELEASE_CHECKLIST.md +12 -0
package/exploit/lib/forge-std/package.json +16 -0
package/exploit/lib/forge-std/scripts/vm.py +636 -0
package/exploit_analysis.txt +51 -0
package/extract_contract.py +21 -0
package/extract_elephant_contracts.py +24 -0
package/fara-staking-bytecode.txt +1 -0
package/fara-staking-raw.txt +1 -0
package/fetch-aria.js +46 -0
package/fetch-contract.js +50 -0
package/fetch-shegic-source.js +86 -0
package/fetch-snowcrash.js +44 -0
package/fetch-staking-source.js +53 -0
package/fetch-tlm.js +60 -0
package/fetch_elephant_source.py +32 -0
package/find-ceek-staking.js +21 -0
package/find-exploit-tx.js +88 -0
package/find-oiler-holders.js +100 -0
package/find-tlm-holder.js +36 -0
package/find-vulnerable-fund.js +94 -0
package/foundry.lock +8 -0
package/fuzz-all.sh +53 -0
package/get-aria-contract.py +40 -0
package/get-lft-holders.js +89 -0
package/get-tlm-source.sh +8 -0
package/harvest_txs.json +1 -0
package/lft-bytecode-raw.txt +1 -0
package/lft-bytecode.json +1 -0
package/lft-impl.bin +1 -0
package/lft-implementation-bytecode.txt +1 -0
package/lib/forge-std/.gitattributes +1 -0
package/lib/forge-std/.github/CODEOWNERS +1 -0
package/lib/forge-std/.github/dependabot.yml +6 -0
package/lib/forge-std/.github/workflows/ci.yml +125 -0
package/lib/forge-std/.github/workflows/sync.yml +36 -0
package/lib/forge-std/CONTRIBUTING.md +193 -0
package/lib/forge-std/LICENSE-APACHE +203 -0
package/lib/forge-std/LICENSE-MIT +25 -0
package/lib/forge-std/README.md +314 -0
package/lib/forge-std/RELEASE_CHECKLIST.md +12 -0
package/lib/forge-std/package.json +16 -0
package/lib/forge-std/scripts/vm.py +636 -0
package/lib/openzeppelin-contracts/.changeset/config.json +12 -0
package/lib/openzeppelin-contracts/.codecov.yml +12 -0
package/lib/openzeppelin-contracts/.editorconfig +21 -0
package/lib/openzeppelin-contracts/.eslintrc +20 -0
package/lib/openzeppelin-contracts/.github/ISSUE_TEMPLATE/bug_report.md +21 -0
package/lib/openzeppelin-contracts/.github/ISSUE_TEMPLATE/config.yml +4 -0
package/lib/openzeppelin-contracts/.github/ISSUE_TEMPLATE/feature_request.md +14 -0
package/lib/openzeppelin-contracts/.github/PULL_REQUEST_TEMPLATE.md +20 -0
package/lib/openzeppelin-contracts/.github/actions/gas-compare/action.yml +49 -0
package/lib/openzeppelin-contracts/.github/actions/setup/action.yml +21 -0
package/lib/openzeppelin-contracts/.github/actions/storage-layout/action.yml +55 -0
package/lib/openzeppelin-contracts/.github/workflows/actionlint.yml +18 -0
package/lib/openzeppelin-contracts/.github/workflows/changeset.yml +28 -0
package/lib/openzeppelin-contracts/.github/workflows/checks.yml +118 -0
package/lib/openzeppelin-contracts/.github/workflows/docs.yml +19 -0
package/lib/openzeppelin-contracts/.github/workflows/formal-verification.yml +68 -0
package/lib/openzeppelin-contracts/.github/workflows/release-cycle.yml +214 -0
package/lib/openzeppelin-contracts/.github/workflows/upgradeable.yml +34 -0
package/lib/openzeppelin-contracts/.gitmodules +7 -0
package/lib/openzeppelin-contracts/.mocharc.js +4 -0
package/lib/openzeppelin-contracts/.prettierrc +15 -0
package/lib/openzeppelin-contracts/.solcover.js +13 -0
package/lib/openzeppelin-contracts/CHANGELOG.md +972 -0
package/lib/openzeppelin-contracts/CODE_OF_CONDUCT.md +73 -0
package/lib/openzeppelin-contracts/CONTRIBUTING.md +36 -0
package/lib/openzeppelin-contracts/GUIDELINES.md +148 -0
package/lib/openzeppelin-contracts/LICENSE +22 -0
package/lib/openzeppelin-contracts/README.md +107 -0
package/lib/openzeppelin-contracts/RELEASING.md +45 -0
package/lib/openzeppelin-contracts/SECURITY.md +42 -0
package/lib/openzeppelin-contracts/audits/2017-03.md +292 -0
package/lib/openzeppelin-contracts/audits/2018-10.pdf +0 -0
package/lib/openzeppelin-contracts/audits/2022-10-Checkpoints.pdf +0 -0
package/lib/openzeppelin-contracts/audits/2022-10-ERC4626.pdf +0 -0
package/lib/openzeppelin-contracts/audits/2023-05-v4.9.pdf +0 -0
package/lib/openzeppelin-contracts/audits/2023-10-v5.0.pdf +0 -0
package/lib/openzeppelin-contracts/audits/README.md +17 -0
package/lib/openzeppelin-contracts/certora/Makefile +54 -0
package/lib/openzeppelin-contracts/certora/README.md +60 -0
package/lib/openzeppelin-contracts/certora/diff/access_manager_AccessManager.sol.patch +97 -0
package/lib/openzeppelin-contracts/certora/reports/2021-10.pdf +0 -0
package/lib/openzeppelin-contracts/certora/reports/2022-03.pdf +0 -0
package/lib/openzeppelin-contracts/certora/reports/2022-05.pdf +0 -0
package/lib/openzeppelin-contracts/certora/run.js +160 -0
package/lib/openzeppelin-contracts/certora/specs/AccessControl.spec +119 -0
package/lib/openzeppelin-contracts/certora/specs/AccessControlDefaultAdminRules.spec +464 -0
package/lib/openzeppelin-contracts/certora/specs/DoubleEndedQueue.spec +300 -0
package/lib/openzeppelin-contracts/certora/specs/ERC20.spec +352 -0
package/lib/openzeppelin-contracts/certora/specs/ERC20FlashMint.spec +55 -0
package/lib/openzeppelin-contracts/certora/specs/ERC20Wrapper.spec +198 -0
package/lib/openzeppelin-contracts/certora/specs/ERC721.spec +679 -0
package/lib/openzeppelin-contracts/certora/specs/EnumerableMap.spec +333 -0
package/lib/openzeppelin-contracts/certora/specs/EnumerableSet.spec +246 -0
package/lib/openzeppelin-contracts/certora/specs/Initializable.spec +165 -0
package/lib/openzeppelin-contracts/certora/specs/Ownable.spec +77 -0
package/lib/openzeppelin-contracts/certora/specs/Ownable2Step.spec +108 -0
package/lib/openzeppelin-contracts/certora/specs/Pausable.spec +96 -0
package/lib/openzeppelin-contracts/certora/specs/TimelockController.spec +274 -0
package/lib/openzeppelin-contracts/certora/specs/helpers/helpers.spec +7 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IAccessControl.spec +8 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IAccessControlDefaultAdminRules.spec +36 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IERC20.spec +11 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IERC2612.spec +5 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IERC3156FlashBorrower.spec +3 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IERC3156FlashLender.spec +5 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IERC5313.spec +3 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IERC721.spec +17 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IERC721Receiver.spec +3 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IOwnable.spec +5 -0
package/lib/openzeppelin-contracts/certora/specs/methods/IOwnable2Step.spec +7 -0
package/lib/openzeppelin-contracts/certora/specs.json +86 -0
package/lib/openzeppelin-contracts/contracts/access/README.adoc +43 -0
package/lib/openzeppelin-contracts/contracts/finance/README.adoc +14 -0
package/lib/openzeppelin-contracts/contracts/governance/README.adoc +167 -0
package/lib/openzeppelin-contracts/contracts/interfaces/README.adoc +82 -0
package/lib/openzeppelin-contracts/contracts/metatx/README.adoc +12 -0
package/lib/openzeppelin-contracts/contracts/package.json +32 -0
package/lib/openzeppelin-contracts/contracts/proxy/README.adoc +87 -0
package/lib/openzeppelin-contracts/contracts/token/ERC1155/README.adoc +41 -0
package/lib/openzeppelin-contracts/contracts/token/ERC20/README.adoc +67 -0
package/lib/openzeppelin-contracts/contracts/token/ERC721/README.adoc +67 -0
package/lib/openzeppelin-contracts/contracts/token/common/README.adoc +10 -0
package/lib/openzeppelin-contracts/contracts/utils/README.adoc +88 -0
package/lib/openzeppelin-contracts/contracts/vendor/compound/LICENSE +11 -0
package/lib/openzeppelin-contracts/docs/README.md +16 -0
package/lib/openzeppelin-contracts/docs/antora.yml +7 -0
package/lib/openzeppelin-contracts/docs/config.js +21 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-attack-3a.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-attack-3b.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-attack-6.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-attack.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-deposit.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-mint.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-rate-linear.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-rate-loglog.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-rate-loglogext.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/tally-exec.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/images/tally-vote.png +0 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/nav.adoc +23 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/access-control.adoc +204 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/backwards-compatibility.adoc +48 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/crowdsales.adoc +11 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/drafts.adoc +19 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc1155.adoc +145 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc20-supply.adoc +71 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc20.adoc +77 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc4626.adoc +214 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc721.adoc +79 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/extending-contracts.adoc +77 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/faq.adoc +13 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/governance.adoc +240 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/index.adoc +79 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/tokens.adoc +31 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/upgradeable.adoc +77 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/utilities.adoc +185 -0
package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/wizard.adoc +15 -0
package/lib/openzeppelin-contracts/docs/templates/contract.hbs +111 -0
package/lib/openzeppelin-contracts/docs/templates/helpers.js +46 -0
package/lib/openzeppelin-contracts/docs/templates/page.hbs +4 -0
package/lib/openzeppelin-contracts/docs/templates/properties.js +64 -0
package/lib/openzeppelin-contracts/hardhat/env-artifacts.js +24 -0
package/lib/openzeppelin-contracts/hardhat/env-contract.js +25 -0
package/lib/openzeppelin-contracts/hardhat/ignore-unreachable-warnings.js +45 -0
package/lib/openzeppelin-contracts/hardhat/skip-foundry-tests.js +6 -0
package/lib/openzeppelin-contracts/hardhat/task-test-get-files.js +25 -0
package/lib/openzeppelin-contracts/hardhat.config.js +131 -0
package/lib/openzeppelin-contracts/lib/erc4626-tests/LICENSE +661 -0
package/lib/openzeppelin-contracts/lib/erc4626-tests/README.md +116 -0
package/lib/openzeppelin-contracts/lib/forge-std/.github/workflows/ci.yml +92 -0
package/lib/openzeppelin-contracts/lib/forge-std/.gitmodules +3 -0
package/lib/openzeppelin-contracts/lib/forge-std/LICENSE-APACHE +203 -0
package/lib/openzeppelin-contracts/lib/forge-std/LICENSE-MIT +25 -0
package/lib/openzeppelin-contracts/lib/forge-std/README.md +250 -0
package/lib/openzeppelin-contracts/lib/forge-std/package.json +16 -0
package/lib/openzeppelin-contracts/logo.svg +15 -0
package/lib/openzeppelin-contracts/netlify.toml +3 -0
package/lib/openzeppelin-contracts/package-lock.json +16544 -0
package/lib/openzeppelin-contracts/package.json +96 -0
package/lib/openzeppelin-contracts/remappings.txt +1 -0
package/lib/openzeppelin-contracts/renovate.json +4 -0
package/lib/openzeppelin-contracts/requirements.txt +1 -0
package/lib/openzeppelin-contracts/scripts/checks/compare-layout.js +20 -0
package/lib/openzeppelin-contracts/scripts/checks/compareGasReports.js +243 -0
package/lib/openzeppelin-contracts/scripts/checks/extract-layout.js +38 -0
package/lib/openzeppelin-contracts/scripts/checks/generation.sh +6 -0
package/lib/openzeppelin-contracts/scripts/checks/inheritance-ordering.js +54 -0
package/lib/openzeppelin-contracts/scripts/gen-nav.js +41 -0
package/lib/openzeppelin-contracts/scripts/generate/format-lines.js +16 -0
package/lib/openzeppelin-contracts/scripts/generate/run.js +49 -0
package/lib/openzeppelin-contracts/scripts/generate/templates/Checkpoints.js +247 -0
package/lib/openzeppelin-contracts/scripts/generate/templates/Checkpoints.opts.js +17 -0
package/lib/openzeppelin-contracts/scripts/generate/templates/Checkpoints.t.js +146 -0
package/lib/openzeppelin-contracts/scripts/generate/templates/EnumerableMap.js +283 -0
package/lib/openzeppelin-contracts/scripts/generate/templates/EnumerableSet.js +250 -0
package/lib/openzeppelin-contracts/scripts/generate/templates/SafeCast.js +126 -0
package/lib/openzeppelin-contracts/scripts/generate/templates/StorageSlot.js +78 -0
package/lib/openzeppelin-contracts/scripts/generate/templates/conversion.js +30 -0
package/lib/openzeppelin-contracts/scripts/git-user-config.sh +6 -0
package/lib/openzeppelin-contracts/scripts/helpers.js +37 -0
package/lib/openzeppelin-contracts/scripts/prepack.sh +23 -0
package/lib/openzeppelin-contracts/scripts/prepare-docs.sh +26 -0
package/lib/openzeppelin-contracts/scripts/release/format-changelog.js +33 -0
package/lib/openzeppelin-contracts/scripts/release/synchronize-versions.js +15 -0
package/lib/openzeppelin-contracts/scripts/release/update-comment.js +34 -0
package/lib/openzeppelin-contracts/scripts/release/version.sh +11 -0
package/lib/openzeppelin-contracts/scripts/release/workflow/exit-prerelease.sh +8 -0
package/lib/openzeppelin-contracts/scripts/release/workflow/github-release.js +48 -0
package/lib/openzeppelin-contracts/scripts/release/workflow/integrity-check.sh +20 -0
package/lib/openzeppelin-contracts/scripts/release/workflow/pack.sh +26 -0
package/lib/openzeppelin-contracts/scripts/release/workflow/publish.sh +26 -0
package/lib/openzeppelin-contracts/scripts/release/workflow/rerun.js +7 -0
package/lib/openzeppelin-contracts/scripts/release/workflow/set-changesets-pr-title.js +17 -0
package/lib/openzeppelin-contracts/scripts/release/workflow/start.sh +35 -0
package/lib/openzeppelin-contracts/scripts/release/workflow/state.js +112 -0
package/lib/openzeppelin-contracts/scripts/remove-ignored-artifacts.js +45 -0
package/lib/openzeppelin-contracts/scripts/solhint-custom/index.js +84 -0
package/lib/openzeppelin-contracts/scripts/solhint-custom/package.json +5 -0
package/lib/openzeppelin-contracts/scripts/update-docs-branch.js +65 -0
package/lib/openzeppelin-contracts/scripts/upgradeable/README.md +21 -0
package/lib/openzeppelin-contracts/scripts/upgradeable/patch-apply.sh +19 -0
package/lib/openzeppelin-contracts/scripts/upgradeable/patch-save.sh +18 -0
package/lib/openzeppelin-contracts/scripts/upgradeable/transpile-onto.sh +54 -0
package/lib/openzeppelin-contracts/scripts/upgradeable/transpile.sh +47 -0
package/lib/openzeppelin-contracts/scripts/upgradeable/upgradeable.patch +360 -0
package/lib/openzeppelin-contracts/slither.config.json +5 -0
package/lib/openzeppelin-contracts/solhint.config.js +20 -0
package/mythril-lft-output.txt +1 -0
package/mythril-lft-symbolic.txt +18 -0
package/mythril-lft.sh +20 -0
package/mythril-symbolic-output.txt +1 -0
package/mythril-symbolic.sh +42 -0
package/out/build-info/0026b78428192979.json +1 -0
package/out/build-info/03c4fc3b88486eba.json +1 -0
package/out/build-info/0540afa9b9a5c5a6.json +1 -0
package/out/build-info/081932f505bc08b9.json +1 -0
package/out/build-info/0da104ba0d6642d5.json +1 -0
package/out/build-info/197281971dbb5f23.json +1 -0
package/out/build-info/197e7e332832a232.json +1 -0
package/out/build-info/1a1cab9136eb5f94.json +1 -0
package/out/build-info/1b320204eb162aa2.json +1 -0
package/out/build-info/1e03f94398052674.json +1 -0
package/out/build-info/22ac085949602937.json +1 -0
package/out/build-info/234ef37453a9fa64.json +1 -0
package/out/build-info/2447db7b1878fa8e.json +1 -0
package/out/build-info/25568daeb484f5ff.json +1 -0
package/out/build-info/27465853244c49ce.json +1 -0
package/out/build-info/2c57a9e0f087453b.json +1 -0
package/out/build-info/3c62ae7de8da68c4.json +1 -0
package/out/build-info/3e771ae109e97bb3.json +1 -0
package/out/build-info/460499bc0a3465c4.json +1 -0
package/out/build-info/47ce37e50a4f115e.json +1 -0
package/out/build-info/4fcce5c63cf427d6.json +1 -0
package/out/build-info/4fd0a53fe63fddbb.json +1 -0
package/out/build-info/50f1247db9d769cc.json +1 -0
package/out/build-info/5317d0181a7a5e02.json +1 -0
package/out/build-info/594df509275ceb5b.json +1 -0
package/out/build-info/61983ac3f6141719.json +1 -0
package/out/build-info/638c4548307122fe.json +1 -0
package/out/build-info/67c2c43bdb7c0ded.json +1 -0
package/out/build-info/777f42643aad37b7.json +1 -0
package/out/build-info/7d7856f19e845354.json +1 -0
package/out/build-info/83976260b6f71e94.json +1 -0
package/out/build-info/83c23882000b963d.json +1 -0
package/out/build-info/84b2cce8f70b36be.json +1 -0
package/out/build-info/8bc13d31d7c3206a.json +1 -0
package/out/build-info/8e183bd4d9d8cf88.json +1 -0
package/out/build-info/94bfe1e7cafa8ff5.json +1 -0
package/out/build-info/99ec7d5e8d8ff360.json +1 -0
package/out/build-info/9ac044b29daa7d5e.json +1 -0
package/out/build-info/9b203227ff5d2e63.json +1 -0
package/out/build-info/9d18c5872c4282dd.json +1 -0
package/out/build-info/9f77f04f33baf9a3.json +1 -0
package/out/build-info/a6e1caf974787982.json +1 -0
package/out/build-info/a94b6348867a62d6.json +1 -0
package/out/build-info/ad93721947a8b195.json +1 -0
package/out/build-info/b42daddb5aa4b19f.json +1 -0
package/out/build-info/bf13512ae899f7e8.json +1 -0
package/out/build-info/c39f86c20a548c4a.json +1 -0
package/out/build-info/cb12bb975a2f4e65.json +1 -0
package/out/build-info/d0c6788fadc2aa60.json +1 -0
package/out/build-info/d2726bf94ed5b845.json +1 -0
package/out/build-info/d4eb00da50cce5cb.json +1 -0
package/out/build-info/db931924a3bc8bdd.json +1 -0
package/out/build-info/e1a503d49bc77401.json +1 -0
package/out/build-info/efe5396f8892ce77.json +1 -0
package/out/build-info/f536d90ced745969.json +1 -0
package/out/build-info/fed38823c7019b82.json +1 -0
package/package.json +51 -0
package/page.html +5384 -0
package/pancakeswap-simple-tvl.sql +15 -0
package/pancakeswap-top-pools.sql +29 -0
package/pancakeswap-tvl-optimized.sql +57 -0
package/pancakeswap-tvl-query.sql +60 -0
package/pancakeswap-underflow-hunting.sql +51 -0
package/pancakeswap-vulnerability-queries.sql +200 -0
package/posi_page.html +6369 -0
package/posi_response.json +29 -0
package/proxy_page.html +500 -0
package/run_mythril_elephant.sh +18 -0
package/sHEGIC-bytecode.bin +6 -0
package/sHEGIC-mythril-analysis.txt +1 -0
package/sHEGIC-mythril-full.txt +134 -0
package/sHEGIC_ANALYSIS.md +135 -0
package/sHEGIC_EXPLOIT_ANALYSIS.md +317 -0
package/sHEGIC_MYTHRIL_ANALYSIS.md +361 -0
package/scrape-snowcrash.js +28 -0
package/scripts/yooshi_drain.sh +154 -0
package/shi_raw.json +1 -0
package/temp.json +1 -0
package/temp_harvest.json +1 -0
package/temp_pika.json +1 -0
package/temp_posi.json +1 -0
package/temp_response.json +1 -0
package/test-lft-hidden-balance.js +108 -0
package/test-xfi-exploit.js +140 -0
package/trunk-liquidity-rescue.js +164 -0
package/vBABY_page.html +6153 -0
package/vBABY_response.json +29 -0
package/wsg_response.json +1 -0
package/yooldo_page.html +10371 -0

package/QUICK_START.md ADDED Viewed

@@ -0,0 +1,240 @@
+# Quick Start Guide - XFI Staking Exploit
+## TL;DR - Fastest Way to Test
+### Option 1: Remix (Easiest)
+1. **Open Remix**: https://remix.ethereum.org
+2. **Copy `RemixExploit.sol`** into Remix
+3. **Compile** with Solidity 0.6.0
+4. **Deploy** `SimpleXFIExploit` contract on your fork
+5. **Transfer XFI** tokens to the deployed contract
+6. **Call** `setupExploit()` to approve
+7. **Call** `executeExploit()` to run the attack
+8. **Call** `getResults()` to see the profit
+### Option 2: Foundry (For Automated Testing)
+```bash
+# Clone and setup
+git clone <your-repo>
+cd <your-repo>
+# Run the exploit test
+forge test --match-test testDoubleCountingExploit -vvv --fork-url <YOUR_RPC_URL>
+```
+## Detailed Remix Instructions
+### Prerequisites
+- MetaMask connected to a fork
+- Some XFI tokens (get from token holder or mint on fork)
+### Step-by-Step
+1. **Deploy the Exploit Contract**
+   ```
+   - Open Remix
+   - Create new file: RemixExploit.sol
+   - Paste the code
+   - Compile with 0.6.0
+   - Deploy SimpleXFIExploit
+   ```
+2. **Fund the Contract**
+   ```solidity
+   // From your account with XFI
+   xfi.transfer(exploitContractAddress, 2000000000000000000000); // 2000 XFI
+   ```
+3. **Setup**
+   ```
+   - Call setupExploit()
+   - This approves the staking contract
+   ```
+4. **Execute**
+   ```
+   - Call executeExploit()
+   - This runs the double-counting attack
+   ```
+5. **Check Results**
+   ```
+   - Call getResults()
+   - You should see profit > 0 if exploit worked
+   ```
+## What You'll See
+### Before Exploit
+```
+Balance: 2000 XFI
+Staked: 0 XFI
+Pending: 0 XFI
+```
+### After First Stake
+```
+Balance: 1000 XFI (1000 staked)
+Staked: 975 XFI (25 XFI fee)
+Pending: ~X XFI (depends on pool rewards)
+```
+### After Second Stake (BUG TRIGGERED)
+```
+Balance: 0 XFI (2000 staked)
+Staked: 1950 XFI (50 XFI total fees)
+Pending: ~2X XFI (DOUBLED!)
+```
+### After Claiming
+```
+Balance: 2X XFI (doubled rewards claimed)
+Staked: 1950 XFI
+Pending: 0 XFI
+Profit: X XFI (stolen from pool)
+```
+## Understanding the Bug
+### Normal Flow (Expected)
+```
+1. User stakes → pending rewards calculated
+2. Rewards added to remainder ONCE
+3. User claims → receives correct amount
+```
+### Buggy Flow (Actual)
+```
+1. User stakes → pendingReward() called
+   - Adds rewards to remainder (COUNT #1)
+2. Code adds owing to remainder (COUNT #2)
+3. User stakes again → pendingReward() called
+   - Adds rewards to remainder (COUNT #3)
+4. Code adds owing to remainder (COUNT #4)
+5. User claims → receives 2X rewards!
+```
+## Testing Scenarios
+### Scenario A: Simple Double-Counting
+```
+1. Pool has existing stakes
+2. Pool has rewards
+3. Attacker stakes once
+4. Attacker stakes again (triggers bug)
+5. Attacker claims doubled rewards
+```
+### Scenario B: First Staker Advantage
+```
+1. Pool is empty (totalStakes = 0)
+2. Attacker stakes first (pays 0% fee)
+3. Victim stakes second (pays 2.5% fee)
+4. Attacker saved 2.5%
+```
+### Scenario C: Complete Drain
+```
+1. Multiple users stake (pool has funds)
+2. Rewards accumulate
+3. Attacker stakes multiple times
+4. Each stake doubles pending rewards
+5. Attacker claims and drains pool
+```
+## Verification Checklist
+- [ ] Contract deployed successfully
+- [ ] XFI tokens transferred to contract
+- [ ] setupExploit() called successfully
+- [ ] executeExploit() called successfully
+- [ ] getResults() shows profit > 0
+- [ ] Pending rewards were doubled
+- [ ] Contract balance increased
+## Common Issues
+### "No XFI tokens in contract"
+**Solution**: Transfer XFI to the exploit contract first
+```solidity
+xfi.transfer(exploitAddress, amount);
+```
+### "Approval failed"
+**Solution**: Make sure contract has XFI balance before calling setupExploit()
+### "Need at least 2000 XFI"
+**Solution**: Transfer at least 2000 XFI to the contract
+### "No profit shown"
+**Solution**:
+- Make sure pool has existing stakes
+- Make sure pool has rewards
+- Try adding rewards manually: `staking.ADDFUNDS(1000 * 10**18)`
+## Advanced: Multi-Step Demo
+For detailed step-by-step analysis, use `DetailedExploitDemo`:
+```solidity
+1. Deploy DetailedExploitDemo
+2. Transfer XFI to contract
+3. Call step0_approve()
+4. Call step1_firstStake(1000 * 10**18)
+5. Call step2_checkPending()
+6. Call step3_secondStake(1000 * 10**18)
+7. Call step4_claimRewards()
+8. Call getProof() to see the bug
+```
+## Expected Output
+### getProof() Result
+```
+pendingBeforeSecondStake: 500 XFI
+pendingAfterSecondStake: 1000 XFI
+difference: 500 XFI
+verdict: "BUG CONFIRMED: Pending rewards increased after staking!"
+```
+This proves the double-counting bug!
+## Contract Addresses
+- **XFI Token**: `0x5BEfBB272290dD5b8521D4a938f6c4757742c430`
+- **Staking Contract**: `0x5cD1C00a88822182733E3ac335863fcC9A1c0705`
+## Safety Notes
+⚠️ **IMPORTANT**:
+- This is for educational purposes on a FORK only
+- Do NOT run on mainnet
+- Do NOT steal real user funds
+- Report vulnerabilities responsibly
+## Next Steps
+After confirming the exploit:
+1. Document the findings
+2. Calculate potential impact
+3. Recommend fixes
+4. Suggest contract redeployment
+## Support
+If you encounter issues:
+1. Check you're on a fork (not mainnet)
+2. Verify contract addresses
+3. Ensure you have XFI tokens
+4. Check transaction logs for errors
+5. Review the audit report for details
+## Files Reference
+- `RemixExploit.sol` - Simple exploit for Remix
+- `XFIStakingExploit.sol` - Full exploit contract
+- `test/XFIStakingExploit.t.sol` - Foundry test
+- `EXPLOIT_INSTRUCTIONS.md` - Detailed instructions
+- `audits/XFIStaking-security-audit-20260324.md` - Full audit report

package/RAMP_SECURITY_ANALYSIS.md ADDED Viewed

File without changes

package/README.md ADDED Viewed

@@ -0,0 +1,238 @@
+# UUPS Checker
+A command-line tool to check UUPS and Transparent Proxy initialization status for whitehat security research.
+## Features
+- ✅ Detects UUPS vs Transparent Proxies
+- ✅ Checks initialization status of proxy and implementation
+- ✅ Shows owner/admin addresses
+- ✅ Displays contract balance
+- ✅ Supports multiple chains (ETH, BSC, Polygon, Arbitrum, Optimism, opBNB)
+- ✅ Color-coded output for easy reading
+- ✅ Works on Linux, macOS, and Android (Termux)
+## Prerequisites
+- [Foundry](https://book.getfoundry.sh/getting-started/installation) (for `cast` command)
+- `bc` (basic calculator - usually pre-installed)
+## Installation
+### Option 1: npm (Recommended)
+```bash
+npm install -g uups-checker
+```
+After installation, you can use either command:
+```bash
+ups <contract_address> [chain]
+# or
+uups-checker <contract_address> [chain]
+```
+### Option 2: From source
+```bash
+git clone https://github.com/yourusername/uups-checker
+cd uups-checker
+chmod +x bin/ups
+npm link
+```
+## Termux Installation (Android)
+1. Install Termux from [F-Droid](https://f-droid.org/en/packages/com.termux/) (NOT Google Play)
+2. Update packages and install dependencies:
+```bash
+pkg update && pkg upgrade
+pkg install git nodejs bc
+```
+3. Install Rust (required for Foundry):
+```bash
+pkg install rust
+```
+4. Install Foundry:
+```bash
+curl -L https://foundry.paradigm.xyz | bash
+source ~/.bashrc
+foundryup
+```
+5. Install uups-checker:
+```bash
+npm install -g uups-checker
+```
+6. Test it:
+```bash
+ups 0x8599068597fd27D87514CB90c42300c03a474084 bsc
+```
+## Usage
+```bash
+ups <contract_address> [chain]
+```
+### Examples
+```bash
+# Check on Ethereum mainnet (default)
+ups 0x1234...
+# Check on BSC
+ups 0x1234... bsc
+# Check on Polygon
+ups 0x1234... polygon
+# Check on opBNB
+ups 0x1234... opbnb
+# Check on Arbitrum
+ups 0x1234... arbitrum
+# Check on Optimism
+ups 0x1234... optimism
+```
+### Supported Chains
+- `eth` - Ethereum Mainnet (default)
+- `bsc` - Binance Smart Chain
+- `opbnb` - opBNB
+- `polygon` - Polygon
+- `arbitrum` - Arbitrum
+- `optimism` - Optimism
+## Output
+The tool provides:
+- Proxy type (UUPS or Transparent)
+- Implementation address
+- Owner/Admin address
+- Initialization status for BOTH proxy and implementation
+- Contract balance
+- Vulnerability assessment
+## Example Output
+```
+╔══════════════════════════════════════════╗
+║       UUPS INITIALIZATION CHECKER        ║
+║          Whitehat Bounty Tool            ║
+╚══════════════════════════════════════════╝
+[INFO] Checking: 0x8599...
+[INFO] Chain: bsc
+[INFO] Explorer: https://bscscan.com/address/0x8599...
+[1/5] Reading EIP-1967 implementation slot...
+[✓] Implementation: 0xd28A...
+[2/5] Checking if UUPS proxy...
+[✓] UUPS proxy detected!
+[3/5] Checking owner/admin...
+[✓] Owner/Admin: 0x1234...
+[4/5] Checking initialization status...
+[✓] Proxy: INITIALIZED
+[✓] Implementation: INITIALIZED
+[5/5] Checking balance...
+[✓] Balance: 0 ETH
+═══════════════════════════════════════════
+              FINAL VERDICT
+═══════════════════════════════════════════
+Proxy Type:      UUPS
+Implementation:  0xd28A...
+Owner:           0x1234...
+Balance:         0 ETH
+Status:          ✓ INITIALIZED
+[SAFE] Proxy is properly configured
+```
+### Vulnerable Contract Example
+```
+[4/5] Checking initialization status...
+[!] Proxy: NOT INITIALIZED
+[!] Implementation: NOT INITIALIZED
+Status:          ✗ UNINITIALIZED
+[VULNERABLE] UUPS implementation is uninitialized!
+[EXPLOIT] Potential takeover vulnerability!
+Next steps:
+1. Try calling initialize() on the implementation
+2. Check if you can set yourself as owner
+3. Verify with: cast call 0x... "owner()(address)" --rpc-url ...
+```
+## Troubleshooting
+### Termux Issues
+If you get "command not found" errors:
+```bash
+# Reload your shell
+source ~/.bashrc
+# Or restart Termux
+```
+If Foundry installation fails:
+```bash
+# Make sure Rust is installed
+pkg install rust
+# Try installing Foundry again
+curl -L https://foundry.paradigm.xyz | bash
+```
+### RPC Issues
+If you get RPC errors, the default Infura endpoint might be rate-limited. You can modify the script to use your own RPC endpoints.
+## Publishing to npm (For Developers)
+1. Create a GitHub repository and push your code
+2. Update `package.json` with your GitHub URL
+3. Login to npm: `npm login`
+4. Publish: `npm publish`
+## Security Notice
+This tool is for security research and whitehat bounty hunting only. Always:
+- Get proper authorization before testing contracts
+- Report vulnerabilities responsibly through official channels (Immunefi, HackerOne, etc.)
+- Never exploit vulnerabilities for personal gain
+- Follow responsible disclosure practices
+## How It Works
+The tool checks:
+1. EIP-1967 implementation slot to detect proxies
+2. `proxiableUUID()` function to identify UUPS proxies
+3. Admin slot (0xb53127...) for Transparent Proxies
+4. Initialization status by checking storage slot 0 and owner functions
+5. Contract balance and ownership
+## License
+MIT
+## Contributing
+Pull requests are welcome! For major changes, please open an issue first.
+## Author
+Created for whitehat security researchers and bug bounty hunters.
+## Disclaimer
+This tool is provided as-is for educational and security research purposes. Use responsibly and ethically.

package/REAUDIT_MASTER_LIST.txt ADDED Viewed

@@ -0,0 +1,15 @@
+COMPLETE RE-AUDIT - ALL CONTRACTS
+Generated: March 28, 2026
+Total Contracts: 138
+RULES:
+- ONLY user-side exploits
+- NO admin exploits
+- NO cheatcodes in tests
+- VERIFY with forge test on mainnet fork
+- FETCH actual verified source code (not decompiled)
+- PROVE or DISPROVE each claimed exploit
+STATUS: STARTING SYSTEMATIC VERIFICATION
+========================================

package/RING_analysis.txt ADDED Viewed

@@ -0,0 +1,212 @@
+RING TOKEN (0x521ef54063148e5f15f18b9631426175cee23de2) - SECURITY ANALYSIS
+================================================================================
+TOKEN INFO:
+- Name: RING
+- Symbol: RING
+- Compiler: v0.8.7+commit.e28d00a7
+- Optimization: Yes with 200 runs
+- Total Supply: 20,456,743 tokens
+- Deployed: Nov 19, 2021 (4+ years old)
+- Holders: 10,490
+CONTRACT TYPE: Node-as-a-Service (NaaS) token with dividend distribution
+================================================================================
+CRITICAL VULNERABILITIES - USER-SIDE EXPLOITS
+================================================================================
+1. OWNER CAN BLACKLIST ANY ADDRESS (CRITICAL)
+   - Function: blacklistMalicious(address account, bool value)
+   - Owner can blacklist ANY address at ANY time
+   - Blacklisted addresses CANNOT transfer tokens
+   - Blacklisted addresses CANNOT create nodes
+   - Blacklisted addresses CANNOT cashout rewards
+   - EXPLOIT: Owner can rug pull by blacklisting all holders
+2. OWNER CAN CHANGE ALL FEES (CRITICAL)
+   - updateRewardsFee(uint256 value)
+   - updateLiquiditFee(uint256 value)
+   - updateFuturFee(uint256 value)
+   - updateCashoutFee(uint256 value)
+   - updateRwSwapFee(uint256 value)
+   - NO MAXIMUM LIMITS on fees
+   - EXPLOIT: Owner can set fees to 100% and drain all transactions
+3. OWNER CAN CHANGE NODE PARAMETERS (CRITICAL)
+   - changeNodePrice(uint256 newNodePrice)
+   - changeRewardPerNode(uint256 newPrice)
+   - changeClaimTime(uint256 newTime)
+   - NO LIMITS on these values
+   - EXPLOIT: Owner can make nodes worthless by:
+     * Setting node price to 1000000000 tokens (impossible to buy)
+     * Setting reward per node to 0 (no rewards)
+     * Setting claim time to 999999999 (can never claim)
+4. OWNER CAN CHANGE CRITICAL ADDRESSES (CRITICAL)
+   - updateFuturWall(address payable wall)
+   - updateRewardsWall(address payable wall)
+   - Owner can redirect all fees to their own address
+   - EXPLOIT: Owner can drain all accumulated fees
+5. OWNER CAN CHANGE ROUTER (CRITICAL)
+   - updateUniswapV2Router(address newAddress)
+   - Can change DEX router to malicious contract
+   - EXPLOIT: Owner can route swaps through malicious contract
+6. PAYMENT SPLITTER VULNERABILITY (HIGH)
+   - Contract inherits PaymentSplitter
+   - release(address payable account) - anyone can trigger
+   - release(IERC20 token, address account) - anyone can trigger
+   - EXPLOIT: Attacker can drain payment splitter shares
+================================================================================
+HONEYPOT MECHANISMS
+================================================================================
+1. BLACKLIST TRAP
+   - Owner can blacklist addresses AFTER they buy
+   - Blacklisted users cannot sell or transfer
+   - This is a HONEYPOT mechanism
+2. FEE MANIPULATION
+   - Owner can increase fees to 100% AFTER users buy
+   - Users cannot sell without losing everything
+   - This is a HONEYPOT mechanism
+3. NODE PRICE MANIPULATION
+   - Owner can increase node price to impossible levels
+   - Users who bought nodes cannot create more
+   - Existing node holders get diluted
+================================================================================
+CENTRALIZATION RISKS
+================================================================================
+1. SINGLE OWNER CONTROL
+   - Owner has COMPLETE control over:
+     * Blacklisting
+     * All fees
+     * Node parameters
+     * Critical addresses
+     * Router address
+   - NO TIMELOCK
+   - NO MULTISIG
+   - NO GOVERNANCE
+2. NO RENOUNCE OWNERSHIP PROTECTION
+   - renounceOwnership() exists but owner can call it
+   - If owner renounces, contract becomes FROZEN
+   - No one can update parameters
+================================================================================
+NODE SYSTEM VULNERABILITIES
+================================================================================
+1. CENTRALIZED NODE REWARDS
+   - distributeRewards() controlled by owner
+   - Owner decides when rewards are distributed
+   - Owner can stop distributing rewards
+2. NODE CREATION FEES
+   - createNodeWithTokens() burns tokens from user
+   - Tokens go to contract, not burned
+   - Owner controls what happens to these tokens
+3. CASHOUT FEES
+   - cashoutReward() and cashoutAll() charge fees
+   - Fees go to futurUsePool (owner controlled)
+   - Owner can set cashout fee to 100%
+================================================================================
+SWAP AND LIQUIDITY VULNERABILITIES
+================================================================================
+1. SWAP MANIPULATION
+   - swapLiquify can be enabled/disabled by owner
+   - When enabled, contract auto-swaps tokens
+   - Owner controls swap thresholds
+   - EXPLOIT: Owner can manipulate when swaps happen
+2. LIQUIDITY PROVISION
+   - addLiquidity() sends LP tokens to address(0)
+   - LP tokens are BURNED
+   - This is actually GOOD (prevents owner from removing liquidity)
+3. AUTOMATED MARKET MAKER PAIRS
+   - setAutomatedMarketMakerPair() controlled by owner
+   - Owner can add/remove AMM pairs
+   - EXPLOIT: Owner can manipulate which pairs trigger fees
+================================================================================
+USER-SIDE EXPLOIT STRATEGIES
+================================================================================
+EXPLOIT 1: PAYMENT SPLITTER DRAIN
+1. Check if you are a payee in the payment splitter
+2. Call release(address(this)) to claim BNB share
+3. Call release(IERC20 token, address(this)) to claim token shares
+4. This is LEGITIMATE if you are a payee
+EXPLOIT 2: FRONT-RUN BLACKLIST
+1. Monitor owner transactions for blacklistMalicious() calls
+2. If you see your address being blacklisted, front-run with sell
+3. Sell all tokens before blacklist takes effect
+4. This requires MEV bot or fast monitoring
+EXPLOIT 3: FRONT-RUN FEE CHANGES
+1. Monitor owner transactions for fee update calls
+2. If fees are being increased, front-run with sell
+3. Sell before high fees take effect
+EXPLOIT 4: NODE REWARD TIMING
+1. Monitor distributeRewards() calls
+2. Create nodes right before distribution
+3. Cashout immediately after distribution
+4. This maximizes reward per time invested
+EXPLOIT 5: AVOID THIS TOKEN
+- This token is HEAVILY CENTRALIZED
+- Owner has COMPLETE control
+- High risk of rug pull via:
+  * Blacklisting all holders
+  * Setting fees to 100%
+  * Stopping reward distribution
+  * Changing node parameters to worthless values
+================================================================================
+LEGITIMATE CONCERNS (NOT EXPLOITABLE BY USERS)
+================================================================================
+1. Owner can rug pull at any time
+2. No protection against owner malicious actions
+3. No timelock on critical functions
+4. No multisig requirement
+5. No governance mechanism
+6. Payment splitter shares are fixed at deployment
+================================================================================
+CONCLUSION
+================================================================================
+RISK LEVEL: EXTREME
+This token is a CENTRALIZED HONEYPOT waiting to happen. The owner has:
+- Complete control over blacklisting
+- Complete control over all fees
+- Complete control over node parameters
+- Complete control over reward distribution
+- Complete control over critical addresses
+USER-EXPLOITABLE VULNERABILITIES:
+1. Payment splitter drain (if you are a payee)
+2. Front-running owner transactions (requires MEV)
+3. Timing node creation/cashout (minimal profit)
+RECOMMENDATION: AVOID THIS TOKEN
+- Too much centralization
+- Too many owner controls
+- High rug pull risk
+- Honeypot mechanisms present
+The only "exploit" is to NOT BUY THIS TOKEN.

package/RPC ADDED Viewed

@@ -0,0 +1,4 @@
+https://bsc-mainnet.infura.io/v3/db4d2c885bc946b691dbb3d5ef26d9e2
+https://bnb-mainnet.g.alchemy.com/v2/5IWkkFu-rS6plYHO9MLq-
+https://mainnet.infura.io/v3/db4d2c885bc946b691dbb3d5ef26d9e2
+https://eth-mainnet.g.alchemy.com/v2/5IWkkFu-rS6plYHO9MLq-