uups-checker 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (670)
  1. package/.gitmodules +6 -0
  2. package/AIFI_AUDIT.md +220 -0
  3. package/ALL_AUDITS_SUMMARY.md +366 -0
  4. package/ALPHA_PROXY_CRITICAL_FINDING.md +136 -0
  5. package/ALPHA_PROXY_FINAL_ANALYSIS.md +213 -0
  6. package/ALPHA_PROXY_FINAL_VERDICT.md +233 -0
  7. package/ALPHA_PROXY_SELFDESTRUCT_EXPLOIT.md +161 -0
  8. package/ARIA-foundry-test.txt +9 -0
  9. package/ARIA-mythril-analysis.txt +20 -0
  10. package/ARIA-slither-analysis.txt +38 -0
  11. package/ARIA_AI_SECURITY_AUDIT.md +290 -0
  12. package/ARIA_VERIFIED_AUDIT.md +259 -0
  13. package/ARIA_VERIFIED_slither.txt +76 -0
  14. package/ARIVA_source.txt +1 -0
  15. package/ARK_AUDIT.md +349 -0
  16. package/BANANA_AUDIT.md +365 -0
  17. package/BAS_AUDIT.md +451 -0
  18. package/BAS_TOKEN_AUDIT.md +235 -0
  19. package/BCE_EXPLOIT_ANALYSIS.md +165 -0
  20. package/BEEFY_BNB_CHAIN_ANALYSIS.md +488 -0
  21. package/BEEFY_MONAD_ANALYSIS.md +239 -0
  22. package/BEEFY_STAKING_ANALYSIS.md +136 -0
  23. package/BEEFY_XVS_WBNB_ACTUAL_FINDINGS.md +223 -0
  24. package/BEEFY_XVS_WBNB_CRITICAL_FINDINGS.md +269 -0
  25. package/BLOCKSEC_ATTACK_KNOWLEDGE_BASE.md +771 -0
  26. package/BRISE_ANALYSIS.txt +31 -0
  27. package/BRISE_BSC_DAPPS.txt +68 -0
  28. package/BRISE_EXPLOITS_FOUND.md +98 -0
  29. package/BRISE_REAL_EXPLOITS.md +115 -0
  30. package/BRISE_WHITEHAT_REPORT.md +162 -0
  31. package/BRISEstake_Analysis.txt +95 -0
  32. package/BSCSLOCKTOKEN_CRITICAL_FINDING.md +240 -0
  33. package/BSW_BISWAP_SECURITY_AUDIT.md +330 -0
  34. package/BTCST_FINAL_VERDICT.md +319 -0
  35. package/BTCST_MINING_REBASE_ANALYSIS.md +229 -0
  36. package/BTCST_ROUNDING_DEEP_DIVE.md +293 -0
  37. package/BTCST_ROUNDING_FINAL_VERDICT.md +9 -0
  38. package/BTCST_SECURITY_ANALYSIS.md +391 -0
  39. package/BTR_AUDIT.md +210 -0
  40. package/BeamBridge-analysis.md +226 -0
  41. package/BeamToken-analysis.md +201 -0
  42. package/BitgertSwap_Investigation.txt +107 -0
  43. package/CEEK_STAKING_ANALYSIS.md +0 -0
  44. package/CHAINBASE_AUDIT.md +422 -0
  45. package/COMPLETE_AUDIT_SUMMARY.md +342 -0
  46. package/CORRECTED_ANALYSIS.txt +115 -0
  47. package/DBXEN_COMPARISON_SUMMARY.md +232 -0
  48. package/DBXEN_EXPLOIT_ANALYSIS.md +530 -0
  49. package/DOPFairLaunch_raw.json +29 -0
  50. package/DOPFairLaunch_source.txt +0 -0
  51. package/DOP_BRIDGE_FINAL_ANALYSIS.txt +86 -0
  52. package/DOP_BUSD_LP_ANALYSIS.txt +44 -0
  53. package/DOP_FAIRLAUNCH_ANALYSIS.txt +61 -0
  54. package/DOP_FAIRLAUNCH_FINAL_VERDICT.txt +113 -0
  55. package/DOP_STAKING_CONTRACT_ANALYSIS.txt +67 -0
  56. package/DSYNC_ECOSYSTEM_ANALYSIS.md +221 -0
  57. package/DSyncStaking-exploit-analysis.md +153 -0
  58. package/DSyncVault-analysis.md +120 -0
  59. package/DUSD_PROXY_AUDIT.md +407 -0
  60. package/DXSALE_LOCK_AUDIT.md +0 -0
  61. package/DXSaleLock_bytecode.txt +1 -0
  62. package/ECHIDNA_QUICK_START.md +101 -0
  63. package/ELEPHANT_ECOSYSTEM_AUDIT_PLAN.md +159 -0
  64. package/ELEPHANT_ECOSYSTEM_COMPREHENSIVE_AUDIT.md +427 -0
  65. package/ELEPHANT_SECURITY_ANALYSIS.md +209 -0
  66. package/ELEPHANT_VULNERABILITIES_EXPLAINED.md +455 -0
  67. package/EXPLOIT_FIX.md +300 -0
  68. package/EXPLOIT_INSTRUCTIONS.md +273 -0
  69. package/EXPLOIT_SUMMARY.md +285 -0
  70. package/EXPLOIT_SUMMARY.txt +175 -0
  71. package/FALCON_FINANCE_AUDIT.md +258 -0
  72. package/FANDOM_AUDIT.md +359 -0
  73. package/FEE_ON_TRANSFER_ANALYSIS.md +228 -0
  74. package/FINAL_AUDIT_REPORT.md +0 -0
  75. package/FOLIO_PROXY_AUDIT.md +299 -0
  76. package/FOT_EXPLOIT_RESULTS.txt +110 -0
  77. package/FOT_TOKENS_AUDITED.md +103 -0
  78. package/HEGIC-mythril-analysis.txt +39 -0
  79. package/HEGIC_COMPLETE_ANALYSIS.md +343 -0
  80. package/HOTCROSS_SWAP_EXPLOIT_ANALYSIS.md +123 -0
  81. package/ICECREAMSWAP_EXPLOITS.md +259 -0
  82. package/IMMUNEFI_REPORT.md +314 -0
  83. package/KCCPAD_EXPLOIT_GUIDE.md +285 -0
  84. package/KEL_CEL_EXPLOIT_ANALYSIS.md +0 -0
  85. package/KOGE_AUDIT.md +328 -0
  86. package/LENDFLARE_ANALYSIS.md +239 -0
  87. package/LENDFLARE_ECHIDNA_GUIDE.md +356 -0
  88. package/LENDFLARE_EXPLOIT_INSTRUCTIONS.md +297 -0
  89. package/LENDFLARE_EXPLOIT_SUMMARY.md +292 -0
  90. package/LENDFLARE_FLASHLOAN_GUIDE.md +383 -0
  91. package/LENDFLARE_FUZZING_RESULTS.md +252 -0
  92. package/LENDFLARE_HONEYPOT_BYPASS_ANALYSIS.md +420 -0
  93. package/LENDFLARE_MANUAL_FUZZING.md +324 -0
  94. package/LENDFLARE_MYTHRIL_ANALYSIS.md +339 -0
  95. package/LENDFLARE_V3_BYPASS.md +296 -0
  96. package/LFTDECOMPILE.txt +14478 -0
  97. package/LFT_ACCOUNTING_ANALYSIS.md +0 -0
  98. package/LFT_ACCOUNTING_BUG_ANALYSIS.md +426 -0
  99. package/LFT_BACKDOOR_DEEP_DIVE.md +0 -0
  100. package/LFT_CRITICAL_EXPLOIT_CONFIRMED.md +428 -0
  101. package/LFT_EXPLOIT_VISUAL.md +253 -0
  102. package/LFT_QUICK_SUMMARY.md +124 -0
  103. package/LFT_REVERSE_EXPLOIT_ANALYSIS.md +521 -0
  104. package/MGO_AUDIT_REPORT.md +420 -0
  105. package/MYTHRIL_FINAL_REPORT.md +306 -0
  106. package/MYTHRIL_SLITHER_SUMMARY.md +244 -0
  107. package/NETX_MIGRATION_AUDIT.md +0 -0
  108. package/NPM_PUBLISH_GUIDE.md +0 -0
  109. package/NRV_CRITICAL_EXPLOIT.txt +143 -0
  110. package/NetX_Analysis.txt +76 -0
  111. package/NetX_Migration_bytecode.txt +1 -0
  112. package/NetX_Migration_source.txt +0 -0
  113. package/NetX_Token_source.txt +0 -0
  114. package/NetxWhitehatRescue +22 -0
  115. package/OILER_ATTACK_VISUAL.md +351 -0
  116. package/OILER_BLOCKSEC_TEST_RESULTS.md +421 -0
  117. package/OILER_DEEP_ANALYSIS.md +212 -0
  118. package/OILER_FINAL_EXPLOIT_REPORT.md +241 -0
  119. package/OILER_FINAL_VERDICT.md +339 -0
  120. package/OILER_REENTRANCY_EXPLAINED.md +638 -0
  121. package/OILER_REENTRANCY_FINAL_SUMMARY.md +391 -0
  122. package/OILER_REENTRANCY_REALITY_CHECK.md +393 -0
  123. package/OILER_REENTRANCY_STEP_BY_STEP.md +597 -0
  124. package/OILER_STAKING_MAINNET_ANALYSIS.md +366 -0
  125. package/OILER_STAKING_SECURITY_ANALYSIS.md +409 -0
  126. package/PANCAKESWAP_UNDERFLOW_HUNTING.md +317 -0
  127. package/POLS_MULTICHAIN_AUDIT.md +0 -0
  128. package/POSI_STAKING_AUDIT.md +0 -0
  129. package/PROXY2_SECURITY_ANALYSIS.md +0 -0
  130. package/Proxy2TACS +29748 -0
  131. package/QUICK_START.md +240 -0
  132. package/RAMP_SECURITY_ANALYSIS.md +0 -0
  133. package/README.md +238 -0
  134. package/REAUDIT_MASTER_LIST.txt +15 -0
  135. package/RING_analysis.txt +212 -0
  136. package/RPC +4 -0
  137. package/RULES.txt +20 -0
  138. package/SIREN_AUDIT.md +186 -0
  139. package/SYNC_EXPLOIT_README.md +0 -0
  140. package/SYNC_TOKEN_EXPLOIT_REPORT.md +224 -0
  141. package/TLM_raw.html +0 -0
  142. package/TLM_raw.txt +0 -0
  143. package/TLM_response.json +1 -0
  144. package/TRADOOR_AUDIT.md +253 -0
  145. package/TRUNK_AUDIT.md +285 -0
  146. package/UNIBASE_AUDIT.md +241 -0
  147. package/UNLOCK_ANALYSIS.md +0 -0
  148. package/UNLOCK_EXPLOIT.md +49 -0
  149. package/UNLOCK_EXPLOIT_ANALYSIS.md +0 -0
  150. package/UPS +232 -0
  151. package/UUPSCHECKER +208 -0
  152. package/VAULT_PROXY_AUDIT.md +457 -0
  153. package/VAULT_PROXY_FINAL_VERDICT.md +0 -0
  154. package/VERIFIED_EXPLOITS_FINAL.txt +146 -0
  155. package/WKEYDAO2_AUDIT.md +245 -0
  156. package/WSG_AUDIT.md +0 -0
  157. package/XFI_DEEP_ANALYSIS.md +327 -0
  158. package/YOOSHI_EXPLOIT_GUIDE.md +119 -0
  159. package/YSDAO_EXPLOIT_GUIDE.md +0 -0
  160. package/agent-4-bundle.md +22490 -0
  161. package/alpha-proxy-echidna.txt +1 -0
  162. package/alpha-proxy-fuzz-results.txt +81 -0
  163. package/alpha-proxy-mythril.txt +2 -0
  164. package/analyze-btcst-farm.js +54 -0
  165. package/analyze-dxsale-lock.js +75 -0
  166. package/analyze-elephant.js +69 -0
  167. package/analyze-fara-rewards.js +109 -0
  168. package/analyze-fara-storage.js +83 -0
  169. package/analyze-lft-transaction.js +158 -0
  170. package/analyze-lock-bytecode.js +59 -0
  171. package/analyze-shegic.js +0 -0
  172. package/analyze-staking-abi.js +0 -0
  173. package/analyze-sxp.js +57 -0
  174. package/analyze-tlm.js +76 -0
  175. package/analyze-trumpet.js +98 -0
  176. package/analyze-unlimited-nft.js +108 -0
  177. package/analyze_elephant.sh +27 -0
  178. package/analyze_vault.sh +32 -0
  179. package/aria-bytecode.txt +1 -0
  180. package/aria_response.json +1 -0
  181. package/ark_temp/README.md +66 -0
  182. package/ark_temp/lib/forge-std/.gitattributes +1 -0
  183. package/ark_temp/lib/forge-std/.github/CODEOWNERS +1 -0
  184. package/ark_temp/lib/forge-std/.github/dependabot.yml +6 -0
  185. package/ark_temp/lib/forge-std/.github/workflows/ci.yml +125 -0
  186. package/ark_temp/lib/forge-std/.github/workflows/sync.yml +36 -0
  187. package/ark_temp/lib/forge-std/CONTRIBUTING.md +193 -0
  188. package/ark_temp/lib/forge-std/LICENSE-APACHE +203 -0
  189. package/ark_temp/lib/forge-std/LICENSE-MIT +25 -0
  190. package/ark_temp/lib/forge-std/README.md +314 -0
  191. package/ark_temp/lib/forge-std/RELEASE_CHECKLIST.md +12 -0
  192. package/ark_temp/lib/forge-std/package.json +16 -0
  193. package/ark_temp/lib/forge-std/scripts/vm.py +636 -0
  194. package/audits/AiFi-security-audit-20260326.md +499 -0
  195. package/audits/BasedAI-Brains-security-audit-20260324.md +651 -0
  196. package/audits/BinanceAlphaWallet-pashov-ai-audit-report-20260324-170000.md +362 -0
  197. package/audits/DGToken-security-audit-20260324.md +376 -0
  198. package/audits/DSyncStaking-audit-part1.md +161 -0
  199. package/audits/DSyncStaking-security-audit-20260324.md +547 -0
  200. package/audits/DecompiledERC20-security-audit-20260325.md +397 -0
  201. package/audits/DegenVC-security-audit-20260324.md +585 -0
  202. package/audits/DelreyInu-security-audit-20260324.md +463 -0
  203. package/audits/DestraNetwork-security-audit-20260324.md +705 -0
  204. package/audits/DomiToken-security-audit-20260324.md +514 -0
  205. package/audits/LendFlareToken-security-audit-20260325.md +197 -0
  206. package/audits/LockReleaseTokenPool-security-audit-20260324.md +482 -0
  207. package/audits/MOG-pashov-ai-audit-report-20260324-164900.md +229 -0
  208. package/audits/PAALAI-security-audit-20260324.md +475 -0
  209. package/audits/PAR-security-audit-20260325.md +311 -0
  210. package/audits/PepeCoinStaking-security-audit-20260324.md +358 -0
  211. package/audits/StakingPool-security-audit-20260324.md +517 -0
  212. package/audits/SyncToken-security-audit-20260324.md +778 -0
  213. package/audits/UndeadToken-decompiled-security-audit-20260324.md +485 -0
  214. package/audits/UnknownToken-decompiled-security-audit-20260324.md +647 -0
  215. package/audits/XFIStaking-security-audit-20260324.md +682 -0
  216. package/audits/Xfinance-security-audit-20260324.md +463 -0
  217. package/audits/basedAIFarm-security-audit-20260324.md +330 -0
  218. package/audits/pepeCoin-security-audit-20260324.md +462 -0
  219. package/bin/ups +232 -0
  220. package/binance-wallet-exploit/.env.example +2 -0
  221. package/binance-wallet-exploit/EXECUTIVE_SUMMARY.md +272 -0
  222. package/binance-wallet-exploit/EXPLOIT_SUMMARY.md +104 -0
  223. package/binance-wallet-exploit/FINAL_ANALYSIS.md +326 -0
  224. package/binance-wallet-exploit/FLASHLOAN_ATTACK.md +292 -0
  225. package/binance-wallet-exploit/HONEYPOT_REPORT.md +526 -0
  226. package/binance-wallet-exploit/INVESTIGATION_COMPLETE.md +362 -0
  227. package/binance-wallet-exploit/LENDFLARE_EXPLOIT.md +219 -0
  228. package/binance-wallet-exploit/LENDFLARE_FINAL_ATTACK.md +307 -0
  229. package/binance-wallet-exploit/LENDFLARE_REAL_EXPLOIT.md +286 -0
  230. package/binance-wallet-exploit/LENDFLARE_RUGPULL.md +269 -0
  231. package/binance-wallet-exploit/LFT_ANALYSIS.md +206 -0
  232. package/binance-wallet-exploit/QUICK_START.md +75 -0
  233. package/binance-wallet-exploit/README.md +195 -0
  234. package/binance-wallet-exploit/REAL_TX_EXPLOIT_ANALYSIS.md +271 -0
  235. package/binance-wallet-exploit/REMIX_INSTRUCTIONS.md +223 -0
  236. package/binance-wallet-exploit/TEST_RESULTS.md +203 -0
  237. package/binance-wallet-exploit/cache/solidity-files-cache.json +1 -0
  238. package/binance-wallet-exploit/cache/test-failures +1 -0
  239. package/binance-wallet-exploit/lib/forge-std/.gitattributes +1 -0
  240. package/binance-wallet-exploit/lib/forge-std/.github/CODEOWNERS +1 -0
  241. package/binance-wallet-exploit/lib/forge-std/.github/dependabot.yml +6 -0
  242. package/binance-wallet-exploit/lib/forge-std/.github/workflows/ci.yml +125 -0
  243. package/binance-wallet-exploit/lib/forge-std/.github/workflows/sync.yml +36 -0
  244. package/binance-wallet-exploit/lib/forge-std/CONTRIBUTING.md +193 -0
  245. package/binance-wallet-exploit/lib/forge-std/LICENSE-APACHE +203 -0
  246. package/binance-wallet-exploit/lib/forge-std/LICENSE-MIT +25 -0
  247. package/binance-wallet-exploit/lib/forge-std/README.md +314 -0
  248. package/binance-wallet-exploit/lib/forge-std/RELEASE_CHECKLIST.md +12 -0
  249. package/binance-wallet-exploit/lib/forge-std/package.json +16 -0
  250. package/binance-wallet-exploit/lib/forge-std/scripts/vm.py +636 -0
  251. package/binance-wallet-exploit/out/build-info/1e9aa7e86cf56962.json +1 -0
  252. package/binance-wallet-exploit/out/build-info/6f56f10e9d7b56eb.json +1 -0
  253. package/binance-wallet-exploit/out/build-info/7edba961ff697a24.json +1 -0
  254. package/binance-wallet-exploit/out/build-info/8c27fe3efea2f2e7.json +1 -0
  255. package/binance-wallet-exploit/out/build-info/978b680daffec63a.json +1 -0
  256. package/binance-wallet-exploit/out/build-info/9806b900b5672d0c.json +1 -0
  257. package/binance-wallet-exploit/out/build-info/b4b9ff36e9b3fc27.json +1 -0
  258. package/binance-wallet-exploit/out/build-info/b6f4df9ae05c0812.json +1 -0
  259. package/binance-wallet-exploit/out/build-info/c88dbc86551f7b5c.json +1 -0
  260. package/binance-wallet-exploit/out/build-info/e9657504010623db.json +1 -0
  261. package/cache/fuzz/failures/ARIAVerifiedFuzzTest/testFuzz_ApprovalRaceCondition +1 -0
  262. package/cache/fuzz/failures/HotCrossSwapFuzzTest/testFuzz_DirectTransferExploit +1 -0
  263. package/cache/fuzz/failures/HotCrossSwapFuzzTest/testFuzz_LargeSwapDrain +1 -0
  264. package/cache/fuzz/failures/LendFlareFuzz/testFuzz_ApprovalExploit +1 -0
  265. package/cache/fuzz/failures/LendFlareFuzz/testFuzz_BalanceManipulation +1 -0
  266. package/cache/fuzz/failures/LendFlareFuzz/testFuzz_RateManipulation +1 -0
  267. package/cache/fuzz/failures/LendFlareFuzz/testFuzz_StorageManipulation +1 -0
  268. package/cache/fuzz/failures/PARFuzzTest/testFuzz_OverflowTransfer +1 -0
  269. package/cache/fuzz/failures/PARFuzzTest/testFuzz_Transfer +1 -0
  270. package/cache/fuzz/failures/XFIDeepFuzz/testFuzz_FrontrunAddfunds +1 -0
  271. package/cache/fuzz/failures/XFIDeepFuzz/testFuzz_RewardOverflow +1 -0
  272. package/cache/fuzz/failures/XFIDeepFuzz/testFuzz_RoundingExploit +1 -0
  273. package/cache/fuzz/failures/XFIDeepFuzz/testFuzz_WithdrawLimit +1 -0
  274. package/cache/solidity-files-cache.json +1 -0
  275. package/cache/test-failures +1 -0
  276. package/calculate-elephant-flashloan.js +195 -0
  277. package/check-address-approval.js +112 -0
  278. package/check-alpha-proxy.js +42 -0
  279. package/check-arbitrage.js +155 -0
  280. package/check-aria-token.js +47 -0
  281. package/check-ark.sh +20 -0
  282. package/check-btcst-mining.js +75 -0
  283. package/check-btcst-pools.js +163 -0
  284. package/check-btcst.js +88 -0
  285. package/check-caller.js +26 -0
  286. package/check-ceek-lp.js +73 -0
  287. package/check-ceek.js +47 -0
  288. package/check-dxsale-address.js +35 -0
  289. package/check-fara-exploit-timing.js +56 -0
  290. package/check-fara-real-exploit.js +73 -0
  291. package/check-flashloan-limits.js +129 -0
  292. package/check-kel-cel-pool.js +91 -0
  293. package/check-lax-staking.js +41 -0
  294. package/check-lendflare.js +165 -0
  295. package/check-lft-accounting.js +109 -0
  296. package/check-lft-roles.js +165 -0
  297. package/check-lock-time.js +47 -0
  298. package/check-min-stake.js +73 -0
  299. package/check-mystery-contract.js +52 -0
  300. package/check-next-token.js +50 -0
  301. package/check-nora-lock.js +67 -0
  302. package/check-oiler-approvals.js +116 -0
  303. package/check-oiler-proxy.js +73 -0
  304. package/check-oiler-staking.js +117 -0
  305. package/check-proxy-simple.js +71 -0
  306. package/check-recent-stakes.js +54 -0
  307. package/check-shegic-holdings.js +67 -0
  308. package/check-snowcrash-ecosystem.js +83 -0
  309. package/check-sync-lp.js +97 -0
  310. package/check-sync-stake.js +42 -0
  311. package/check-tlm.js +37 -0
  312. package/check-token-pools.js +146 -0
  313. package/check-trunk-depeg.js +181 -0
  314. package/check-tusd-decimals.js +58 -0
  315. package/check-user-storage-deep.js +81 -0
  316. package/check-welephant-pools.js +130 -0
  317. package/check-xfi-pool.js +75 -0
  318. package/check-zypher.js +32 -0
  319. package/check_proxy.sh +36 -0
  320. package/compare-tlm-chains.js +90 -0
  321. package/contract_0x05f2.html +6025 -0
  322. package/contract_0x3720.html +6361 -0
  323. package/contract_0x928e.html +5606 -0
  324. package/contract_0xc42d.html +5304 -0
  325. package/contract_page.html +5789 -0
  326. package/decode-stake-tx.js +50 -0
  327. package/deep-analyze-lock.js +82 -0
  328. package/dune_uups_proxy_query.sql +42 -0
  329. package/dune_uups_vulnerable_query.sql +0 -0
  330. package/echidna/alpha-proxy.yaml +14 -0
  331. package/echidna/elephant.yaml +7 -0
  332. package/echidna/lendflare.yaml +42 -0
  333. package/echidna.config.yaml +12 -0
  334. package/elephant_raw.json +1 -0
  335. package/eps_raw.json +1 -0
  336. package/exploit/.github/workflows/test.yml +38 -0
  337. package/exploit/.gitmodules +3 -0
  338. package/exploit/README.md +66 -0
  339. package/exploit/foundry.lock +8 -0
  340. package/exploit/lib/forge-std/.gitattributes +1 -0
  341. package/exploit/lib/forge-std/.github/CODEOWNERS +1 -0
  342. package/exploit/lib/forge-std/.github/dependabot.yml +6 -0
  343. package/exploit/lib/forge-std/.github/workflows/ci.yml +125 -0
  344. package/exploit/lib/forge-std/.github/workflows/sync.yml +36 -0
  345. package/exploit/lib/forge-std/CONTRIBUTING.md +193 -0
  346. package/exploit/lib/forge-std/LICENSE-APACHE +203 -0
  347. package/exploit/lib/forge-std/LICENSE-MIT +25 -0
  348. package/exploit/lib/forge-std/README.md +314 -0
  349. package/exploit/lib/forge-std/RELEASE_CHECKLIST.md +12 -0
  350. package/exploit/lib/forge-std/package.json +16 -0
  351. package/exploit/lib/forge-std/scripts/vm.py +636 -0
  352. package/exploit_analysis.txt +51 -0
  353. package/extract_contract.py +21 -0
  354. package/extract_elephant_contracts.py +24 -0
  355. package/fara-staking-bytecode.txt +1 -0
  356. package/fara-staking-raw.txt +1 -0
  357. package/fetch-aria.js +46 -0
  358. package/fetch-contract.js +50 -0
  359. package/fetch-shegic-source.js +86 -0
  360. package/fetch-snowcrash.js +44 -0
  361. package/fetch-staking-source.js +53 -0
  362. package/fetch-tlm.js +60 -0
  363. package/fetch_elephant_source.py +32 -0
  364. package/find-ceek-staking.js +21 -0
  365. package/find-exploit-tx.js +88 -0
  366. package/find-oiler-holders.js +100 -0
  367. package/find-tlm-holder.js +36 -0
  368. package/find-vulnerable-fund.js +94 -0
  369. package/foundry.lock +8 -0
  370. package/fuzz-all.sh +53 -0
  371. package/get-aria-contract.py +40 -0
  372. package/get-lft-holders.js +89 -0
  373. package/get-tlm-source.sh +8 -0
  374. package/harvest_txs.json +1 -0
  375. package/lft-bytecode-raw.txt +1 -0
  376. package/lft-bytecode.json +1 -0
  377. package/lft-impl.bin +1 -0
  378. package/lft-implementation-bytecode.txt +1 -0
  379. package/lib/forge-std/.gitattributes +1 -0
  380. package/lib/forge-std/.github/CODEOWNERS +1 -0
  381. package/lib/forge-std/.github/dependabot.yml +6 -0
  382. package/lib/forge-std/.github/workflows/ci.yml +125 -0
  383. package/lib/forge-std/.github/workflows/sync.yml +36 -0
  384. package/lib/forge-std/CONTRIBUTING.md +193 -0
  385. package/lib/forge-std/LICENSE-APACHE +203 -0
  386. package/lib/forge-std/LICENSE-MIT +25 -0
  387. package/lib/forge-std/README.md +314 -0
  388. package/lib/forge-std/RELEASE_CHECKLIST.md +12 -0
  389. package/lib/forge-std/package.json +16 -0
  390. package/lib/forge-std/scripts/vm.py +636 -0
  391. package/lib/openzeppelin-contracts/.changeset/config.json +12 -0
  392. package/lib/openzeppelin-contracts/.codecov.yml +12 -0
  393. package/lib/openzeppelin-contracts/.editorconfig +21 -0
  394. package/lib/openzeppelin-contracts/.eslintrc +20 -0
  395. package/lib/openzeppelin-contracts/.github/ISSUE_TEMPLATE/bug_report.md +21 -0
  396. package/lib/openzeppelin-contracts/.github/ISSUE_TEMPLATE/config.yml +4 -0
  397. package/lib/openzeppelin-contracts/.github/ISSUE_TEMPLATE/feature_request.md +14 -0
  398. package/lib/openzeppelin-contracts/.github/PULL_REQUEST_TEMPLATE.md +20 -0
  399. package/lib/openzeppelin-contracts/.github/actions/gas-compare/action.yml +49 -0
  400. package/lib/openzeppelin-contracts/.github/actions/setup/action.yml +21 -0
  401. package/lib/openzeppelin-contracts/.github/actions/storage-layout/action.yml +55 -0
  402. package/lib/openzeppelin-contracts/.github/workflows/actionlint.yml +18 -0
  403. package/lib/openzeppelin-contracts/.github/workflows/changeset.yml +28 -0
  404. package/lib/openzeppelin-contracts/.github/workflows/checks.yml +118 -0
  405. package/lib/openzeppelin-contracts/.github/workflows/docs.yml +19 -0
  406. package/lib/openzeppelin-contracts/.github/workflows/formal-verification.yml +68 -0
  407. package/lib/openzeppelin-contracts/.github/workflows/release-cycle.yml +214 -0
  408. package/lib/openzeppelin-contracts/.github/workflows/upgradeable.yml +34 -0
  409. package/lib/openzeppelin-contracts/.gitmodules +7 -0
  410. package/lib/openzeppelin-contracts/.mocharc.js +4 -0
  411. package/lib/openzeppelin-contracts/.prettierrc +15 -0
  412. package/lib/openzeppelin-contracts/.solcover.js +13 -0
  413. package/lib/openzeppelin-contracts/CHANGELOG.md +972 -0
  414. package/lib/openzeppelin-contracts/CODE_OF_CONDUCT.md +73 -0
  415. package/lib/openzeppelin-contracts/CONTRIBUTING.md +36 -0
  416. package/lib/openzeppelin-contracts/GUIDELINES.md +148 -0
  417. package/lib/openzeppelin-contracts/LICENSE +22 -0
  418. package/lib/openzeppelin-contracts/README.md +107 -0
  419. package/lib/openzeppelin-contracts/RELEASING.md +45 -0
  420. package/lib/openzeppelin-contracts/SECURITY.md +42 -0
  421. package/lib/openzeppelin-contracts/audits/2017-03.md +292 -0
  422. package/lib/openzeppelin-contracts/audits/2018-10.pdf +0 -0
  423. package/lib/openzeppelin-contracts/audits/2022-10-Checkpoints.pdf +0 -0
  424. package/lib/openzeppelin-contracts/audits/2022-10-ERC4626.pdf +0 -0
  425. package/lib/openzeppelin-contracts/audits/2023-05-v4.9.pdf +0 -0
  426. package/lib/openzeppelin-contracts/audits/2023-10-v5.0.pdf +0 -0
  427. package/lib/openzeppelin-contracts/audits/README.md +17 -0
  428. package/lib/openzeppelin-contracts/certora/Makefile +54 -0
  429. package/lib/openzeppelin-contracts/certora/README.md +60 -0
  430. package/lib/openzeppelin-contracts/certora/diff/access_manager_AccessManager.sol.patch +97 -0
  431. package/lib/openzeppelin-contracts/certora/reports/2021-10.pdf +0 -0
  432. package/lib/openzeppelin-contracts/certora/reports/2022-03.pdf +0 -0
  433. package/lib/openzeppelin-contracts/certora/reports/2022-05.pdf +0 -0
  434. package/lib/openzeppelin-contracts/certora/run.js +160 -0
  435. package/lib/openzeppelin-contracts/certora/specs/AccessControl.spec +119 -0
  436. package/lib/openzeppelin-contracts/certora/specs/AccessControlDefaultAdminRules.spec +464 -0
  437. package/lib/openzeppelin-contracts/certora/specs/DoubleEndedQueue.spec +300 -0
  438. package/lib/openzeppelin-contracts/certora/specs/ERC20.spec +352 -0
  439. package/lib/openzeppelin-contracts/certora/specs/ERC20FlashMint.spec +55 -0
  440. package/lib/openzeppelin-contracts/certora/specs/ERC20Wrapper.spec +198 -0
  441. package/lib/openzeppelin-contracts/certora/specs/ERC721.spec +679 -0
  442. package/lib/openzeppelin-contracts/certora/specs/EnumerableMap.spec +333 -0
  443. package/lib/openzeppelin-contracts/certora/specs/EnumerableSet.spec +246 -0
  444. package/lib/openzeppelin-contracts/certora/specs/Initializable.spec +165 -0
  445. package/lib/openzeppelin-contracts/certora/specs/Ownable.spec +77 -0
  446. package/lib/openzeppelin-contracts/certora/specs/Ownable2Step.spec +108 -0
  447. package/lib/openzeppelin-contracts/certora/specs/Pausable.spec +96 -0
  448. package/lib/openzeppelin-contracts/certora/specs/TimelockController.spec +274 -0
  449. package/lib/openzeppelin-contracts/certora/specs/helpers/helpers.spec +7 -0
  450. package/lib/openzeppelin-contracts/certora/specs/methods/IAccessControl.spec +8 -0
  451. package/lib/openzeppelin-contracts/certora/specs/methods/IAccessControlDefaultAdminRules.spec +36 -0
  452. package/lib/openzeppelin-contracts/certora/specs/methods/IERC20.spec +11 -0
  453. package/lib/openzeppelin-contracts/certora/specs/methods/IERC2612.spec +5 -0
  454. package/lib/openzeppelin-contracts/certora/specs/methods/IERC3156FlashBorrower.spec +3 -0
  455. package/lib/openzeppelin-contracts/certora/specs/methods/IERC3156FlashLender.spec +5 -0
  456. package/lib/openzeppelin-contracts/certora/specs/methods/IERC5313.spec +3 -0
  457. package/lib/openzeppelin-contracts/certora/specs/methods/IERC721.spec +17 -0
  458. package/lib/openzeppelin-contracts/certora/specs/methods/IERC721Receiver.spec +3 -0
  459. package/lib/openzeppelin-contracts/certora/specs/methods/IOwnable.spec +5 -0
  460. package/lib/openzeppelin-contracts/certora/specs/methods/IOwnable2Step.spec +7 -0
  461. package/lib/openzeppelin-contracts/certora/specs.json +86 -0
  462. package/lib/openzeppelin-contracts/contracts/access/README.adoc +43 -0
  463. package/lib/openzeppelin-contracts/contracts/finance/README.adoc +14 -0
  464. package/lib/openzeppelin-contracts/contracts/governance/README.adoc +167 -0
  465. package/lib/openzeppelin-contracts/contracts/interfaces/README.adoc +82 -0
  466. package/lib/openzeppelin-contracts/contracts/metatx/README.adoc +12 -0
  467. package/lib/openzeppelin-contracts/contracts/package.json +32 -0
  468. package/lib/openzeppelin-contracts/contracts/proxy/README.adoc +87 -0
  469. package/lib/openzeppelin-contracts/contracts/token/ERC1155/README.adoc +41 -0
  470. package/lib/openzeppelin-contracts/contracts/token/ERC20/README.adoc +67 -0
  471. package/lib/openzeppelin-contracts/contracts/token/ERC721/README.adoc +67 -0
  472. package/lib/openzeppelin-contracts/contracts/token/common/README.adoc +10 -0
  473. package/lib/openzeppelin-contracts/contracts/utils/README.adoc +88 -0
  474. package/lib/openzeppelin-contracts/contracts/vendor/compound/LICENSE +11 -0
  475. package/lib/openzeppelin-contracts/docs/README.md +16 -0
  476. package/lib/openzeppelin-contracts/docs/antora.yml +7 -0
  477. package/lib/openzeppelin-contracts/docs/config.js +21 -0
  478. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-attack-3a.png +0 -0
  479. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-attack-3b.png +0 -0
  480. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-attack-6.png +0 -0
  481. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-attack.png +0 -0
  482. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-deposit.png +0 -0
  483. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-mint.png +0 -0
  484. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-rate-linear.png +0 -0
  485. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-rate-loglog.png +0 -0
  486. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-rate-loglogext.png +0 -0
  487. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/tally-exec.png +0 -0
  488. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/tally-vote.png +0 -0
  489. package/lib/openzeppelin-contracts/docs/modules/ROOT/nav.adoc +23 -0
  490. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/access-control.adoc +204 -0
  491. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/backwards-compatibility.adoc +48 -0
  492. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/crowdsales.adoc +11 -0
  493. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/drafts.adoc +19 -0
  494. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc1155.adoc +145 -0
  495. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc20-supply.adoc +71 -0
  496. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc20.adoc +77 -0
  497. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc4626.adoc +214 -0
  498. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc721.adoc +79 -0
  499. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/extending-contracts.adoc +77 -0
  500. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/faq.adoc +13 -0
  501. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/governance.adoc +240 -0
  502. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/index.adoc +79 -0
  503. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/tokens.adoc +31 -0
  504. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/upgradeable.adoc +77 -0
  505. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/utilities.adoc +185 -0
  506. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/wizard.adoc +15 -0
  507. package/lib/openzeppelin-contracts/docs/templates/contract.hbs +111 -0
  508. package/lib/openzeppelin-contracts/docs/templates/helpers.js +46 -0
  509. package/lib/openzeppelin-contracts/docs/templates/page.hbs +4 -0
  510. package/lib/openzeppelin-contracts/docs/templates/properties.js +64 -0
  511. package/lib/openzeppelin-contracts/hardhat/env-artifacts.js +24 -0
  512. package/lib/openzeppelin-contracts/hardhat/env-contract.js +25 -0
  513. package/lib/openzeppelin-contracts/hardhat/ignore-unreachable-warnings.js +45 -0
  514. package/lib/openzeppelin-contracts/hardhat/skip-foundry-tests.js +6 -0
  515. package/lib/openzeppelin-contracts/hardhat/task-test-get-files.js +25 -0
  516. package/lib/openzeppelin-contracts/hardhat.config.js +131 -0
  517. package/lib/openzeppelin-contracts/lib/erc4626-tests/LICENSE +661 -0
  518. package/lib/openzeppelin-contracts/lib/erc4626-tests/README.md +116 -0
  519. package/lib/openzeppelin-contracts/lib/forge-std/.github/workflows/ci.yml +92 -0
  520. package/lib/openzeppelin-contracts/lib/forge-std/.gitmodules +3 -0
  521. package/lib/openzeppelin-contracts/lib/forge-std/LICENSE-APACHE +203 -0
  522. package/lib/openzeppelin-contracts/lib/forge-std/LICENSE-MIT +25 -0
  523. package/lib/openzeppelin-contracts/lib/forge-std/README.md +250 -0
  524. package/lib/openzeppelin-contracts/lib/forge-std/package.json +16 -0
  525. package/lib/openzeppelin-contracts/logo.svg +15 -0
  526. package/lib/openzeppelin-contracts/netlify.toml +3 -0
  527. package/lib/openzeppelin-contracts/package-lock.json +16544 -0
  528. package/lib/openzeppelin-contracts/package.json +96 -0
  529. package/lib/openzeppelin-contracts/remappings.txt +1 -0
  530. package/lib/openzeppelin-contracts/renovate.json +4 -0
  531. package/lib/openzeppelin-contracts/requirements.txt +1 -0
  532. package/lib/openzeppelin-contracts/scripts/checks/compare-layout.js +20 -0
  533. package/lib/openzeppelin-contracts/scripts/checks/compareGasReports.js +243 -0
  534. package/lib/openzeppelin-contracts/scripts/checks/extract-layout.js +38 -0
  535. package/lib/openzeppelin-contracts/scripts/checks/generation.sh +6 -0
  536. package/lib/openzeppelin-contracts/scripts/checks/inheritance-ordering.js +54 -0
  537. package/lib/openzeppelin-contracts/scripts/gen-nav.js +41 -0
  538. package/lib/openzeppelin-contracts/scripts/generate/format-lines.js +16 -0
  539. package/lib/openzeppelin-contracts/scripts/generate/run.js +49 -0
  540. package/lib/openzeppelin-contracts/scripts/generate/templates/Checkpoints.js +247 -0
  541. package/lib/openzeppelin-contracts/scripts/generate/templates/Checkpoints.opts.js +17 -0
  542. package/lib/openzeppelin-contracts/scripts/generate/templates/Checkpoints.t.js +146 -0
  543. package/lib/openzeppelin-contracts/scripts/generate/templates/EnumerableMap.js +283 -0
  544. package/lib/openzeppelin-contracts/scripts/generate/templates/EnumerableSet.js +250 -0
  545. package/lib/openzeppelin-contracts/scripts/generate/templates/SafeCast.js +126 -0
  546. package/lib/openzeppelin-contracts/scripts/generate/templates/StorageSlot.js +78 -0
  547. package/lib/openzeppelin-contracts/scripts/generate/templates/conversion.js +30 -0
  548. package/lib/openzeppelin-contracts/scripts/git-user-config.sh +6 -0
  549. package/lib/openzeppelin-contracts/scripts/helpers.js +37 -0
  550. package/lib/openzeppelin-contracts/scripts/prepack.sh +23 -0
  551. package/lib/openzeppelin-contracts/scripts/prepare-docs.sh +26 -0
  552. package/lib/openzeppelin-contracts/scripts/release/format-changelog.js +33 -0
  553. package/lib/openzeppelin-contracts/scripts/release/synchronize-versions.js +15 -0
  554. package/lib/openzeppelin-contracts/scripts/release/update-comment.js +34 -0
  555. package/lib/openzeppelin-contracts/scripts/release/version.sh +11 -0
  556. package/lib/openzeppelin-contracts/scripts/release/workflow/exit-prerelease.sh +8 -0
  557. package/lib/openzeppelin-contracts/scripts/release/workflow/github-release.js +48 -0
  558. package/lib/openzeppelin-contracts/scripts/release/workflow/integrity-check.sh +20 -0
  559. package/lib/openzeppelin-contracts/scripts/release/workflow/pack.sh +26 -0
  560. package/lib/openzeppelin-contracts/scripts/release/workflow/publish.sh +26 -0
  561. package/lib/openzeppelin-contracts/scripts/release/workflow/rerun.js +7 -0
  562. package/lib/openzeppelin-contracts/scripts/release/workflow/set-changesets-pr-title.js +17 -0
  563. package/lib/openzeppelin-contracts/scripts/release/workflow/start.sh +35 -0
  564. package/lib/openzeppelin-contracts/scripts/release/workflow/state.js +112 -0
  565. package/lib/openzeppelin-contracts/scripts/remove-ignored-artifacts.js +45 -0
  566. package/lib/openzeppelin-contracts/scripts/solhint-custom/index.js +84 -0
  567. package/lib/openzeppelin-contracts/scripts/solhint-custom/package.json +5 -0
  568. package/lib/openzeppelin-contracts/scripts/update-docs-branch.js +65 -0
  569. package/lib/openzeppelin-contracts/scripts/upgradeable/README.md +21 -0
  570. package/lib/openzeppelin-contracts/scripts/upgradeable/patch-apply.sh +19 -0
  571. package/lib/openzeppelin-contracts/scripts/upgradeable/patch-save.sh +18 -0
  572. package/lib/openzeppelin-contracts/scripts/upgradeable/transpile-onto.sh +54 -0
  573. package/lib/openzeppelin-contracts/scripts/upgradeable/transpile.sh +47 -0
  574. package/lib/openzeppelin-contracts/scripts/upgradeable/upgradeable.patch +360 -0
  575. package/lib/openzeppelin-contracts/slither.config.json +5 -0
  576. package/lib/openzeppelin-contracts/solhint.config.js +20 -0
  577. package/mythril-lft-output.txt +1 -0
  578. package/mythril-lft-symbolic.txt +18 -0
  579. package/mythril-lft.sh +20 -0
  580. package/mythril-symbolic-output.txt +1 -0
  581. package/mythril-symbolic.sh +42 -0
  582. package/out/build-info/0026b78428192979.json +1 -0
  583. package/out/build-info/03c4fc3b88486eba.json +1 -0
  584. package/out/build-info/0540afa9b9a5c5a6.json +1 -0
  585. package/out/build-info/081932f505bc08b9.json +1 -0
  586. package/out/build-info/0da104ba0d6642d5.json +1 -0
  587. package/out/build-info/197281971dbb5f23.json +1 -0
  588. package/out/build-info/197e7e332832a232.json +1 -0
  589. package/out/build-info/1a1cab9136eb5f94.json +1 -0
  590. package/out/build-info/1b320204eb162aa2.json +1 -0
  591. package/out/build-info/1e03f94398052674.json +1 -0
  592. package/out/build-info/22ac085949602937.json +1 -0
  593. package/out/build-info/234ef37453a9fa64.json +1 -0
  594. package/out/build-info/2447db7b1878fa8e.json +1 -0
  595. package/out/build-info/25568daeb484f5ff.json +1 -0
  596. package/out/build-info/27465853244c49ce.json +1 -0
  597. package/out/build-info/2c57a9e0f087453b.json +1 -0
  598. package/out/build-info/3c62ae7de8da68c4.json +1 -0
  599. package/out/build-info/3e771ae109e97bb3.json +1 -0
  600. package/out/build-info/460499bc0a3465c4.json +1 -0
  601. package/out/build-info/47ce37e50a4f115e.json +1 -0
  602. package/out/build-info/4fcce5c63cf427d6.json +1 -0
  603. package/out/build-info/4fd0a53fe63fddbb.json +1 -0
  604. package/out/build-info/50f1247db9d769cc.json +1 -0
  605. package/out/build-info/5317d0181a7a5e02.json +1 -0
  606. package/out/build-info/594df509275ceb5b.json +1 -0
  607. package/out/build-info/61983ac3f6141719.json +1 -0
  608. package/out/build-info/638c4548307122fe.json +1 -0
  609. package/out/build-info/67c2c43bdb7c0ded.json +1 -0
  610. package/out/build-info/777f42643aad37b7.json +1 -0
  611. package/out/build-info/7d7856f19e845354.json +1 -0
  612. package/out/build-info/83976260b6f71e94.json +1 -0
  613. package/out/build-info/83c23882000b963d.json +1 -0
  614. package/out/build-info/84b2cce8f70b36be.json +1 -0
  615. package/out/build-info/8bc13d31d7c3206a.json +1 -0
  616. package/out/build-info/8e183bd4d9d8cf88.json +1 -0
  617. package/out/build-info/94bfe1e7cafa8ff5.json +1 -0
  618. package/out/build-info/99ec7d5e8d8ff360.json +1 -0
  619. package/out/build-info/9ac044b29daa7d5e.json +1 -0
  620. package/out/build-info/9b203227ff5d2e63.json +1 -0
  621. package/out/build-info/9d18c5872c4282dd.json +1 -0
  622. package/out/build-info/9f77f04f33baf9a3.json +1 -0
  623. package/out/build-info/a6e1caf974787982.json +1 -0
  624. package/out/build-info/a94b6348867a62d6.json +1 -0
  625. package/out/build-info/ad93721947a8b195.json +1 -0
  626. package/out/build-info/b42daddb5aa4b19f.json +1 -0
  627. package/out/build-info/bf13512ae899f7e8.json +1 -0
  628. package/out/build-info/c39f86c20a548c4a.json +1 -0
  629. package/out/build-info/cb12bb975a2f4e65.json +1 -0
  630. package/out/build-info/d0c6788fadc2aa60.json +1 -0
  631. package/out/build-info/d2726bf94ed5b845.json +1 -0
  632. package/out/build-info/d4eb00da50cce5cb.json +1 -0
  633. package/out/build-info/db931924a3bc8bdd.json +1 -0
  634. package/out/build-info/e1a503d49bc77401.json +1 -0
  635. package/out/build-info/efe5396f8892ce77.json +1 -0
  636. package/out/build-info/f536d90ced745969.json +1 -0
  637. package/out/build-info/fed38823c7019b82.json +1 -0
  638. package/package.json +51 -0
  639. package/page.html +5384 -0
  640. package/pancakeswap-simple-tvl.sql +15 -0
  641. package/pancakeswap-top-pools.sql +29 -0
  642. package/pancakeswap-tvl-optimized.sql +57 -0
  643. package/pancakeswap-tvl-query.sql +60 -0
  644. package/pancakeswap-underflow-hunting.sql +51 -0
  645. package/pancakeswap-vulnerability-queries.sql +200 -0
  646. package/posi_page.html +6369 -0
  647. package/posi_response.json +29 -0
  648. package/proxy_page.html +500 -0
  649. package/run_mythril_elephant.sh +18 -0
  650. package/sHEGIC-bytecode.bin +6 -0
  651. package/sHEGIC-mythril-analysis.txt +1 -0
  652. package/sHEGIC-mythril-full.txt +134 -0
  653. package/sHEGIC_ANALYSIS.md +135 -0
  654. package/sHEGIC_EXPLOIT_ANALYSIS.md +317 -0
  655. package/sHEGIC_MYTHRIL_ANALYSIS.md +361 -0
  656. package/scrape-snowcrash.js +28 -0
  657. package/scripts/yooshi_drain.sh +154 -0
  658. package/shi_raw.json +1 -0
  659. package/temp.json +1 -0
  660. package/temp_harvest.json +1 -0
  661. package/temp_pika.json +1 -0
  662. package/temp_posi.json +1 -0
  663. package/temp_response.json +1 -0
  664. package/test-lft-hidden-balance.js +108 -0
  665. package/test-xfi-exploit.js +140 -0
  666. package/trunk-liquidity-rescue.js +164 -0
  667. package/vBABY_page.html +6153 -0
  668. package/vBABY_response.json +29 -0
  669. package/wsg_response.json +1 -0
  670. package/yooldo_page.html +10371 -0
@@ -0,0 +1,239 @@
1
+ # Beefy Finance Monad Chain Analysis
2
+
3
+ ## Overview
4
+ Analyzing Beefy Finance vaults deployed on Monad chain with focus on yield strategies, security, and opportunities.
5
+
6
+ **Chain Stats:**
7
+ - Total Value Locked: $176.82M
8
+ - Weekly Yield: $206,390
9
+ - Weekly Revenue: $11,632
10
+ - Weekly Buyback: $3,001
11
+
12
+ ## Vault Analysis
13
+
14
+ ### 1. WBTC-WMON PancakeSwap CLM Vault (Boosted)
15
+ **Performance:**
16
+ - APY: 171.38%
17
+ - Base APY: 115.09%
18
+ - Daily APY: 0.3642%
19
+ - Daily Boost: 0.21%
20
+ - TVL: $84,804
21
+ - Liquidity: $74,840
22
+
23
+ **Strategy Type:** Concentrated Liquidity Market (CLM) with Boost
24
+ **Risk Level:** High (volatile pair, concentrated liquidity)
25
+ **Notes:** Extremely high APY suggests high IL risk and potential reward farming incentives
26
+
27
+ ### 2. WETH-WMON PancakeSwap CLM Vault (Boosted)
28
+ **Performance:**
29
+ - APY: 100.57%
30
+ - Base APY: 56.7%
31
+ - Daily APY: 0.2433%
32
+ - Daily Boost: 0.1231%
33
+ - TVL: $112,714
34
+ - Liquidity: $53,943
35
+
36
+ **Strategy Type:** CLM with Boost
37
+ **Risk Level:** Medium-High
38
+ **Notes:** Native token pairing with ETH, lower TVL than liquidity suggests active management
39
+
40
+ ### 3. USDC-WMON PancakeSwap CLM Vault (Boosted)
41
+ **Performance:**
42
+ - APY: 125.77%
43
+ - Base APY: 93.13%
44
+ - Daily APY: 0.2699%
45
+ - Daily Boost: 0.1804%
46
+ - TVL: $307,443
47
+ - Liquidity: $618,097
48
+
49
+ **Strategy Type:** CLM with Boost
50
+ **Risk Level:** Medium (stablecoin pairing reduces IL)
51
+ **Notes:** Highest TVL in CLM vaults, good liquidity depth, safer IL profile
52
+
53
+ ### 4. apyUSD 18Jun26 Pendle Vault
54
+ **Performance:**
55
+ - APY: 14.99%
56
+ - Daily APY: 0.0396%
57
+ - TVL: $49,908
58
+ - Liquidity: $11.17M
59
+
60
+ **Strategy Type:** Pendle yield tokenization with Points
61
+ **Risk Level:** Low-Medium
62
+ **Notes:** Fixed maturity date (June 18, 2026), points farming strategy
63
+
64
+ ### 5. apxUSD 18Jun26 Pendle Vault
65
+ **Performance:**
66
+ - APY: 11.36%
67
+ - Daily APY: 0.0299%
68
+ - TVL: $3.11
69
+ - Liquidity: $3.97M
70
+
71
+ **Strategy Type:** Pendle yield tokenization with Points
72
+ **Risk Level:** Low-Medium
73
+ **Notes:** Very low TVL despite high liquidity - potential opportunity or red flag
74
+
75
+ ### 6. VIRTUAL-USDC PancakeSwap CLM Vault
76
+ **Performance:**
77
+ - APY: 29.86%
78
+ - Daily APY: 0.0716%
79
+ - TVL: $182.46
80
+ - Liquidity: $271,960
81
+
82
+ **Strategy Type:** CLM
83
+ **Risk Level:** Medium
84
+ **Notes:** Minimal TVL, decent liquidity
85
+
86
+ ### 7. VIRTUAL-USDC PancakeSwap CLM Pool
87
+ **Performance:**
88
+ - APY: 28.47%
89
+ - Daily APY: 0.0749%
90
+ - TVL: $1.01
91
+ - Liquidity: $271,960
92
+
93
+ **Strategy Type:** Direct CLM Pool
94
+ **Risk Level:** Medium
95
+ **Notes:** Nearly empty vault, same liquidity as vault version
96
+
97
+ ### 8. WETH-USDC PancakeSwap CLM Vault
98
+ **Performance:**
99
+ - APY: 54.05%
100
+ - Daily APY: 0.1184%
101
+ - TVL: $13,462
102
+ - Liquidity: $5.00M
103
+
104
+ **Strategy Type:** CLM
105
+ **Risk Level:** Low-Medium
106
+ **Notes:** Classic blue-chip pair, excellent liquidity depth
107
+
108
+ ### 9. WETH-USDC PancakeSwap CLM Pool
109
+ **Performance:**
110
+ - APY: 49.51%
111
+ - Daily APY: 0.1223%
112
+ - TVL: $10,711
113
+ - Liquidity: $5.00M
114
+
115
+ **Strategy Type:** Direct CLM Pool
116
+ **Risk Level:** Low-Medium
117
+ **Notes:** Direct pool access, slightly lower APY than vault
118
+
119
+ ## Security Considerations
120
+
121
+ ### Smart Contract Risks
122
+ 1. **CLM Strategy Complexity:** Concentrated liquidity requires active rebalancing
123
+ 2. **Boost Mechanisms:** Additional complexity in boosted vaults
124
+ 3. **Cross-Protocol Risk:** Dependency on PancakeSwap and Pendle protocols
125
+ 4. **Monad Chain Maturity:** Relatively new chain, less battle-tested
126
+
127
+ ### Key Areas to Audit
128
+
129
+
130
+ #### 1. Vault Contract Architecture
131
+ - Deposit/withdrawal mechanisms
132
+ - Fee structures
133
+ - Emergency withdrawal functions
134
+ - Pause mechanisms
135
+ - Access controls
136
+
137
+ #### 2. Strategy Contracts
138
+ - Rebalancing logic for CLM positions
139
+ - Reward harvesting and compounding
140
+ - Slippage protection
141
+ - Price oracle dependencies
142
+
143
+ #### 3. Boost Mechanisms
144
+ - Boost calculation logic
145
+ - Reward distribution fairness
146
+ - Potential gaming vectors
147
+
148
+ #### 4. Integration Points
149
+ - PancakeSwap CLM integration
150
+ - Pendle protocol integration
151
+ - Token approvals and allowances
152
+ - Cross-contract calls
153
+
154
+ ## Potential Vulnerabilities to Test
155
+
156
+ ### High Priority
157
+ 1. **Reentrancy in deposit/withdraw flows**
158
+ 2. **Price manipulation via flash loans**
159
+ 3. **Reward calculation overflow/underflow**
160
+ 4. **Access control bypasses**
161
+ 5. **Emergency function abuse**
162
+
163
+ ### Medium Priority
164
+ 6. **Slippage exploitation during rebalancing**
165
+ 7. **Fee calculation errors**
166
+ 8. **Rounding errors in share calculations**
167
+ 9. **Stale price oracle data**
168
+ 10. **Boost calculation manipulation**
169
+
170
+ ### Low Priority
171
+ 11. **Gas griefing attacks**
172
+ 12. **Front-running harvest calls**
173
+ 13. **Dust amount handling**
174
+
175
+ ## Recommended Testing Approach
176
+
177
+ ### Phase 1: Contract Discovery
178
+ ```solidity
179
+ // Fetch vault addresses from Beefy API
180
+ // Verify contract source code
181
+ // Map contract relationships
182
+ ```
183
+
184
+ ### Phase 2: Static Analysis
185
+ ```bash
186
+ # Run Slither on vault contracts
187
+ slither VaultContract.sol --detect reentrancy-eth,reentrancy-no-eth
188
+
189
+ # Check for common patterns
190
+ slither VaultContract.sol --detect arbitrary-send-eth,suicidal
191
+ ```
192
+
193
+ ### Phase 3: Dynamic Testing
194
+ ```solidity
195
+ // Test deposit/withdrawal flows
196
+ // Test reward harvesting
197
+ // Test emergency scenarios
198
+ // Test edge cases (zero amounts, max amounts)
199
+ ```
200
+
201
+ ### Phase 4: Economic Analysis
202
+ - Calculate actual vs advertised APY
203
+ - Analyze fee impact on returns
204
+ - Test IL scenarios for CLM positions
205
+ - Verify boost calculations
206
+
207
+ ## Opportunities
208
+
209
+ ### High APY Vaults (>100%)
210
+ 1. **WBTC-WMON (171.38%)** - High risk, high reward
211
+ 2. **USDC-WMON (125.77%)** - Better risk/reward with stablecoin
212
+
213
+ ### Stable Yield (10-30%)
214
+ 1. **Pendle vaults (11-15%)** - Lower risk, fixed maturity
215
+ 2. **WETH-USDC (49-54%)** - Blue chip pair, good liquidity
216
+
217
+ ### Arbitrage Opportunities
218
+ - **Vault vs Pool APY differences** (WETH-USDC: 54.05% vs 49.51%)
219
+ - **Low TVL with high liquidity** (apxUSD: $3.11 TVL, $3.97M liquidity)
220
+
221
+ ## Red Flags
222
+
223
+ 1. **apxUSD vault:** $3.11 TVL with $3.97M liquidity - why is no one depositing?
224
+ 2. **VIRTUAL-USDC pool:** $1.01 TVL - essentially empty
225
+ 3. **High APYs on WMON pairs:** Potential for rapid depreciation of native token
226
+ 4. **New chain risk:** Monad is relatively new, less security track record
227
+
228
+ ## Next Steps
229
+
230
+ 1. **Fetch contract addresses** from Beefy API
231
+ 2. **Verify source code** on Monad explorer
232
+ 3. **Run automated security tools** (Slither, Mythril)
233
+ 4. **Create Foundry test suite** for identified vulnerabilities
234
+ 5. **Analyze tokenomics** of WMON and reward tokens
235
+ 6. **Review audit reports** if available
236
+
237
+ ## Conclusion
238
+
239
+ The Monad Beefy vaults present interesting opportunities with high APYs, but require careful security analysis. The CLM strategies add complexity, and the new chain introduces additional risk. Priority should be given to auditing the USDC-WMON vault (highest TVL) and investigating the apxUSD anomaly (high liquidity, no deposits).
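Review bot: the Notes line for vault 2 ("lower TVL than liquidity suggests active management") contradicts the figures two lines above it, which show TVL $112,714 against Liquidity $53,943, i.e. TVL is higher, not lower; either the numbers or the inference is wrong, and the conclusion drawn from it should be dropped until the source data is re-checked. Three smaller points in the same file: the "Stable Yield (10-30%)" heading in the Opportunities section lists "WETH-USDC (49-54%)" as its second item, which falls outside the heading's own range; the Phase 1 and Phase 3 blocks under Recommended Testing Approach are fenced as solidity but contain only comment lines ("// Fetch vault addresses from Beefy API", "// Test deposit/withdrawal flows"), so they should be tagged as plain text or replaced by the Foundry test skeleton that Next Steps item 4 promises; and the "$3.11" and "$1.01" TVL figures that drive both the Arbitrage Opportunities and Red Flags lists should be verified against the API response before being treated as real anomalies, since a decimals or scraping error would produce exactly this pattern.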
@@ -0,0 +1,136 @@
1
+ # Beefy Staking Contract Analysis
2
+ ## Contract: 0x453D4Ba9a2D594314DF88564248497F7D74d6b2C (BSC)
3
+
4
+ ### Contract Type
5
+ Standard Synthetix-style StakingRewards contract (similar to MasterChef reward pool)
6
+
7
+ ### Key Parameters
8
+ - **Staking Token**: 0xca3f508b8e4dd382ee878a314789373d80a5190a
9
+ - **Rewards Token**: 0xbb4cdb9cbd36b01bd1cbaebf2de08d9173bc095c (WBNB)
10
+ - **Total Staked**: 82.18 tokens
11
+ - **Reward Rate**: ~3.05e27 per second
12
+ - **Period Finish**: 1668010298 (Nov 9, 2022)
13
+ - **Last Update**: 1668010298
14
+
15
+ ### Contract Status
16
+ **INACTIVE** - The reward period ended in November 2022. No new rewards are being distributed.
17
+
18
+ ### Known Exploit Vectors for This Contract Type
19
+
20
+ #### 1. **First Depositor Inflation Attack** ❌ NOT APPLICABLE
21
+ - **Description**: Attacker deposits 1 wei, then directly transfers large amount to inflate share price
22
+ - **Status**: Pool already has 82.18 tokens staked, attack window closed
23
+ - **Impact**: N/A
24
+
25
+ #### 2. **Reward Rate Manipulation** ❌ NOT APPLICABLE
26
+ - **Description**: Manipulate `notifyRewardAmount()` to drain rewards
27
+ - **Status**: Reward period ended, no active rewards
28
+ - **Impact**: N/A
29
+
30
+ #### 3. **Rounding Error Exploitation** ⚠️ HISTORICAL RISK
31
+ - **Description**: Small stakes round down to 0 rewards due to division by 1e18
32
+ - **Formula**: `earned = balance * (rewardPerToken - userRewardPerTokenPaid) / 1e18`
33
+ - **Status**: Was possible during active period
34
+ - **Impact**: LOW - Dust amounts only
35
+
36
+ #### 4. **Reward Calculation Precision Loss** ⚠️ HISTORICAL RISK
37
+ - **Description**: `rewardPerToken = rewardPerTokenStored + (timeDelta * rewardRate * 1e18 / totalSupply)`
38
+ - **Issue**: When totalSupply is very large, rewards per token become tiny
39
+ - **Status**: With 82 tokens staked, precision was maintained
40
+ - **Impact**: LOW
41
+
42
+ #### 5. **Time-Based Reward Sniping** ❌ NOT APPLICABLE
43
+ - **Description**: Stake right before reward distribution, unstake immediately after
44
+ - **Status**: Rewards ended in 2022
45
+ - **Impact**: N/A
46
+
47
+ #### 6. **Reentrancy on Withdraw** ✅ PROTECTED
48
+ - **Description**: Reenter during token transfer to manipulate state
49
+ - **Protection**: Uses `updateReward` modifier before state changes
50
+ - **Status**: Standard Checks-Effects-Interactions pattern followed
51
+ - **Impact**: NONE
52
+
53
+ ### Potential Exploits (If Contract Were Active)
54
+
55
+ #### A. **Reward Draining via Flash Loan**
56
+ ```solidity
57
+ // If rewards were active:
58
+ 1. Flash loan large amount of staking tokens
59
+ 2. Stake all tokens
60
+ 3. Wait for rewards to accumulate (even 1 block)
61
+ 4. Withdraw + claim rewards
62
+ 5. Repay flash loan
63
+ 6. Keep rewards
64
+ ```
65
+ **Mitigation**: Requires time-weighted staking or minimum lock period
66
+
67
+ #### B. **Sandwich Attack on Reward Distribution**
68
+ ```solidity
69
+ // Front-run notifyRewardAmount():
70
+ 1. Detect notifyRewardAmount() in mempool
71
+ 2. Front-run with large stake
72
+ 3. Let notifyRewardAmount() execute
73
+ 4. Back-run with immediate withdraw
74
+ 5. Claim disproportionate rewards
75
+ ```
76
+ **Mitigation**: Requires gradual reward distribution or vesting
77
+
78
+ #### C. **Dust Attack for Gas Griefing**
79
+ ```solidity
80
+ // Create many tiny stakes:
81
+ 1. Stake 1 wei from many addresses
82
+ 2. Force contract to track many users
83
+ 3. Increase gas costs for legitimate users
84
+ 4. Potential DoS on reward calculations
85
+ ```
86
+ **Mitigation**: Minimum stake requirement
87
+
88
+ ### DeFiHackLabs Knowledge Base Matches
89
+
90
+ #### Similar Exploits:
91
+ 1. **Sorra Finance Hack (Jan 2025)** - $41K
92
+ - Flawed `getPendingRewards()` logic
93
+ - Failed to track distributed rewards
94
+ - Enabled repeated withdrawals
95
+ - **Match**: Reward calculation vulnerability
96
+
97
+ 2. **Penpie Protocol Exploit** - $27M
98
+ - Missing reentrancy guards in PendleStaking
99
+ - Market manipulation + malicious harvest
100
+ - **Match**: Staking contract reentrancy
101
+
102
+ 3. **Balancer Vault Inflation Attack**
103
+ - First depositor manipulation
104
+ - Share price inflation
105
+ - **Match**: ERC4626-style vault vulnerability
106
+
107
+ ### BlockSec Knowledge Base Matches
108
+
109
+ #### Common Staking Vulnerabilities:
110
+ 1. **Reward Calculation Errors**
111
+ - Integer overflow/underflow
112
+ - Precision loss in division
113
+ - Incorrect time delta calculations
114
+
115
+ 2. **Access Control Issues**
116
+ - Unauthorized reward distribution
117
+ - Missing owner checks
118
+ - Compromised admin keys
119
+
120
+ 3. **Economic Attacks**
121
+ - Flash loan manipulation
122
+ - Sandwich attacks
123
+ - Reward sniping
124
+
125
+ ### Conclusion
126
+
127
+ **Current Status**: This Beefy staking contract is INACTIVE (rewards ended Nov 2022) and has 82.18 tokens still staked. No active exploits are possible.
128
+
129
+ **Historical Assessment**: During its active period, the contract was vulnerable to:
130
+ - Flash loan reward manipulation
131
+ - Sandwich attacks on reward distribution
132
+ - Minor rounding errors for dust amounts
133
+
134
+ **Security Rating**: MEDIUM - Standard Synthetix implementation with known limitations but no critical flaws. The contract follows best practices for this design pattern.
135
+
136
+ **Recommendation**: Users with staked tokens should withdraw their principal. No rewards are accumulating.
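Review bot: the "Reentrancy on Withdraw ✅ PROTECTED" verdict cites the wrong mechanism: the `updateReward` modifier only settles accrued rewards before the function body and is not a reentrancy guard; in the Synthetix StakingRewards pattern the protection is the separate `nonReentrant` modifier from ReentrancyGuard, so the finding should state whether that guard is present on `stake`, `withdraw` and `getReward` in this deployment instead of pointing at `updateReward`. The reasoning for item 1 is also off: "First Depositor Inflation Attack" is marked not applicable because "Pool already has 82.18 tokens staked, attack window closed", but a StakingRewards contract keeps per-user balances rather than shares, so there is no share price to inflate and the attack class does not apply at any staked amount. The "Reward Draining via Flash Loan" block under Potential Exploits is internally inconsistent: a flash loan must be repaid within the same transaction, yet step 3 says "Wait for rewards to accumulate (even 1 block)", and with a per-second `rewardRate` a stake and withdraw in the same block has a zero time delta and earns nothing, which is exactly the "time-weighted staking" the Mitigation line asks for. Finally, the three exploit blocks are fenced as solidity but contain numbered prose steps, and "Reward Rate: ~3.05e27 per second" should state its unit (raw reward-token units or tokens), since the number is not interpretable as written.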
@@ -0,0 +1,223 @@
1
+ # Beefy XVS-WBNB Vault - Actual Findings
2
+
3
+ ## Vault Details
4
+ - **Vault:** 0x5C60E395995123dE9B9099d01E592c97a73e0e12
5
+ - **Strategy:** 0x3DF82f3E1a11B9d7d06267773B5BB2be5F8Be010
6
+ - **TVL:** $16,938
7
+ - **APY:** 39.78%
8
+ - **Chain:** BNB Chain (Mainnet Fork Tested)
9
+
10
+ ---
11
+
12
+ ## Test Results Summary
13
+
14
+ ### ✅ REENTRANCY - NOT EXPLOITABLE FOR PROFIT
15
+
16
+ **Status:** Vulnerability exists but NOT profitable
17
+
18
+ **Test Result:**
19
+ ```
20
+ Attacker deposited: 100 ether
21
+ Attacker withdrew: 99.999 ether (lost 1 wei)
22
+ Profit: 0
23
+ ```
24
+
25
+ **Why No Profit:**
26
+ The reentrancy allows calling `withdrawAll()` multiple times, but:
27
+ 1. Each withdrawal burns the attacker's shares
28
+ 2. The attacker only gets back their own deposited funds
29
+ 3. Cannot steal from other depositors
30
+ 4. Share accounting prevents double-spending
31
+
32
+ **Actual Impact:**
33
+ - Griefing attack only
34
+ - Could cause gas waste
35
+ - Could disrupt normal operations
36
+ - NOT a fund-stealing vulnerability
37
+
38
+ **Severity Downgrade:** HIGH → LOW (griefing only)
39
+
40
+ ---
41
+
42
+ ## ⚠️ CONFIRMED: Public Harvest Function
43
+
44
+ **Status:** CONFIRMED - Anyone can call harvest
45
+
46
+ **Test Result:**
47
+ ```
48
+ test_HarvestManipulation() - PASS
49
+ Logs:
50
+ Harvest succeeded - anyone can call!
51
+ ```
52
+
53
+ **Actual Profit Calculation:**
54
+
55
+ The harvest function has no access control, but the profit depends on:
56
+
57
+ 1. **Call Reward:** 0 (checked on-chain)
58
+ 2. **Pending Rewards:** 0 CAKE currently
59
+ 3. **MEV Opportunity:** Depends on reward accumulation
60
+
61
+ **Profit Scenario:**
62
+ ```
63
+ IF rewards accumulate to 100 CAKE:
64
+ - Attacker front-runs legitimate harvest
65
+ - Attacker gets call reward (if configured)
66
+ - Attacker can sandwich the reward swaps
67
+ - Estimated profit: 0.1-0.5% of reward value
68
+ ```
69
+
70
+ **Current State:**
71
+ - No pending rewards to harvest
72
+ - Call reward is 0
73
+ - Limited immediate profit
74
+
75
+ **Severity:** MEDIUM (MEV extraction, not fund theft)
76
+
77
+ ---
78
+
79
+ ## Real Profit Calculation
80
+
81
+ ### Scenario 1: Reentrancy Attack
82
+ ```
83
+ Investment: 100 ETH worth of LP
84
+ Profit: 0 ETH
85
+ ROI: 0%
86
+ Gas Cost: ~800k gas (~$5-10)
87
+ Net Profit: NEGATIVE
88
+ ```
89
+
90
+ **Verdict:** NOT PROFITABLE
91
+
92
+ ### Scenario 2: Public Harvest MEV
93
+ ```
94
+ Pending Rewards: Variable (currently 0)
95
+ Call Reward: 0
96
+ MEV from sandwich: 0.1-0.5% of rewards
97
+ Estimated profit per harvest: $0-50 (depends on reward size)
98
+ Gas cost: ~200k gas (~$2-5)
99
+ Net profit: $0-45 per harvest
100
+ ```
101
+
102
+ **Verdict:** MARGINALLY PROFITABLE (only when rewards accumulate)
103
+
104
+ ### Scenario 3: Flash Loan + Harvest Manipulation
105
+ ```
106
+ Flash loan: 10,000 BNB
107
+ Manipulate XVS-WBNB pool price
108
+ Trigger harvest at manipulated price
109
+ Profit from price difference
110
+ Estimated profit: $100-500 (high risk)
111
+ Gas + flash loan fees: $50-100
112
+ Net profit: $0-400
113
+ ```
114
+
115
+ **Verdict:** POTENTIALLY PROFITABLE (but risky and complex)
116
+
117
+ ---
118
+
119
+ ## Actual Vulnerabilities Ranked by Profit
120
+
121
+ ### 1. Public Harvest (MEDIUM)
122
+ - **Profit:** $0-50 per harvest
123
+ - **Frequency:** Every 8-24 hours
124
+ - **Complexity:** Low
125
+ - **Risk:** Low
126
+ - **Total potential:** $0-1,500/month
127
+
128
+ ### 2. Flash Loan + Harvest (MEDIUM-HIGH)
129
+ - **Profit:** $100-500 per attack
130
+ - **Frequency:** When rewards accumulate
131
+ - **Complexity:** High
132
+ - **Risk:** High (could fail, lose gas)
133
+ - **Total potential:** $500-2,000/month
134
+
135
+ ### 3. Reentrancy (LOW)
136
+ - **Profit:** $0
137
+ - **Frequency:** N/A
138
+ - **Complexity:** Medium
139
+ - **Risk:** None (no profit)
140
+ - **Total potential:** $0
141
+
142
+ ---
143
+
144
+ ## Why This Vault Isn't Worth Exploiting
145
+
146
+ 1. **Low TVL:** Only $16,938 - limited profit potential
147
+ 2. **No Call Rewards:** Harvest doesn't pay the caller
148
+ 3. **Reentrancy Doesn't Steal:** Just withdraws your own funds
149
+ 4. **Better Targets Exist:** Other vaults have higher TVL and worse security
150
+
151
+ ---
152
+
153
+ ## Comparison to Real Exploits
154
+
155
+ ### This Vault:
156
+ - Max profit: ~$500/attack
157
+ - Requires flash loan
158
+ - High complexity
159
+ - Low success rate
160
+
161
+ ### Typical DeFi Exploit:
162
+ - Profit: $100k - $10M
163
+ - Direct fund theft
164
+ - Medium complexity
165
+ - High success rate if vulnerability exists
166
+
167
+ ---
168
+
169
+ ## Actual Recommendations
170
+
171
+ ### For Beefy Team:
172
+
173
+ 1. **Add harvest access control** (prevents MEV, not critical)
174
+ ```solidity
175
+ modifier onlyKeeper() {
176
+ require(msg.sender == keeper, "!keeper");
177
+ _;
178
+ }
179
+ ```
180
+
181
+ 2. **Add ReentrancyGuard** (prevents griefing, not fund theft)
182
+ ```solidity
183
+ function withdrawAll() external nonReentrant {
184
+ // ...
185
+ }
186
+ ```
187
+
188
+ 3. **Priority:** LOW - No immediate fund theft risk
189
+
190
+ ### For Researchers:
191
+
192
+ 1. **Don't waste time on this vault** - profit too low
193
+ 2. **Look for:**
194
+ - Higher TVL vaults (>$1M)
195
+ - Actual fund theft vulnerabilities
196
+ - Broken access controls on admin functions
197
+ - Price oracle manipulation with high impact
198
+
199
+ ---
200
+
201
+ ## Conclusion
202
+
203
+ **Initial Assessment:** CRITICAL - Reentrancy can drain vault!
204
+
205
+ **Actual Reality:** LOW - Reentrancy doesn't steal funds, public harvest has minimal MEV
206
+
207
+ **Profit Potential:** $0-500 per attack (not worth the effort)
208
+
209
+ **Recommendation:** Move on to more profitable targets
210
+
211
+ The vault has security issues but they're not exploitable for significant profit. The reentrancy is a red herring - it looks scary but doesn't actually steal funds. The public harvest is the real issue but with only $16k TVL and no call rewards, the MEV opportunity is minimal.
212
+
213
+ ---
214
+
215
+ ## Lessons Learned
216
+
217
+ 1. **Reentrancy ≠ Automatic Profit** - Need to verify actual fund flow
218
+ 2. **Test with real numbers** - Don't assume vulnerability = profit
219
+ 3. **Consider economics** - Gas costs, flash loan fees, slippage
220
+ 4. **TVL matters** - Small vaults aren't worth complex attacks
221
+ 5. **Verify on mainnet fork** - Simulations reveal actual behavior
222
+
223
+ This is why you always test exploits before claiming bounties or attempting attacks. The vulnerability exists but the economics don't work out.
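Review bot: the Test Result block under REENTRANCY does not add up: "Attacker deposited: 100 ether" with "lost 1 wei" implies a withdrawal of 99.999999999999999999 ether, whereas "99.999 ether" would be a loss of 0.001 ether; since this figure underpins the "Profit: 0" conclusion, the line should carry the exact value the Foundry test printed. On the Recommendations, the `onlyKeeper` snippet references a `keeper` address that is never declared in the shown code, and `function withdrawAll() external nonReentrant` only compiles if the vault inherits OpenZeppelin's ReentrancyGuard, which the recommendation should say; it should also spell out that restricting `harvest` to a keeper trades the MEV exposure for a liveness dependency on that keeper, which is a design trade-off rather than a free fix. Severity labelling is also inconsistent within the file: the ranking lists Reentrancy as "Risk: None (no profit)" while the Actual Impact section lists griefing and disruption of normal operations, the "✅ REENTRANCY" heading reads as a pass even though its Status line says "Vulnerability exists", and the Conclusion's "LOW" disagrees with the "Flash Loan + Harvest (MEDIUM-HIGH)" entry in the ranking above it.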