white-hat-scanner 1.0.1

package/research/vuln-pattern-library.md

@@ -0,0 +1,401 @@
+# DeFi Vulnerability Pattern Library
+
+*Last updated: 2026-04-03. Based on analysis of 40+ post-mortems from rekt.news, DeFiLlama hacks database, and Immunefi disclosures.*
+
+---
+
+## Recent Major Hacks (2025–2026)
+
+| Protocol | Date | Loss | Vuln Class | Audited | Bug Bounty | Bounty Ceiling vs Loss |
+|---|---|---|---|---|---|---|
+| Drift Trade | Apr 2026 | $285M | Compromised Admin + Fake Token Price Manip | Unknown | Unknown | — |
+| Resolv | Mar 2026 | $24.5M | Private Key Compromise | Yes | Unknown | — |
+| Cyrus Finance | Mar 2026 | $5M | Flash Loan Pool Shares Exploit | Unknown | No | — |
+| Venus Core Pool | Mar 2026 | $3.7M | Donation Attack / Supply Cap Manipulation | Yes (4th rekt) | Yes | $1M ceiling vs $3.7M loss |
+| Yieldblox (Blend V2) | Feb 2026 | $10.97M | Oracle Price Manipulation | Unknown | No | — |
+| IoTeX ioTube Bridge | Feb 2026 | $4.4M | Private Key Compromise | Yes | Unknown | — |
+| Moonwell | Feb 2026 | $1.78M | Oracle Misconfiguration (vibe-coded) | No (AI-generated code) | Yes | Unknown |
+| Solv BRO Vault | Mar 2026 | $2.73M | Reentrancy on Callback (ERC-3525) | No | No | — |
+| FoomCash | Mar 2026 | $2.26M | ZK Groth16 Trusted Setup Skipped | No | Yes ($320K "code is law") | $320K ceiling vs $2.26M loss |
+| dTRINITY dLEND | Mar 2026 | $257K | Deposit Inflation / Share Price Manipulation | Unknown | Unknown | — |
+
+**Key pattern**: Bug bounty ceiling is consistently 10–100x below actual losses. Audited protocols still get rekt on second/third incidents (Venus rekt IV, Aave rekt).
+
+---
+
+## Vulnerability Pattern Catalog
+
+---
+
+### Pattern 1: Oracle Price Manipulation
+
+**Description**: Attacker manipulates an on-chain price oracle (often a spot AMM price or thinly-traded DEX pair) to borrow against inflated collateral or trigger artificial liquidations.
+
+**Subtypes**:
+- Spot price oracle from a single low-liquidity AMM pool
+- Flash loan + swap to pump price in same transaction
+- Illiquid collateral pumped 100x on a DEX (Yieldblox/Stellar DEX, Feb 2026)
+- Oracle cap misconfiguration pricing asset at wrong value (Moonwell cbETH: $1.12 instead of $2,200)
+
+**Detection — grep/static**:
+```bash
+# Look for direct AMM pair getReserves() used as price
+grep -r "getReserves\|slot0\|observe\|consult" contracts/ --include="*.sol"
+
+# Look for single-block TWAP (length 0 or 1)
+grep -r "twap\|TWAP\|timeWeighted" contracts/ --include="*.sol"
+
+# Semgrep: spot price oracle
+# rule: calls to UniswapV2Pair.getReserves without TWAP
+```
+
+**Detection — Slither**:
+```bash
+slither . --detect oracle-manipulation,price-manipulation
+# Manual: check oracle.getPrice() call chain — does it touch AMM reserves directly?
+```
+
+**Detection — Foundry invariant**:
+```solidity
+// Invariant: borrowable amount cannot exceed X% of liquidity when price changes >10% in one block
+function invariant_borrowCapAfterPriceShock() external {
+    uint256 prevPrice = oracle.getPrice(token);
+    // simulate 10x price pump
+    vm.prank(attacker);
+    flashLoanPump(token, 10e18);
+    uint256 newPrice = oracle.getPrice(token);
+    assertLt(newPrice / prevPrice, 10, "oracle accepts 10x price in single block");
+}
+```
+
+**Real examples**: Yieldblox Feb 2026 ($10.97M), Moonwell Feb 2026 ($1.78M), Mango Markets Oct 2022 ($117M), Euler Finance Mar 2023 ($197M adjacent)
+
+**Detection difficulty**: **Medium** — easy to detect single-AMM dependency, hard to catch multi-hop manipulation chains
+
+---
+
+### Pattern 2: Flash Loan + Share Inflation (Donation / Deposit Inflation Attack)
+
+**Description**: Attacker donates tokens directly to a vault/lending pool to inflate the price-per-share, then exploits the rounding behavior in `convertToShares()` / `balanceOf()`. Often a first-depositor attack. Related to ERC-4626 share inflation.
+
+**Subtypes**:
+- Direct token donation to vault before first deposit (dead shares bypass)
+- Flash loan + donate to inflate share price, borrow against inflated shares
+- Venus "supply cap bypass via donation" (Venus Rekt IV, Mar 2026)
+- Cyrus Finance "Flashloan Pool Shares Exploit" (Mar 2026, $5M)
+- dTRINITY "Deposit Inflation Attack" (Mar 2026, $257K)
+
+**Detection — grep/static**:
+```bash
+# Look for totalAssets() that reads raw token.balanceOf(address(this))
+grep -rn "balanceOf(address(this))" contracts/ --include="*.sol"
+
+# Look for convertToShares with division that can round to 0
+grep -rn "convertToShares\|previewDeposit\|totalSupply()" contracts/ --include="*.sol"
+
+# Missing virtual shares / dead shares defense
+grep -rn "1e3\|1000\|_DEAD_SHARES\|virtual" contracts/ --include="*.sol"
+```
+
+**Detection — Slither**:
+```bash
+slither . --detect divide-before-multiply,weak-prng
+# Custom detector: ERC-4626 without virtual shares protection
+```
+
+**Detection — Foundry invariant**:
+```solidity
+// Invariant: attacker cannot inflate PPS by more than 1e6 via direct donation
+function invariant_sharePriceCannotBeInflated() external {
+    uint256 pps_before = vault.convertToAssets(1e18);
+    deal(address(asset), attacker, 1e30);
+    vm.prank(attacker);
+    asset.transfer(address(vault), 1e30); // direct donation
+    uint256 pps_after = vault.convertToAssets(1e18);
+    assertLt(pps_after / pps_before, 1e6, "share price inflated > 1e6x");
+}
+```
+
+**Real examples**: Venus Core Pool Mar 2026 ($3.7M), Cyrus Finance Mar 2026 ($5M), dTRINITY dLEND Mar 2026 ($257K), Sonne Finance May 2024 ($20M), Hundred Finance Apr 2023 ($7.4M)
+
+**Detection difficulty**: **Easy** — well-understood pattern, Slither and ToB's checklist catch it; the danger is in novel variants
+
+---
+
+### Pattern 3: Reentrancy on Callback
+
+**Description**: Contract sends ETH or calls an external contract (token hook, ERC-777 callback, ERC-3525 `_beforeValueTransfer`, NFT `onERC721Received`) before updating internal state. Attacker's callback re-enters the contract in an inconsistent state.
+
+**Subtypes**:
+- Classic single-function reentrancy (send-before-update)
+- Cross-function reentrancy (update in `withdraw`, read stale in `borrow`)
+- Read-only reentrancy (price read from a pool mid-callback)
+- ERC-3525 value transfer callback (Solv BRO Vault Mar 2026: 22 re-entry loops, 135 BRO → 567M BRO)
+- ERC-777 `tokensToSend` hook on deposit
+
+**Detection — grep/static**:
+```bash
+# Functions making external calls before state changes
+grep -rn "\.call{value\|\.transfer(\|\.send(" contracts/ --include="*.sol"
+
+# ERC-777 / ERC-3525 callback hooks
+grep -rn "tokensToSend\|tokensReceived\|_beforeValueTransfer\|onERC721Received" contracts/ --include="*.sol"
+
+# Missing ReentrancyGuard
+grep -rn "nonReentrant\|ReentrancyGuard" contracts/ --include="*.sol"
+# If not present: flag all external calls
+```
+
+**Detection — Slither**:
+```bash
+slither . --detect reentrancy-eth,reentrancy-no-eth,reentrancy-benign,reentrancy-events
+# slither-check-erc for ERC-777/3525 hook analysis
+```
+
+**Detection — Foundry invariant**:
+```solidity
+// Invariant: token balance cannot increase by minting during deposit callback
+function invariant_mintedSupplyAfterDeposit() external {
+    uint256 supply_before = token.totalSupply();
+    depositWithMaliciousCallback(attacker, 1e18);
+    assertLe(token.totalSupply(), supply_before + 1e18, "reentrancy inflated supply");
+}
+```
+
+**Real examples**: Solv BRO Vault Mar 2026 ($2.73M, ERC-3525), Curve Finance Jul 2023 ($73.5M, Vyper reentrancy lock bug), The DAO Jun 2016 ($60M classic)
+
+**Detection difficulty**: **Easy for classic variants** / **Hard for cross-function and read-only** — automated tools catch basic cases, cross-function and read-only require taint analysis
+
+---
+
+### Pattern 4: Private Key Compromise / Compromised Admin
+
+**Description**: Attacker obtains a privileged private key (deployer, multisig signer, admin) and drains funds directly or upgrades proxy to malicious implementation.
+
+**Subtypes**:
+- Single private key as sole admin (IoTeX ioTube Feb 2026: "key was the only lock")
+- Leaked key from CI/CD env var, GitHub repo, or employee compromise
+- Compromised multisig via social engineering or malware
+- Drift Trade Apr 2026 ($285M): compromised admin + fake token price manipulation
+
+**Detection — grep/static**:
+```bash
+# Single EOA as owner without multisig/timelock
+grep -rn "owner\|Ownable\|onlyOwner" contracts/ --include="*.sol"
+
+# Missing timelocks on critical parameter changes
+grep -rn "setOracle\|setFee\|upgradeTo\|_authorizeUpgrade" contracts/ --include="*.sol"
+# Verify timelock in constructor args or separate contract
+
+# Missing multisig (check for Gnosis Safe / AccessControl with role count)
+grep -rn "AccessControl\|TimelockController\|Timelock" contracts/ --include="*.sol"
+```
+
+**Detection — Slither**:
+```bash
+slither . --detect controlled-delegatecall,arbitrary-send-eth,unprotected-upgrade
+# slither-prop: centralization risk detector
+```
+
+**Detection — Foundry**:
+```solidity
+// Test: admin functions have timelock
+function test_adminFunctionsRequireTimelock() external {
+    vm.prank(attacker); // non-admin
+    vm.expectRevert();
+    protocol.setOracle(address(maliciousOracle));
+
+    // Even admin: test delay exists
+    vm.prank(admin);
+    protocol.proposeOracleChange(address(newOracle));
+    vm.warp(block.timestamp + 1); // advance 1 second (should still revert)
+    vm.expectRevert("Timelock: not ready");
+    protocol.executeOracleChange();
+}
+```
+
+**Real examples**: Drift Trade Apr 2026 ($285M), Resolv Mar 2026 ($24.5M), IoTeX Feb 2026 ($4.4M), Ronin Bridge Mar 2022 ($625M), Harmony Horizon Jun 2022 ($100M)
+
+**Detection difficulty**: **Easy to flag centralization risk** / **Hard to prevent off-chain key theft** — static analysis detects single-admin pattern; real fix is operational security + multisig + timelock
+
+---
+
+### Pattern 5: ZK Proof System Misconfiguration (Trusted Setup Failure)
+
+**Description**: ZK proving system (Groth16, PLONK) requires a "trusted setup ceremony" to generate cryptographic parameters. If ceremony is incomplete or parameters reused from demo/test, attacker can forge proofs and mint arbitrary tokens.
+
+**Subtypes**:
+- Skipped MPC ceremony (used default/test `ptau` parameters)
+- Copied ceremony from different circuit (parameters don't match constraint system)
+- FoomCash Mar 2026: one skipped CLI step left verifier broken from day one ($2.26M)
+- "Default Settings" Mar 2026: two protocols, one skipped command
+
+**Detection — grep/static**:
+```bash
+# Look for hardcoded verifier keys that match test vectors
+grep -rn "ptau\|powers_of_tau\|hermez\|setup\|ceremony" . --include="*.json" --include="*.ts" --include="*.js"
+
+# Check if verificationKey.json matches production ceremony transcript
+# Compare vk.alpha, vk.beta, vk.gamma against known test parameters:
+# Hermez test ptau: alpha="0x0fd42..."
+
+# Check for Groth16 vs production verifier deployment
+grep -rn "Groth16Verifier\|PlonkVerifier\|verifyProof" contracts/ --include="*.sol"
+```
+
+**Detection — Semgrep**:
+```yaml
+rules:
+  - id: groth16-test-vk
+    pattern: |
+      alpha: "0x0fd42..."  # Hermez test ceremony alpha
+    message: "ZK verifier may use test/dev trusted setup parameters"
+    severity: CRITICAL
+```
+
+**Detection — Foundry**:
+```solidity
+// Test: invalid proof must fail verification
+function test_invalidProofRejected() external {
+    bytes memory fakeProof = abi.encode(uint256(1), uint256(2), uint256(3), uint256(4));
+    bool result = verifier.verifyProof(fakeProof, publicInputs);
+    assertFalse(result, "Fake proof accepted — ceremony may be broken");
+}
+```
+
+**Real examples**: FoomCash Mar 2026 ($2.26M), "Default Settings" protocols Mar 2026 (~$1M+), Tornado Cash (historical concern, not exploited due to community audit)
+
+**Detection difficulty**: **Hard** — requires cryptographic knowledge and access to ceremony transcript; automated tools can only flag "test ptau" heuristics
+
+---
+
+### Pattern 6: Governance Flash Loan Attack
+
+**Description**: Protocol allows governance token holders to vote on proposals, but lacks delay between acquiring voting power and using it. Attacker takes a flash loan of governance tokens, votes to pass a malicious proposal, and repays the loan — all in one transaction.
+
+**Subtypes**:
+- No vote-weight snapshot (reads current balance instead of historical)
+- Proposal + vote + execute in single tx (no timelock)
+- Borrow governance tokens, vote, repay (e.g., Compound-style delegation exploits)
+
+**Detection — grep/static**:
+```bash
+# Look for governance with current-block balance reads
+grep -rn "balanceOf\|getVotes\|getPastVotes" contracts/ --include="*.sol"
+
+# Missing snapshot / block number check
+grep -rn "block.number\|getPastVotes\|ERC20Votes" contracts/ --include="*.sol"
+
+# Missing timelock between proposal and execution
+grep -rn "TimelockController\|Timelock\|votingDelay\|executionDelay" contracts/ --include="*.sol"
+```
+
+**Detection — Slither**:
+```bash
+slither . --detect tautology,incorrect-equality
+# Custom: check if vote weight is read at proposal time vs current block
+```
+
+**Detection — Foundry invariant**:
+```solidity
+// Invariant: cannot propose AND vote AND execute in single transaction
+function invariant_governanceCannotFlashLoanAttack() external {
+    vm.startPrank(attacker);
+    flashLoan(govToken, 1e24, "");  // get majority voting power
+    uint256 proposalId = governor.propose(...);
+    vm.expectRevert("Governor: vote not yet active");
+    governor.castVote(proposalId, 1);  // must fail — no snapshot yet
+}
+```
+
+**Real examples**: Beanstalk Apr 2022 ($182M flash loan governance attack), Mango Markets Oct 2022 ($117M — governance + price manip), Build Finance DAO Feb 2022 (hostile takeover)
+
+**Detection difficulty**: **Medium** — pattern is well-known; danger is in novel governance designs (e.g., optimistic voting, gauges)
+
+---
+
+### Pattern 7: Bridge Relay / Validator Compromise
+
+**Description**: Cross-chain bridges rely on a set of validators or relayers to attest to cross-chain events. If the validator set is compromised (private keys stolen, threshold too low), attacker can authorize fraudulent withdrawals.
+
+**Subtypes**:
+- Low validator threshold (e.g., 5-of-9 with keys on hot servers)
+- Single admin key controls bridge (IoTeX ioTube pattern)
+- Compromised relayer submits fake deposit proofs
+- Fake token price manipulation + bridge (Drift Trade Apr 2026)
+
+**Detection — grep/static**:
+```bash
+# Check validator threshold
+grep -rn "threshold\|quorum\|minSignatures\|VALIDATOR_COUNT" contracts/ --include="*.sol"
+
+# Check if bridge has emergency pause / guardian role
+grep -rn "pause\|guardian\|emergencyStop" contracts/ --include="*.sol"
+
+# Single-sig bridge admin
+grep -rn "onlyOwner\|onlyAdmin" contracts/ --include="*.sol" | grep -i "bridge\|relay"
+```
+
+**Real examples**: Drift Trade Apr 2026 ($285M), IoTeX ioTube Feb 2026 ($4.4M), Ronin Network Mar 2022 ($625M), Wormhole Feb 2022 ($320M), Nomad Aug 2022 ($190M)
+
+**Detection difficulty**: **Easy to flag low threshold / single admin** / **Hard to prevent off-chain compromise**
+
+---
+
+### Pattern 8: Incorrect Token Accounting / Share Rounding
+
+**Description**: Subtle errors in how a protocol tracks user shares, balances, or claimable amounts. Often manifests as rounding errors in integer arithmetic that accumulate or can be triggered in a single large transaction.
+
+**Subtypes**:
+- Division before multiplication (truncation in wrong order)
+- Unchecked balance after fee-on-transfer token deposit
+- `totalSupply()` doesn't account for locked/burned shares
+- `GoonFi` "mispricing arbitrage" Mar 2026 ($254K)
+
+**Detection — grep/static**:
+```bash
+# Detect division before multiplication pattern
+grep -rn "/" contracts/ --include="*.sol" -A 1 | grep "*"
+# Better: use Slither
+
+# Fee-on-transfer token not accounted for
+grep -rn "transferFrom\|safeTransferFrom" contracts/ --include="*.sol"
+# If no before/after balanceOf check: flag as potential FoT issue
+```
+
+**Detection — Slither**:
+```bash
+slither . --detect divide-before-multiply,incorrect-equality,tautology
+```
+
+**Detection difficulty**: **Medium** — Slither catches divide-before-multiply; fee-on-transfer and share accounting bugs require semantic understanding
+
+---
+
+## Summary: Automation Coverage by Vuln Class
+
+| Pattern | Slither | Semgrep | Foundry Fuzzing | LLM Review | Priority |
+|---|---|---|---|---|---|
+| Oracle Price Manipulation | Partial | Custom rule | High (property tests) | High | **CRITICAL** |
+| Flash Loan Share Inflation | Yes (ERC-4626) | Custom rule | High | Medium | **CRITICAL** |
+| Reentrancy (classic) | Yes | Yes | Medium | Low | HIGH |
+| Reentrancy (cross-func/read-only) | Partial | No | High | High | HIGH |
+| Private Key / Admin Compromise | Centralization flag | No | N/A (off-chain) | High | HIGH |
+| ZK Trusted Setup Failure | No | Custom rule | Partial | High | CRITICAL (emerging) |
+| Governance Flash Loan | No | Custom rule | High | High | HIGH |
+| Bridge Validator Threshold | No | Partial | No | High | HIGH |
+| Token Accounting / Rounding | Yes | Partial | High | Medium | MEDIUM |
+
+---
+
+## Key Takeaways for Automated Scanning
+
+1. **Audited protocols still get rekt** — Venus rekt IV, Aave rekt (both audited). Static analysis must look for *variant* patterns, not just textbook examples.
+
+2. **Bug bounty ceilings are systemically too low** — FoomCash had a "code is law" $320K bounty vs $2.26M loss. Immunefi max bounties ($1M-$3M) cover only Tier-1 protocols; most protocols have no bounty or low ceilings.
+
+3. **AI-generated code is a new attack surface** — Moonwell Feb 2026 was "co-authored by Claude Opus 4.6." Standard audit tooling wasn't adapted for AI-generated contract patterns.
+
+4. **ZK vulnerabilities are emerging** — Two protocols in one week (Mar 2026) exploited via trusted setup failures. Tooling gap: no Slither detector, no standard CI check.
+
+5. **Oracle manipulation is perennial** — Every year, multiple protocols lose $5M–$300M to oracle manipulation in forms the previous year's patches didn't cover.