a16z / halmos

A symbolic testing tool for EVM smart contracts
GNU Affero General Public License v3.0

Support vm.fork/createSelectFork from foundry #190

Closed whbjzzwjxq closed 4 days ago

whbjzzwjxq commented 1 year ago

Is your feature request related to a problem? Please describe.

    vm.createSelectFork(getChain(56).rpcUrl, 26685503);

Got

    Warning: setUp() execution encountered an issue at SLOAD: symbolic storage base slot: sha3_296(48454946083833549120556327910798628449690199008091185690930824427871641913341814859890690)
    Error: setUp() failed: ValueError: No successful path found in setUp()

Describe the solution you'd like

Allow vm.fork/createSelectFork in function setUp to make the state of the blockchain start with a specific block instead of pure symbolic storage.


daejunpark commented 1 year ago

https://github.com/a16z/halmos/wiki/FAQ#does-halmos-provide-support-for-mainnet-forking

Could you please provide more context on the use cases that you have in mind?

whbjzzwjxq commented 1 year ago

@daejunpark Dear author, thanks for your timely reply. This functionality will help the community to reproduce existing attacks, such as the events collected in DeFiHackLabs.

In particular, consider the following attack: Source Link

    function setUp() public {
        cheats.createSelectFork("Avalanche", 23435294);
    }

    function testExploit(uint256 FlashLoanAmount) public {
        MU.approve(address(Router), type(uint).max);
        MUG.approve(address(Router), type(uint).max);
        USDC_e.approve(address(Router), type(uint).max);
        USDC_e.approve(address(Bank), type(uint).max);
        // original code: FlashLoanAmount = MU.balanceOf(address(Pair)) - 1;
        Pair.swap(FlashLoanAmount, 0, address(this), new bytes(1));
        MUGToUSDC_e();
        assert(USDC_e.balanceOf(address(this)) >= 10e8);
        emit log_named_decimal_uint(
            "[End] Attacker USDC.e balance after exploit",
            USDC_e.balanceOf(address(this)),
            6
        );
    }
    function xxx;

As a researcher, I wonder whether Halmos could generate a counter-example to make the attack happen (reproduce the actual attack). But it would be time-consuming to initialize the blockchain state instead of forking it from the blockchain directly.

daejunpark commented 4 days ago

Closing, as we don't plan to support fork testing in halmos: https://github.com/a16z/halmos/wiki/FAQ#does-halmos-provide-support-for-mainnet-forking