coinspect / learn-evm-attacks

Learn and contribute by exploring blockchain attacks in detail. Maintained by Coinspect smart contract audit team, renowned for their top-tier smart contract audit services.
https://www.coinspect.com/services/smart-contract-audit/
MIT License

Reimplement exploits without using cheat.startPrank(attacker) #36

Closed juli closed 1 year ago

juli commented 1 year ago

If adding the attacker to an allowlist is necessary, then it is better to spoof the owner's address and add our random attacker address to the allowlist. This way the exploit code will be more real and more valuable for future research projects based on this repository.

joaquinlpereyra commented 1 year ago

Partially implemented in #37.

We are missing two attacks that still rely on prank:

  1. Bad Guys NFT: because the attacker was authenticated with a Merkle proof; we could rebuild the Merkle proof for an arbitrary address.
  2. Ronin Bridge: because the attacker stole keys off-chain and could sign arbitrary messages. I think this is a reasonable use of prank; the interesting part is off-chain.

nine-december commented 1 year ago

Leaving my POV about these:

Both cases are pretty similar in terms of how the attacker managed to get access to accounts with privileges.

In the first case, the attacker managed to get a whitelist spot (which could be achieved via the Discord channel of the collection). That attack would also happen if the WhitelistMint function were public, as the bug is not related to the privilege. So, for Bad Guys NFT, it could be reasonable to show that anyone included in the Merkle tree would have been able to perform the attack.

As for Ronin, the juicy part of the attack was how the attacker compromised the keys. The biggest concept there IMO is data and key hygiene.

nine-december commented 1 year ago

I guess that the topic of this issue has already been solved. Moreover, we could leave this referenced somewhere as a guideline for future reproductions.
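
The following Foundry test is an added example, not part of the thread or of the repository's code. It sketches the pattern discussed above for a Merkle-allowlisted mint: the owner is spoofed for a single call that installs a root containing the test contract's own address, and the mint is then called directly with no prank on the caller. `AllowlistMint`, `setRoot`, `whitelistMint` and `hashPair` are hypothetical names on a constructed stand-in contract, and the tree has only two leaves.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
import "forge-std/Test.sol";

// Constructed stand-in for a Merkle-allowlisted mint (hypothetical, not Bad Guys NFT code).
contract AllowlistMint {
    address public owner = msg.sender;
    bytes32 public root;
    mapping(address => uint256) public minted;
    function setRoot(bytes32 r) external {
        require(msg.sender == owner, "not owner");
        root = r;
    }

    function whitelistMint(uint256 n, bytes32[] calldata proof) external {
        bytes32 h = keccak256(abi.encodePacked(msg.sender));
        for (uint256 i = 0; i < proof.length; i++) h = hashPair(h, proof[i]);
        require(h == root, "not allowlisted");
        minted[msg.sender] += n;
    }
}

// Sorted-pair hashing, so a proof needs no left/right flags.
function hashPair(bytes32 a, bytes32 b) pure returns (bytes32) {
    return a < b ? keccak256(abi.encodePacked(a, b)) : keccak256(abi.encodePacked(b, a));
}

contract AllowlistReproTest is Test {
    AllowlistMint target;

    function setUp() public {
        vm.prank(makeAddr("deployer")); // deployer becomes owner, as it would be on a fork
        target = new AllowlistMint();
    }

    function testMintFromTestContractAddress() public {
        // Two-leaf tree: this test contract plus one constructed sibling address.
        bytes32 leaf = keccak256(abi.encodePacked(address(this)));
        bytes32 sibling = keccak256(abi.encodePacked(makeAddr("other")));
        bytes32[] memory proof = new bytes32[](1);
        proof[0] = sibling;
        bytes32 newRoot = hashPair(leaf, sibling); // computed before the prank
        address owner = target.owner(); // read first: vm.prank covers only the next call
        vm.prank(owner);
        target.setRoot(newRoot);
        target.whitelistMint(1, proof); // msg.sender is the test contract, no prank
        assertEq(target.minted(address(this)), 1);
    }
}
```

Reading `target.owner()` into a local before `vm.prank` matters: any external call placed between the prank and `setRoot` would consume the spoofed sender.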