greged93/proof-of-exploit
Introduction

The proof-of-exploit repo is based on the exploit-cli crate and aims to achieve the same result with less code by using SP1 to generate the proof. Combining revm and SP1 allows the exploit to be executed, given as input a block context and a transaction previously executed on a local anvil instance.

Requirements

Installation

Run the commands below to install the project and run the tests.

git clone https://github.com/greged93/proof-of-exploit
cd proof-of-exploit
git submodule update --init --recursive

cd test/huff-template
forge install
forge build

cargo test -p prove-exploit

Usage

Example

This section describes how to run the example from the Huff template and generate a proof of exploit for it.

cargo run --bin prove-exploit --release -- example --eth-rpc-url https://sepolia.infura.io/v3/<ALCHEMY-KEY>

This will in order:

  • Start a local anvil instance forked from Sepolia at block 4774970
  • Execute the transaction that exploits the huff template
  • Collect all touched storage slots and accounts needed to generate the proof
  • Generate the proof using SP1
  • Log the committed storage value

General

A set of exploitable contracts is provided under test/exploits; they can be used to generate a proof of exploit for various contract issues.

In order to compile the contracts, you will need to install solcjs, which can be done by running:

npm install -g solc
solcjs --version

From there, you can explore the contracts available in test/exploits and try to figure out how to exploit them. Once you have found an input that exploits a contract, construct the transaction input and send it to the contract. The example below breaks the wrong_constructor_name contract.

cargo run --bin prove-exploit --release -- exploit \
    --eth-rpc-url https://sepolia.infura.io/v3/<ALCHEMY-KEY> \
    --block-number 0 --exploited-slots 0x5 --transaction-input 67f809e9 \
    --contract-path test/exploits/wrong_constructor_name/Rubixi_source_code/Rubixi.sol

The above proves an existing exploit for the wrong_constructor_name contract: the owner of the contract is changed via a call to the incorrectly named constructor.
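The wrong_constructor_name class of bug comes from pre-0.4.22 Solidity, where the constructor was simply the function sharing the contract's name; if the contract is renamed and the function is not, it becomes an ordinary public function that any caller can invoke. As an added example that is not part of the proof-of-exploit repo, the Python lint below flags that pattern in a constructed sample (not the Rubixi source) and shows the hardened form using the constructor keyword, which the check does not flag. The contract text, the regex-based heuristic and the function names are assumptions made for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (illustrative only, not the Rubixi source): a pre-0.4.22
# contract whose old-style constructor kept the previous contract name after a
# rename, leaving an ordinary public function that reassigns the owner.
LEGACY_SAMPLE = """
pragma solidity ^0.4.18;

contract Pyramid {
    address public owner;

    // Meant to be the constructor; after the rename it is just a public function.
    function DynamicPyramid() public {
        owner = msg.sender;
    }

    function withdraw() public {
        require(msg.sender == owner);
        msg.sender.transfer(this.balance);
    }
}
"""

# Hardened form: the constructor keyword (Solidity >= 0.4.22) runs only at
# deployment, so a later rename of the contract cannot expose it as a function.
FIXED_SAMPLE = """
pragma solidity ^0.4.22;

contract Pyramid {
    address public owner;

    constructor() public {
        owner = msg.sender;
    }
}
"""

PRAGMA_RE = re.compile(r"pragma\s+solidity\s*[\^~>=<]*\s*(\d+)\.(\d+)\.(\d+)")
CONTRACT_RE = re.compile(r"\bcontract\s+(\w+)\s*(?:is\s+[^{]+)?\{")
FUNCTION_RE = re.compile(r"\bfunction\s+(\w+)\s*\([^)]*\)\s*([^{;]*)")
CONSTRUCTOR_KEYWORD_SINCE = (0, 4, 22)


def pragma_version(source: str) -> Optional[Tuple[int, ...]]:
    """Lowest compiler version named in the pragma, if any."""
    m = PRAGMA_RE.search(source)
    return tuple(int(x) for x in m.groups()) if m else None


def _contract_body(source: str, brace_index: int) -> str:
    """Return the text between the contract's outermost braces."""
    depth = 0
    for i in range(brace_index, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[brace_index + 1:i]
    return source[brace_index + 1:]


def find_stranded_constructors(source: str) -> List[Dict[str, str]]:
    """Flag externally callable PascalCase functions that look like an old-style
    constructor whose name no longer matches its contract (heuristic)."""
    findings = []
    version = pragma_version(source)
    legacy = version is not None and version < CONSTRUCTOR_KEYWORD_SINCE
    for cm in CONTRACT_RE.finditer(source):
        contract = cm.group(1)
        body = _contract_body(source, cm.end() - 1)
        for fm in FUNCTION_RE.finditer(body):
            name, modifiers = fm.group(1), fm.group(2)
            if name == contract or not name[0].isupper():
                continue  # a genuine legacy constructor, or a normal method
            if "internal" in modifiers or "private" in modifiers:
                continue  # not reachable from an external transaction
            reason = "PascalCase public function does not match contract name"
            if legacy:
                reason += "; compiler predates the constructor keyword"
            findings.append({"contract": contract, "function": name, "reason": reason})
    return findings


if __name__ == "__main__":
    for label, src in (("legacy", LEGACY_SAMPLE), ("fixed", FIXED_SAMPLE)):
        print(label, find_stranded_constructors(src))
```

Running the script reports the stranded DynamicPyramid function for the legacy sample and nothing for the fixed one. The heuristic is deliberately narrow (PascalCase name, externally callable, name differs from the contract) so that it catches the renamed-constructor case without flagging ordinary methods; a proper AST from solc would be the next step for a real audit.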

About

Generates a proof of exploit for a contract
