Skip to content

ChargingFoxSec/web3-vulnerability-labs

Repository files navigation

Web3 Vulnerability Labs

Tests

PoC-backed toy labs for Web3 vulnerability patterns.

This repository is for public, sanitized security research. Each lab should use standalone toy code or intentionally vulnerable examples to demonstrate a vulnerability pattern, exploit path, and mitigation. It should not disclose private platform findings, private source code, or contest details that are not safe to publish.

The cases are based on vulnerability patterns encountered during real audit practice and then rewritten into standalone toy examples. They are intended to capture non-trivial audit reasoning: cross-path invariant mismatches, oracle/fallback failure isolation, timestamp ordering, lifecycle automation assumptions, and similar protocol-design edge cases.

This is not a beginner checklist of generic bugs. The goal is to preserve the reasoning structure of real findings while removing project-specific context.

Purpose

  • Turn audit practice and private research lessons into public learning artifacts.
  • Demonstrate exploit reasoning with runnable or reviewable PoCs.
  • Separate technically reproducible bugs from findings that may not be submit-worthy because of scope, impact, privilege assumptions, or disclosure rules.
  • Build a public portfolio of security methodology without exposing confidential project details.

What Belongs Here

  • Minimal vulnerable contracts or programs.
  • Exploit scripts, tests, or transaction walkthroughs.
  • Fixed versions or remediation notes.
  • Triage notes explaining impact, assumptions, and boundary conditions.
  • Anonymous patterns derived from audit practice.

What Does Not Belong Here

  • Private audit platform submissions.
  • Undisclosed project names, commit hashes, addresses, screenshots, or report IDs.
  • Source code copied from private scopes.
  • Claims that a lab represents an accepted platform finding unless that is publicly verifiable.

Case Structure

Each case should follow this shape:

cases/
  evm/
    vulnerability-name/
      README.md
      vulnerable/
      fixed/
      test/
  solana/
    vulnerability-name/
      README.md
      vulnerable/
      fixed/
      test/
  soroban/
    vulnerability-name/
      README.md
      Cargo.toml
      src/

Use CASE_TEMPLATE.md when adding a new lab.

Every published lab is expected to include a PoC artifact, such as a Foundry test, Anchor test, exploit script, or transaction walkthrough.

Labs

ID Ecosystem Pattern PoC Link
EVM-001 EVM Price timestamp rewind Foundry test EVM-001
EVM-002 EVM Oracle failure global scan freeze Foundry test EVM-002
EVM-003 EVM Minimum order size path bypass Foundry test EVM-003
EVM-004 EVM Nested call allowlist bypass Foundry test EVM-004
EVM-005 EVM Temporary custody authorization reentrancy Foundry test EVM-005
EVM-006 EVM Daily debt limit restoration bypass Foundry test EVM-006
EVM-007 EVM Finalized share supply drift Foundry test EVM-007
EVM-008 EVM Finalized batch unwind mismatch Foundry test EVM-008
EVM-009 EVM Native withdrawal stale-reserve reentrancy Foundry test EVM-009
EVM-010 EVM Withdrawal queue frontier skip Foundry test EVM-010
EVM-011 EVM Zero-share lock cancellation Foundry test EVM-011
EVM-012 EVM Blocked spender allowance bypass Foundry test EVM-012
EVM-013 EVM Stale credit sale before loss realization Foundry test EVM-013
EVM-014 EVM Flash loan self-funded credit Foundry test EVM-014
EVM-015 EVM Premature max-factor loss realization Foundry test EVM-015
SOROBAN-001 Soroban Prepared action lifecycle bypass Cargo test SOROBAN-001
SOROBAN-002 Soroban Overlapping quorum double count Cargo test SOROBAN-002
SOROBAN-003 Soroban Call-scoped refund balance mix-up Cargo test SOROBAN-003
SOROBAN-004 Soroban Archived state auto-restore budget exhaustion Cargo test SOROBAN-004
SOROBAN-005 Soroban In-flight message invalidated by library switch Cargo test SOROBAN-005
SOROBAN-006 Soroban Undisclosed worker policy gate Cargo test SOROBAN-006
SOROBAN-007 Soroban Timeout library surface expansion Cargo test SOROBAN-007

Running Tests

The current suite contains 95 tests: 60 Foundry tests across 15 EVM labs and 35 Cargo tests across 7 Soroban state-machine models.

This repository includes an eth-security-toolbox devcontainer with Foundry available.

Start the devcontainer:

devcontainer up --workspace-folder . --config .devcontainer/eth-security-toolbox/devcontainer.json

Then run a lab test from inside the container, or through docker exec:

forge test --match-path cases/evm/EVM-001-price-timestamp-rewind/test/PriceTimestampRewind.t.sol -vvv

Soroban labs can be tested with Cargo:

cd cases/soroban/SOROBAN-001-prepared-action-lifecycle-bypass
cargo test

Or with Docker from the repository root:

docker run --rm -v "$PWD":/workspace -w /workspace/cases/soroban/SOROBAN-001-prepared-action-lifecycle-bypass rust:1.86-slim cargo test

Current Status

Cases are added as standalone toy examples rather than copied from private audit work.

Disclosure Note

Many real audit findings cannot be published because of disclosure rules, private scopes, or contest restrictions. This repository only includes sanitized materials that are safe to disclose publicly.

License

Original lab code and documentation are available under the MIT License. Third-party materials retain their upstream licenses and notices; see THIRD_PARTY_NOTICES.md.

About

PoC-backed toy labs for Web3 vulnerability patterns, exploit reasoning, and audit triage notes.

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors