jtriley-eth/counter-exploit-toolkit jtriley-eth/counter-exploit-toolkit

  • Stars
    star
    108
  • Rank 321,259 (Top 7 %)
  • Language
    Solidity
  • Created over 1 year ago
  • Updated 9 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
jtriley-eth/counter-exploit-toolkit
github

jtriley-eth

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

The Counter Exploit Toolkit

NOTICE: FOR RESEARCH PURPOSES ONLY.

Overiew

This repository contains the contract CounterExploit, which contains all of the logic needed for an upgradeable proxy-based counter exploit.

It provides arbitrary storage write access, arbitrary token withdrawal access, ether withdrawal access, an ether deposit honeypot, and, provided the attacker has sufficient balance and allowance for the proxy contract, it has the ability to take tokens directly from the attacker.

Each function includes a batchable interface for executing multiple operations in the same transaction.

It may be upgraded to, then upgraded from once the counter exploit is complete.

Who Is This For?

This contract is for two kinds of actors. First is the institutional actors that intend to follow the demands or requests of law enforcement to counter exploit the attacker. Second is for users of protocols with upgradeable proxies that may not be aware of the implications of such technology.

For Institutional Actors

This contract will have a canonical deployment that may be delecatecalled. All you need to do is send a transaction from the current proxy's authorized address that upgrades the current implementation address to the CounterExploit address and call initialize() IN THE SAME TRANSACTION. It is important to note that not atomically upgradingn and initializing will open a front-running opportunity that will give the attacker full control over your contract. This is the most crucial step, do not get this wrong.

Once upgraded and initialized, you may step on your technology accelerationist gas pedal and see upradeable proxies through to their end; controlled by coercive, powerful actors for any purpose they see fit.

See the API section below for more about specifics.

For Users of Protocols with Upgradeable Proxies

It is important to know exactly what you, a user, are getting into when interacting with protocols that use upgradeable proxies. Any contract that has an authorized address to upgrade the proxy has the ability to do this, regardless of whether the controller is a EOA, multisig, DAO, or an attacker through some other potential exploit in the protocol.

Definitions:

Arbitrary storage write access: Any storage slot within the contract may be overwritten. This includes, but is not limited to recordings of deposits, internal permissions, and authorized addresses.

Arbitrary token withdrawal access: Any tokens that are in the contract may be withdrawn from the contract itself. This includes up to the full amount but may be more precise by targeting attackers in particular. Note that this will likely need to be used in parallel with storage writes. For example, if an attacker's funds need to be taken, the protocol must both take the tokens from the contract itself and overwrite the attacker's deposit slot to ensure they may not withdraw any other tokens from the protocol.

Ether withdrawal access: Similar to arbitrary token withdrawal access, any ether that the contract holds may be withdrawn.

Steal token access: This is likely the most important to understand. Protocols often require some kind of ERC20 token approval to act on the user's behalf, particularly with things like deposits and swaps. It is a common user experience pattern to ask the user to give "infinite" approval to the contract to prevent the user from having to run redundant transactions. However, combining this with upgradeable proxies means that not only can tokens be withdrawn from the proxy itself, but they may also be taken from the user, provided they have sufficient allowance granted to the contract. This may be useful to recover an attacker's stolen funds, but this is not enforceable to limit it to just the attacker. If you want to see and potentially revoke your token allowances, you may do so from here https://revoke.cash/

API

The following methods are implemented on the CounterExploit contract.

Write Access

/// @notice Writes a value to storage.
/// @dev Reverts if caller is not admin.
/// @param slot The storage slot to write to.
/// @param value The value to write.
function write(bytes32 slot, bytes32 value);

/// @notice Batch writes values to storage.
/// @dev Reverts if caller is not admin.
/// @param slots The storage slots to write to.
/// @param values The values to write.
function writeBatch(bytes32[] calldata slots, bytes32[] calldata values);

Token Withdrawal Access

/// @notice Transfers tokens from this address to a receiver.
/// @dev Reverts if caller is not admin.
/// @param receiver The address to transfer tokens to.
/// @param token The token to transfer.
/// @param amount The amount of tokens to transfer.
function takeToken(address receiver, ERC20 token, uint256 amount);

/// @notice Batch transfers tokens from this address to a receiver.
/// @dev Reverts if caller is not admin.
/// @param receiver The address to transfer tokens to.
/// @param tokens The tokens to transfer.
/// @param amounts The amounts of tokens to transfer.
function takeTokenBatch(address receiver, ERC20[] calldata tokens, uint256[] calldata amounts);

Ether Withdrawal Access

/// @notice Transfers ether to a receiver.
/// @dev Reverts if caller is not admin.
/// @param receiver The address to transfer ether to.
/// @param amount The amount of ether to transfer.
/// @return success True if the transfer succeeded (used to remove solc warning).
function takeEther(address receiver, uint256 amount)

Steal Token Access

/// @notice Transfers tokens from the attacker to a receiver.
/// @dev Reverts if caller is not admin. Gets the attacker's balance and allowance and transfers
/// the lesser of the two.
/// @param attacker The address to transfer tokens from.
/// @param receiver The address to transfer tokens to.
/// @param token The token to transfer.
/// @param amount The amount of tokens to transfer.
function stealToken(
    address attacker,
    address receiver,
    ERC20 token,
    uint256 amount
);

/// @notice Batch transfers tokens from the attacker to a receiver.
/// @dev Reverts if caller is not admin.
/// @param receiver The address to transfer tokens to.
/// @param tokens The tokens to transfer.
/// @param amounts The amounts of tokens to transfer.
function stealTokenBatch(
    address attacker,
    address receiver,
    ERC20[] calldata tokens,
    uint256[] calldata amounts
);

Ether Receive Honeypot

/// @notice Receives any amount of Ether without taking action.
receive() external payable {}

More Repositories

1

the-ethereum-virtual-machine

CSS
216
star
2

loopinator

Solidity
130
star
3

token-types

Efficient Type Driven Smart Contract Interactions
Solidity
104
star
4

ether-deck

Solidity
97
star
5

minimum-viable-proxy

Solidity
88
star
6

uni-v4-core-flashloans

Simple Uniswap V4 Flashloan Receiver
Solidity
81
star
7

huff-style-guide

A mostly mostly reasonable approach to Huff styling.
78
star
8

the-rippler

Solidity
76
star
9

smart-types

Solidity
69
star
10

ether-deck-mk2

Solidity
63
star
11

mutexer

Solidity
58
star
12

ERC-6909

Solidity
56
star
13

ez-bitmap

Solidity
51
star
14

huff-hooks

Uniswap V4 Huff Hooks
Solidity
40
star
15

cursed-struct-token

Solidity
37
star
16

offensive_vyper

Vyper Based Capture The Flag Challenges
Python
35
star
17

monomorphized

Solidity
34
star
18

super-liquidator

Solidity
33
star
19

zk-calculator

Rust
30
star
20

iter-sol

Solidity
29
star
21

inline-yul-style-guide

A mostly mostly reasonable approach to inline Yul styling.
29
star
22

ez-sol

Solidity
28
star
23

safe-counter

Solidity
26
star
24

vy-deepdive

Vyper Deep Dive Notes and Scripts
Assembly
26
star
25

celebrate-push0

Solidity
24
star
26

sol-fun

Solidity
22
star
27

libhuff

optimized huff snippets
Rust
20
star
28

bigbrainchad-eth

JavaScript
20
star
29

unbug

Solidity calldata, memory, transient storage, and storage debugger
Solidity
20
star
30

reverse-subway

Assembly
19
star
31

cursed-functions

Solidity
18
star
32

erc6909-examples

Solidity
13
star
33

poc-template

Solidity
12
star
34

vyper-storage

Solidity
11
star
35

xstream

Solidity
11
star
36

hh-qualifier

Solidity
10
star
37

tcontext

Solidity
10
star
38

type-driven-tokens

Solidity
10
star
39

snarki-boi

Experimental Noir repo. Very important not to get carried away
Solidity
9
star
40

evm-dag-ir

graph-based evm intermediate representation
Rust
9
star
41

prep

Solidity
9
star
42

evm-obj-fmt

Rust
9
star
43

arbies

Python
9
star
44

decktools-mk2

Solidity
9
star
45

vy-6909

Solidity
6
star
46

libecdsa

Solidity
6
star
47

maths

Jupyter Notebook
6
star
48

naturals-lean

Lean Theorem Proving Exercises and Learning Repository
Lean
6
star
49

intent-core

Solidity
6
star
50

jtriley-eth.github.io

HTML
3
star
51

searchooor

Rust
3
star
52

dasy-6909

Solidity
3
star
53

decktools

Rust
3
star
54

quantum-lean

Quantum computing primitives in Lean 4
Lean
3
star
55

sacgeo-solver

Rust
3
star
56

jiterator

tinkering repository for iterator behavior
Rust
2
star
57

sway-research

fa&fo repo for sway
Rust
2
star
58

xsf

Solidity
1
star
59

scuffed-dao

Solidity
1
star
60

flow-state

UI/UX project around Superfluid protocol
JavaScript
1
star
61

temp-spec

temp lang spec with specific in-evm uses, very important not to get carried away
1
star
62

Consensus-Time

Time Consensus Protocol
Solidity
1
star
63

test-proj

Rust
1
star
64

token-accounting

Accounting for ERC20 tokens and Superfluid Super Tokens
TypeScript
1
star
65

ruint-simd

Rust
1
star
66

bitmap-v-memory

gas testing uniswap calls struct against bitmaps
Solidity
1
star
67

portfolio

Svelte
1
star