jtriley-eth/counter-exploit-toolkit jtriley-eth/counter-exploit-toolkit

  • Stars
    star
    101
  • Rank 328,378 (Top 7 %)
  • Language
    Solidity
  • Created over 1 year ago
  • Updated 3 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
jtriley-eth/counter-exploit-toolkit
github

jtriley-eth

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

The Counter Exploit Toolkit

NOTICE: FOR RESEARCH PURPOSES ONLY.

Overiew

This repository contains the contract CounterExploit, which contains all of the logic needed for an upgradeable proxy-based counter exploit.

It provides arbitrary storage write access, arbitrary token withdrawal access, ether withdrawal access, an ether deposit honeypot, and, provided the attacker has sufficient balance and allowance for the proxy contract, it has the ability to take tokens directly from the attacker.

Each function includes a batchable interface for executing multiple operations in the same transaction.

It may be upgraded to, then upgraded from once the counter exploit is complete.

Who Is This For?

This contract is for two kinds of actors. First is the institutional actors that intend to follow the demands or requests of law enforcement to counter exploit the attacker. Second is for users of protocols with upgradeable proxies that may not be aware of the implications of such technology.

For Institutional Actors

This contract will have a canonical deployment that may be delecatecalled. All you need to do is send a transaction from the current proxy's authorized address that upgrades the current implementation address to the CounterExploit address and call initialize() IN THE SAME TRANSACTION. It is important to note that not atomically upgradingn and initializing will open a front-running opportunity that will give the attacker full control over your contract. This is the most crucial step, do not get this wrong.

Once upgraded and initialized, you may step on your technology accelerationist gas pedal and see upradeable proxies through to their end; controlled by coercive, powerful actors for any purpose they see fit.

See the API section below for more about specifics.

For Users of Protocols with Upgradeable Proxies

It is important to know exactly what you, a user, are getting into when interacting with protocols that use upgradeable proxies. Any contract that has an authorized address to upgrade the proxy has the ability to do this, regardless of whether the controller is a EOA, multisig, DAO, or an attacker through some other potential exploit in the protocol.

Definitions:

Arbitrary storage write access: Any storage slot within the contract may be overwritten. This includes, but is not limited to recordings of deposits, internal permissions, and authorized addresses.

Arbitrary token withdrawal access: Any tokens that are in the contract may be withdrawn from the contract itself. This includes up to the full amount but may be more precise by targeting attackers in particular. Note that this will likely need to be used in parallel with storage writes. For example, if an attacker's funds need to be taken, the protocol must both take the tokens from the contract itself and overwrite the attacker's deposit slot to ensure they may not withdraw any other tokens from the protocol.

Ether withdrawal access: Similar to arbitrary token withdrawal access, any ether that the contract holds may be withdrawn.

Steal token access: This is likely the most important to understand. Protocols often require some kind of ERC20 token approval to act on the user's behalf, particularly with things like deposits and swaps. It is a common user experience pattern to ask the user to give "infinite" approval to the contract to prevent the user from having to run redundant transactions. However, combining this with upgradeable proxies means that not only can tokens be withdrawn from the proxy itself, but they may also be taken from the user, provided they have sufficient allowance granted to the contract. This may be useful to recover an attacker's stolen funds, but this is not enforceable to limit it to just the attacker. If you want to see and potentially revoke your token allowances, you may do so from here https://revoke.cash/

API

The following methods are implemented on the CounterExploit contract.

Write Access

/// @notice Writes a value to storage.
/// @dev Reverts if caller is not admin.
/// @param slot The storage slot to write to.
/// @param value The value to write.
function write(bytes32 slot, bytes32 value);

/// @notice Batch writes values to storage.
/// @dev Reverts if caller is not admin.
/// @param slots The storage slots to write to.
/// @param values The values to write.
function writeBatch(bytes32[] calldata slots, bytes32[] calldata values);

Token Withdrawal Access

/// @notice Transfers tokens from this address to a receiver.
/// @dev Reverts if caller is not admin.
/// @param receiver The address to transfer tokens to.
/// @param token The token to transfer.
/// @param amount The amount of tokens to transfer.
function takeToken(address receiver, ERC20 token, uint256 amount);

/// @notice Batch transfers tokens from this address to a receiver.
/// @dev Reverts if caller is not admin.
/// @param receiver The address to transfer tokens to.
/// @param tokens The tokens to transfer.
/// @param amounts The amounts of tokens to transfer.
function takeTokenBatch(address receiver, ERC20[] calldata tokens, uint256[] calldata amounts);

Ether Withdrawal Access

/// @notice Transfers ether to a receiver.
/// @dev Reverts if caller is not admin.
/// @param receiver The address to transfer ether to.
/// @param amount The amount of ether to transfer.
/// @return success True if the transfer succeeded (used to remove solc warning).
function takeEther(address receiver, uint256 amount)

Steal Token Access

/// @notice Transfers tokens from the attacker to a receiver.
/// @dev Reverts if caller is not admin. Gets the attacker's balance and allowance and transfers
/// the lesser of the two.
/// @param attacker The address to transfer tokens from.
/// @param receiver The address to transfer tokens to.
/// @param token The token to transfer.
/// @param amount The amount of tokens to transfer.
function stealToken(
    address attacker,
    address receiver,
    ERC20 token,
    uint256 amount
);

/// @notice Batch transfers tokens from the attacker to a receiver.
/// @dev Reverts if caller is not admin.
/// @param receiver The address to transfer tokens to.
/// @param tokens The tokens to transfer.
/// @param amounts The amounts of tokens to transfer.
function stealTokenBatch(
    address attacker,
    address receiver,
    ERC20[] calldata tokens,
    uint256[] calldata amounts
);

Ether Receive Honeypot

/// @notice Receives any amount of Ether without taking action.
receive() external payable {}

More Repositories

1

the-ethereum-virtual-machine

CSS
200
star
2

loopinator

Solidity
130
star
3

ether-deck

Solidity
96
star
4

minimum-viable-proxy

Solidity
86
star
5

uni-v4-core-flashloans

Simple Uniswap V4 Flashloan Receiver
Solidity
74
star
6

the-rippler

Solidity
73
star
7

huff-style-guide

A mostly mostly reasonable approach to Huff styling.
72
star
8

smart-types

Solidity
69
star
9

ether-deck-mk2

Solidity
61
star
10

mutexer

Solidity
57
star
11

ez-bitmap

Solidity
51
star
12

ERC-6909

Solidity
49
star
13

huff-hooks

Uniswap V4 Huff Hooks
Solidity
39
star
14

cursed-struct-token

Solidity
37
star
15

offensive_vyper

Vyper Based Capture The Flag Challenges
Python
35
star
16

super-liquidator

Solidity
33
star
17

monomorphized

Solidity
31
star
18

zk-calculator

Rust
30
star
19

iter-sol

Solidity
29
star
20

ez-sol

Solidity
28
star
21

safe-counter

Solidity
26
star
22

celebrate-push0

Solidity
24
star
23

vy-deepdive

Vyper Deep Dive Notes and Scripts
Assembly
24
star
24

sol-fun

Solidity
22
star
25

libhuff

optimized huff snippets
Rust
20
star
26

unbug

Solidity calldata, memory, transient storage, and storage debugger
Solidity
20
star
27

cursed-functions

Solidity
18
star
28

erc6909-examples

Solidity
13
star
29

poc-template

Solidity
12
star
30

xstream

Solidity
10
star
31

evm-dag-ir

graph-based evm intermediate representation
Rust
9
star
32

evm-obj-fmt

Rust
9
star
33

decktools-mk2

Solidity
9
star
34

snarki-boi

Experimental Noir repo. Very important not to get carried away
Solidity
8
star
35

prep

Solidity
8
star
36

hh-qualifier

Solidity
8
star
37

type-driven-tokens

Solidity
8
star
38

vyper-storage

Solidity
7
star
39

arbies

Python
7
star
40

vy-6909

Solidity
6
star
41

libecdsa

Solidity
6
star
42

token-types

Solidity
4
star
43

tcontext

Solidity
4
star
44

intent-core

Solidity
4
star
45

jtriley-eth.github.io

HTML
3
star
46

searchooor

Rust
3
star
47

dasy-6909

Solidity
3
star
48

decktools

Rust
3
star
49

sacgeo-solver

Rust
3
star
50

jiterator

tinkering repository for iterator behavior
Rust
2
star
51

sway-research

fa&fo repo for sway
Rust
2
star
52

xsf

Solidity
1
star
53

flow-state

UI/UX project around Superfluid protocol
JavaScript
1
star
54

inline-yul-style-guide

A mostly mostly reasonable approach to inline Yul styling.
1
star
55

scuffed-dao

Solidity
1
star
56

test-proj

Rust
1
star
57

temp-spec

temp lang spec with specific in-evm uses, very important not to get carried away
1
star
58

Consensus-Time

Time Consensus Protocol
Solidity
1
star
59

token-accounting

Accounting for ERC20 tokens and Superfluid Super Tokens
TypeScript
1
star
60

bitmap-v-memory

gas testing uniswap calls struct against bitmaps
Solidity
1
star
61

portfolio

Svelte
1
star