DeFi Hacks Reproduce - Foundry

Reproduce DeFi hack incidents using Foundry.

558 incidents included.

Let's make Web3 secure! Join Discord

Notion: 101 root cause analysis of past DeFi hacked incidents

Disclaimer: This content serves solely as a proof of concept showcasing past DeFi hacking incidents. It is strictly intended for educational purposes and should not be interpreted as encouraging or endorsing any form of illegal activities or actual hacking attempts. The provided information is for informational and learning purposes only, and any actions taken based on this content are solely the responsibility of the individual. The usage of this information should adhere to applicable laws, regulations, and ethical standards.

Getting Started

Follow the instructions to install Foundry.
Clone and install dependencies:git submodule update --init --recursive
Contributing Guidelines

Web3 Cybersecurity Academy

All articles are also published on Substack.

OnChain transaction debugging

Lesson 1: Tools ( English | 中文 | Vietnamese | Korean | Spanish )
Lesson 2: Warm up ( English | 中文 | Korean | Spanish )
Lesson 3: Write Your Own PoC (Price Oracle Manipulation) ( English | 中文 | Korean | Spanish )
Lesson 4: Write Your Own PoC (MEV Bot) ( English | 中文 | Korean | Spanish )
Lesson 5: Rugpull Analysis ( English | 中文 | Spanish )
Lesson 6: Write Your Own PoC (Reentrancy) ( English | 中文 | Spanish )
Lesson 7: Hack Analysis: Nomad Bridge, August 2022 ( English | 中文 | Spanish )

Who Support Us? DeFiHackLabs Received Grant From

Donate us

If you appreciate our work, please consider donating. Even a small amount helps us continue developing and improving our projects, and promoting web3 security.

Gitcoin - Donate DeFiHackLabs
EVM Chains - 0xD7d6215b4EF4b9B5f40baea48F41047Eb67a11D5
Giveth

List of Past DeFi Incidents

20250111 RoulettePotV2

2024

20241119 PolterFinance

20241111 DeltaPrime

20241026 CompoundFork

20241022 Erc20transfer

20240926 Bedrock_DeFi

20240924 MARA

20240923 Bankroll_Network

20240913 OTSeaStaking

20240910 Caterpillar_Coin_CUT

20240903 Penpiexyz_io

20240816 Zenterest

20240816 OMPxContract

20240724 Spectra_finance

20240723 MEVbot_0xdd7c

20240716 Lifiprotocol

20240703 UnverifiedContr_0x452E25

20240610 UwuLend - Price Manipulation

20240531 Liquiditytokens

20240531 MixedSwapRouter

20240529 SCROLL

20240529 MetaDragon

20240528 Tradeonorion

20240514 Sonne Finance

20240514 PredyFinance

20240419 HedgeyFinance

20240417 UnverifiedContr_0x00C409

20240416 SATX

20240416 MARS_DEFI

20240415 GFA

20240415 ChaingeFinance

20240402 HoppyFrogERC

20240401 ATM

20240401 OpenLeverage

20240228 SMOOFSStaking

20240223 Zoomer

20240223 CompoundUni

20240223 BlueberryProtocol

20240222 SwarmMarkets

20240216 ParticleTrade

20240129 PeapodsFinance

20240128 BarleyFinance

20240127 CitadelFinance

20240125 NBLGAME

20240122 DAO_SoulMate

20240117 BmiZapper

20240117 SocketGateway

20240115 Shell_MEV_0xa898

20240102 RadiantCapital

20240101 OrbitChain

2023

20231231 Channels BUSD&USDC

20231230 ChannelsFinance

20231228 CCV

20231228 DominoTT

20231225 Telcoin

20231222 PineProtocol

20231220 TransitFinance

20231217 Bob

20231217 FloorProtocol

20231211 GoodCompound

20231209 BCT

20231207 HNet

20231206 TIME

20231206 ElephantStatus

20231205 MAMO

20231205 BEARNDAO

20231202 bZxProtocol

20231201 UnverifiedContr_0x431abb

20231130 EEE

20231130 CAROLProtocol

20231117 Token8633_9419

20231106 TheStandard_io

20231106 KR

20231102 BRAND

20231102 3913Token

20231101 SwampFinance

20231101 OnyxProtocol

20231031 UniBotRouter

20231030 LaEeb

20231028 AstridProtocol

20231024 MaestroRouter2

20231022 OpenLeverage

20230930 FireBirdPair

20230818 ExactlyProtocol

20230814 ZunamiProtocol

20230809 EarningFram

20230802 CurveBurner

20230802 Uwerx

20230801 NeutraFinance

20230723 MintoFinance

20230722 ConicFinance02

20230721 ConicFinance

20230715 USDTStakingContract28

20230712 Platypus

20230712 WGPT

20230711 RodeoFinance

20230704 BaoCommunity

20230627 UnverifiedContr_9ad32

20230627 STRAC

20230623 SHIDO

20230621 BabyDogeCoin02

20230621 BUNN

20230620 MIM

20230619 Contract_0x7657

20230618 ARA

20230617 MidasCapitalXYZ

20230617 Pawnfi

20230615 CFC

20230615 DEPUSDT_LEVUSDC

20230612 Sturdy Finance

20230611 SellToken04

20230607 CompounderFinance

20230606 VINU

20230606 UN

20230602 NST SimpleSwap

20230601 DDCoin

20230601 Cellframenet

20230531 ERC20TokenBank

20230529 Jimbo

20230529 BabyDogeCoin

20230415 HundredFinance

20230413 yearnFinance

20230328 SafeMoon Hack

20230328 THENA

20230325 DBW

20230322 BIGFI

20230317 ParaSpace NFT

20230315 Poolz

20230313 EulerFinance

20230218 RevertFinance

20230217 Starlink

20230217 Dexible

20230217 Platypusdefi

20230203 Orion Protocol

20230203 Spherax USDs

20230202 BonqDAO

20230130 BEVO

20230126 TomInu Token

20230119 SHOCO Token

20230119 ThoreumFinance

20230118 QTN Token

20230118 UPS Token

20230117 OmniEstate

20230116 MidasCapital

2022

20221211 MEVbot_0x28d9

20221119 AnnexFinance

20221027 Team Finance

20221026 N00d Token

20221025 ULME

20221024 Market

20221024 MulticallWithoutCheck

20221021 OlympusDAO

20221020 HEALTH Token

20221014 EFLeverVault

20221014 MEVBOT a47b

20221012 ATK

20221011 Rabby Wallet SwapRouter

20221011 Templedao

20221010 Carrot

20221009 Xave Finance

20221006 RES-Token

20221002 Transit Swap

20221001 BabySwap

20221001 RL

20221001 Thunder Brawl

20220929 BXH

20220928 MEVBOT Badc0de

20220923 RADT-DAO

20220913 MevBot Private TX

20220909 DPC

20220908 YYDS

20220908 NewFreeDAO

20220908 Ragnarok Online Invasion

20220906 NXUSD

20220905 ZoomproFinance

20220902 ShadowFi

20220902 Bad Guys by RPF

20220828 DDC

20220824 LuckyTiger NFT

20220816 Circle_2

20220813 Circle

20220810 XSTABLE Protocol

20220802 Nomad Bridge

20220801 Reaper Farm

20220725 LPC

20220723 Audius

20220713 SpaceGodzilla

20220710 Omni NFT

20220706 FlippazOne NFT

20220701 Quixotic - Optimism NFT Marketplace

20220626 XCarnival

20220624 Harmony's Horizon Bridge

20220618 SNOOD

20220616 InverseFinance

20220608 GYMNetwork

20220608 Optimism - Wintermute

20220606 Discover

20220529 NOVO Protocol

20220524 HackDao

20220517 ApeCoin

20220508 Fortress Loans

20220430 Saddle Finance

20220430 Rari Capital/Fei Protocol

20220428 DEUS DAO

20220424 Wiener DOGE

20220423 Akutar NFT

20220421 Zeed Finance

20220416 BeanstalkFarms

20220415 Rikkei Finance

20220412 ElephantMoney

20220411 Creat Future

20220409 GYMNetwork

20220329 Ronin Network

20220329 Redacted Cartel

20220327 Revest Finance

20220326 Auctus

20220322 CompoundTUSDSweepTokenBypass

20220321 OneRing Finance

20220320 LI.FI

20220320 Umbrella Network

20220315 Agave Finance

20220315 Hundred Finance

20220313 Paraluni

20220309 Fantasm Finance

20220305 Bacon Protocol

20220303 TreasureDAO

20220214 BuildFinance - DAO

20220208 Sandbox LAND

20220205 Meter

20220204 TecraSpace

20220128 Qubit Finance

20220118 Multichain (Anyswap)

2021

20211221 Visor Finance

20211218 Grim Finance

20211214 Nerve Bridge

20211130 MonoX Finance

20211123 Ploutoz Finance

20211027 Cream Finance

20211015 Indexed Finance

20210916 SushiSwap Miso

20210915 Nimbus Platform

20210915 NowSwap Platform

20210912 ZABU Finance

20210903 DAO Maker

20210830 Cream Finance

20210817 XSURGE

20210811 Poly Network

20210804 WaultFinance

20210728 Levyathan Finance

20210710 Chainswap

20210702 Chainswap

20210628 SafeDollar

20210625 xWin Finance

20210622 Eleven Finance

20210607 88mph NFT

20210603 PancakeHunny

20210527 JulSwap

20210527 BurgerSwap

20210519 PancakeBunny

20210516 bEarn

20210508 Rari Capital

20210305 Paid Network

20210204 Yearn YDai

20210125 Sushi Badger Digg

Before 2020

20201229 Cover Protocol

20201121 Pickle Finance

20201026 Harvest Finance

20200912 bzx

20200804 Opyn Protocol

20200628 Balancer Protocol

20200618 Bancor Protocol

20180422 Beauty Chain

20171106 Parity - 'Accidentally Killed It'

Transaction debugging tools

Ethereum Signature Database

4byte | sig db | etherface

Useful tools

ABI to interface | Get ABI for unverified contracts | ETH Calldata Decoder | ETHCMD - Guess ABI | Abi tools

Hacks Dashboard

List of DeFi Hacks & POCs

20250221 Bybit - Phishing attack

Lost: 1.5B

forge test --contracts ./src/test/2025-02/Bybit_exp.sol -vvv

Contract

Bybit_exp.sol

Link reference

https://x.com/dhkleung/status/1893073663391604753

20250211 FourMeme - Logic Flaw

Lost: ~186k

forge test --contracts ./src/test/2025-02/FourMeme_exp.sol -vvv --evm-version shanghai

Contract

FourMeme_exp.sol

Link reference

https://www.chaincatcher.com/en/article/2167296

20250123 ODOS - invalid-signature-verification

Lost: ~50k

forge test --contracts ./src/test/2025-01/ODOS_exp.sol -vvv

Contract

OODS_exp.sol

Link reference

https://app.blocksec.com/explorer/tx/base/0xd10faa5b33ddb501b1dc6430896c966048271f2510ff9ed681dd6d510c5df9f6

20250121 Ast - Price-Manipulation

Lost: ~65K

forge test --contracts ./src/test/2025-01/Ast_exp.sol -vvv

Contract

Ast_exp.sol

Link reference

https://medium.com/@joichiro.sai/ast-token-hack-how-a-faulty-transfer-logic-led-to-a-65k-exploit-da75aed59a43

20250118 Paribus - Bad oracle

Lost: ~86k

forge test --contracts ./src/test/2025-01/Paribus_exp.sol -vvv

Contract

Paribus_exp.sol

Link reference

https://app.blocksec.com/explorer/tx/arbitrum/0xf5e753d3da60db214f2261343c1e1bc46e674d2fa4b7a953eaf3c52123aeebd2?line=415

20250113 Mosca2 - Logic Flaw

Lost: 37.6K

forge test --contracts ./src/test/2025-01/Mosca2_exp.sol -vvv --evm-version shanghai

Contract

Mosca2_exp.sol

Link reference

https://x.com/TenArmorAlert/status/1878699517450883407

20250111 RoulettePotV2 - Price Manipulation

Lost: ~28K

forge test --contracts ./src/test/2025-01/RoulettePotV2_exp.sol -vvv --evm-version shanghai

Contract

RoulettePotV2_exp.sol

Link reference

https://x.com/TenArmorAlert/status/1878008055717376068

20250110 JPulsepot - Logic Flaw

Lost: 21.5K

forge test --contracts ./src/test/2025-01/JPulsepot_exp.sol -vvv --evm-version shanghai

Contract

JPulsepot_exp.sol

Link reference

https://x.com/CertiKAlert/status/1877662352834793639

20250108 LPMine - Incorrect reward calculation

Lost: ~24k USDT

forge test --contracts ./src/test/2025-01/LPMine.sol  -vvv --evm-version cancun

Contract

LPMine_exp.sol

Link reference

https://x.com/TenArmorAlert/status/1877030261067571234

20250107 IPC Incorrect burn pairs

Lost: ～590k USDT

forge test --contracts ./src/test/2025-01/IPC_exp.sol  -vvv --evm-version cancun

Contract

IPC_exp.sol

Link reference

https://x.com/TenArmorAlert/status/1876663900663370056

20250106 Mosca - Logic Flaw

Lost: 19K

forge test --contracts ./src/test/2025-01/Mosca_exp.sol -vvv --evm-version shanghai

Contract

Mosca_exp.sol

Link reference

https://x.com/0xNickLFranklin/status/1876884383736430821

20250104 SorStaking - Incorrect reward calculation

Lost: ～8 ETH

forge test --contracts ./src/test/2025-01/sorraStaking.sol  -vv --evm-version cancun

Contract

sorraStaking.sol

Link reference

https://x.com/TenArmorAlert/status/1875582709512188394

20250104 98Token - Unprotected public function

Lost: 28K USDT

forge test --contracts ./src/test/2025-01/98Token_exp.sol  -vvvv --evm-version cancun

Contract

98#Token_exp.sol

Link reference

https://x.com/TenArmorAlert/status/1875462686353363435

20250101 LAURAToken - Pair Balance Manipulation

Lost: 12.34 ETH (~$41.2K USD)

forge test --contracts ./src/test/2025-01/LAURAToken_exp.sol -vvv

Contract

LAURA_exp.sol

Link reference

https://x.com/TenArmorAlert/status/1874455664187023752

View Gas Reports

Foundry also has the ability to report the gas used per function call which mimics the behavior of hardhat-gas-reporter. Generally speaking if gas costs per function call is very high, then the likelihood of its success is reduced. Gas optimization is an important activity done by smart contract developers.

Every poc in this repository can produce a gas report like this:

forge test --gas-report --contracts <contract> -vvv

For Example: Let us find out the gas used in the Audius poc

Execution

forge test --gas-report --contracts ./src/test/Audius.exp.sol -vvv

Demo

Bug Reproduce

Moved to DeFiVulnLabs

FlashLoan Testing

Moved to DeFiLabs

Files

README.md

Latest commit

History

README.md

File metadata and controls

DeFi Hacks Reproduce - Foundry

Getting Started

Web3 Cybersecurity Academy

OnChain transaction debugging

Who Support Us? DeFiHackLabs Received Grant From

Donate us

List of Past DeFi Incidents

Transaction debugging tools

Ethereum Signature Database

Useful tools

Hacks Dashboard

List of DeFi Hacks & POCs

20250221 Bybit - Phishing attack

Lost: 1.5B

Contract

Link reference

20250211 FourMeme - Logic Flaw

Lost: ~186k

Contract

Link reference

20250123 ODOS - invalid-signature-verification

Lost: ~50k

Contract

Link reference

20250121 Ast - Price-Manipulation

Lost: ~65K

Contract

Link reference

20250118 Paribus - Bad oracle

Lost: ~86k

Contract

Link reference

20250113 Mosca2 - Logic Flaw

Lost: 37.6K

Contract

Link reference

20250111 RoulettePotV2 - Price Manipulation

Lost: ~28K

Contract

Link reference

20250110 JPulsepot - Logic Flaw

Lost: 21.5K

Contract

Link reference

20250108 LPMine - Incorrect reward calculation

Lost: ~24k USDT

Contract

Link reference

20250107 IPC Incorrect burn pairs

Lost: ～590k USDT

Contract

Link reference

20250106 Mosca - Logic Flaw

Lost: 19K

Contract

Link reference

20250104 SorStaking - Incorrect reward calculation

Lost: ～8 ETH

Contract

Link reference

20250104 98Token - Unprotected public function

Lost: 28K USDT

Contract

Link reference

20250101 LAURAToken - Pair Balance Manipulation

Lost: 12.34 ETH (~$41.2K USD)

Contract

Link reference

View Gas Reports

Bug Reproduce

FlashLoan Testing