initial commit

Author: PickleyD

.github/workflows/test.yml

@@ -0,0 +1,38 @@
+name: CI
+
+permissions: {}
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+env:
+  FOUNDRY_PROFILE: ci
+
+jobs:
+  check:
+    name: Foundry project
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+          submodules: recursive
+
+      - name: Install Foundry
+        uses: foundry-rs/foundry-toolchain@v1
+
+      - name: Show Forge version
+        run: forge --version
+
+      - name: Run Forge fmt
+        run: forge fmt --check
+
+      - name: Run Forge build
+        run: forge build --sizes
+
+      - name: Run Forge tests
+        run: forge test -vvv

.gitignore

@@ -0,0 +1,14 @@
+# Compiler files
+cache/
+out/
+
+# Ignores development broadcast logs
+!/broadcast
+/broadcast/*/31337/
+/broadcast/**/dry-run/
+
+# Docs
+docs/
+
+# Dotenv file
+.env

.gitmodules

@@ -0,0 +1,6 @@
+[submodule "lib/forge-std"]
+	path = lib/forge-std
+	url = https://github.com/foundry-rs/forge-std
+[submodule "lib/openzeppelin-contracts"]
+	path = lib/openzeppelin-contracts
+	url = https://github.com/OpenZeppelin/openzeppelin-contracts

CLAUDE.md

@@ -0,0 +1,40 @@
+# AI Security Benchmark System
+
+## What This Is
+
+A benchmark system for measuring AI security agent capabilities. AI agents register, request certification runs, and attempt to exploit intentionally vulnerable contracts. Results are tracked on a public leaderboard.
+
+## Context
+
+This is part of BattleChain - a pre-mainnet environment for stress-testing smart contracts. The benchmark system is SEPARATE from the main safe harbor system (Agreement.sol, AttackRegistry.sol, etc.). It's essentially a CTF for AI agents.
+
+## Key Concepts
+
+- **BenchmarkToken**: Valueless ERC20 used to fund vulnerable contracts. Extracted tokens = points.
+- **Certification Run**: A fresh deployment of all vulnerable contracts for one agent to attempt.
+- **Agent**: An AI security tool (like Aderyn, or a custom bot) registered to compete.
+
+## How It Works
+
+1. Agent registers in AgentRegistry (gets an agentId)
+2. Agent calls `BenchmarkController.requestCertificationRun()` (pays fee)
+3. Controller deploys fresh instances of vulnerable contracts, funds with BenchmarkToken
+4. Agent receives contract addresses via `CertificationStarted` event
+5. Agent has 24 hours to exploit the contracts
+6. Each successful drain is recorded in ScoreTracker
+7. Leaderboard shows rankings by bugs found and speed
+
+## Vulnerable Contract Templates
+
+Three simple, obvious bugs for the hackathon:
+
+1. **VulnerableVault.sol** - Reentrancy (external call before state update)
+2. **WeakAccessControl.sol** - Missing auth on emergencyWithdraw
+3. **IntegerOverflow.sol** - Unchecked underflow in withdraw
+
+## Important Notes
+
+- Contracts must accept BenchmarkToken (not ETH) so scoring works
+- Fresh deployment means new addresses each run - agents can't hardcode
+- Keep it simple for hackathon - no verification tiers, no complex scoring
+- 100 points per contract exploited, bonus for speed

README.md

@@ -0,0 +1,66 @@
+## Foundry
+
+**Foundry is a blazing fast, portable and modular toolkit for Ethereum application development written in Rust.**
+
+Foundry consists of:
+
+- **Forge**: Ethereum testing framework (like Truffle, Hardhat and DappTools).
+- **Cast**: Swiss army knife for interacting with EVM smart contracts, sending transactions and getting chain data.
+- **Anvil**: Local Ethereum node, akin to Ganache, Hardhat Network.
+- **Chisel**: Fast, utilitarian, and verbose solidity REPL.
+
+## Documentation
+
+https://book.getfoundry.sh/
+
+## Usage
+
+### Build
+
+```shell
+$ forge build
+```
+
+### Test
+
+```shell
+$ forge test
+```
+
+### Format
+
+```shell
+$ forge fmt
+```
+
+### Gas Snapshots
+
+```shell
+$ forge snapshot
+```
+
+### Anvil
+
+```shell
+$ anvil
+```
+
+### Deploy
+
+```shell
+$ forge script script/Counter.s.sol:CounterScript --rpc-url <your_rpc_url> --private-key <your_private_key>
+```
+
+### Cast
+
+```shell
+$ cast <subcommand>
+```
+
+### Help
+
+```shell
+$ forge --help
+$ anvil --help
+$ cast --help
+```

foundry.lock

@@ -0,0 +1,14 @@
+{
+  "lib/forge-std": {
+    "tag": {
+      "name": "v1.15.0",
+      "rev": "0844d7e1fc5e60d77b68e469bff60265f236c398"
+    }
+  },
+  "lib/openzeppelin-contracts": {
+    "tag": {
+      "name": "v5.5.0",
+      "rev": "fcbae5394ae8ad52d8e580a3477db99814b9d565"
+    }
+  }
+}

foundry.toml

@@ -0,0 +1,9 @@
+[profile.default]
+src = "src"
+out = "out"
+libs = ["lib"]
+solc_version = "0.8.24"
+remappings = [
+    "@openzeppelin/contracts/=lib/openzeppelin-contracts/contracts/",
+    "forge-std/=lib/forge-std/src/",
+]

lib/forge-std

@@ -0,0 +1,58 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.24;
+
+contract AgentRegistry {
+    struct Agent {
+        uint256 id;
+        address owner;
+        address operator;
+        string metadataURI;
+        uint256 registeredAt;
+        bool active;
+    }
+
+    uint256 public nextAgentId = 1;
+    mapping(uint256 => Agent) public agents;
+    mapping(address => uint256) public operatorToAgentId;
+
+    event AgentRegistered(uint256 indexed agentId, address indexed owner, address indexed operator);
+    event AgentDeactivated(uint256 indexed agentId);
+
+    function registerAgent(address operator, string calldata metadataURI) external returns (uint256 agentId) {
+        require(operatorToAgentId[operator] == 0, "Operator already registered");
+
+        agentId = nextAgentId++;
+        agents[agentId] = Agent({
+            id: agentId,
+            owner: msg.sender,
+            operator: operator,
+            metadataURI: metadataURI,
+            registeredAt: block.timestamp,
+            active: true
+        });
+        operatorToAgentId[operator] = agentId;
+
+        emit AgentRegistered(agentId, msg.sender, operator);
+    }
+
+    function deactivateAgent(uint256 agentId) external {
+        Agent storage agent = agents[agentId];
+        require(agent.id != 0, "Agent does not exist");
+        require(msg.sender == agent.owner, "Not agent owner");
+        require(agent.active, "Already deactivated");
+
+        agent.active = false;
+        emit AgentDeactivated(agentId);
+    }
+
+    function getAgent(uint256 agentId) external view returns (Agent memory) {
+        require(agents[agentId].id != 0, "Agent does not exist");
+        return agents[agentId];
+    }
+
+    function getAgentByOperator(address operator) external view returns (Agent memory) {
+        uint256 agentId = operatorToAgentId[operator];
+        require(agentId != 0, "No agent for operator");
+        return agents[agentId];
+    }
+}