mirror of https://github.com/SunWeb3Sec/DeFiHackLabs.git synced 2026-02-15 02:56:08 +00:00

Reproduce DeFi hacked incidents using Foundry.

defi ethereum foundry solidity web3

Find a file

SunWeb3Sec 0027c5be1a Merge pull request #1019 from HNYuuu/patch-1 Update README.md		2026-02-12 20:37:51 +08:00
.github	github: add forge fmt before build	2024-11-04 15:33:18 +08:00
academy	Add Japanese for OnChain Transaction Debugging: 7	2025-06-02 20:33:02 +09:00
lib	Fix OneInch and modules	2025-04-06 14:44:23 +02:00
past	update	2026-01-19 22:36:33 +08:00
script	fix: dont run the template when running a poc	2025-09-16 19:17:32 +05:30
src	Merge branch 'main' into poc/makina	2026-01-29 21:23:03 +08:00
.gitignore	feat: add Kame exploit and misc additions	2025-09-16 19:00:10 +05:30
.gitmodules	Upgrade: deprecated ds-test, use forge-std for all	2022-07-15 14:44:41 +08:00
.prettierrc	chore: add prettierrc	2024-04-27 11:13:55 +08:00
add_new_entry.py	fix: dont run the template when running a poc	2025-09-16 19:17:32 +05:30
AudiusPocGasReport.gif	Add demo gif of producing gas report for the audius poc	2022-08-17 18:47:05 +00:00
CONTRIBUTING.md	docs: update contributing docs	2025-09-17 02:24:53 +05:30
foundry.lock	modified: README.md	2025-08-10 09:34:51 +01:00
foundry.toml	feat: add Kame exploit and misc additions	2025-09-16 19:00:10 +05:30
README.md	Update README.md	2026-02-11 20:09:10 +08:00
remappings.txt	MidasCapital EXP	2023-01-18 11:44:45 +08:00
requirements.txt	add requirements.txt and update contributing docs to use it	2025-09-16 19:24:36 +05:30
test.py	Refactor add_new_entry.py to improve structure and add unit tests for DeFi Hack Manager. Introduced Constants, ConfigManager, TransactionManager, ReadmeManager, PocManager, and GitManager classes for better organization. Added comprehensive test coverage in test.py to ensure functionality and reliability.	2025-05-21 03:58:52 +08:00

README.md

DeFi Hacks Reproduce - Foundry

Reproduce DeFi hack incidents using Foundry.

681 incidents included.

Let's make Web3 secure! Join Discord

Notion: 101 root cause analysis of past DeFi hacked incidents

Transaction debugging tools

Disclaimer: This content serves solely as a proof of concept showcasing past DeFi hacking incidents. It is strictly intended for educational purposes and should not be interpreted as encouraging or endorsing any form of illegal activities or actual hacking attempts. The provided information is for informational and learning purposes only, and any actions taken based on this content are solely the responsibility of the individual. The usage of this information should adhere to applicable laws, regulations, and ethical standards.

Getting Started
Who Support Us
Donate Us
List of Past DeFi Incidents
Transaction debugging tools
Ethereum Signature Database
Useful tools
Hacks Dashboard
List of DeFi Hacks & POCs

Getting Started

Follow the instructions to install Foundry.
Clone and install dependencies:git submodule update --init --recursive
Contributing Guidelines

Web3 Cybersecurity Academy

All articles are also published on Substack.

OnChain transaction debugging

Lesson 1: Tools ( English | 中文 | Vietnamese | Korean | Spanish | 日本語 )
Lesson 2: Warm up ( English | 中文 | Korean | Spanish | 日本語 )
Lesson 3: Write Your Own PoC (Price Oracle Manipulation) ( English | 中文 | Korean | Spanish | 日本語 )
Lesson 4: Write Your Own PoC (MEV Bot) ( English | 中文 | Korean | Spanish | 日本語 )
Lesson 5: Rugpull Analysis ( English | 中文 | Spanish | 日本語 )
Lesson 6: Write Your Own PoC (Reentrancy) ( English | 中文 | Spanish | 日本語 )
Lesson 7: Hack Analysis: Nomad Bridge, August 2022 ( English | 中文 | Spanish | 日本語 )

Donate us

If you appreciate our work, please consider donating. Even a small amount helps us continue developing and improving our projects, and promoting web3 security.

Gitcoin - Donate DeFiHackLabs
EVM Chains - 0xD7d6215b4EF4b9B5f40baea48F41047Eb67a11D5
Giveth

List of Past DeFi Incidents

2025

20251020 SharwaFinance

20250830 EverValueCoin

20250831 Hexotic

20250827 0xf340

20250823 ABCCApp

20250820 MulticallWithXera

20250726 MulticallWithETH

20250724 SWAPPStaking

20250720 Stepp2p

20250716 VDS

20250709 GMX

20250705 Unverified_54cd

20250625 Unverified_b5cb

20250623 GradientMakerPool

20250620 Gangsterfinance

20250619 BankrollStack

20250619 BankrollNetwork

20250617 MetaPool

20250612 AAVEBoost

20250610 unverified_8490

20250528 Corkprotocol

20250509 Nalakuvara_LotteryTicket50

20250426 Lifeprotocol

20250411 Unverified 0x6077

20250305 1inch Fusion V1 Settlement

20250304 Pump

20250223 HegicOptions

20250222 Unverified_35bc

20250221 StepHeroNFTs

20250221 Bybit

20250215 unverified_d4f1

20250211 FourMeme

20250208 Peapods Finance

20250111 RoulettePotV2

2024

20241120 MainnetSettler

20241119 PolterFinance

20241026 CompoundFork

20241022 Erc20transfer

20240926 Bedrock_DeFi

20240924 MARA

20240923 PestoToken

20240923 Bankroll_Network

20240920 DOGGO

20240920 Shezmu

20240918 Unverified_766a

20240915 WXETA

20240913 Unverified_5697

20240913 OTSeaStaking

20240912 Unverified_03f9

20240911 INUMI

20240911 INUMI_db27

20240911 AIRBTC

20240910 Caterpillar_Coin_CUT

20240905 Unverified_a89f

20240905 PLN

20240905 HANAToken

20240904 Unverified_16d0

20240903 Penpiexyz_io

20240902 Pythia

20240828 Unverified_667d

20240828 AAVE

20240820 COCO

20240816 Zenterest

20240816 OMPxContract

20240724 Spectra_finance

20240723 MEVbot_0xdd7c

20250717 WETC

20240716 Lifiprotocol

20240703 UnverifiedContr_0x452E25

20240610 UwuLend - Price Manipulation

20240531 Liquiditytokens

20240531 MixedSwapRouter

20240529 SCROLL

20240529 MetaDragon

20240528 Tradeonorion

20240514 Sonne Finance

20240514 PredyFinance

20240419 HedgeyFinance

20240417 UnverifiedContr_0x00C409

20240416 SATX

20240416 MARS_DEFI

20240415 GFA

20240415 ChaingeFinance

20240402 HoppyFrogERC

20240401 ATM

20240401 OpenLeverage

20240228 SMOOFSStaking

20240223 Zoomer

20240223 CompoundUni

20240223 BlueberryProtocol

20240222 SwarmMarkets

20240216 ParticleTrade

20240129 PeapodsFinance

20240128 BarleyFinance

20240127 CitadelFinance

20240125 NBLGAME

20240122 DAO_SoulMate

20240117 BmiZapper

20240117 SocketGateway

20240115 Shell_MEV_0xa898

20240102 RadiantCapital

20240101 OrbitChain

2023

20231231 Channels BUSD&USDC

20231230 ChannelsFinance

20231228 CCV

20231228 DominoTT

20231225 Telcoin

20231222 PineProtocol

20231220 TransitFinance

20231217 Bob

20231217 FloorProtocol

20231211 GoodCompound

20231209 BCT

20231207 HNet

20231206 TIME

20231206 ElephantStatus

20231205 MAMO

20231205 BEARNDAO

20231202 bZxProtocol

20231201 UnverifiedContr_0x431abb

20231130 EEE

20231130 CAROLProtocol

20231117 Token8633_9419

20231106 TheStandard_io

20231106 KR

20231102 BRAND

20231102 3913Token

20231101 SwampFinance

20231101 OnyxProtocol

20231031 UniBotRouter

20231030 LaEeb

20231028 AstridProtocol

20231024 MaestroRouter2

20231022 OpenLeverage

20230930 FireBirdPair

20230818 ExactlyProtocol

20230814 ZunamiProtocol

20230809 EarningFram

20230802 CurveBurner

20230802 Uwerx

20230801 NeutraFinance

20230723 MintoFinance

20230722 ConicFinance02

20230721 ConicFinance

20230715 USDTStakingContract28

20230712 Platypus

20230712 WGPT

20230711 RodeoFinance

20230704 BaoCommunity

20230627 UnverifiedContr_9ad32

20230627 STRAC

20230623 SHIDO

20230621 BabyDogeCoin02

20230621 BUNN

20230620 MIM

20230619 Contract_0x7657

20230618 ARA

20230617 MidasCapitalXYZ

20230617 Pawnfi

20230615 CFC

20230615 DEPUSDT_LEVUSDC

20230612 Sturdy Finance

20230611 SellToken04

20230607 CompounderFinance

20230606 VINU

20230606 UN

20230602 NST SimpleSwap

20230601 DDCoin

20230601 Cellframenet

20230531 ERC20TokenBank

20230529 Jimbo

20230529 BabyDogeCoin

20230415 HundredFinance

20230413 yearnFinance

20230328 SafeMoon Hack

20230328 THENA

20230325 DBW

20230322 BIGFI

20230317 ParaSpace NFT

20230315 Poolz

20230313 EulerFinance

20230218 RevertFinance

20230217 Starlink

20230217 Dexible

20230217 Platypusdefi

20230203 Orion Protocol

20230203 Spherax USDs

20230202 BonqDAO

20230130 BEVO

20230126 TomInu Token

20230119 SHOCO Token

20230119 ThoreumFinance

20230118 QTN Token

20230118 UPS Token

20230117 OmniEstate

20230116 MidasCapital

2022

20221211 MEVbot_0x28d9

20221119 AnnexFinance

20221027 Team Finance

20221026 N00d Token

20221025 ULME

20221024 Market

20221024 MulticallWithoutCheck

20221021 OlympusDAO

20221020 HEALTH Token

20221014 EFLeverVault

20221014 MEVBOT a47b

20221012 ATK

20221011 Rabby Wallet SwapRouter

20221011 Templedao

20221010 Carrot

20221009 Xave Finance

20221006 RES-Token

20221002 Transit Swap

20221001 BabySwap

20221001 RL

20221001 Thunder Brawl

20220929 BXH

20220928 MEVBOT Badc0de

20220923 RADT-DAO

20220913 MevBot Private TX

20220909 DPC

20220908 YYDS

20220908 NewFreeDAO

20220908 Ragnarok Online Invasion

20220906 NXUSD

20220905 ZoomproFinance

20220902 ShadowFi

20220902 Bad Guys by RPF

20220828 DDC

20220824 LuckyTiger NFT

20220816 Circle_2

20220813 Circle

20220810 XSTABLE Protocol

20220802 Nomad Bridge

20220801 Reaper Farm

20220725 LPC

20220723 Audius

20220713 SpaceGodzilla

20220710 Omni NFT

20220706 FlippazOne NFT

20220701 Quixotic - Optimism NFT Marketplace

20220626 XCarnival

20220624 Harmony's Horizon Bridge

20220618 SNOOD

20220616 InverseFinance

20220608 GYMNetwork

20220608 Optimism - Wintermute

20220606 Discover

20220529 NOVO Protocol

20220524 HackDao

20220517 ApeCoin

20220508 Fortress Loans

20220430 Saddle Finance

20220430 Rari Capital/Fei Protocol

20220428 DEUS DAO

20220424 Wiener DOGE

20220423 Akutar NFT

20220421 Zeed Finance

20220416 BeanstalkFarms

20220415 Rikkei Finance

20220412 ElephantMoney

20220411 Creat Future

20220409 GYMNetwork

20220329 Ronin Network

20220329 Redacted Cartel

20220327 Revest Finance

20220326 Auctus

20220322 CompoundTUSDSweepTokenBypass

20220321 OneRing Finance

20220320 LI.FI

20220320 Umbrella Network

20220315 Agave Finance

20220315 Hundred Finance

20220313 Paraluni

20220309 Fantasm Finance

20220305 Bacon Protocol

20220303 TreasureDAO

20220214 BuildFinance - DAO

20220208 Sandbox LAND

20220205 Meter

20220204 TecraSpace

20220128 Qubit Finance

20220118 Multichain (Anyswap)

2021

20211221 Visor Finance

20211218 Grim Finance

20211214 Nerve Bridge

20211130 MonoX Finance

20211123 Ploutoz Finance

20211027 Cream Finance

20211015 Indexed Finance

20210916 SushiSwap Miso

20210915 Nimbus Platform

20210915 NowSwap Platform

20210912 ZABU Finance

20210903 DAO Maker

20210830 Cream Finance

20210817 XSURGE

20210811 Poly Network

20210804 WaultFinance

20210804 Popsicle

20210728 Levyathan Finance

20210710 Chainswap

20210702 Chainswap

20210628 SafeDollar

20210625 xWin Finance

20210622 Eleven Finance

20210607 88mph NFT

20210603 PancakeHunny

20210527 JulSwap

20210527 BurgerSwap

20210519 PancakeBunny

20210516 bEarn

20210508 Rari Capital

20210305 Paid Network

20210204 Yearn YDai

20210125 Sushi Badger Digg

Before 2020

20201229 Cover Protocol

20201121 Pickle Finance

20201026 Harvest Finance

20200912 bzx

20200804 Opyn Protocol

20200628 Balancer Protocol

20200618 Bancor Protocol

20180422 Beauty Chain

20171106 Parity - 'Accidentally Killed It'

Transaction debugging tools

Ethereum Signature Database

4byte | sig db | etherface

Useful tools

ABI to interface | Get ABI for unverified contracts | ETH Calldata Decoder | ETHCMD - Guess ABI | Abi tools

Hacks Dashboard

List of DeFi Hacks & POCs

20260120 SynapLogic - Business Logic Flaw

Lost: 27.6 ETH

BASE_ENDPOINT=XXX forge test -vvv --contracts ./src/test/2026-01/SynapLogic_exp.sol

Contract

SynapLogic_exp.sol

Link reference

https://x.com/TenArmorAlert/status/2013432861366292520?s=20 https://x.com/hklst4r/status/2013440353844461979?s=20 https://x.com/CertiKAlert/status/2013440963851755610?s=20 https://x.com/nn0b0dyyy/status/2013445844394279260?s=20

20260120 Makina - Price Oracle Manipulation

Lost: 5.1M USD

forge test -vvv --contracts ./src/test/2026-01/makina_exp.sol

Contract

makina_exp.sol

Link reference

https://x.com/nn0b0dyyy/status/2013472538832314630 https://x.com/TenArmorAlert/status/2013460083078836342 https://x.com/CertiKAlert/status/2013473512116363734

20260112 MTToken - Incorrect Fee Logic

Lost: 37K USD

forge test -vvv --contracts ./src/test/2026-01/MTToken_exp.sol

Contract

MTToken_exp.sol

Link reference

https://x.com/TenArmorAlert/status/2010630024274010460?s=20 https://x.com/nn0b0dyyy/status/2010638145155661942?s=20

20260110 FutureSwap - Unit Mismatch

Lost: 433K USD

forge test -vvv --contracts ./src/test/2026-01/futureswap_exp.sol.sol

Contract

futureswap_exp.sol

Link reference

https://x.com/nn0b0dyyy/status/2009922304927731717?s=20

20260109 Truebit - OverFlow

Lost: 8540ETH

forge test --contracts ./src/test/2026-01/Truebit_exp.sol -vvv

Contract

Truebit_exp.sol

Link reference

https://www.certik.com/zh-CN/resources/blog/truebit-incident-analysis

20260101 PRXVT - Bussiness Logic Flaw

Lost: 32.8 ETH

forge test --contracts ./src/test/2026-01/PRXVT_exp.sol -vvv --block-gas-limit 60000000 # use gas limit control iterations

Contract

PRXVT_exp.sol

Link reference

https://x.com/CertiKAlert/status/2006685174587605315

View Gas Reports

Foundry also has the ability to report the gas used per function call which mimics the behavior of hardhat-gas-reporter. Generally speaking if gas costs per function call is very high, then the likelihood of its success is reduced. Gas optimization is an important activity done by smart contract developers.

Every poc in this repository can produce a gas report like this:

forge test --gas-report --contracts <contract> -vvv

For Example: Let us find out the gas used in the Audius poc

Execution

forge test --gas-report --contracts ./src/test/Audius.exp.sol -vvv

Demo

Bug Reproduce

Moved to DeFiVulnLabs

FlashLoan Testing

Moved to DeFiLabs

README.md

DeFi Hacks Reproduce - Foundry

Table of Contents

Getting Started

Web3 Cybersecurity Academy

OnChain transaction debugging

Donate us

List of Past DeFi Incidents

Transaction debugging tools

Ethereum Signature Database

Useful tools

Hacks Dashboard

List of DeFi Hacks & POCs

20260120 SynapLogic - Business Logic Flaw

Lost: 27.6 ETH

Contract

Link reference

20260120 Makina - Price Oracle Manipulation

Lost: 5.1M USD

Contract

Link reference

20260112 MTToken - Incorrect Fee Logic

Lost: 37K USD

Contract

Link reference

20260110 FutureSwap - Unit Mismatch

Lost: 433K USD

Contract

Link reference

20260109 Truebit - OverFlow

Lost: 8540ETH

Contract

Link reference

20260101 PRXVT - Bussiness Logic Flaw

Lost: 32.8 ETH

Contract

Link reference

View Gas Reports

Bug Reproduce

FlashLoan Testing