# PoC-backed toy labs for Web3 vulnerability patterns

This repository is for public, sanitized security research. Each lab should use standalone toy code or intentionally vulnerable examples to demonstrate a vulnerability pattern, exploit path, and mitigation. It should not disclose private platform findings, private source code, or contest details that are not safe to publish.

The cases are based on vulnerability patterns encountered during real audit practice and then rewritten into standalone toy examples. They are intended to capture non-trivial audit reasoning: cross-path invariant mismatches, oracle/fallback failure isolation, timestamp ordering, lifecycle automation assumptions, and similar protocol-design edge cases.

This is not a beginner checklist of generic bugs. The goal is to preserve the reasoning structure of real findings while removing project-specific context.
## Goals

- Turn audit practice and private research lessons into public learning artifacts.
- Demonstrate exploit reasoning with runnable or reviewable PoCs.
- Separate technically reproducible bugs from findings that may not be submit-worthy because of scope, impact, privilege assumptions, or disclosure rules.
- Build a public portfolio of security methodology without exposing confidential project details.
## What each lab contains

- Minimal vulnerable contracts or programs.
- Exploit scripts, tests, or transaction walkthroughs.
- Fixed versions or remediation notes.
- Triage notes explaining impact, assumptions, and boundary conditions.
- Anonymous patterns derived from audit practice.
## What is not included

- Private audit platform submissions.
- Undisclosed project names, commit hashes, addresses, screenshots, or report IDs.
- Source code copied from private scopes.
- Claims that a lab represents an accepted platform finding unless that is publicly verifiable.
## Repository layout

Each case should follow this shape:

```
cases/
  evm/
    vulnerability-name/
      README.md
      vulnerable/
      fixed/
      test/
  solana/
    vulnerability-name/
      README.md
      vulnerable/
      fixed/
      test/
  soroban/
    vulnerability-name/
      README.md
      Cargo.toml
      src/
```

Use `CASE_TEMPLATE.md` when adding a new lab.

Every published lab is expected to include a PoC artifact, such as a Foundry test, Anchor test, exploit script, or transaction walkthrough.
## Case index

| ID | Ecosystem | Pattern | PoC | Link |
|---|---|---|---|---|
| EVM-001 | EVM | Price timestamp rewind | Foundry test | EVM-001 |
| EVM-002 | EVM | Oracle failure global scan freeze | Foundry test | EVM-002 |
| EVM-003 | EVM | Minimum order size path bypass | Foundry test | EVM-003 |
| EVM-004 | EVM | Nested call allowlist bypass | Foundry test | EVM-004 |
| EVM-005 | EVM | Temporary custody authorization reentrancy | Foundry test | EVM-005 |
| EVM-006 | EVM | Daily debt limit restoration bypass | Foundry test | EVM-006 |
| EVM-007 | EVM | Finalized share supply drift | Foundry test | EVM-007 |
| EVM-008 | EVM | Finalized batch unwind mismatch | Foundry test | EVM-008 |
| SOROBAN-001 | Soroban | Prepared action lifecycle bypass | Cargo test | SOROBAN-001 |
| SOROBAN-002 | Soroban | Overlapping quorum double count | Cargo test | SOROBAN-002 |
| SOROBAN-003 | Soroban | Call-scoped refund balance mix-up | Cargo test | SOROBAN-003 |
## Running the labs

This repository includes an eth-security-toolbox devcontainer with Foundry available.

Start the devcontainer:

```sh
devcontainer up --workspace-folder . --config .devcontainer/eth-security-toolbox/devcontainer.json
```

Then run a lab test from inside the container, or through `docker exec`:

```sh
forge test --match-path cases/evm/EVM-001-price-timestamp-rewind/test/PriceTimestampRewind.t.sol -vvv
```

Soroban labs can be tested with Cargo:

```sh
cd cases/soroban/SOROBAN-001-prepared-action-lifecycle-bypass
cargo test
```

Or with Docker from the repository root:

```sh
docker run --rm -v "$PWD":/workspace -w /workspace/cases/soroban/SOROBAN-001-prepared-action-lifecycle-bypass rust:1.86-slim cargo test
```

Cases are added as standalone toy examples rather than copied from private audit work. Many real audit findings cannot be published because of disclosure rules, private scopes, or contest restrictions. This repository only includes sanitized materials that are safe to disclose publicly.