BlockheaderWeb3-Community · luhrhenz · Apr 13, 2026 · Apr 13, 2026
diff --git a/13-04-26-test/.github/workflows/test.yml b/13-04-26-test/.github/workflows/test.yml
@@ -0,0 +1,38 @@
+name: CI
+
+permissions: {}
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+
+env:
+  FOUNDRY_PROFILE: ci
+
+jobs:
+  check:
+    name: Foundry project
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+          submodules: recursive
+
+      - name: Install Foundry
+        uses: foundry-rs/foundry-toolchain@v1
+
+      - name: Show Forge version
+        run: forge --version
+
+      - name: Run Forge fmt
+        run: forge fmt --check
+
+      - name: Run Forge build
+        run: forge build --sizes
+
+      - name: Run Forge tests
+        run: forge test -vvv
diff --git a/13-04-26-test/.gitignore b/13-04-26-test/.gitignore
@@ -0,0 +1,14 @@
+# Compiler files
+cache/
+out/
+
+# Ignores development broadcast logs
+!/broadcast
+/broadcast/*/31337/
+/broadcast/**/dry-run/
+
+# Docs
+docs/
+
+# Dotenv file
+.env
diff --git a/13-04-26-test/.gitmodules b/13-04-26-test/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "lib/forge-std"]
+	path = lib/forge-std
+	url = https://github.com/foundry-rs/forge-std
diff --git a/13-04-26-test/README.md b/13-04-26-test/README.md
@@ -0,0 +1,87 @@
+## Foundry
+
+**Foundry is a blazing fast, portable and modular toolkit for Ethereum application development written in Rust.**
+
+Foundry consists of:
+
+- **Forge**: Ethereum testing framework (like Truffle, Hardhat and DappTools).
+- **Cast**: Swiss army knife for interacting with EVM smart contracts, sending transactions and getting chain data.
+- **Anvil**: Local Ethereum node, akin to Ganache, Hardhat Network.
+- **Chisel**: Fast, utilitarian, and verbose solidity REPL.
+
+## Documentation
+
+https://book.getfoundry.sh/
+
+## Usage
+
+### Build
+
+```shell
+$ forge build
+```
+
+### Test
+
+```shell
+$ forge test
+```
+
+### Format
+
+```shell
+$ forge fmt
+```
+
+### Gas Snapshots
+
+```shell
+$ forge snapshot
+```
+
+### Anvil
+
+```shell
+$ anvil
+```
+
+### Deploy
+
+```shell
+$ forge script script/Counter.s.sol:CounterScript --rpc-url <your_rpc_url> --private-key <your_private_key>
+```
+
+### Cast
+
+```shell
+$ cast <subcommand>
+```
+
+### Help
+
+```shell
+$ forge --help
+$ anvil --help
+$ cast --help
+```
+/**
+ * @title Attacker
+ * @notice Exploits the reentrancy vulnerability in VulnerableVault.
+ *
+ * The bug: VulnerableVault.withdraw() sends ETH *before* updating balances[msg.sender].
+ * Combined with unchecked subtraction (mirroring pre-0.8 Solidity), this allows
+ * draining the entire vault with a minimal deposit.
+ *
+ * Attack flow (deposit = 1 ETH, vault has 8 ETH from victims):
+ *  1. Attacker deposits 1 ETH  → balances[attacker] = 1 ETH
+ *  2. Calls withdraw(1 ETH)
+ *  3. Vault sends 1 ETH → triggers receive()
+ *  4. receive() calls withdraw(1 ETH) again — balance check still passes (state not updated)
+ *  5. Repeat until vault is empty (9 total calls: 1 deposit + 8 victim ETH)
+ *  6. On unwind, each frame does: balances[attacker] -= 1 ETH (unchecked)
+ *     - Frame 9 unwind: 1 - 1 = 0
+ *     - Frame 8 unwind: 0 - 1 = type(uint256).max  (wraps, but vault is already drained)
+ *     - Frames 7..1: keep wrapping — no ETH left to steal anyway
+ *
+ * Net result: attacker spent 1 ETH, received 9 ETH → profit = 8 ETH (all victim funds).
+ */
diff --git a/13-04-26-test/foundry.lock b/13-04-26-test/foundry.lock
@@ -0,0 +1,8 @@
+{
+  "lib/forge-std": {
+    "tag": {
+      "name": "v1.15.0",
+      "rev": "0844d7e1fc5e60d77b68e469bff60265f236c398"
+    }
+  }
+}
diff --git a/13-04-26-test/foundry.toml b/13-04-26-test/foundry.toml
@@ -0,0 +1,6 @@
+[profile.default]
+src = "src"
+out = "out"
+libs = ["lib"]
+
+# See more config options https://github.com/foundry-rs/foundry/blob/master/crates/config/README.md#all-options
diff --git a/13-04-26-test/lib/forge-std/.gitattributes b/13-04-26-test/lib/forge-std/.gitattributes
@@ -0,0 +1 @@
+src/Vm.sol linguist-generated
diff --git a/13-04-26-test/lib/forge-std/.github/CODEOWNERS b/13-04-26-test/lib/forge-std/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @danipopes @klkvr @mattsse @grandizzy @yash-atreya @zerosnacks @onbjerg @0xrusowsky
diff --git a/13-04-26-test/lib/forge-std/.github/dependabot.yml b/13-04-26-test/lib/forge-std/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/13-04-26-test/lib/forge-std/.github/workflows/ci.yml b/13-04-26-test/lib/forge-std/.github/workflows/ci.yml
@@ -0,0 +1,125 @@
+name: CI
+
+permissions: {}
+
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - master
+
+jobs:
+  build:
+    name: build +${{ matrix.toolchain }} ${{ matrix.flags }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        toolchain: [stable, nightly]
+        flags:
+          - ""
+          - --via-ir
+          - --use solc:0.8.33 --via-ir
+          - --use solc:0.8.33
+          - --use solc:0.8.13 --via-ir
+          - --use solc:0.8.13
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: foundry-rs/foundry-toolchain@v1
+        with:
+          version: ${{ matrix.toolchain }}
+      - run: forge --version
+      - run: forge build -vvvvv --skip test --deny warnings ${{ matrix.flags }} --contracts 'test/compilation/*'
+
+  test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        toolchain: [stable, nightly]
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: foundry-rs/foundry-toolchain@v1
+        with:
+          version: ${{ matrix.toolchain }}
+      - run: forge --version
+      - run: forge test -vvv
+
+  fmt:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: foundry-rs/foundry-toolchain@v1
+      - run: forge --version
+      - run: forge fmt --check
+
+  typos:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: crate-ci/typos@78bc6fb2c0d734235d57a2d6b9de923cc325ebdd # v1
+
+  codeql:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build-mode: none
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{matrix.language}}"
+
+  ci-success:
+    runs-on: ubuntu-latest
+    if: always()
+    needs:
+      - build
+      - test
+      - fmt
+      - typos
+      - codeql
+    timeout-minutes: 10
+    steps:
+      - name: Decide whether the needed jobs succeeded or failed
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
+        with:
+          jobs: ${{ toJSON(needs) }}
diff --git a/13-04-26-test/lib/forge-std/.github/workflows/sync.yml b/13-04-26-test/lib/forge-std/.github/workflows/sync.yml
@@ -0,0 +1,36 @@
+name: Sync Release Branch
+
+permissions: {}
+
+on:
+  release:
+    types:
+      - created
+
+jobs:
+  sync-release-branch:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    if: startsWith(github.event.release.tag_name, 'v1')
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: true
+          fetch-depth: 0
+          ref: v1
+
+      # The email is derived from the bots user id,
+      # found here: https://api.github.com/users/github-actions%5Bbot%5D
+      - name: Configure Git
+        run: |
+          git config user.name github-actions[bot]
+          git config user.email 41898282+github-actions[bot]@users.noreply.github.com
+
+      - name: Sync Release Branch
+        run: |
+          git fetch --tags
+          git checkout v1
+          git reset --hard ${GITHUB_REF}
+          git push --force
diff --git a/13-04-26-test/lib/forge-std/.gitignore b/13-04-26-test/lib/forge-std/.gitignore
@@ -0,0 +1,4 @@
+cache/
+out/
+.vscode
+.idea
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		* @danipopes @klkvr @mattsse @grandizzy @yash-atreya @zerosnacks @onbjerg @0xrusowsky
-Original file line number
+Diff line change
@@ -0,0 +1,4 @@
+    cache/
+    out/
+    .vscode
+    .idea