Skip to content

alinasirlou2020/Hack-Solidity

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 

Repository files navigation

Hack Solidity: Smart Contract Security & Auditing Roadmap

Welcome to Hack-Solidity! 🚀 This repository is a structured, hands-on journey through smart contract security, inspired by the Smart Contract Programmer ecosystem. It is designed for educational purposes to help Web3 developers and security researchers understand how vulnerabilities occur, how they are exploited, and how to defend against them using modern development standards.

📌 About This Repository

  • Educational Value: A practical guide for developers to learn defensive coding patterns.
  • Audit Proof-of-Concept (PoC): Demonstrates my technical capability to identify, exploit, and remediate severe smart contract vulnerabilities.
  • Continuous Growth: This is a living repository. It will be updated daily/weekly as I progress through 22 critical smart contract hacking vectors.

🗺️ Roadmap & Vulnerability Tracker

Here is the 22-part checklist of vulnerabilities that will be systematically added to this repository. Each module contains the Vulnerable Contract, the Attack Vector, the Secure Implementation, and a Static Analysis (Slither) report.

Phase 1: Core Vulnerabilities & Exploits

  • 01. Reentrancy 🚨 (Status: Completed) - Draining funds via recursive fallback calls.
  • 02. Arithmetic Overflow and Underflow - Exploiting unchecked math (Pre-Solidity 0.8 legacy vs Modern behavior).
  • 03. Forcefully Sending Ether (selfdestruct) - Breaking contract logic by forcing native token balance updates.
  • 04. Accessing Private Data - Reading "hidden" on-chain storage layout.
  • 05. Unsafe Delegatecall (Part 1) - State hijacking through malicious execution contexts.
  • 06. Unsafe Delegatecall (Part 2) - Advanced proxy and owner takeover techniques.
  • 07. Insecure Source of Randomness - Exploiting predictable block variables (block.timestamp, blockhash).
  • 08. Denial of Service (DoS) - Blocking contract functionality via gas exhaustion or deliberate reverts.
  • 09. Phishing with tx.origin - Tricking authorized users using malicious middleman contracts.
  • 10. Hiding Malicious Code - Tricking auditors using external contract pointers.
  • 11. Honeypot - Analyzing contracts designed to trap an attacker's funds.

Phase 2: Advanced Concepts & DeFi Vectors

  • 12. Front Running - Exploiting the mempool for sandwich attacks and transaction displacement.
  • 13. Block Timestamp Manipulation - How miners can subtly tweak timestamps to win on-chain logic.
  • 14. Signature Replay - Reusing valid cryptographic signatures across multi-sigs or claims.
  • 15. Contract With Zero Code Size - Bypassing extcodesize restrictions via the constructor.
  • 16. Read-Only Reentrancy - Exploiting un-updated view functions in DeFi protocols.
  • 17. Tornado Cash Hack - Deep dive into deploying completely different bytecode at the same deterministic address.
  • 18. Advanced CREATE2 Deployments - How CREATE2 layout manipulation affects protocol security.
  • 19. Vault Inflation Attack - Draining share-based ERC4626 vaults via early direct asset transfers.
  • 20. WETH Permit Exploits - Hijacking approvals using front-run signature submissions.
  • 21. Front-Run ERC20 Approval - Classic race conditions in basic approve() mechanisms.
  • 22. 63/64 Gas Rule Attack - Manipulating sub-calls by sending precise gas limits to force targeted state failures.

🛠️ Tools Used

  • Framework: Foundry (Forge & Cast)
  • Static Analyzer: Slither (with customized local .config path filtering)
  • Compiler Version: Solidity ^0.8.20

🤝 Disclaimer

This repository is created strictly for cybersecurity research, educational tracking, and professional portfolio demonstration. Never use any of these attack vectors on live mainnet deployments.

About

🛡️A comprehensive, evolving repository tracking common Solidity vulnerabilities, real-world exploits, and production-grade mitigation strategies. Built for educational purposes and smart contract auditing mastery.

Resources

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors