test(security): cost-basis solvency regression + live front-run fork proof #192
Merged
Two regression tests that close the open questions from the red-team pass:

1. Regression_Delegation_CostBasisSolvency: the agent-rated HIGH at DelegationManagerLib.sol:616-694 ('cross-operator cost-basis lets a delegator drain other delegators') is NOT exploitable. The original PoC failed its over-withdraw assertion; this exercises the full lifecycle it stopped short of — attacker fully exits BOTH divergent-rate positions and withdraws everything. Decisive invariants both hold: the attacker cannot extract more than their true post-slash entitlement (15 ETH), and the honest co-delegator is still made whole (30 ETH) — i.e. the pool stays solvent. The internal dep.amount overstatement is fully offset and unmonetizable. Non-vacuity guarded (attacker really does recover ~15).

2. Fork_MigrationClaim_VestingFrontRun_BaseSepolia: proves the vesting delegatee front-run (fixed in #190) is LIVE on the actual Base Sepolia deployment, not just the local harness. Forks the chain, calls the deployed TNTVestingFactory, and shows a victim's vesting clone delegating its voting power to an attacker on the real ERC20Votes TangleToken. Skips cleanly when the fork RPC is unreachable so CI never red-fails offline.
tangletools (Contributor) approved these changes and left a comment · Jun 25, 2026
✅ Auto-approved PR — 5a1e9808
Blanket team auto-approval is enabled for this reviewer service.
The full PR reviewer audit still runs separately and will publish findings if it detects issues.
tangletools · auto-approval · reason: blanket_auto_approve · 2026-06-25T08:01:12Z
Closes the two open questions left after the red-team pass. Both are passing tests.

1. The "HIGH" is provably not exploitable (Regression_Delegation_CostBasisSolvency)

A red-team agent rated DelegationManagerLib.sol:616-694 a HIGH: a delegator holding two same-asset positions to operators with divergent exchange rates supposedly under-realizes a slash loss and drains other delegators. The original exploit PoC failed its own over-withdraw assertion — dep.amount is internally overstated after the slash, but the withdrawable amount stayed correctly bounded.

This regression exercises the full lifecycle the original stopped short of: the attacker fully exits both positions and withdraws everything, then the honest co-delegator withdraws. Two decisive invariants both hold:

Conclusion: the internal dep.amount overstatement is fully offset and not monetizable. Not a vulnerability.

2. The front-run is live in production (Fork_MigrationClaim_VestingFrontRun_BaseSepolia)

Proves the vesting delegatee front-run (fixed in #190) is real against the actual Base Sepolia deployment, not just the local harness. The test forks the chain, calls the deployed TNTVestingFactory (0x45C1…), and shows a victim's vesting clone delegating its voting power to an attacker on the real ERC20Votes TangleToken (0xB546…). Confirms #190 is needed in prod.

Forking degrades gracefully (vm.skip) when the RPC is unreachable or the deployment is absent, so it never red-fails a sandboxed/offline CI runner. Verified locally against https://sepolia.base.org: PASS, 0 skipped.

Context

Final cleanup from the red-team pass. Fixes: emergencyWithdraw token guard (#189, merged), vesting front-run (#190), subscription terminate gate (#191).
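The "skip instead of red-fail" fork guard the PR describes, as an added Foundry illustration that is not the repository's test: it assumes forge-std cheatcodes (vm.envOr, vm.createSelectFork, vm.skip), assumes a failed createSelectFork can be caught with try/catch, and reads the target address from an env var because the page truncates the real one (0x45C1…).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Added example of a fork test that is reported as skipped, not failed,
/// when the RPC is unreachable or the deployment is absent on the fork.
contract ForkGuardExample is Test {
    // Default endpoint is the one named in the PR; CI may override it.
    string constant DEFAULT_RPC = "https://sepolia.base.org";
    // Base Sepolia chain id; guards against an RPC that points elsewhere.
    uint256 constant BASE_SEPOLIA_CHAIN_ID = 84532;

    /// Selects a fork of the configured RPC and verifies `target` has code
    /// on it. Any failure path calls vm.skip(true), which aborts the test
    /// with a "skipped" status instead of a failure.
    function _forkOrSkip(address target) internal returns (bool) {
        string memory url = vm.envOr("FORK_RPC_URL", DEFAULT_RPC);
        // Assumption: an unreachable endpoint makes createSelectFork revert,
        // and the revert is catchable here rather than failing the test.
        try vm.createSelectFork(url) {
            // fork selected
        } catch {
            vm.skip(true);
            return false;
        }
        // Wrong network or deployment absent at this address: also skip.
        if (block.chainid != BASE_SEPOLIA_CHAIN_ID || target.code.length == 0) {
            vm.skip(true);
            return false;
        }
        return true;
    }

    function test_Fork_GuardedLiveCheck() public {
        // PLACEHOLDER: supply the deployed factory address via FACTORY_ADDRESS;
        // the page only shows it truncated, so no value is hard-coded here.
        address factory = vm.envOr("FACTORY_ADDRESS", address(0));
        if (!_forkOrSkip(factory)) return;

        // Past the guard we are on a live Base Sepolia fork with the deployment
        // present, so assertions against the real contracts are meaningful.
        assertEq(block.chainid, BASE_SEPOLIA_CHAIN_ID);
        assertGt(factory.code.length, 0);
    }
}
```

With no network access `forge test` reports this test as skipped, so an offline CI runner stays green without masking a genuine regression when the fork is available.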