
test(security): cost-basis solvency regression + live front-run fork proof#192

Merged
drewstone merged 1 commit into
mainfrom
test/red-team-regressions
Jun 25, 2026

Conversation

@drewstone

Contributor

Closes the two open questions left after the red-team pass. Both are passing tests.

1. The "HIGH" is provably not exploitable (Regression_Delegation_CostBasisSolvency)

A red-team agent rated DelegationManagerLib.sol:616-694 a HIGH: a delegator holding two same-asset positions to operators with divergent exchange rates supposedly under-realizes a slash loss and drains other delegators. The original exploit PoC failed its own over-withdraw assertion: dep.amount is internally overstated after the slash, but the withdrawable amount stayed correctly bounded.

This regression exercises the full lifecycle the original stopped short of: the attacker fully exits both positions and withdraws everything, then the honest co-delegator withdraws. Two decisive invariants both hold:

  • the attacker cannot extract more than their true post-slash entitlement (opX 10 + opY 5 = 15 ETH) — non-vacuity guarded (they really do recover ~15, so the bound is a real test);
  • the honest co-delegator is still made whole (30 ETH) — the pool is solvent.

Conclusion: the internal dep.amount overstatement is fully offset and not monetizable. Not a vulnerability.

2. The front-run is live in production (Fork_MigrationClaim_VestingFrontRun_BaseSepolia)

Proves the vesting delegatee front-run (fixed in #190) is real against the actual Base Sepolia deployment, not just the local harness. The test forks the chain, calls the deployed TNTVestingFactory (0x45C1…), and shows a victim's vesting clone delegating its voting power to an attacker on the real ERC20Votes TangleToken (0xB546…). Confirms #190 is needed in prod.

Forking degrades gracefully (vm.skip) when the RPC is unreachable or the deployment is absent, so it never red-fails a sandboxed/offline CI runner. Verified locally against https://sepolia.base.org: PASS, 0 skipped.

Context

Final cleanup from the red-team pass. Fixes: emergencyWithdraw token guard (#189, merged), vesting front-run (#190), subscription terminate gate (#191).

… live front-run fork proof

Two regression tests that close the open questions from the red-team pass:

1. Regression_Delegation_CostBasisSolvency: the agent-rated HIGH at
   DelegationManagerLib.sol:616-694 ('cross-operator cost-basis lets a
   delegator drain other delegators') is NOT exploitable. The original PoC
   failed its over-withdraw assertion; this exercises the full lifecycle it
   stopped short of — attacker fully exits BOTH divergent-rate positions and
   withdraws everything. Decisive invariants both hold: the attacker cannot
   extract more than their true post-slash entitlement (15 ETH), and the
   honest co-delegator is still made whole (30 ETH) — i.e. the pool stays
   solvent. The internal dep.amount overstatement is fully offset and
   unmonetizable. Non-vacuity guarded (attacker really does recover ~15).

2. Fork_MigrationClaim_VestingFrontRun_BaseSepolia: proves the vesting
   delegatee front-run (fixed in #190) is LIVE on the actual Base Sepolia
   deployment, not just the local harness. Forks the chain, calls the
   deployed TNTVestingFactory, and shows a victim's vesting clone delegating
   its voting power to an attacker on the real ERC20Votes TangleToken. Skips
   cleanly when the fork RPC is unreachable so CI never red-fails offline.
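The fork-or-skip guard described above (skip on unreachable RPC, skip on absent deployment), written out as an added Foundry example; this is not the project's own test code. Assumptions, all labeled in the code: the deployed addresses are read from environment variables because the PR truncates them; a failed `vm.createSelectFork` surfaces as a catchable revert of the cheatcode call; `IVestingFactoryShape` is a hypothetical interface standing in for the real TNTVestingFactory ABI, which the page does not show; the unreachable URL and the code-less address are constructed inputs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {IVotes} from "@openzeppelin/contracts/governance/utils/IVotes.sol";

/// Hypothetical factory shape used only for illustration; the real
/// TNTVestingFactory ABI is not reproduced on the PR page.
interface IVestingFactoryShape {
    function createVesting(address beneficiary) external returns (address clone);
}

contract ForkOrSkipExampleTest is Test {
    // Assumption: addresses arrive via env vars because the PR truncates them (0x45C1…, 0xB546…).
    string internal constant RPC_ENV = "BASE_SEPOLIA_RPC";
    string internal constant RPC_DEFAULT = "https://sepolia.base.org";

    /// Select a fork of `rpc` and require code at `deployment`. On either failure
    /// the test is marked skipped (vm.skip reverts with the skip marker), so an
    /// offline or sandboxed CI runner reports "skipped", not "failed".
    function _forkOrSkip(string memory rpc, address deployment) internal {
        // Assumption: an RPC failure inside the cheatcode is returned as a revert
        // of the external call to the Vm address, so try/catch intercepts it.
        try vm.createSelectFork(rpc) returns (uint256) {
            // fork selected and active
        } catch {
            vm.skip(true);
        }
        if (deployment.code.length == 0) {
            // Forked fine, but nothing is deployed at this address on that chain.
            vm.skip(true);
        }
    }

    function test_Skip_WhenRpcUnreachable() public {
        // Constructed input: nothing listens on port 1, so createSelectFork fails.
        _forkOrSkip("http://127.0.0.1:1", address(0));
        assertTrue(false, "not reached: test should have been skipped");
    }

    function test_Skip_WhenDeploymentAbsent() public {
        string memory rpc = vm.envOr(RPC_ENV, RPC_DEFAULT);
        // Constructed input: a vanity address with no code on the forked chain.
        _forkOrSkip(rpc, address(0xdead));
        assertTrue(false, "not reached: test should have been skipped");
    }

    function test_Fork_VestingDelegateeFrontRun() public {
        string memory rpc = vm.envOr(RPC_ENV, RPC_DEFAULT);
        address factory = vm.envOr("TNT_VESTING_FACTORY", address(0));
        address token = vm.envOr("TANGLE_TOKEN", address(0));
        _forkOrSkip(rpc, factory);
        if (token.code.length == 0) vm.skip(true);

        // Hypothetical interaction: the attacker, not the beneficiary, drives
        // clone creation and ends up as the clone's ERC20Votes delegatee.
        address victim = makeAddr("victim");
        address attacker = makeAddr("attacker");
        vm.prank(attacker);
        address clone = IVestingFactoryShape(factory).createVesting(victim);

        assertTrue(clone.code.length > 0, "clone not deployed");
        assertEq(IVotes(token).delegates(clone), attacker, "front-run not reproduced");
    }
}
```

Run with `forge test --match-contract ForkOrSkipExampleTest -vv`. With the RPC reachable and both env addresses pointing at live deployments, the first two tests show as skipped and the third runs against the fork; with no network, all three are skipped and the run stays green, which is the property the PR description claims for its own fork test.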

@tangletools tangletools left a comment

Contributor


✅ Auto-approved PR — 5a1e9808

Blanket team auto-approval is enabled for this reviewer service.
The full PR reviewer audit still runs separately and will publish findings if it detects issues.

tangletools · auto-approval · reason: blanket_auto_approve · 2026-06-25T08:01:12Z

@drewstone drewstone merged commit d1a23b7 into main Jun 25, 2026
1 check passed
