Skip to content

Yudis-bit/DeFi-Exploit-PoCs

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
.github/workflows
.github/workflows
 
 
EVM
EVM
 
 
MoveVM
MoveVM
 
 
SVM
SVM
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
README.md
README.md
 
 

Repository files navigation

DeFi-Exploit-PoCs

EVM Tests SVM Tests

Deterministic Proof-of-Concept exploits for high-severity Web3 vulnerabilities across EVM, SVM, and MoveVM architectures. Maintained by Arkheionx (@Yudis-bit).

Vulnerability Registry

ID Date Protocol Vulnerability Vector Severity PoC Path
01 2022-10 Illuminate / APWine DoS via 1 wei Donation 🔴 High EVM/test/2022-10-Illuminate.t.sol
02 2023-03 Euler Finance Logic Error (Donation) 🔴 Critical EVM/test/2023-03-EulerFinance.t.sol

Embargoed Research

Vulnerabilities currently under responsible disclosure or active contest embargo. Proof of Concepts will be published post-patch.

Target Environment Vulnerability Class Expected Release Status
Soroban (Stellar) Cryptography / Signature Replay TBD 🟡 Pending Fix Validation
EVM (Arbitrum) Logic Error / DeFi Math Q3 2026 🟢 Patched

Attack Taxonomy

  • Logic & State: Euler Finance
  • Denial of Service (DoS): Illuminate
  • Cryptography & Signatures: (Embargoed)

Repository Architecture & Execution

Environments are isolated by virtual machine. Dependencies, execution flows, and runtime assumptions are scoped per VM family.

EVM (Foundry / Solidity)

Dependencies:

curl -L https://foundry.paradigm.xyz | bash

Execution:

forge test --fork-url $ETH_RPC_URL -vvvv

(Forked block numbers are pinned in test file headers).

SVM (Rust / Anchor / Solana)

Dependencies: Solana CLI, Anchor, Bankrun

Execution:

anchor test --skip-local-validator

MoveVM (Aptos / Sui)

Execution:

aptos move test --dev

The Arkheionx Standard

  • Isolation: One exploit per file. Zero shared state across tests.
  • Deterministic Verification: Every exploit terminates with hard assertions against concrete post-exploit state.
  • Call Trace Transparency: Tests are designed for maximum trace visibility. Full call traces expose calldata manipulation and internal state transitions.
  • Real State Execution: No mocks. Exploits utilize mainnet forks at pinned block numbers or deterministic local validators with deployed bytecode.

File Naming Convention

Format: [VM_Directory]/test/YYYY-MM-ProtocolName.[ext]

Component Definition
YYYY-MM Disclosure date
ProtocolName PascalCase
[ext] .t.sol for Foundry, .rs for Rust

Severity Classification

Level Definition
🔴 Critical Direct, unconditional loss of funds or protocol takeover.
🔴 High Loss of funds under specific conditions, or permanent DoS of core functionality.
🟡 Medium Conditional fund risk, governance manipulation, or reversible DoS.

Disclaimer & Contact

This repository is provided exclusively for defensive security research, vulnerability analysis, and auditor training. Any unauthorized reproduction, deployment, or adaptation of these Proof of Concepts against live, unpatched contracts, protocols, or production systems is strictly prohibited and may violate applicable law, contractual restrictions, and responsible disclosure obligations.

Contact: Arkheionx (@Yudis-bit)

About

Deterministic DeFi Exploit PoCs & Security Research | Arkheionx Vault

github.com/Yudis-bit/DeFi-Exploit-PoCs

Topics

forge foundry solidity-security exploit-poc defi-security smart-contract-auditing ethereum-archival arkheionx

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages