c-plus-plus-equals-c-plus-one/yETH-hack

 
 

yETH-hack

A proof of concept demonstrating an attack that occurred on yETH.

The Vulnerability

The attack exploited unsafe math operations at Pool.vy:1274. The original code used unsafe_div, unsafe_sub, and unsafe_mul, which bypass Vyper's built-in overflow/underflow checks.

Fix: Using safe math (standard arithmetic operators) instead of unsafe math causes the attack to revert. See the commented code in src/Pool.vy at lines 1272-1276 and test_attack in test/Hack.t.sol.
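To see why swapping the unsafe builtins for standard operators turns a silent wrong result into a revert, here is a Python model of Vyper's uint256 semantics. It is an added example, not code from this repository; the expression shape in `update` and all input values are hypothetical and are not the Pool.vy line.

```python
U256_MAX = 2**256 - 1  # largest uint256 value

class Revert(Exception):
    """Models the EVM revert raised by Vyper's checked arithmetic."""

# Vyper's unsafe_* builtins on uint256: wrap modulo 2**256, x / 0 yields 0.
def unsafe_mul(a, b): return (a * b) & U256_MAX
def unsafe_sub(a, b): return (a - b) & U256_MAX
def unsafe_div(a, b): return 0 if b == 0 else a // b

# Standard operators on uint256: revert instead of wrapping.
def checked_mul(a, b):
    if a * b > U256_MAX:
        raise Revert("overflow")
    return a * b

def checked_sub(a, b):
    if b > a:
        raise Revert("underflow")
    return a - b

def checked_div(a, b):
    if b == 0:
        raise Revert("division by zero")
    return a // b

def update(total, scale, term, denom, mul, sub, div):
    """Hypothetical expression shape: (total * scale - term) / denom."""
    return div(sub(mul(total, scale), term), denom)

def compare(total, scale, term, denom):
    """Return (unsafe result, checked result or 'revert: <reason>')."""
    unsafe = update(total, scale, term, denom, unsafe_mul, unsafe_sub, unsafe_div)
    try:
        checked = update(total, scale, term, denom,
                         checked_mul, checked_sub, checked_div)
    except Revert as exc:
        checked = f"revert: {exc}"
    return unsafe, checked

if __name__ == "__main__":
    WAD = 10**18  # constructed sample inputs, not values from the attack
    for args in [(10, WAD, 5 * WAD, WAD), (1, WAD, 2 * WAD, WAD),
                 (2**255, 2, 0, 1), (10, WAD, 5 * WAD, 0)]:
        print(args, "->", compare(*args))
```

On in-range inputs both paths agree; on out-of-range inputs the unsafe path returns a wrapped or zero value that later code would treat as valid, while the checked path stops the transaction.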

Installation

  1. Clone the repository

    git clone https://github.com/johnnyonline/yETH-hack.git
    cd yETH-hack
  2. Set up virtual environment

    uv venv
    source .venv/bin/activate  # On Windows: .venv\Scripts\activate
    # deactivate  # Run this later, when you are done, to leave the venv
  3. Install dependencies

    # Install all dependencies
    uv sync

    Note: This project uses uv for faster dependency installation. If you don't have uv installed, you can install it with pip install uv or follow the installation instructions.

  4. Environment setup

    cp .env.example .env
    # Edit .env with your API keys and configuration

Usage

Build:

forge b

Test:

forge t --mt test_attack -vv
