{"id":25411882,"url":"https://github.com/dan-nolan/delegatecall-proxy-bug","last_synced_at":"2025-08-31T04:06:35.423Z","repository":{"id":117399117,"uuid":"322937637","full_name":"Dan-Nolan/Delegatecall-Proxy-Bug","owner":"Dan-Nolan","description":"An Exploit on the AAVE v2 Contract Vulnerability","archived":false,"fork":false,"pushed_at":"2021-03-11T16:47:11.000Z","size":138,"stargazers_count":28,"open_issues_count":2,"forks_count":9,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-07T07:36:56.942Z","etag":null,"topics":["security","smart-contracts","solidity"],"latest_commit_sha":null,"homepage":"https://blog.trailofbits.com/2020/12/16/breaking-aave-upgradeability/","language":"Solidity","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Dan-Nolan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-12-19T21:04:09.000Z","updated_at":"2024-06-15T11:18:26.000Z","dependencies_parsed_at":null,"dependency_job_id":"cbdc82bd-2c56-4536-8e9b-bea91b55602f","html_url":"https://github.com/Dan-Nolan/Delegatecall-Proxy-Bug","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Dan-Nolan/Delegatecall-Proxy-Bug","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dan-Nolan%2FDelegatecall-Proxy-Bug","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dan-Nolan%2FDelegatecall-Proxy-Bug/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dan-Nolan%2FDelegatecall-Proxy-Bug/releases","manifests_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dan-Nolan%2FDelegatecall-Proxy-Bug/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Dan-Nolan","download_url":"https://codeload.github.com/Dan-Nolan/Delegatecall-Proxy-Bug/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dan-Nolan%2FDelegatecall-Proxy-Bug/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":272936420,"owners_count":25018160,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-31T02:00:09.071Z","response_time":79,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["security","smart-contracts","solidity"],"created_at":"2025-02-16T10:28:01.921Z","updated_at":"2025-08-31T04:06:35.411Z","avatar_url":"https://github.com/Dan-Nolan.png","language":"Solidity","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Delegatecall Proxy Bug\n\nThis repository focused on the vulnerability discovered by [Trail of Bits](https://blog.trailofbits.com/2020/12/16/breaking-aave-upgradeability/) on December 4th in the AAVE V2 Contracts. 
We'll focus on this vulnerability by writing a contract that would have exploited it!\n\nTo successfully pull off the attack we'll fork the mainnet at a block before AAVE initialized their contracts [here](https://etherscan.io/tx/0x98089120cd9b1a83a8c5233f6773ff9c12b7451a12532b7ef103d0a85419aa4e) and [here](https://etherscan.io/tx/0x5e7b4c263d3f764583bd9fbd39bd7276295f033bf42bbcd97bc0e4d8f7d22ed2).\n\nFortunately [Hardhat](https://hardhat.org/) makes it super easy to [fork mainnet](https://hardhat.org/guides/mainnet-forking.html)!\n\n## Getting Set Up\n\nThere are a few steps to get set up here:\n\n - Install [Node.js](https://nodejs.org/en/)\n - Download this repository locally\n - Open the command line and navigate to your local copy of this repository\n - Run `npm install` to download all the dependencies\n\nOnce you've successfully downloaded the dependencies, we'll need to set up our repository to fork the mainnet!\n\n## Forking Mainnet\n\nIn order to fork mainnet, we'll be pointing this repository at an [Alchemy API](https://alchemyapi.io/) endpoint. To do this, you'll need to sign up for Alchemy, create a mainnet project and get your HTTP endpoint.\n\nOnce you've done this we'll use [dotenv](https://www.npmjs.com/package/dotenv) to store the endpoint in a local `.env` file that won't accidentally get committed! Since this package is already in your dependencies, all you'll need to do is create a new `.env` file at the top level of the repository and add the following entry into it:\n\n```\nFORKING_URL=https://eth-mainnet.alchemyapi.io/v2/\u003cYOUR_API_KEY\u003e\n```\n\nReplace `\u003cYOUR_API_KEY\u003e` with the API key from Alchemy.\n\n## Running Tests\n\nThe `hardhat.config.js` is already set up to point to a block before the vulnerability was fixed. All we'll need to do to run the exploit is run `npx hardhat test`. 
This will compile your `contracts/Contract.sol` file and provide it to our `test/test.js` file for testing!\n\nYou'll see in the `test.js` file we are deploying the `Contract` as well as the `Destructor`. The `Contract` will use the `Destructor` to self-destruct the lending pool and then return a successful return code on the lending pool delegate call.\n\nIf the test cases pass when you run `npx hardhat test`, then you've successfully destroyed the lending pool!\n\nCheck out the [Trail of Bits Article](https://blog.trailofbits.com/2020/12/16/breaking-aave-upgradeability/) to understand the ramifications of this attack, and what could have happened if it was exploited before they found it.\n\nThanks Trail of Bits!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdan-nolan%2Fdelegatecall-proxy-bug","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdan-nolan%2Fdelegatecall-proxy-bug","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdan-nolan%2Fdelegatecall-proxy-bug/lists"}