# The exploit catalog
`catalog/exploits.yaml` is the single source of truth — the machine-readable manifest the aegis-audit sweep loads. Each entry distills a real studied exploit into a structured detector you can check against a target.
## Why a catalog (not a scanner)
Most catalog entries are not statically flaggable — they’re business-logic, oracle, precision, and access bugs whose intent no tool can read. The catalog encodes what to check and why, each entry justified by a real incident with a loss attached. The durable asset is the catalog; tools just narrow the haystack.
## Entry schema
Every entry is a detector with these fields:
| Field | Meaning |
|---|---|
| `id` | kebab-case unique id (matches the case study + PoC) |
| `class` | OWASP SC Top-10 (2026) ids + X-classes |
| `chains` | evm · solana · sui-move · … |
| `archetypes` | target shapes it applies to (scopes the sweep) |
| `root_cause` | one-line variant-analysis statement — the sweep’s true/false-positive judge |
| `applies_when` | preconditions to check against the target’s source (the more hold, the higher the rank) |
| `probes` | concrete ways to confirm (grep / semgrep / manual) |
| `variant_queries` | grep/semgrep family to hunt the bug across a target |
| `invariant` | the property that should hold; the exploit breaks it |
| `poc` / `poc_cmd` | runnable proof + how to run it |
| `fork_poc` | (optional) a real mainnet-fork replay |
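The sweep step this schema implies (scope detectors by chain and archetype, then rank by how many `applies_when` preconditions hold in the target source), as an added Python illustration that is not the project's own tooling; the two entries, the target contract and the regex-plus-present/absent shape of `applies_when` items are constructed assumptions, not values from the real catalog:

```python
import re

# Fields the page's schema lists for every entry; ids must be kebab-case (they name the case study and PoC).
REQUIRED = ("id", "class", "chains", "archetypes", "root_cause", "applies_when",
            "probes", "variant_queries", "invariant", "poc", "poc_cmd")
KEBAB = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")

# Constructed entries in that schema (illustrative values, not the real catalog's). Assumed
# representation: each applies_when item is a regex plus whether it must be present or absent
# in the target source. In practice: entries = yaml.safe_load(open("catalog/exploits.yaml")).
CATALOG = [
    {"id": "example-share-inflation", "class": ["SC07"], "chains": ["evm"], "archetypes": ["vault"],
     "root_cause": "share price derived from a donatable balance with no supply floor",
     "applies_when": [
         {"desc": "total assets read from balanceOf(address(this))",
          "pattern": r"balanceOf\(address\(this\)\)", "present": True},
         {"desc": "no virtual-share offset", "pattern": r"_decimalsOffset|virtualShares", "present": False},
         {"desc": "no minimum first deposit", "pattern": r"MIN_DEPOSIT", "present": False}],
     "probes": ["grep balanceOf(address(this))"], "variant_queries": [r"balanceOf\(address\(this\)\)"],
     "invariant": "a direct token transfer cannot move the share price",
     "poc": "pocs/ExampleShareInflation.t.sol", "poc_cmd": "forge test --mc ExampleShareInflation"},
    # Malformed entry: id is not kebab-case and 'invariant' is missing, so validate() rejects it.
    {"id": "Bad_Entry", "class": ["SC08"], "chains": ["evm"], "archetypes": ["vault"], "root_cause": "x",
     "applies_when": [], "probes": [], "variant_queries": [], "poc": "", "poc_cmd": ""},
]

# Constructed target source: total assets come from the vault's own balance, but a minimum deposit exists.
TARGET_SOURCE = """contract Vault {
    uint256 constant MIN_DEPOSIT = 1e6;
    function totalAssets() public view returns (uint256) { return asset.balanceOf(address(this)); }
    function convertToShares(uint256 a) public view returns (uint256) { return a * totalSupply() / totalAssets(); }
}"""

def validate(entry):
    """Return schema problems; an empty list means the entry is well-formed."""
    problems = [f"missing field {f}" for f in REQUIRED if f not in entry]
    if not KEBAB.match(str(entry.get("id", ""))):
        problems.append("id is not kebab-case")
    return problems

def score(entry, source):
    """Count the applies_when preconditions that hold in the target source."""
    return sum((re.search(p["pattern"], source) is not None) == p["present"] for p in entry["applies_when"])

def rank(catalog, chain, archetype, source):
    """Scope the sweep by chain and archetype, then order detectors by preconditions satisfied."""
    hits = [(e["id"], score(e, source), len(e["applies_when"])) for e in catalog
            if not validate(e) and chain in e["chains"] and archetype in e["archetypes"]]
    return sorted([h for h in hits if h[1] > 0], key=lambda h: -h[1])
```

Against the constructed vault, the detector ranks with 2 of 3 preconditions held (the minimum-deposit check defeats the third), while a solana target yields nothing because the entry is scoped out by chain.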
## All 40 detectors
The table below is generated from `catalog/exploits.yaml` by `tools/gen_catalog_table.py`; CI fails if it drifts.
| # | Detector (id) | Class | Chains | Status |
|---|---|---|---|---|
| 1 | `erc4626-inflation` | SC07/SC02 | evm | coded |
| 2 | `read-only-reentrancy` | SC08 | evm | coded |
| 3 | `balancer-v2-rounding` | SC07 | evm/multi | coded |
| 4 | `cashio-infinite-mint` | SC05/SC02 | solana | coded |
| 5 | `cetus-amm-overflow` | SC07/SC09 | sui-move | coded |
| 6 | `loopscale-oracle-spot-price` | SC03/SC02 | solana | coded |
| 7 | `loopscale-ratex-cpi` | SC03/SC02/SC05 | solana | coded |
| 8 | `mango-oracle-manipulation` | SC03/SC02 | solana | coded |
| 9 | `beanstalk-governance-flashloan` | SC02/SC04 | evm | coded |
| 10 | `rhea-finance-slippage` | SC02/SC07 | near/multi | coded |
| 11 | `trustedvolumes-access-control` | SC02 | evm | coded |
| 12 | `verus-bridge-merkle-forgery` | SC02 | evm/multi | coded |
| 13 | `thorchain-tss-gg20-key-extraction` | X04 | multi | studied |
| 14 | `ekubo-callback-approval-drain` | SC02/SC02-CB | evm | studied |
| 15 | `kelp-dao-layerzero-dvn-1-1` | X01/X01-BRIDGE | evm/multi | coded |
| 16 | `ctoken-empty-market-exchange-rate` | SC07/SC02 | evm | coded |
| 17 | `approval-drain-arbitrary-call` | SC05/SC01 | evm | coded |
| 18 | `proxy-storage-collision` | SC01 | evm | coded |
| 19 | `signature-replay-malleability` | SC01 | evm | coded |
| 20 | `unprotected-privileged-fn` | SC01 | evm | coded |
| 21 | `insecure-randomness` | SC09 | evm | coded |
| 22 | `weird-erc20-accounting` | SC02 | evm | coded |
| 23 | `incorrect-reward-accounting` | SC02 | evm | coded |
| 24 | `unverified-flashloan-callback` | SC05/SC01 | evm | coded |
| 25 | `bridge-deposit-no-code-token` | SC02 | evm | coded |
| 26 | `first-deposit-amm-skim` | SC07 | evm | coded |
| 27 | `cei-reentrancy` | SC08 | evm | coded |
| 28 | `meta-tx-msgsender-spoof` | SC01 | evm | coded |
| 29 | `calldata-abi-smuggling` | SC05/SC01 | evm | coded |
| 30 | `forced-ether-balance-assumption` | SC02 | evm | coded |
| 31 | `dos-griefing-revert` | SC10/SC02 | evm | coded |
| 32 | `yearn-yeth-solver-underflow` | SC07/SC02 | evm | studied |
| 33 | `transit-finance-legacy-approval-drain` | SC02/SC02-LEGACY/X05 | tron/evm | studied |
| 34 | `hyperbridge-mmr-leaf-index` | SC02/SC02-BRIDGE | evm/polkadot | studied |
| 35 | `ecdsa-nonce-reuse-key-extraction` | SC01 | evm | coded |
| 36 | `tac-bridge-jetton-impersonation` | SC02 | ton/evm | coded |
| 37 | `zeta-chain-gatewayevm` | SC02/SC05/SC01 | evm/multi | coded |
| 38 | `ato-hook-storage-slot-collision` | SC-storage-layout | evm | coded |
| 39 | `drift-oracle-liquidity-manipulation` | SC03/X02/X03 | solana | documented |
| 40 | `wasabi-protocol-uups-upgrade` | X03 | evm/multi | documented |
Several detectors were mined from the wargames (DVD v4 Naive Receiver / ABI Smuggling, Ethernaut Force/King/Denial/Switch) — the loop working as intended: a level solved by a general technique becomes a catalog detector.
`studied` entries (e.g. Yearn yETH solver underflow, Hyperbridge MMR verifier) are full detectors whose PoC is pending; `documented` entries (Drift, Wasabi) are case studies not yet worked into a detector — see their write-ups under `docs/exploits/`. See PoCs for what each detector catches and its runnable proof. (EVM model) entries reproduce a non-EVM incident’s broken invariant in Solidity so it runs in the Foundry harness.