L0: Verify audit suite builds + runs locally, fix setup friction#40
L0: Verify audit suite builds + runs locally, fix setup friction#40neohan2026 wants to merge 2 commits into
Conversation
|
Welcome to kcolbchain, @neohan2026 — glad you're here. 🌱 Here's what happens from this PR:
While you wait:
What happens after your first merge
Thanks for writing the code. We're building this to last. |
|
🤖 Audit verdict: Removal of vm.prank() calls in reentrancy test without visible confirmation that performDeposit() handles msg.sender setup internally; test logic correctness should be verified. Risks flagged:
Audited by the kcolbchain PR pipeline. See pipeline docs. |
|
Your PR was selected as the winning submission for this issue — great work! However, it now has merge conflicts with main (from other recently merged PRs). Could you please rebase against main and force-push? We'll merge as soon as the conflicts are resolved. Thank you! |
- ReentrancyCheck: remove redundant vm.prank that caused stacking
error in Foundry >= 1.0 ('cannot overwrite a prank until applied').
- README: add Prerequisites section documenting GLIBC requirement
and Docker fallback for older Linux distros, plus Slither
memory-saving invocation tips.
Verified on Linux x86_64 (glibc 2.32, Foundry 1.7.1 via Docker).
Closes kcolbchain#35.
- ReentrancyCheck.performDeposit: clarify in NatSpec that implementations MUST use vm.prank(depositor) before calling the deposit function - ERC777ReentrancyCheck.performDeposit: same NatSpec clarification - Inline comment explains why no vm.prank before performDeposit call (avoids prank-stacking error in Foundry >= 1.0)
674e28a to
909f5a1
Compare
|
Hi @Pattermesh, just following up — the merge conflicts from my end have been resolved (force-pushed the rebased branch). Has the pipeline had a chance to re-scan? Happy to make any additional adjustments. Thanks! |
Summary
Closes #35
Verified on Linux x86_64 (glibc 2.32, Foundry 1.7.1 via Docker).
Changes
ReentrancyCheck.sol — Remove redundant
vm.prank(attacker)beforeperformDepositto fix Foundry prank-stacking error (cannot overwrite a prank until it is applied at least once). TheperformDeposithook already handlesmsg.senderpranking internally.README.md — Add
Prerequisitessection:GLIBC >= 2.33on LinuxBuild & Test Results
forge buildforge testChecklistBase.targetContractuninitialized (by design — set insetUp())Test failure breakdown
All 12 failures are by design — the example contracts (VulnerableERC4626, VulnerableVault, VulnerableGovernance, VulnerableERC777Vault) contain deliberate vulnerabilities that the audit checks are supposed to catch:
emergencyWithdrawcorrectly callable by non-admin (no modifier)