Wake
Wake is a Python-based Solidity development and testing framework with built-in vulnerability detectors.
Features
- testing framework based on pytest
- property-based fuzzer
- deployments & mainnet interactions
- vulnerability and code quality detectors
- printers for extracting useful information from Solidity code
- static analysis framework for implementing custom detectors and printers
- GitHub Actions for setting up Wake and running detectors
- language server (LSP)
- VS Code extension (Tools for Solidity)
- solc version manager
Resources
- Awesome Wake tests - collection of fuzz tests and unit tests written in Wake
- built-in detectors and printers
Discovered vulnerabilities
Wake is used by the Ackee team to perform smart contract audits, and it has helped to discover a number of high and critical vulnerabilities.
Vulnerability | Severity | Project | Method | Resources |
---|---|---|---|---|
Profit & loss accounted twice | Critical | IPOR | Fuzz test | Report, Wake tests |
Console permanent denial of service | High | Brahma | Fuzz test | Report |
Swap unwinding formula error | High | IPOR | Fuzz test | Report, Wake tests |
Swap unwinding fee accounted twice | High | IPOR | Fuzz test | Report, Wake tests |
Incorrect event data | High | Solady | Integration test | Report, Wake tests |
INTEREST_FROM_STRATEGY_BELOW_ZERO reverts DoS | Medium | IPOR | Fuzz test | Report, Wake tests |
Inaccurate hypothetical interest formula | Medium | IPOR | Fuzz test | Report, Wake tests |
Swap unwinding fee normalization error | Medium | IPOR | Fuzz test | Report, Wake tests |
Liquidation deposits accounted into LP balance | Medium | IPOR | Fuzz test | Report, Wake tests |
Missing receive function | Medium | Axelar | Fuzz test | Wake tests |
SafeERC20 not used for approve | Medium | Lido | Fuzz test | Wake tests |
Non-optimistic vetting & unbonded keys bad accounting | Medium | Lido | Fuzz test | Report, Wake tests |