Quimera

Quimera is an exploit generator that uses large language models (LLMs) to gradually discover smart contract exploits in Foundry by following these steps:

  1. Get the smart contract's source code and write a prompt that describes the goal of the exploit (e.g., the balance should increase after a flashloan).

  2. Ask the LLM to create or improve a Foundry test case that tries to exploit the contract.

  3. Run the test, check the transaction trace, and see whether it made a profit.

  4. If it did, stop. If not, go back to step 2 and give the LLM the trace from the failed attempt so it can improve the test.
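As an added illustration of steps 3 and 4 (not code from the Quimera repository), the following Python reduces one Foundry test run to the facts the loop needs: whether the test passed, the balance delta, and the call trace that would be handed back on a failed attempt. The forge output layout, the test name and the `balance before/after` log lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed samples of the tail of a `forge test -vvvv` run. The layout follows
# Foundry's reporter but is an assumption for this example, not captured Quimera
# output; the balance lines assume the generated test logs them via console.log.
SAMPLE_PASS = """[PASS] testExploit() (gas: 183921)
Logs:
  balance before: 1000000000000000000
  balance after:  1250000000000000000
Traces:
  [183921] QuimeraTest::testExploit()
    └─ ← [Return]
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 12.34ms
"""

SAMPLE_FAIL = """[FAIL: revert: insufficient output amount] testExploit() (gas: 91210)
Logs:
  balance before: 1000000000000000000
  balance after:  1000000000000000000
Traces:
  [91210] QuimeraTest::testExploit()
    └─ ← [Revert] insufficient output amount
Suite result: FAILED. 0 passed; 1 failed; 0 skipped; finished in 9.87ms
"""

@dataclass
class Attempt:
    passed: bool   # did the Foundry test itself pass?
    profit: int    # balance delta (wei) read from the test's logs
    trace: str     # call trace to hand back to the LLM on a failed attempt

def parse_forge_output(output: str) -> Attempt:
    """Reduce one forge run to the three facts steps 3 and 4 need."""
    passed = re.search(r"^\[PASS\]", output, re.M) is not None
    before = re.search(r"balance before:\s*(\d+)", output)
    after = re.search(r"balance after:\s*(\d+)", output)
    # A test that never logged both balances is treated as making no profit.
    profit = int(after[1]) - int(before[1]) if before and after else 0
    # Keep only the Traces section; the suite summary line adds nothing useful.
    m = re.search(r"Traces:\n(.*?)(?:\nSuite result|\Z)", output, re.S)
    trace = m[1].rstrip() if m else output.strip()
    return Attempt(passed, profit, trace)

def next_action(attempt: Attempt, iteration: int, max_iterations: int) -> str:
    """Step 4: stop on profit, otherwise retry until the iteration budget is spent."""
    if attempt.passed and attempt.profit > 0:
        return "stop"
    return "retry" if iteration + 1 < max_iterations else "give_up"
```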

Current Status: This is an experimental prototype. We're still figuring out the best settings (such as the right temperature), how to write better prompts, and what the tool is really capable of. Here are the results so far re-discovering known exploits using Gemini Pro 2.5 06-05:

| Exploit | Complexity | Comments |
| --- | --- | --- |
| APEMAGA | Low | Only one step needed. |
| VISOR | Low | A few steps needed to build the WETH conversion calls, but overall the root cause is identified quickly. |
| FIRE | Medium | It first builds the sequence of calls to exploit it, then slowly adjusts the amounts until a profit is found. |
| XAI | Low | A small number of steps needed, as shown in the demo. |
| Thunder-Loan | Low | This one is part of a CTF? |

Demo

Requirements

  • An RPC provider (e.g. Alchemy) and an Etherscan API key. Both have free options.
  • An LLM service, either local (e.g. ollama) or remote (e.g. gemini). You do not need to pay for API access, especially if you use "manual mode".
  • Foundry

Installation

To install, just run:

pip3 install git+https://github.com/gustavo-grieco/quimera

If you want to use different LLM providers, you will need to install them as plugins. For instance, to install gemini and ollama support:

llm install llm-gemini
llm install llm-ollama

Note that in "manual mode" there is no need to install any plugin, as the user copies and pastes the prompt and responses by hand.

Important: when using an LLM to test against an already known exploit, make sure web search is not enabled, otherwise the model will have access to the original exploit code.

Getting started

  1. Modify the keys.sh file to add the RPC and Etherscan keys.
  2. Select a block number B and then execute source keys.sh B
  3. Invoke Quimera:
quimera TARGET --model gpt-4o --iterations 5

You can run llm models to list the available models.

Running modes

Quimera can work either with deployed contracts (using Etherscan to fetch the source code) or in local mode with a Foundry codebase. For an example of how to use it locally, check the tests/erc4626 directory. It imports the OpenZeppelin ERC4626 vault, which is instantiated using WETH in the tests. To use Quimera locally, you must define a QuimeraBase contract in test/quimera/QuimeraBase.t.sol, similar to the example one.

About

Data-driven exploit generation for Ethereum smart contracts using LLMs and Foundry
