Attestor Labs
Real cases

The engine in production.

Demonstrations on real Ethereum mainnet contracts. Each case shows the grade, the main findings, and the vulnerability class. Addresses are public and verifiable on-chain.

Grade D · 82/100 · 21 findings · 4.1 ETH

On-chain dueling game with a "Zero Risk" vulnerability: the loser waits 256 blocks, after which the blockhash used to settle the duel is no longer available and a refund path unlocks. RNG derived from a predictable blockhash. Self-dueling allowed.

Main findings
  • Zero Risk (business logic): loser recovers their bet after blockhash expires
  • Predictable RNG derived from blockhash
  • Self-dueling: same address on both sides
Classes
BUSINESS_LOGIC · WEAK_PRNG
Proof

Executable PoC validated on Anvil (local mainnet fork)
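The three findings above share one root cause that is easiest to see in code. The following is an added illustration written for this page, not the audited contract and not Attestor Labs' code: a minimal duel contract in the vulnerable shape described above (hash-expiry refund, blockhash RNG, no self-duel check), followed by the same game with the stalling incentive and the self-duel removed. The duel flow, the struct layout and the `sink` treasury address are constructed assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration for this page; not the audited contract's code.
// Both contracts model the duel flow described above: two equal stakes, the
// winner chosen from the hash of a block mined after both players are in.

/// VULNERABLE: reproduces the three findings of the card.
contract DuelVulnerable {
    struct Duel { address a; address b; uint256 stake; uint256 settleBlock; bool done; }
    mapping(uint256 => Duel) public duels;
    uint256 public nextId;

    function create() external payable returns (uint256 id) {
        id = nextId++;
        duels[id] = Duel(msg.sender, address(0), msg.value, 0, false);
    }

    /// Finding 3: nothing stops d.a from joining its own duel.
    function join(uint256 id) external payable {
        Duel storage d = duels[id];
        require(d.b == address(0) && msg.value == d.stake, "bad join");
        d.b = msg.sender;
        d.settleBlock = block.number + 1;
    }

    function settle(uint256 id) external {
        Duel storage d = duels[id];
        require(!d.done && d.b != address(0) && block.number > d.settleBlock, "not ready");
        d.done = true;
        // blockhash() only serves the 256 most recent blocks; older ones read as 0.
        bytes32 h = blockhash(d.settleBlock);
        if (h == bytes32(0)) {
            // Finding 1 ("Zero Risk"): the hash is public as soon as the block is
            // mined, so the player it names as loser simply does not settle; once
            // 256 blocks have passed this branch hands the full stake back.
            payable(d.a).transfer(d.stake);
            payable(d.b).transfer(d.stake);
            return;
        }
        // Finding 2: a single block hash is a predictable, miner-influenced RNG.
        address winner = (uint256(h) & 1) == 0 ? d.a : d.b;
        payable(winner).transfer(2 * d.stake);
    }
}

/// HARDENED: same game, with the stalling incentive and self-duel removed.
/// (The blockhash RNG itself is left in place to keep the diff small; a
/// commit-reveal or VRF source is still needed to close finding 2.)
contract DuelHardened {
    struct Duel { address a; address b; uint256 stake; uint256 settleBlock; bool done; }
    mapping(uint256 => Duel) public duels;
    uint256 public nextId;
    address public immutable sink; // receives forfeited stakes (hypothetical treasury)

    constructor(address sink_) { sink = sink_; }

    function create() external payable returns (uint256 id) {
        id = nextId++;
        duels[id] = Duel(msg.sender, address(0), msg.value, 0, false);
    }

    function join(uint256 id) external payable {
        Duel storage d = duels[id];
        require(d.b == address(0) && msg.value == d.stake, "bad join");
        require(msg.sender != d.a, "self-duel");           // fix for finding 3
        d.b = msg.sender;
        d.settleBlock = block.number + 1;
    }

    /// Either player may settle, but only while the hash is still served
    /// (block.number - 256 .. block.number - 1); there is no refund branch.
    function settle(uint256 id) external {
        Duel storage d = duels[id];
        require(!d.done && d.b != address(0), "not ready");
        require(block.number > d.settleBlock && block.number - d.settleBlock <= 256, "out of window");
        bytes32 h = blockhash(d.settleBlock);
        require(h != bytes32(0), "no hash");
        d.done = true;
        address winner = (uint256(h) & 1) == 0 ? d.a : d.b;
        payable(winner).transfer(2 * d.stake);
    }

    /// Fix for finding 1: once the window lapses the pot is forfeited, so a
    /// player who knows they lost gains nothing by waiting it out.
    function forfeitExpired(uint256 id) external {
        Duel storage d = duels[id];
        require(!d.done && d.b != address(0), "not ready");
        require(block.number - d.settleBlock > 256, "still in window");
        d.done = true;
        payable(sink).transfer(2 * d.stake);
    }
}
```

The design point is that any outcome reachable by doing nothing must never be better for a player than the outcome they already know. In the hardened version the only party with a reason to call `settle` is the winner, and inaction costs both players their stake, which is what removes the "zero risk" position.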

Grade F · 100/100 · 17 findings

Commit-reveal dice game with hybrid RNG (reveal + blockhash). Nine business-logic findings, including selective censorship by the croupier and rugpull via kill().

Main findings
  • Selective bet censorship by the croupier
  • Rugpull via kill(): operator drains the contract
  • Underflow in jackpotSize on refundBet
  • Signature bypass: ECDSA v hard-coded to 27, and secretSigner equal to address(0)
Classes
BUSINESS_LOGIC · SIGNATURE · ARITHMETIC
Proof

Full L3 analysis, 4 independent validators
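The signature finding above rests on a property of `ecrecover` that is worth seeing side by side with its fix. The following is an added example written for this page, not the audited contract and not Attestor Labs' code: a croupier-signed bet check in the vulnerable shape (v hard-coded to 27, signer compared against a possibly unset `secretSigner`) next to a hardened version. The single-`uint256` commit format, the `owner` role and the function names are constructed assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration for this page; not the audited contract's code.
// The croupier signs each bet's commit off-chain; the contract accepts the
// bet only if that signature verifies against `secretSigner`.
contract BetSignatureCheck {
    address public secretSigner;   // stays address(0) until the operator sets it
    address public immutable owner;

    constructor() { owner = msg.sender; }

    /// VULNERABLE: ecrecover() returns address(0) for any malformed signature
    /// (r or s out of range, or a v that does not match). While secretSigner is
    /// still address(0), the equality below holds for garbage input, so every
    /// bet "verifies". Hard-coding v = 27 additionally rejects the roughly half
    /// of honest signatures whose recovery id is 28.
    function verifyVulnerable(uint256 commit, bytes32 r, bytes32 s) public view returns (bool) {
        bytes32 digest = keccak256(abi.encodePacked(commit));
        return ecrecover(digest, 27, r, s) == secretSigner;
    }

    /// HARDENED: never compare against an unset signer, reject the zero
    /// recovery result explicitly, and take v from the signature itself.
    function verifyHardened(uint256 commit, uint8 v, bytes32 r, bytes32 s) public view returns (bool) {
        require(secretSigner != address(0), "signer unset");
        require(v == 27 || v == 28, "bad v");
        // Only accept the low-s form (s <= secp256k1 n / 2) so each signature has one valid encoding.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "bad s");
        bytes32 digest = keccak256(abi.encodePacked(commit));
        address recovered = ecrecover(digest, v, r, s);
        return recovered != address(0) && recovered == secretSigner;
    }

    /// Fail closed: the signer can never be set (back) to the zero address.
    function setSecretSigner(address signer) external {
        require(msg.sender == owner, "not owner");
        require(signer != address(0), "zero signer");
        secretSigner = signer;
    }
}
```

When reviewing any `ecrecover` call, the two checks to look for are that the recovered address is compared against a value that cannot be zero, and that a zero recovery result is rejected on its own rather than relying on the comparison to catch it.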

Grade F · 100/100 · 64 findings

FOMO3D clone (2018) with high-severity reentrancy, self-referral scheme, and fake airdrop. Demonstrates pipeline depth on complex contracts.

Main findings
  • HIGH reentrancy confirmed by two validators
  • Abusable self-referral (business logic)
  • Fake airdrop
Classes
REENTRANCY · BUSINESS_LOGIC
Proof

Full L3, 4 validators

Grade F · 100/100 · 64 findings

FOMO3D-like contract (2018) known as a scam. Three confirmed ETH reentrancies on withdrawal functions, plus arithmetic bugs and time manipulation.

Main findings
  • 3 HIGH reentrancies (withdraw, buyCore, core)
  • Divide-before-multiply and incorrect-equality (arithmetic)
  • Time manipulation in 13 functions
Classes
REENTRANCY · ARITHMETIC · TIME
Proof

Static L0+L1

These contracts are engine demonstration samples, not clients. Selected from a universe of 43 contracts analyzed during public calibration.

Want a report like this on your contract?

Request audit