brainblast v0.7.3 — Exploit Pattern Database
Research-to-enforcement on real on-chain incidents. A curated catalog maps public post-mortems to the bundled brainblast rule that statically detects each one's root-cause pattern — the code that lost the funds is the exact code these rules fail on. $381.8M catalogued across 4 patterns.
Flagship: the Wormhole pattern
New rule cpi-target-program-unverified (CRITICAL) answers the provable question behind the Wormhole bridge exploit ($325M, Feb 2022): does this CPI verify its target program ID?
- FAIL — an Anchor handler performs a CPI (
invoke/invoke_signed/CpiContext) against a program-named account typed as rawAccountInfo/UncheckedAccountwith noaddress=constraint and no in-body key check. - PASS — the program account is
Program<'info, T>, has anaddress=constraint, or its.key()is verified in the body.
brainblast exploits [id] [--json]
Lists the catalog or explains one entry:
| Incident | Loss | Detecting rule |
|---|---|---|
| Wormhole | $325M | cpi-target-program-unverified (new) |
| Cashio | $48M | anchor-unchecked-account-type |
| Crema Finance | $8.8M | anchor-unchecked-account-type |
| SPL mint impersonation | — | solana-token-impersonation |
Integrity, not vibes
- An integrity test guarantees every catalog entry's
ruleIdresolves to a real bundled rule — the database can never claim to catch something it can't. - Rules carry an inline
exploit:provenance block, cross-checked against the catalog in tests to prevent drift. - Programmatic exports (
EXPLOIT_PATTERNS,getExploitPattern, renderers) for AI-agent frameworks.
Also
- 16 → 17 bundled rules. 387 tests green. New
/brainblast-exploitsslash command.
npx brainblast@0.7.3 exploits
The brainblast CLI publishes to npm automatically via the brainblast-v0.7.3 tag (publish-cli workflow).