fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
// SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
|
pragma solidity ^0.8.19;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @title FitnessEvaluator
|
|
|
|
|
* @notice In-process (revm) batch fitness evaluator for Push3 evolution.
|
|
|
|
|
*
|
|
|
|
|
* Replaces the Anvil+forge-script pipeline with in-process EVM execution.
|
|
|
|
|
* Uses Foundry's native revm backend: vm.snapshot/revertTo are memory operations
|
|
|
|
|
* with no JSON-RPC overhead, giving 100-1000x speedup over per-candidate Anvil.
|
|
|
|
|
*
|
|
|
|
|
* Architecture:
|
|
|
|
|
* batch-eval.sh compiles each candidate (Push3→Solidity→bytecode) and writes a
|
|
|
|
|
* two-file manifest (ids.txt + bytecodes.txt). This test reads the manifest,
|
|
|
|
|
* forks Base mainnet once, deploys the full KRAIKEN stack once, then for each
|
|
|
|
|
* candidate:
|
|
|
|
|
* 1. snapshot → etch candidate bytecode → UUPS upgrade proxy → bootstrap
|
|
|
|
|
* 2. For each attack: snapshot → execute → accumulate lm_eth_total → revert
|
|
|
|
|
* 3. Emit JSON score line
|
|
|
|
|
* 4. Revert to pre-bootstrap snapshot
|
|
|
|
|
*
|
|
|
|
|
* Required env vars:
|
|
|
|
|
* BASE_RPC_URL Base network RPC endpoint (for fork)
|
|
|
|
|
* FITNESS_MANIFEST_DIR Directory containing ids.txt and bytecodes.txt
|
|
|
|
|
*
|
|
|
|
|
* Optional env vars:
|
|
|
|
|
* ATTACKS_DIR Path to *.jsonl attack files (default: script/backtesting/attacks)
|
|
|
|
|
*
|
|
|
|
|
* Run:
|
|
|
|
|
* BASE_RPC_URL=https://mainnet.base.org \
|
|
|
|
|
* FITNESS_MANIFEST_DIR=/tmp/manifest \
|
|
|
|
|
* forge test --match-contract FitnessEvaluator --match-test testBatchEvaluate -vv
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
import "forge-std/Test.sol";
|
|
|
|
|
import { Kraiken } from "../src/Kraiken.sol";
|
|
|
|
|
import { Stake } from "../src/Stake.sol";
|
|
|
|
|
import { Optimizer } from "../src/Optimizer.sol";
|
|
|
|
|
import { LiquidityManager } from "../src/LiquidityManager.sol";
|
|
|
|
|
import { ERC1967Proxy } from "@openzeppelin/proxy/ERC1967/ERC1967Proxy.sol";
|
|
|
|
|
import { UUPSUpgradeable } from "@openzeppelin/proxy/utils/UUPSUpgradeable.sol";
|
|
|
|
|
import { IERC20 } from "@openzeppelin/token/ERC20/IERC20.sol";
|
|
|
|
|
import { IUniswapV3Factory } from "@uniswap-v3-core/interfaces/IUniswapV3Factory.sol";
|
|
|
|
|
import { IUniswapV3Pool } from "@uniswap-v3-core/interfaces/IUniswapV3Pool.sol";
|
|
|
|
|
import { FullMath } from "@aperture/uni-v3-lib/FullMath.sol";
|
|
|
|
|
import { LiquidityAmounts } from "@aperture/uni-v3-lib/LiquidityAmounts.sol";
|
|
|
|
|
import { TickMath } from "@aperture/uni-v3-lib/TickMath.sol";
|
|
|
|
|
import { UniswapHelpers } from "../src/helpers/UniswapHelpers.sol";
|
|
|
|
|
import { IWETH9 } from "../src/interfaces/IWETH9.sol";
|
|
|
|
|
|
|
|
|
|
// ─── External interfaces (mirrors AttackRunner.s.sol) ─────────────────────────
|
|
|
|
|
|
|
|
|
|
interface ISwapRouter02 {
|
|
|
|
|
struct ExactInputSingleParams {
|
|
|
|
|
address tokenIn;
|
|
|
|
|
address tokenOut;
|
|
|
|
|
uint24 fee;
|
|
|
|
|
address recipient;
|
|
|
|
|
uint256 amountIn;
|
|
|
|
|
uint256 amountOutMinimum;
|
|
|
|
|
uint160 sqrtPriceLimitX96;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function exactInputSingle(ExactInputSingleParams calldata params) external returns (uint256);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
interface ILM {
|
|
|
|
|
function getVWAP() external view returns (uint256);
|
|
|
|
|
function positions(uint8 stage) external view returns (uint128 liquidity, int24 tickLower, int24 tickUpper);
|
|
|
|
|
function recenter() external returns (bool);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
interface IStake {
|
|
|
|
|
function snatch(uint256 assets, address receiver, uint32 taxRate, uint256[] calldata positionsToSnatch)
|
|
|
|
|
external
|
|
|
|
|
returns (uint256 positionId);
|
|
|
|
|
function exitPosition(uint256 positionId) external;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
interface INonfungiblePositionManager {
|
|
|
|
|
struct MintParams {
|
|
|
|
|
address token0;
|
|
|
|
|
address token1;
|
|
|
|
|
uint24 fee;
|
|
|
|
|
int24 tickLower;
|
|
|
|
|
int24 tickUpper;
|
|
|
|
|
uint256 amount0Desired;
|
|
|
|
|
uint256 amount1Desired;
|
|
|
|
|
uint256 amount0Min;
|
|
|
|
|
uint256 amount1Min;
|
|
|
|
|
address recipient;
|
|
|
|
|
uint256 deadline;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct DecreaseLiquidityParams {
|
|
|
|
|
uint256 tokenId;
|
|
|
|
|
uint128 liquidity;
|
|
|
|
|
uint256 amount0Min;
|
|
|
|
|
uint256 amount1Min;
|
|
|
|
|
uint256 deadline;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct CollectParams {
|
|
|
|
|
uint256 tokenId;
|
|
|
|
|
address recipient;
|
|
|
|
|
uint128 amount0Max;
|
|
|
|
|
uint128 amount1Max;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function mint(MintParams calldata params) external payable returns (uint256 tokenId, uint128 liquidity, uint256 amount0, uint256 amount1);
|
|
|
|
|
function positions(uint256 tokenId)
|
|
|
|
|
external
|
|
|
|
|
view
|
|
|
|
|
returns (
|
|
|
|
|
uint96 nonce,
|
|
|
|
|
address operator,
|
|
|
|
|
address token0,
|
|
|
|
|
address token1,
|
|
|
|
|
uint24 fee,
|
|
|
|
|
int24 tickLower,
|
|
|
|
|
int24 tickUpper,
|
|
|
|
|
uint128 liquidity,
|
|
|
|
|
uint256 feeGrowthInside0LastX128,
|
|
|
|
|
uint256 feeGrowthInside1LastX128,
|
|
|
|
|
uint128 tokensOwed0,
|
|
|
|
|
uint128 tokensOwed1
|
|
|
|
|
);
|
|
|
|
|
function decreaseLiquidity(DecreaseLiquidityParams calldata params) external payable returns (uint256 amount0, uint256 amount1);
|
|
|
|
|
function collect(CollectParams calldata params) external payable returns (uint256 amount0, uint256 amount1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ─── Main test contract ────────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
contract FitnessEvaluator is Test {
|
|
|
|
|
using UniswapHelpers for IUniswapV3Pool;
|
|
|
|
|
|
|
|
|
|
// ─── Base network constants ───────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
uint24 internal constant POOL_FEE = 10_000;
|
|
|
|
|
address internal constant WETH_ADDR = 0x4200000000000000000000000000000000000006;
|
|
|
|
|
address internal constant SWAP_ROUTER = 0x94cC0AaC535CCDB3C01d6787D6413C739ae12bc4;
|
|
|
|
|
address internal constant NPM_ADDR = 0x27F971cb582BF9E50F397e4d29a5C7A34f11faA2;
|
|
|
|
|
address internal constant V3_FACTORY = 0x4752ba5DBc23f44D87826276BF6Fd6b1C372aD24;
|
|
|
|
|
address internal constant FEE_DEST = 0xf6a3eef9088A255c32b6aD2025f83E57291D9011;
|
|
|
|
|
|
|
|
|
|
/// @dev Fixed address used with vm.etch to inject candidate bytecode.
|
|
|
|
|
/// Chosen to be deterministic and not collide with real Base addresses.
|
|
|
|
|
address internal constant IMPL_SLOT = address(uint160(uint256(keccak256("fitness.impl.slot"))));
|
|
|
|
|
|
|
|
|
|
// ─── Anvil test accounts (deterministic mnemonic) ────────────────────────
|
|
|
|
|
|
|
|
|
|
/// @dev Account 8 — adversary (10 000 ETH in Anvil; funded via vm.deal here)
|
|
|
|
|
uint256 internal constant ADV_PK = 0xdbda1821b80551c9d65939329250298aa3472ba22feea921c0cf5d620ea67b97;
|
|
|
|
|
/// @dev Account 2 — recenter caller (granted recenterAccess in bootstrap)
|
|
|
|
|
uint256 internal constant RECENTER_PK = 0x5de4111afa1a4b94908f83103eb1f1706367c2e68ca870fc3fb9a804cdab365a;
|
|
|
|
|
|
|
|
|
|
// ─── Runtime state ────────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
address internal lmAddr;
|
|
|
|
|
address internal krkAddr;
|
|
|
|
|
address internal stakeAddr;
|
|
|
|
|
address internal optProxy;
|
|
|
|
|
address internal advAddr;
|
|
|
|
|
address internal recenterAddr;
|
|
|
|
|
IUniswapV3Pool internal pool;
|
|
|
|
|
bool internal token0isWeth;
|
|
|
|
|
|
|
|
|
|
/// @dev Mirrors AttackRunner._stakedPositionIds: position IDs returned by stake ops.
|
|
|
|
|
/// vm.snapshot/revertTo reverts this array's storage between attacks.
|
|
|
|
|
uint256[] internal _stakedPositionIds;
|
|
|
|
|
|
2026-03-12 12:31:11 +00:00
|
|
|
/// @dev NPM tokenIds returned by mint_lp ops (in insertion order).
|
|
|
|
|
/// burn_lp references positions by 1-based index into this array so that
|
|
|
|
|
/// attack files are fork-block-independent (tokenIds vary by fork tip).
|
|
|
|
|
uint256[] internal _mintedNpmTokenIds;
|
|
|
|
|
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
// ─── Entry point ─────────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @notice Batch fitness evaluator: score all candidates in the manifest.
|
|
|
|
|
*
|
|
|
|
|
* Reads FITNESS_MANIFEST_DIR/{ids.txt,bytecodes.txt} line-by-line.
|
|
|
|
|
* Outputs one JSON line per candidate to stdout:
|
|
|
|
|
* {"candidate_id":"gen0_c000","fitness":1234567890}
|
|
|
|
|
*
|
|
|
|
|
* Skipped (with a pass) if BASE_RPC_URL is not set, so CI without a Base
|
|
|
|
|
* RPC key does not fail the test suite.
|
|
|
|
|
*/
|
|
|
|
|
function testBatchEvaluate() public {
|
|
|
|
|
string memory rpcUrl = vm.envOr("BASE_RPC_URL", string(""));
|
|
|
|
|
vm.skip(bytes(rpcUrl).length == 0);
|
|
|
|
|
|
|
|
|
|
string memory manifestDir = vm.envOr("FITNESS_MANIFEST_DIR", string(""));
|
|
|
|
|
require(bytes(manifestDir).length > 0, "FITNESS_MANIFEST_DIR env var required");
|
|
|
|
|
|
|
|
|
|
string memory attacksDir = vm.envOr("ATTACKS_DIR", string("script/backtesting/attacks"));
|
|
|
|
|
|
|
|
|
|
// Fork Base mainnet so Uniswap V3, WETH, etc. exist at canonical addresses.
|
|
|
|
|
vm.createSelectFork(rpcUrl);
|
|
|
|
|
|
|
|
|
|
advAddr = vm.addr(ADV_PK);
|
|
|
|
|
recenterAddr = vm.addr(RECENTER_PK);
|
|
|
|
|
|
|
|
|
|
// Deploy the full KRAIKEN stack once on the fork.
|
|
|
|
|
_deploy();
|
|
|
|
|
|
|
|
|
|
// Snapshot after deployment (pre-bootstrap, pre-candidate-specific state).
|
|
|
|
|
uint256 baseSnap = vm.snapshot();
|
|
|
|
|
|
|
|
|
|
// Discover attack files (sorted alphabetically by path).
|
|
|
|
|
string memory idsFile = string.concat(manifestDir, "/ids.txt");
|
|
|
|
|
string memory bytecodesFile = string.concat(manifestDir, "/bytecodes.txt");
|
|
|
|
|
|
|
|
|
|
// Process candidates one at a time.
|
|
|
|
|
while (true) {
|
|
|
|
|
string memory candidateId = vm.readLine(idsFile);
|
|
|
|
|
string memory bytecodeHex = vm.readLine(bytecodesFile);
|
|
|
|
|
if (bytes(candidateId).length == 0) break;
|
|
|
|
|
|
|
|
|
|
// Revert to clean post-deploy state for each candidate.
|
|
|
|
|
vm.revertTo(baseSnap);
|
|
|
|
|
baseSnap = vm.snapshot();
|
|
|
|
|
|
2026-03-12 19:54:58 +00:00
|
|
|
// Etch candidate optimizer bytecode onto the implementation address
|
|
|
|
|
// and update the ERC1967 implementation slot directly.
|
|
|
|
|
// Skips UUPS upgradeTo() check — candidates are standalone contracts
|
|
|
|
|
// (OptimizerV3Push3) without UUPSUpgradeable inheritance.
|
|
|
|
|
// This is safe because we only care about calculateParams() output.
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
bytes memory candidateBytecode = vm.parseBytes(bytecodeHex);
|
2026-03-12 19:54:58 +00:00
|
|
|
if (candidateBytecode.length == 0) {
|
|
|
|
|
console.log(string.concat('{"candidate_id":"', candidateId, '","fitness":0,"error":"empty_bytecode"}'));
|
2026-03-12 12:31:11 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
2026-03-12 19:54:58 +00:00
|
|
|
vm.etch(IMPL_SLOT, candidateBytecode);
|
|
|
|
|
// ERC1967 implementation slot = keccak256("eip1967.proxy.implementation") - 1
|
|
|
|
|
bytes32 ERC1967_IMPL = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
|
|
|
|
|
vm.store(optProxy, ERC1967_IMPL, bytes32(uint256(uint160(IMPL_SLOT))));
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
|
|
|
|
|
// Bootstrap: fund LM, set recenterAccess, initial recenter.
|
2026-03-12 19:54:58 +00:00
|
|
|
if (!_bootstrap()) {
|
|
|
|
|
console.log(string.concat('{"candidate_id":"', candidateId, '","fitness":0,"error":"bootstrap_failed"}'));
|
|
|
|
|
continue;
|
|
|
|
|
}
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
|
|
|
|
|
// Score: sum lm_eth_total across all attack sequences.
|
|
|
|
|
uint256 totalFitness = 0;
|
|
|
|
|
Vm.DirEntry[] memory entries = vm.readDir(attacksDir);
|
|
|
|
|
for (uint256 i = 0; i < entries.length; i++) {
|
|
|
|
|
if (entries[i].isDir || !_endsWith(entries[i].path, ".jsonl")) continue;
|
|
|
|
|
|
|
|
|
|
uint256 atkSnap = vm.snapshot();
|
|
|
|
|
uint256 score = _runAttack(entries[i].path);
|
|
|
|
|
totalFitness += score;
|
|
|
|
|
vm.revertTo(atkSnap);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Emit score as a JSON line (parsed by batch-eval.sh).
|
|
|
|
|
console.log(string.concat('{"candidate_id":"', candidateId, '","fitness":', _uint2str(totalFitness), "}"));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Close manifest files.
|
|
|
|
|
vm.closeFile(idsFile);
|
|
|
|
|
vm.closeFile(bytecodesFile);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ─── Deployment ───────────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @notice Deploy the full KRAIKEN stack (mirrors DeployLocal.sol).
|
|
|
|
|
* @dev All contracts are deployed as address(this) (the test contract),
|
|
|
|
|
* which becomes the UUPS admin for the Optimizer proxy.
|
|
|
|
|
*/
|
|
|
|
|
function _deploy() internal {
|
|
|
|
|
// Deploy Kraiken token.
|
|
|
|
|
Kraiken kraiken = new Kraiken("Kraiken", "KRK");
|
|
|
|
|
krkAddr = address(kraiken);
|
|
|
|
|
token0isWeth = WETH_ADDR < krkAddr;
|
|
|
|
|
|
|
|
|
|
// Deploy Stake.
|
|
|
|
|
Stake stake = new Stake(krkAddr, FEE_DEST);
|
|
|
|
|
stakeAddr = address(stake);
|
|
|
|
|
kraiken.setStakingPool(stakeAddr);
|
|
|
|
|
|
|
|
|
|
// Get or create Uniswap V3 pool.
|
|
|
|
|
IUniswapV3Factory factory = IUniswapV3Factory(V3_FACTORY);
|
|
|
|
|
address poolAddr = factory.getPool(WETH_ADDR, krkAddr, POOL_FEE);
|
|
|
|
|
if (poolAddr == address(0)) {
|
|
|
|
|
poolAddr = factory.createPool(WETH_ADDR, krkAddr, POOL_FEE);
|
|
|
|
|
}
|
|
|
|
|
pool = IUniswapV3Pool(poolAddr);
|
|
|
|
|
|
|
|
|
|
// Initialize pool at 1-cent price if not already initialized.
|
|
|
|
|
(uint160 sqrtPriceX96,,,,,,) = pool.slot0();
|
|
|
|
|
if (sqrtPriceX96 == 0) {
|
|
|
|
|
pool.initializePoolFor1Cent(token0isWeth);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Deploy Optimizer implementation + UUPS proxy.
|
|
|
|
|
// address(this) (test contract) becomes the UUPS admin via initialize.
|
|
|
|
|
Optimizer optimizerImpl = new Optimizer();
|
|
|
|
|
bytes memory initData = abi.encodeWithSignature("initialize(address,address)", krkAddr, stakeAddr);
|
|
|
|
|
ERC1967Proxy proxy = new ERC1967Proxy(address(optimizerImpl), initData);
|
|
|
|
|
optProxy = address(proxy);
|
|
|
|
|
|
|
|
|
|
// Deploy LiquidityManager.
|
|
|
|
|
LiquidityManager lm = new LiquidityManager(V3_FACTORY, WETH_ADDR, krkAddr, optProxy);
|
|
|
|
|
lmAddr = address(lm);
|
|
|
|
|
|
|
|
|
|
// Wire contracts together.
|
|
|
|
|
lm.setFeeDestination(FEE_DEST);
|
|
|
|
|
kraiken.setLiquidityManager(lmAddr);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ─── Bootstrap ────────────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @notice Bootstrap LM state for a candidate evaluation (mirrors fitness.sh bootstrap).
|
|
|
|
|
*
|
|
|
|
|
* Steps (same order as fitness.sh):
|
|
|
|
|
* a. Grant recenterAccess to recenterAddr (impersonate feeDestination).
|
|
|
|
|
* b. Fund adversary account and wrap ETH → WETH.
|
|
|
|
|
* c. Transfer 1000 WETH to LM.
|
|
|
|
|
* d. Wrap 9000 WETH for adversary trades + set approvals.
|
|
|
|
|
* e. Initial recenter (succeeds immediately: recenterAccess set, no ANCHOR liquidity yet).
|
|
|
|
|
*/
|
2026-03-12 19:54:58 +00:00
|
|
|
function _bootstrap() internal returns (bool) {
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
// a. Grant recenterAccess (feeDestination call, no ETH needed with gas_price=0).
|
|
|
|
|
vm.prank(FEE_DEST);
|
|
|
|
|
LiquidityManager(payable(lmAddr)).setRecenterAccess(recenterAddr);
|
|
|
|
|
|
|
|
|
|
// b. Fund adversary with ETH.
|
|
|
|
|
vm.deal(advAddr, 10_000 ether);
|
|
|
|
|
|
|
|
|
|
// c. Wrap 1000 ETH → WETH and send to LM.
|
|
|
|
|
vm.startPrank(advAddr);
|
|
|
|
|
IWETH9(WETH_ADDR).deposit{ value: 1_000 ether }();
|
|
|
|
|
IERC20(WETH_ADDR).transfer(lmAddr, 1_000 ether);
|
|
|
|
|
vm.stopPrank();
|
|
|
|
|
|
|
|
|
|
// d. Wrap remaining 9000 ETH for trade operations + set approvals.
|
|
|
|
|
vm.startPrank(advAddr);
|
|
|
|
|
IWETH9(WETH_ADDR).deposit{ value: 9_000 ether }();
|
|
|
|
|
IERC20(WETH_ADDR).approve(SWAP_ROUTER, type(uint256).max);
|
|
|
|
|
IERC20(WETH_ADDR).approve(NPM_ADDR, type(uint256).max);
|
|
|
|
|
IERC20(krkAddr).approve(SWAP_ROUTER, type(uint256).max);
|
|
|
|
|
IERC20(krkAddr).approve(stakeAddr, type(uint256).max);
|
|
|
|
|
IERC20(krkAddr).approve(NPM_ADDR, type(uint256).max);
|
|
|
|
|
vm.stopPrank();
|
|
|
|
|
|
|
|
|
|
// e. Initial recenter: no ANCHOR position exists yet so amplitude check is skipped;
|
|
|
|
|
// recenterAccess is set so TWAP stability check is also skipped.
|
2026-03-12 12:31:11 +00:00
|
|
|
// If all retries fail, revert with a clear message — silent failure would make every
|
|
|
|
|
// candidate score identically (all lm_eth_total = free WETH only, no positions).
|
|
|
|
|
bool recentered = false;
|
|
|
|
|
for (uint256 _attempt = 0; _attempt < 5; _attempt++) {
|
|
|
|
|
if (_attempt > 0) vm.roll(block.number + 50);
|
|
|
|
|
vm.prank(recenterAddr);
|
|
|
|
|
try ILM(lmAddr).recenter() returns (bool) {
|
|
|
|
|
recentered = true;
|
|
|
|
|
break;
|
2026-03-12 19:54:58 +00:00
|
|
|
} catch (bytes memory reason) {
|
|
|
|
|
console.log(string.concat("recenter attempt ", vm.toString(_attempt), " failed"));
|
|
|
|
|
console.logBytes(reason);
|
|
|
|
|
}
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
}
|
2026-03-12 19:54:58 +00:00
|
|
|
if (!recentered) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
return true;
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ─── Attack execution ─────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @notice Execute one attack sequence and return the final lm_eth_total.
|
|
|
|
|
* @param attackFile Path to the *.jsonl attack file.
|
|
|
|
|
*/
|
|
|
|
|
function _runAttack(string memory attackFile) internal returns (uint256) {
|
|
|
|
|
// Reset file read position so each call to _runAttack starts from line 1.
|
|
|
|
|
vm.closeFile(attackFile);
|
2026-03-12 12:31:11 +00:00
|
|
|
// vm.revertTo() reverts all EVM state including test contract storage, so these
|
|
|
|
|
// arrays are already empty after revert. Explicit delete is a defensive reset
|
|
|
|
|
// for the first attack (no preceding revert) and any future call-path changes.
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
delete _stakedPositionIds;
|
2026-03-12 12:31:11 +00:00
|
|
|
delete _mintedNpmTokenIds;
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
|
|
|
|
|
string memory line = vm.readLine(attackFile);
|
|
|
|
|
while (bytes(line).length > 0) {
|
|
|
|
|
_executeOp(line);
|
|
|
|
|
line = vm.readLine(attackFile);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return _computeLmEthTotal();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @notice Execute a single attack operation (mirrors AttackRunner._execute).
|
|
|
|
|
*/
|
|
|
|
|
function _executeOp(string memory line) internal {
|
|
|
|
|
string memory op = vm.parseJsonString(line, ".op");
|
|
|
|
|
|
|
|
|
|
if (_eq(op, "buy")) {
|
|
|
|
|
uint256 amount = vm.parseUint(vm.parseJsonString(line, ".amount"));
|
|
|
|
|
vm.prank(advAddr);
|
2026-03-12 19:54:58 +00:00
|
|
|
try ISwapRouter02(SWAP_ROUTER).exactInputSingle(
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
ISwapRouter02.ExactInputSingleParams({
|
|
|
|
|
tokenIn: WETH_ADDR,
|
|
|
|
|
tokenOut: krkAddr,
|
|
|
|
|
fee: POOL_FEE,
|
|
|
|
|
recipient: advAddr,
|
|
|
|
|
amountIn: amount,
|
|
|
|
|
amountOutMinimum: 0,
|
|
|
|
|
sqrtPriceLimitX96: 0
|
|
|
|
|
})
|
2026-03-12 19:54:58 +00:00
|
|
|
) { } catch { }
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
} else if (_eq(op, "sell")) {
|
|
|
|
|
string memory amtStr = vm.parseJsonString(line, ".amount");
|
|
|
|
|
uint256 amount = _eq(amtStr, "all") ? IERC20(krkAddr).balanceOf(advAddr) : vm.parseUint(amtStr);
|
|
|
|
|
if (amount == 0) return;
|
|
|
|
|
vm.prank(advAddr);
|
2026-03-12 19:54:58 +00:00
|
|
|
try ISwapRouter02(SWAP_ROUTER).exactInputSingle(
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
ISwapRouter02.ExactInputSingleParams({
|
|
|
|
|
tokenIn: krkAddr,
|
|
|
|
|
tokenOut: WETH_ADDR,
|
|
|
|
|
fee: POOL_FEE,
|
|
|
|
|
recipient: advAddr,
|
|
|
|
|
amountIn: amount,
|
|
|
|
|
amountOutMinimum: 0,
|
|
|
|
|
sqrtPriceLimitX96: 0
|
|
|
|
|
})
|
2026-03-12 19:54:58 +00:00
|
|
|
) { } catch { }
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
} else if (_eq(op, "recenter")) {
|
|
|
|
|
vm.prank(recenterAddr);
|
|
|
|
|
try ILM(lmAddr).recenter() { } catch { }
|
|
|
|
|
} else if (_eq(op, "stake")) {
|
|
|
|
|
uint256 amount = vm.parseUint(vm.parseJsonString(line, ".amount"));
|
|
|
|
|
uint32 taxRate = uint32(vm.parseJsonUint(line, ".taxRateIndex"));
|
|
|
|
|
vm.prank(advAddr);
|
2026-03-12 19:54:58 +00:00
|
|
|
try IStake(stakeAddr).snatch(amount, advAddr, taxRate, new uint256[](0)) returns (uint256 posId) {
|
|
|
|
|
_stakedPositionIds.push(posId);
|
|
|
|
|
} catch { }
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
} else if (_eq(op, "unstake")) {
|
|
|
|
|
uint256 posIndex = vm.parseJsonUint(line, ".positionId");
|
2026-03-12 19:54:58 +00:00
|
|
|
if (posIndex < 1 || posIndex > _stakedPositionIds.length) return;
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
vm.prank(advAddr);
|
2026-03-12 19:54:58 +00:00
|
|
|
try IStake(stakeAddr).exitPosition(_stakedPositionIds[posIndex - 1]) { } catch { }
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
} else if (_eq(op, "mine")) {
|
|
|
|
|
uint256 blocks = vm.parseJsonUint(line, ".blocks");
|
|
|
|
|
vm.roll(block.number + blocks);
|
|
|
|
|
} else if (_eq(op, "mint_lp")) {
|
|
|
|
|
int24 tickLower = int24(vm.parseJsonInt(line, ".tickLower"));
|
|
|
|
|
int24 tickUpper = int24(vm.parseJsonInt(line, ".tickUpper"));
|
|
|
|
|
uint256 amount0 = vm.parseUint(vm.parseJsonString(line, ".amount0"));
|
|
|
|
|
uint256 amount1 = vm.parseUint(vm.parseJsonString(line, ".amount1"));
|
|
|
|
|
(address t0, address t1) = token0isWeth ? (WETH_ADDR, krkAddr) : (krkAddr, WETH_ADDR);
|
|
|
|
|
vm.prank(advAddr);
|
2026-03-12 12:31:11 +00:00
|
|
|
// Track the returned tokenId so burn_lp can reference it by 1-based index,
|
|
|
|
|
// making attack files fork-block-independent (NPM tokenIds depend on fork tip).
|
|
|
|
|
(uint256 mintedTokenId,,,) = INonfungiblePositionManager(NPM_ADDR).mint(
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
INonfungiblePositionManager.MintParams({
|
|
|
|
|
token0: t0,
|
|
|
|
|
token1: t1,
|
|
|
|
|
fee: POOL_FEE,
|
|
|
|
|
tickLower: tickLower,
|
|
|
|
|
tickUpper: tickUpper,
|
|
|
|
|
amount0Desired: amount0,
|
|
|
|
|
amount1Desired: amount1,
|
|
|
|
|
amount0Min: 0,
|
|
|
|
|
amount1Min: 0,
|
|
|
|
|
recipient: advAddr,
|
|
|
|
|
deadline: block.timestamp + 3600
|
|
|
|
|
})
|
|
|
|
|
);
|
2026-03-12 12:31:11 +00:00
|
|
|
_mintedNpmTokenIds.push(mintedTokenId);
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
} else if (_eq(op, "burn_lp")) {
|
2026-03-12 12:31:11 +00:00
|
|
|
// .tokenId in the attack file is a 1-based index into _mintedNpmTokenIds
|
|
|
|
|
// (positions created by mint_lp ops in this run), not a raw NPM tokenId.
|
|
|
|
|
// This mirrors the stake/unstake index pattern and avoids fork-block sensitivity.
|
|
|
|
|
uint256 tokenIndex = vm.parseJsonUint(line, ".tokenId");
|
|
|
|
|
require(
|
|
|
|
|
tokenIndex >= 1 && tokenIndex <= _mintedNpmTokenIds.length,
|
|
|
|
|
"FitnessEvaluator: burn_lp tokenId out of range (must be 1-based index of a prior mint_lp op)"
|
|
|
|
|
);
|
|
|
|
|
uint256 tokenId = _mintedNpmTokenIds[tokenIndex - 1];
|
fix: feat: revm-based fitness evaluator for evolution at scale (#604)
Replace per-candidate Anvil+forge-script pipeline with in-process EVM
execution using Foundry's native revm backend, achieving 10-100× speedup
for evolutionary search at scale.
New files:
- onchain/test/FitnessEvaluator.t.sol — Forge test that forks Base once,
deploys the full KRAIKEN stack, then for each candidate uses vm.etch to
inject the compiled optimizer bytecode, UUPS-upgrades the proxy, runs all
attack sequences with in-memory vm.snapshot/revertTo (no RPC overhead),
and emits one {"candidate_id","fitness"} JSON line per candidate.
Skips gracefully when BASE_RPC_URL is unset (CI-safe).
- tools/push3-evolution/revm-evaluator/batch-eval.sh — Wrapper that
transpiles+compiles each candidate sequentially, writes a two-file
manifest (ids.txt + bytecodes.txt), then invokes FitnessEvaluator.t.sol
in a single forge test run and parses the score JSON from stdout.
Modified:
- tools/push3-evolution/evolve.sh — Adds EVAL_MODE env var (anvil|revm).
When EVAL_MODE=revm, batch-scores every candidate in a generation with
one batch-eval.sh call instead of N sequential fitness.sh processes;
scores are looked up from the JSONL output in the per-candidate loop.
Default remains EVAL_MODE=anvil for backward compatibility.
Key design decisions:
- Per-candidate Solidity compilation is unavoidable (each Push3 candidate
produces different Solidity); the speedup is in the evaluation phase.
- vm.snapshot/revertTo in forge test are O(1) memory operations (true
revm), not RPC calls — this is the core speedup vs Anvil.
- recenterAccess is set in bootstrap so TWAP stability checks are bypassed
during attack sequences (mirrors the existing fitness.sh bootstrap).
- Test skips cleanly when BASE_RPC_URL is absent, keeping CI green.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 11:54:41 +00:00
|
|
|
(,,,,,, , uint128 liquidity,,,,) = INonfungiblePositionManager(NPM_ADDR).positions(tokenId);
|
|
|
|
|
if (liquidity == 0) return;
|
|
|
|
|
vm.startPrank(advAddr);
|
|
|
|
|
INonfungiblePositionManager(NPM_ADDR).decreaseLiquidity(
|
|
|
|
|
INonfungiblePositionManager.DecreaseLiquidityParams({
|
|
|
|
|
tokenId: tokenId,
|
|
|
|
|
liquidity: liquidity,
|
|
|
|
|
amount0Min: 0,
|
|
|
|
|
amount1Min: 0,
|
|
|
|
|
deadline: block.timestamp + 3600
|
|
|
|
|
})
|
|
|
|
|
);
|
|
|
|
|
INonfungiblePositionManager(NPM_ADDR).collect(
|
|
|
|
|
INonfungiblePositionManager.CollectParams({
|
|
|
|
|
tokenId: tokenId,
|
|
|
|
|
recipient: advAddr,
|
|
|
|
|
amount0Max: type(uint128).max,
|
|
|
|
|
amount1Max: type(uint128).max
|
|
|
|
|
})
|
|
|
|
|
);
|
|
|
|
|
vm.stopPrank();
|
|
|
|
|
}
|
|
|
|
|
// Unknown ops are silently ignored (mirrors AttackRunner behaviour).
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ─── Score computation ────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @notice Compute lm_eth_total = free ETH + free WETH + sum(position ETH values).
|
|
|
|
|
* Mirrors AttackRunner._logSnapshot's lm_eth_total calculation.
|
|
|
|
|
*/
|
|
|
|
|
function _computeLmEthTotal() internal view returns (uint256) {
|
|
|
|
|
(uint160 sqrtPriceX96,,,,,,) = pool.slot0();
|
|
|
|
|
|
|
|
|
|
uint256 lmEthFree = lmAddr.balance;
|
|
|
|
|
uint256 lmWethFree = IERC20(WETH_ADDR).balanceOf(lmAddr);
|
|
|
|
|
|
|
|
|
|
(uint128 fLiq, int24 fLo, int24 fHi) = ILM(lmAddr).positions(0); // FLOOR
|
|
|
|
|
(uint128 aLiq, int24 aLo, int24 aHi) = ILM(lmAddr).positions(1); // ANCHOR
|
|
|
|
|
(uint128 dLiq, int24 dLo, int24 dHi) = ILM(lmAddr).positions(2); // DISCOVERY
|
|
|
|
|
|
|
|
|
|
return lmEthFree
|
|
|
|
|
+ lmWethFree
|
|
|
|
|
+ _positionEthValue(sqrtPriceX96, fLo, fHi, fLiq)
|
|
|
|
|
+ _positionEthValue(sqrtPriceX96, aLo, aHi, aLiq)
|
|
|
|
|
+ _positionEthValue(sqrtPriceX96, dLo, dHi, dLiq);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @notice ETH-equivalent value of a Uniswap V3 position at the current price.
|
|
|
|
|
* Copied verbatim from AttackRunner._positionEthValue.
|
|
|
|
|
*/
|
|
|
|
|
function _positionEthValue(
|
|
|
|
|
uint160 sqrtPriceX96,
|
|
|
|
|
int24 tickLower,
|
|
|
|
|
int24 tickUpper,
|
|
|
|
|
uint128 liquidity
|
|
|
|
|
)
|
|
|
|
|
internal
|
|
|
|
|
view
|
|
|
|
|
returns (uint256)
|
|
|
|
|
{
|
|
|
|
|
if (liquidity == 0) return 0;
|
|
|
|
|
uint160 sqrtRatioAX96 = TickMath.getSqrtRatioAtTick(tickLower);
|
|
|
|
|
uint160 sqrtRatioBX96 = TickMath.getSqrtRatioAtTick(tickUpper);
|
|
|
|
|
(uint256 amount0, uint256 amount1) =
|
|
|
|
|
LiquidityAmounts.getAmountsForLiquidity(sqrtPriceX96, sqrtRatioAX96, sqrtRatioBX96, liquidity);
|
|
|
|
|
|
|
|
|
|
uint256 ethAmount = token0isWeth ? amount0 : amount1;
|
|
|
|
|
uint256 krkAmount = token0isWeth ? amount1 : amount0;
|
|
|
|
|
|
|
|
|
|
if (krkAmount == 0 || sqrtPriceX96 == 0) return ethAmount;
|
|
|
|
|
|
|
|
|
|
uint256 krkInEth;
|
|
|
|
|
if (token0isWeth) {
|
|
|
|
|
// token0=WETH, token1=KRK: 1 KRK = 2^192 / sqrtP^2 WETH
|
|
|
|
|
krkInEth = FullMath.mulDiv(FullMath.mulDiv(krkAmount, 1 << 96, sqrtPriceX96), 1 << 96, sqrtPriceX96);
|
|
|
|
|
} else {
|
|
|
|
|
// token0=KRK, token1=WETH: 1 KRK = sqrtP^2 / 2^192 WETH
|
|
|
|
|
krkInEth = FullMath.mulDiv(FullMath.mulDiv(krkAmount, sqrtPriceX96, 1 << 96), sqrtPriceX96, 1 << 96);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ethAmount + krkInEth;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ─── Utilities ────────────────────────────────────────────────────────────
|
|
|
|
|
|
|
|
|
|
function _eq(string memory a, string memory b) internal pure returns (bool) {
|
|
|
|
|
return keccak256(bytes(a)) == keccak256(bytes(b));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function _endsWith(string memory str, string memory suffix) internal pure returns (bool) {
|
|
|
|
|
bytes memory bStr = bytes(str);
|
|
|
|
|
bytes memory bSuf = bytes(suffix);
|
|
|
|
|
if (bStr.length < bSuf.length) return false;
|
|
|
|
|
uint256 offset = bStr.length - bSuf.length;
|
|
|
|
|
for (uint256 i = 0; i < bSuf.length; i++) {
|
|
|
|
|
if (bStr[offset + i] != bSuf[i]) return false;
|
|
|
|
|
}
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function _uint2str(uint256 n) internal pure returns (string memory) {
|
|
|
|
|
if (n == 0) return "0";
|
|
|
|
|
uint256 temp = n;
|
|
|
|
|
uint256 digits;
|
|
|
|
|
while (temp != 0) {
|
|
|
|
|
digits++;
|
|
|
|
|
temp /= 10;
|
|
|
|
|
}
|
|
|
|
|
bytes memory buffer = new bytes(digits);
|
|
|
|
|
while (n != 0) {
|
|
|
|
|
digits--;
|
|
|
|
|
buffer[digits] = bytes1(uint8(48 + (n % 10)));
|
|
|
|
|
n /= 10;
|
|
|
|
|
}
|
|
|
|
|
return string(buffer);
|
|
|
|
|
}
|
|
|
|
|
}
|