# Field Notes from a DeFi Adversary

We wrote `economicfuzz` because most of the bugs we kept finding in DeFi protocols were not bugs in the *code*. The code compiled. The code passed its tests. The code did exactly what its authors intended. The bugs lived in the gap between what the authors intended and what the market would actually do at 3am on a holiday with a stale oracle and a flash-loan provider running a 0.05% fee.

Closing that gap with code review alone is hard. Closing it with auditors alone is expensive. Closing it with a fuzzer that understands *economic* state — prices, balances, leverage, liquidation queues — turned out to be the lowest-cost option we could find. This book is the manual for that fuzzer.

## How we read this book

These chapters are not a reference. They are field notes. Each one walks through one attack we have either modelled or observed, in the order we usually run them when sitting down with a new protocol. The order is deliberate: the early chapters take less setup, and each later chapter assumes vocabulary established in an earlier one.

The threat model in chapter 00 is the one to read first. The case studies that follow it can be read out of order once the threat model is in your head.

Two chapters are not case studies. The cookbook (60) is the YAML reference for everyone who wants to write their own scenarios; the hardening index (80) is the cross-reference from finding to fix. We built the index last and it is the chapter we use most often.

## What the tool actually does

`economicfuzz` reads a YAML scenario, replays it against a model of the target protocol's economic invariants, and exits non-zero when an invariant breaks. The scenarios that ship with the tool are the eight we found ourselves running by hand often enough to be worth automating.

```
economicfuzz scan   <programId>           # heuristic checklist
economicfuzz attack <scenario.yaml>       # replay one scenario
economicfuzz fuzz   <scenario.yaml>       # genetic search over scenario parameters
economicfuzz report <output-dir>          # dump findings as JSON
```

The `attack` command is the one we use most. The `fuzz` command is what we run overnight on a Friday and look at on Monday morning.

## What this book is not

It is not a textbook on DeFi attacks; better books exist. It is not a comprehensive catalogue of every exploit ever observed on Solana; the ones we cover are the ones our fuzzer can model. It is not a substitute for a full audit. It is the manual for a tool, and it tries to be honest about the tool's reach.

## A note on tone

We write in the first person plural. The team that wrote this fuzzer has done enough post-mortems together that "I" no longer feels accurate; the conclusions in this book belong to the group. Where a chapter says *we did X*, it means a small team — usually three people, sometimes four — sat in a room and watched the numbers do something the code did not predict.

