static analysis · substrate honesty
Most hacks make a system do something it shouldn't. A white hack makes it tell more truth: it scans your code for the places it lies about its own state.
node bin/whitehack.js scan .
MIT · no telemetry · ~250 lines you can read in a sitting
The failed read that silently becomes 0. The cached value served as if
it were live. The stale price oracle read as current. The token transfer whose failure is dropped on the floor.
The score shown to a person with no way to ask why.
These usually aren't bugs in the ordinary sense: the code runs fine. It just isn't honest about its own state, and someone downstream trusts it anyway.
A read that fails to a falsy default: "could not read" becomes a confident wrong value.
A cached / snapshot value returned with no freshness marker: stale read as live.
A score / fee / fraud flag shown to a person with no way to ask why.
Currency in a binary float: an "exact" amount that silently loses cents.
A price feed read without checking updatedAt: a halted feed served as a live price.
An ERC-20 transfer whose bool result is dropped: a failed transfer looks successful.
A price from instantaneous reserves: flash-loan-movable, presented as fair value.
A require()/revert() with no reason: a refusal nobody can inspect.
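Three of the patterns listed above (the failed read that defaults to a falsy value, the cached value with no freshness marker, and currency in a binary float), each beside a form that keeps its state visible. This is an added example, not whitehack's code or its rule set; every function name and all sample data are constructed for illustration.

```javascript
// Constructed data: "alice" has a record, "bob" has a corrupt one, "carol" has none.
const store = new Map([['alice', '1050'], ['bob', 'corrupt']]);

// Failed read, dishonest: any failure collapses to a confident 0.
function balanceDishonest(user) {
  return Number.parseInt(store.get(user), 10) || 0;
}

// Failed read, honest: "zero" and "could not read" stay distinguishable.
function balanceHonest(user) {
  const raw = store.get(user);
  if (raw === undefined) return { ok: false, reason: 'no record' };
  if (!/^\d+$/.test(raw)) return { ok: false, reason: 'unparsable record' };
  return { ok: true, cents: BigInt(raw) };
}

// Constructed snapshot taken at `fetchedAt` (milliseconds).
const snapshot = { value: 42, fetchedAt: 1000 };

// Cached value, dishonest: the caller cannot tell how old the value is.
function readCacheDishonest() {
  return snapshot.value;
}

// Cached value, honest: the value travels with its age and a stale flag.
function readCacheHonest(now, maxAgeMs) {
  const ageMs = now - snapshot.fetchedAt;
  return { value: snapshot.value, ageMs, stale: ageMs > maxAgeMs };
}

// Currency, dishonest: amounts summed as binary floats.
function totalFloat(amounts) {
  return amounts.reduce((sum, a) => sum + a, 0);
}

// Currency, honest: amounts summed as integer cents (BigInt).
function totalCents(amounts) {
  return amounts.reduce((sum, a) => sum + a, 0n);
}

console.log(balanceDishonest('bob'), balanceHonest('bob'));
console.log(readCacheDishonest(), readCacheHonest(61000, 30000));
console.log(totalFloat([0.1, 0.2]), totalCents([10n, 20n]));
```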
Run against faithful reconstructions of documented, money-losing incidents. Small hand-built corpus: a demonstration, not a statistical benchmark.
vulnerable lines flagged
false positives on the fixed code
real incidents reproduced (Sherlock #579 · OWASP SC02)
An honesty tool that overstated its own certainty would be the first thing it ought to flag. So:
# clone it: it's small and dependency-free
git clone https://github.com/cambridgetcg/whitehack && cd whitehack
# scan a directory (default: .)
node bin/whitehack.js scan path/to/repo
# exit code is non-zero only on medium-high findings, safe for CI