Summary

A hidden enablement of foundry's FFI cheatcode allows the test script to run arbirtrary commands on the host machine.

Vulnerability Details

The hiding of the ffi = true foundry flag far down the foundry.toml file enables further obfuscated test code. ffi is mapped to a cheatcodes variable via a mock contract which allows ffi to be used within the test scripts. Multiple tests then use this to remove the ./lib directory and then "mock" the user with a creation of "You have been Cursed By Ravana" in filenames within the project.

Impact

This only removes foundry lib files which can be reinstalled, but this exposes the possibility that the hosts machine could have been compromised.

Tools Used

Recommendations

Never trust any code that comes from the outside, even from CodeHawks. Verify before running anything and/or run inside a safe virtual environment until you are sure that everything is good. Do not assume familiar tools or processes are what they purport to be.