Collaborative Testing with Phalcon Fork — “Damn Vulnerable DeFi” as an Example

4 min readJul 27, 2023


What’s Phalcon Fork

Phalcon Fork is a specialized tool designed for Web3 developers and security researchers to conduct collaborative testing with private mainnet states. It allows users to create a Fork from any mainnet state and send transactions to the Fork via an RPC endpoint. This innovative tool has two key features that set it apart from other platforms.

  • Firstly, it offers the ability to browse all transactions and, more crucially, debug them using the Phalcon Explorer.
  • Secondly, it boasts an internal block browser named Phalcon Scan, akin to Etherscan, facilitating easier viewing of transactions and accounts within the Fork.

You can access Phalcon Fork at

In essence, Phalcon Fork is a private testnet that syncs with the mainnet. With its integrated features, such as the Phalcon Explorer and internal block browser, it significantly enhances user experience.

The UI of the internal block explorer: Phalcon Scan
The UI of the internal block explorer: Phalcon Scan

Applications of Phalcon Fork

Phalcon Fork is an ideal tool for collaborative testing or demonstrations. This section will describe how it can be utilized effectively in public testing scenarios for better clarity.

Collaboration Among Developers

During protocol development, effective collaboration among developers is key, especially when debugging the protocol. This becomes even more challenging when developers are scattered globally, making it difficult to debug a transaction that triggers a protocol’s corner case. Phalcon Fork simplifies this process by enabling the creation of a private testnet where transactions can be executed. Developers can collectively use Phalcon Explorer to debug transactions, making it a more streamlined process than using local debug environments like Foundry and Hardhat.

Debug a simulated transaction inside a Fork

Collaboration Among Developers and Users

Public testing is essential when introducing a new protocol as it requires thorough testing. This includes user-based testing. One option is to deploy the protocol on a testnet, allowing users to issue transactions to the testnet via MetaMask.

However, using a testnet presents the challenge of unsynchronized states with the mainnet. Furthermore, dependent protocols may not exist in the testnet, complicating the testing process. Phalcon Fork offers a solution to these issues by enabling a protocol to create a Fork from the mainnet and share the RPC with users. Users can then import the RPC into MetaMask to interact with the protocol. All test transactions can be displayed using Phalcon Scan, mirroring Etherscan’s functionality.

Moreover, to prevent abuse of the Fork, protocols can implement measures such as allowing only addresses included in an allow list to issue transactions.

The configuration inside a Fork

Implementing “Damn Vulnerable DeFi” on Phalcon Fork

Damn Vulnerable DeFi serves as a learning platform for understanding the offensive security of DeFi smart contracts in Ethereum. The original version relies on Hardhat (and Foundry) and can only be used locally.

With Phalcon Fork, we can create a Fork for each challenge, thereby enabling an enhanced online learning experience. In the next section, I will use the Foundry version (with some alterations to the deployment script) and the second challenge (Native receiver) to illustrate this.

Creating a Fork and Deploying the Challenge

We initially created a Fork. Next, we deploy the challenge into this Fork, which involves deploying vulnerable contracts. The deployment script is shown in the Github repository.

Then using the following command to deploy the challenge.

forge script script/NaiveReceiver.deploy.sol — broadcast — rpc-url [FORK_RPC] — verify — verifier-url ‘[FORK_RPC_ID]' -vvvv — etherscan-api-key [ACCESS_TOKEN]

The FORK_RPC, RPC_ID and ACCESS_TOKEN can be obtained inside the dashboard.

Note that, I do not make the transactions inside this Fork private. So everyone can browse the transactions and contracts inside this Fork through the following URL.

Of course, the transactions inside a Fork can be private to only project members, by turning on the following configuration in Fork’s Settings.

The option to disable public access of transactions inside a Fork

As we possess the source code of the contract, we can validate the deployed contract.

The list of the deployed contracts

We can visualize the deployed contracts as well as the verified contract’s source code. Moreover, we can view the transaction list within the Fork.

The source code of the verified contract inside a Fork
The transaction list inside a Fork

Solving the Challenge

To solve the challenge, we deploy an Attacker contract, followed by issuing the attack transaction.

The attack tx to solve the challenge shown in Phalcon Explorer

The source code of the Attacker contract and the script to issue the attack transaction is in the Github repository.

forge script script/NaiveReceiver.attack.sol — broadcast — rpc-url [FORK_RPC]


Phalcon Fork allows for the creation of a private testnet synced with the mainnet. The created Fork can be accessed using RPC and is compatible with development frameworks. The inclusion of tools such as the Phalcon Explorer and internal block scanner enables the development of more complex scenarios.




The BlockSec focuses on the security of the blockchain ecosystem and the research of DeFi attack monitoring and blocking.