> For the complete documentation index, see [llms.txt](https://shepherd-1.gitbook.io/shepherd/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://shepherd-1.gitbook.io/shepherd/additional-info/hypothesis-templates-and-guidelines.md).

# Hypothesis Templates & Guidelines

### Short Hypothesis

```
Attacker calls withdraw() repeatedly while reentrancy lock is disabled 
to drain user funds through balance accounting bypass.
```

### Detailed Hypothesis

```
Assumptions:
- Attacker controls EOA with 50 ETH
- Can call deposit() and withdraw() on Vault contract
- Vault holds 1000 ETH total user deposits
- No reentrancy guard on withdraw()

Test scenario:
1. Attacker deposits 1 ETH to establish balance
2. Attacker calls withdraw() which sends ETH via external call
3. Attacker's receive() function reenters withdraw() before 
   balance is decremented
4. Reentrant withdraw() sees stale balance and sends another ETH
5. Process repeats until contract drained

Expected result if vulnerable:
Attacker drains full vault balance (1000 ETH) having only 
deposited 1 ETH initially.
```
