Reimplement exploits without using cheat.startPrank(attacker)

[juli]

If adding attacker to an allowlist is necessary then is better to spoof the owner's address and add our random attacker address to the allow list. This way the exploit code will be more real and more valuable for future research projects based on this repository.

[joaquinlpereyra]

Partially implemented in #37.

We are missing two attacks that still rely on prank:

1. Bad Guys NFT: because attacker was authenticated with a merkle proof, we could rebuild merkle proof for arbitrary address
2. Ronin Bridge: because attacker stole keys offchain and could sign arbitrary message, I think this is a reasonable use of prank, the interesting part is off-chain.

[nine-december]

Leaving my POV about these:

Both cases are pretty similar in terms on how the attacker managed to get access to accounts with privileges.

In the first case, the attacker managed to get a whitelist spot (which could be achieved via the Discord channel of the collection). That attack would happen also if the WhitelistMint function was public as the bug is not related with the privilege. So, for Bad Guys NFT could be reasonable showing that anyone included in the Merkle Tree would have been able to perform the attack.

As for Ronin, the juicy part of the attack was how the attacker compromised the keys. The biggest concept there IMO is data and keys hygiene.

[nine-december]

I guess that the topic of this issue has been already solved. Moreover, we could leave this referenced somewhere as a guideline for future reproductions.