Credit for the image goes to Casey Coauette

A new blog post, Token Interaction Checklist, is out. It is a checklist to help developers and security engineers navigate the issues that can arise from interacting with many different tokens, especially if they want to support user-supplied tokens.

A pretty useful update to our VSCode tool, Solidity Metrics, has been released. In this update we introduced Solidity Doppelganger, a tool that checks whether a contract is similar to a set of known contracts stored in a database. The main use case is for smart contract auditors to check whether a library (e.g. SafeMath) is a copy of a reputable source (e.g. …



Tokens have long been a part of the history of blockchain and cryptocurrencies. As far back as the early days of Bitcoin, there were plans to create ‘colored coins’ to extend functionality to new use cases. Projects such as Mastercoin, later rebranded as Omni, popped up to fulfill this vision, eventually inspiring Vitalik Buterin to write the Ethereum whitepaper.

Today’s ecosystem is a highly composable, vast expanse of tokens with a practically endless list of use cases. Although several token standards have been constructed, the very first token standard, ERC-20, remains the most used as a result of the high degree of confidence in its security and simplicity. …



Last month at Liquidity2020 we presented two talks (videos below), and next week we will be presenting at Trufflecon; stay tuned for DevSecOps — Shifting Left Smart Contract Development by Joran Honig.

Oracles from the Ground Truth to Market Manipulation — Shayan Eskandari
Automated Testing of Smart Contract Systems — Valentin Wüstholz

Also, for VSCode users, there’s an update on Ethereum Vyper language support.

Distilled News

Governance Attacks — MakerDAO

Earlier this week, a flash loan was used to pass a governance vote on MakerDAO:

Essentially, B Protocol’s team wanted to be white-listed in order to access the MakerDAO’s price oracle. …



We have a few new blog posts for you:

  • Breaking Ethereum Nodes with Teatime: A tool focused on attacks against the P2P layer and the node software itself, working on ETH1.0 and JSON-RPC interfaces.
  • LibP2P: Multiaddr — Enode — ENR ?!: There are multiple ways to convey a node’s peer-to-peer address and identity; multiaddr, enode, and ENR are the ones used in the Ethereum network stack. In this article we shed some light on them, and also provide a web app for easy conversion between these encodings.
  • Detecting Ownership Takeovers Using Mythril: How to write a Mythril detection module that flags unwanted ownership transfers in your smart contract. …



Distilled News

The Untamed DeFi

In the past few weeks, so much has happened in the DeFi world that it is impossible to keep up anymore. Here are some of the rises and falls, and eccentric events, that were caught on our radar:

  • The rise and fall of Yam in 48 hours
  • Curve Finance anonymous deployment
  • Based Protocol
  • Synthetix xSNXa False Start: Post Mortem — Samczsun, the killer of DeFi high hopes, found an exploit in the first day of…


[This newsletter is also translated to Korean by Richard Kim]


ETHover, a new and exciting VSCode extension for Ethereum people, lets you look up the balance, bytecode, and verified source code of any Ethereum address; in addition, it lets you decompile the bytecode using a variety of tools.

Do you consider yourself a smart contract hacker? Or do you know someone that might be? Good news, ConsenSys Diligence is hiring.

Distilled News

Back-running

In the last newsletter we covered a transaction that made a million dollars right when bZx listed their token (BZRX) on Uniswap. This practice of getting your transaction into a block right after a targeted transaction is called back-running (the opposite of front-running). …


[This newsletter is also translated to Korean by Richard Kim and to Farsi by CoinIran.]

(This newsletter was sent out on July 17th; sign up to receive them on the first day.)

Last week we open-sourced one of our tools, Legions, an EVM Node Security Toolkit. With this tool you can look up ENS details, smart contract storage, and any node’s exposed RPC interfaces. Read more about Legions and its other functionality here:

We are also honored that Status has asked us to serve as the Champion on the Nimbus ETH2.0 beacon chain assessment, working alongside NCC Group and Trail of Bits.

Do you consider yourself a smart contract hacker? Or do you know someone that might be? …


[This newsletter is also translated to Korean by Richard Kim.]

(This newsletter was sent out on July 2nd; sign up to receive them on the first day.)

This is the last week for Gitcoin CLR matching; please check out two of our Public Goods projects:

Do you consider yourself a smart contract hacker? Or do you know someone that might be? Good news, ConsenSys Diligence is hiring.

Distilled News

Balancer Pool issue

We previously covered issues caused by flash loans (the bZx hack and the security implications of flash loans); now, combined with non-standard deflationary ERC20 tokens, the plot has thickened. Last week, two different attacks on two Balancer pools resulted in $500K profit for the attackers. …


[This newsletter is also translated to Korean by Richard Kim.]


Here are some of the things we’ve been working on in recent weeks:

  • The Blockchain Security DB is an open-source (and machine-readable) database of security information for blockchain projects, containing information about past audits, bounty programs, and security contact info.

Some laudable efforts have been made recently to evaluate and compare the security of different projects (especially in DeFi). That’s a difficult and controversial undertaking, so we’ve decided to start just by presenting the information we could find without interpretation. …


Legions — EVM Node Security Toolkit

Have you ever thought about doing one of the following things from your terminal?

  • Poke around a public Ethereum node’s JSON-RPC endpoints?
  • See whether an Ethereum node is mining or not?
  • Read the storage of a smart contract, and maybe see how the storage changed between different block numbers?
  • Get the bytecode of a smart contract without going to Etherscan?
  • List all ENS domain names owned by an address and their expiry dates?
  • List all the subdomains of an ENS domain name?

If so, I have a tool for you, and it goes way beyond this functionality.

Legions

During a recent client engagement we felt the need for a tool to help us poke around some forks of Geth nodes, and we realized there were no tools available to easily connect to and query the common endpoints of such nodes. Even though you can manage this with libraries like web3.js, they are more like a hammer, when what we needed was a scalpel. …

About

Shayan Eskandari

Blockchain/Security Engineer, PhD Candidate
