A big portion of code auditing is staring at the screen at someone else’s code, and asking yourself:

Why did they do it this way? Is there something they know that I don’t know? Why is there nothing about this function in the documentation?”

If you are a lucky auditor, things start to make sense hours or days into the audit. Then you have to start writing up what you learned and what you found as risky behaviour (a.k.a. vulnerability). Then you move on to compiling all of them together in a representable manner into a report.

There is no…


https://smartcontract.coiniran.com/

Six years ago, we set out to empower the “underprivileged” by educating them on how decentralized financial tools can help leverage personal and financial status. In western contexts, we often conceive of the “underprivileged” as a minority cultural or racial group in a particular country and neglect how entire populations across geographical regions also fall into this category.

For instance, In crypto discourse, we hear a lot about the commitment to “banking the unbanked”, yet it is rarely acknowledged who exactly the “unbanked” are. Did you know that most of Iran’s population — regardless of their political views or ideologies…


🎄 Sign up for the newsletter 🎄

In 2020, we sent out 17 issues of this newsletter covering everything on blockchain and smart contract security as they were happening. It’s been a crazy year, maybe more crazy for DeFi than the rest of the world.
Wish you a 2021 full of SafeHealth and SafeWealth.

Last week we open sourced Scribble, a Solidity runtime verification tool for property based testing. You can read more about it on our blog.

Also another update to our VSCode tools, Decompiler extension which you can use to decompile almost anything.

Holiday’s Solidity Boost

This holiday might be the best time to boost your Solidity development…


Credit for the image goes to Casey Coauette

A new blog post, Token Interaction Checklist is out. A checklist to help developers and security engineers to navigate the possible issues that could arise from interacting with many different tokens, especially if they want to support user-inputted tokens.

A pretty useful update to our VSCode tool, Solidity Metrics, has been released. In this update we introduced Solidity dopperlganger, a tool to check if a contract is similar to a set of known contracts stored in a Database. The best use case is for smart contract auditors to check if a library (e.g. SafeMath) is a copy of a reputable…


Tokens have long been a part of the history of blockchain and cryptocurrencies. As far back as the early days of Bitcoin, there were plans of creating ‘ colored coins’ to extend functionality to new use cases. Projects such as Mastercoin, later rebranded as Omni, popped up to fulfill this vision, eventually inspiring Vitalik Buterin to produce the Ethereum whitepaper.

Today’s ecosystem is a highly composable, vast expanse of tokens with a practically endless list of use cases. Although several token standards have been constructed, the very first token standard, ERC-20, remains the most used as a result of the…


Last Month at Liquidity2020 we presented two talks (videos below) and coming up next week we will be presenting at Trufflecon, stay tuned for DevSecOps — Shifting left smart contract development by Joran Honig.

Oracles from the Ground Truth to Market Manipulation — Shayan Eskandari
Automated Testing of Smart Contract Systems — Valentin Wüstholz

Also, for VSCode users, there’s an update on Ethereum Vyper language support.

Distilled News

Governance Attacks — MakerDAO

Earlier this week, a flash loan was used to pass a governance vote on MakerDAO:

Essentially, B Protocol’s team wanted to be white-listed in order to access the MakerDAO’s price oracle. …


We have a few new blog posts for you:


Distilled News

The Untamed DeFi

In the past few weeks, so much has happened in the DeFi world that it is impossible to follow anymore. Here are some of the rise and falls, and eccentric events that were caught in our radar:

The rise and fall of Yam in 48 hours:

Curve Finance anonymous deployment:

Based Protocol

Synthetix xSNXa False Start: Post Mortem — Samczsun, the killer of DeFi high hopes…


[This newsletter is also translated to Korean by Richard Kim]

Sign up for the newsletter

A new exciting VSCode extension for Ethereum people, ETHover will let you lookup the balance, bytecode, and verified source code of any Ethereum address, in addition, it lets you decompile the bytecode using a variety of tools.

Do you consider yourself a smart contract hacker? Or do you know someone that might be? Good news, ConsenSys Diligence is hiring.

Distilled News

Back-running

In the last newsletter we covered a transaction making a million dollars right when BzX listed their token (BZRX) on Uniswap. This phenomenon, to get your transaction in a block right…


[This newsletter is also translated to Korean by Richard Kim and to Farsi by CoinIran.]

(This newsletter was sent out on July 17th, Sign up to receive them on the first day)

Last week we open-sourced one of our tools, Legions, an EVM Node Security Toolkit. With this tool, you can look up ENS details, smart contract storage, and any nodes’ exposed RPC interfaces. Read more about Legions and more functionalities here:

Also we are honored that Status has asked us to serve as the Champion on Nimbus ETH2.0 beacon chain assessment, working alongside NCCGroup and Trail of Bits.

Do you consider yourself a smart contract hacker? Or do you know someone that might be? …

Shayan Eskandari

Blockchain/Security Engineer, PhD Candidate

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store