Smart Contract Security Newsletter #31

We will be at the following upcoming events, email us if you’d like to meet up!

• ETHDenver on February 14–16
• The Stanford Blockchain Conference 2020 on February 19–21

Distilled News

Interview with samczsun — ConsenSys Diligence

We don’t normally do interviews on our blog, but Sam Sun has been on such a hot streak lately finding bugs in critical smart contracts, so we needed an excuse to talk to him about what drives him, and what his bug hunting process looks like.

His recent findings findings include critical issues in Curve Finance, and the Registry at the center of the Ethereum Name Service.

When I’m bored and/or procrastinating, I’ll flip through transactions on Etherscan — like, “This looks like an interesting target that it’s going to, I wonder…”

Advanced Smart Contract Security Verification in Remix — Bernhard Mueller

The Remix development environment provides users with a convenient and powerful way of checking the correctness of smart contracts via the MythX plugin. In this article, I’ll explain the basics and provide several examples including security tests of real-world smart contracts.

Critical Flaw in Trezor Hardware Wallets — Kraken

If you have your Trezor in a secure place, don’t worry you are safe. This attack vector requires physical access and modification to the hardware wallet. This attack relies on voltage glitching to extract an encrypted seed.

Tornado.cash vulnerability alert

If you have used Tornado.cash, read this post. There are 98 users affected, only 12 of which have funds currently at risk (the others may have their privacy compromised though). The full disclosure with the details about the bug will be published in 2 weeks on Feb 14, 2020.

DApp Frontend Security — Embarklabs

Dapp developers rightly put a heavy emphasis on smart contract security, this contrasts with frontend security which is rarely discussed. This article is a good review of potential attack vectors in dapp frontends.

Ethereum 2.0 Security Considerations — Sigma Prime

We shared this awesome talk from DevCon5 previously, but it’s worth another watch as we get closer (knock on wood) to ETH 2.0.

Other Links

• CacheOut — Leaking Data on Intel CPUs via Cache Evictions
• The 2020 State of Crypto Crime — Chainalysis
• Launching Aztec — Privacy on Ethereum has arrived — Tom Pocock
• Automated analysis of Ethereum smart contracts — Open Zeppelin
• Bitcoin Gold (BTG) was 51% attacked
• End-to-End Formal Verification of Ethereum 2.0 Deposit Smart Contract — Runtime Verification
• What we learned building Universal Login — Security — Universal Login
• Announcing the first dFusion Bug Bounty — Gnosis