Smart Contract Security Newsletter #33

Shayan Eskandari
ConsenSys Diligence
3 min read · Mar 6, 2020

Distilled News

Flash Loans are here to stay.

Much confusion and disinformation has continued to flow since the bZx “hacks” last month, so maurelian’s tweet from Feb 19 is worth repeating here:

TLDR re: security implications of flash loans:

There are no NEW vulnerability classes known to the world this week.

But security assumptions based on an attacker not having access to large quantities of a token are much weaker with flash loans in the mix.
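To make the second point concrete, here is a small Python model, added as an illustration and not code from the newsletter, the tweet, or any protocol. It assumes a constructed ledger where a check gates an action on holding at least `THRESHOLD` tokens: a check that reads the live balance sees tokens borrowed and repaid within the same transaction, while a check against the balance recorded at the end of the previous block does not. The names `Ledger`, `flash_loan`, `spot_balance_check` and `snapshot_balance_check` are all hypothetical.

```python
"""Toy model of a token-balance-gated check when large capital can be
borrowed atomically. Constructed example; every name here is made up."""
from dataclasses import dataclass, field

THRESHOLD = 1_000_000  # constructed: balance required to pass the gate


@dataclass
class Ledger:
    balances: dict
    history: list = field(default_factory=list)  # per-block balance snapshots
    block: int = 0

    def end_block(self):
        # Finalize the current block by recording a copy of all balances.
        self.history.append(dict(self.balances))
        self.block += 1

    def balance_at(self, who, block):
        return self.history[block].get(who, 0)


def spot_balance_check(ledger, who):
    # Reads the live balance, so it counts tokens held only for the
    # duration of the current transaction.
    return ledger.balances.get(who, 0) >= THRESHOLD


def snapshot_balance_check(ledger, who):
    # Reads the balance as of the last finalized block. Capital that must be
    # returned before the transaction ends never appears in that snapshot.
    if ledger.block == 0:
        return False
    return ledger.balance_at(who, ledger.block - 1) >= THRESHOLD


def flash_loan(ledger, pool, borrower, amount, action):
    # Lend, run the borrower's action, then enforce repayment, all in one
    # atomic step: if repayment fails the whole thing is rolled back.
    ledger.balances[pool] -= amount
    ledger.balances[borrower] = ledger.balances.get(borrower, 0) + amount
    result = action()
    ledger.balances[borrower] -= amount
    ledger.balances[pool] += amount
    assert ledger.balances[borrower] >= 0, "repayment failed; revert"
    return result


def simulate():
    # Constructed state: a lending pool and a user far below the threshold.
    ledger = Ledger({"pool": 5_000_000, "user": 100})
    ledger.end_block()  # block 0 is finalized with the user holding 100

    def during_loan():
        return (spot_balance_check(ledger, "user"),
                snapshot_balance_check(ledger, "user"))

    outcome = {}
    outcome["spot"], outcome["snapshot"] = flash_loan(
        ledger, "pool", "user", 2_000_000, during_loan)
    outcome["after_repay"] = spot_balance_check(ledger, "user")
    return outcome


if __name__ == "__main__":
    print(simulate())  # {'spot': True, 'snapshot': False, 'after_repay': False}
```

The snapshot variant removes only the same-transaction capital assumption; it does nothing against a party who actually holds tokens across blocks, which is exactly why the tweet says the assumption is weaker rather than broken.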

If you’d like to learn more about the use cases and security considerations of flash loans, our favorite recent sources are:

“After the bZx hacks, being hit by a flash attack will be as embarrassing as getting hit by re-entrancy after the DAO hack: you will get no sympathy. You should have known better.”
- Haseeb Qureshi

Questions DeFi users should be asking DeFi Developers — ConsenSys Diligence

We wanted to step back a bit from the focus on flash loans and oracles, and look more holistically at security challenges in DeFi. Of course we’re more than happy to help developers, but in order for them to place a true priority on security, users need to start asking tough questions, and putting their money into the protocols that can answer them thoughtfully.

We put this list of questions together to help users ask better questions, and make better decisions about their risk tolerance. The questions are broken down into these categories:

  • Admin permissions
  • External Dependencies
  • Responsible disclosure and bounty programs
  • Incident response planning
  • Audits and Secure development

DeFi and chain split tweet storm — @cyounessi1

ProgPoW discussions are heating up again, and with that the possibility of another ETC-style fork. Cyrus and many others are discussing the effects of such a fork on DeFi.

Did Binance just help Justin Sun take over the Steem network? — Decrypt

We are seeing a rise in creative attacks on Proof of Stake systems. Justin Sun, CEO of TRON, recently bought the decentralized exchange Steemit.com, and Steem users voted to block him from accessing some money held on the network. It seems that, with the help of Binance, Tron is trying to take over Steem, although Justin Sun describes this as defeating the hackers.

Sign up for the Smart Contract Security Newsletter to be the first to receive the top security news every two weeks.
