Smart Contract Security Newsletter #34
Hope you are all healthy, at home, with plenty of toilet paper.
Last month was pretty busy with conferences; here are some of our talks:
EthCC [All Videos]:
- Preventing Disaster: Advances in Smart Contract Vulnerability Detection — Bernhard Mueller
- Ether Wars Exploits Counter Exploits and Honeypots — Daniel Luca
- ERC20 Misbehaviors — Sergii Kravchenko
- Mutation Testing for Smart Contracts — Joran Honig
Stanford Blockchain Conference [All Videos]:
- “Transparent Dishonesty: front-running attacks on Blockchain” — Shayan Eskandari
Also listen to the latest Epicenter episode, EthCC 3 — Flash Loans and Elbow Bumps, featuring our one and only Gonçalo Sá.
Distilled News
ProgPoW bug
Twitter user kikx disclosed a bug in ProgPoW which would have enabled an ASIC operator to find a new advantage over GPU miners.
ProgPoW’s designer, Kristy-Leigh Minehan, gave a nice step-by-step explanation of the bug in this Twitter thread.
The MakerDAO Auction Fiasco
On March 12th, in the midst of a market sell-off, someone managed to purchase $4.5 MM worth of ETH from liquidated Maker CDPs (Collateralized Debt Positions). GlassNode has the most comprehensive write-up we’ve seen, and we’ll borrow their great TL;DR:
- Ethereum Network Overwhelmed, Gas Prices Increased — On 12 March, the Ethereum network was overwhelmed by demand as the price rapidly plummeted. The transaction queue grew as network capacity was reached, and gas prices shot up by an order of magnitude.
- Price Oracles Failed — Due to uncharacteristically high gas prices, price oracles including the Maker ‘Medianizer’ failed to update their feeds.
- CDP Liquidations Lagged, Then Were Triggered En Masse — When the Medianizer feed was updated, the reported price instantly decreased by over 20%, causing many CDPs to be liquidated immediately.
- ETH Was Sold For Free Through Maker — Again due to high gas fees and network congestion, when the ETH collateral in these CDPs was auctioned off, many bids did not get through. This allowed some liquidators to win these auctions with bids of zero DAI by paying high gas fees, extracting over $8 million worth of ETH essentially for free.
- CDP Owners Left With Millions In Losses — This exploit means that over $4.5 million of DAI in the MakerDAO system is now unbacked. In addition, users whose CDPs were liquidated (and whose ETH was sold to the zero-bid liquidator) lost 100% of their collateral, resulting in millions of dollars of losses for the DeFi community.
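The zero-bid outcome above comes down to an auction that will hand over the lot to whatever bid happens to land, with no floor and no time for outbid parties to respond once blocks are full. The contract below is an added illustration written for this newsletter, not MakerDAO's code and not a description of how Maker's auctions are implemented; it shows the three checks a collateral auction needs so that congestion alone cannot turn a liquidation into a giveaway: a reserve price set when the auction is kicked, a minimum bid increment, and a deadline that extends on late bids. The `IToken` interface, the durations, and the 3% increment are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration (not MakerDAO's code): a collateral auction that cannot
// be won below a reserve, however few competing transactions get mined.
// IToken is a minimal ERC20-style interface assumed for the example.
interface IToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract CollateralAuction {
    struct Auction {
        uint256 lot;           // collateral being sold
        uint256 reserve;       // floor in DAI, chosen by the kicker from debt and last oracle price
        uint256 highestBid;    // best DAI bid so far (0 = none)
        address highestBidder; // address(0) = no valid bid yet
        uint256 end;           // earliest settlement time
        bool settled;
    }

    IToken public collateral;
    IToken public dai;
    uint256 public constant MIN_DURATION = 6 hours;    // assumed values for illustration
    uint256 public constant EXTENSION = 30 minutes;
    uint256 public constant MIN_INCREMENT_BPS = 300;   // each bid must beat the last by 3%

    mapping(uint256 => Auction) public auctions;
    uint256 public count;

    constructor(IToken _collateral, IToken _dai) {
        collateral = _collateral;
        dai = _dai;
    }

    // Start an auction. `reserve` is the floor the kicker derives off-chain or
    // from the system's debt accounting; a zero reserve is rejected outright.
    function kick(uint256 lot, uint256 reserve) external returns (uint256 id) {
        require(lot > 0 && reserve > 0, "lot and reserve must be positive");
        id = ++count;
        auctions[id] = Auction(lot, reserve, 0, address(0), block.timestamp + MIN_DURATION, false);
        require(collateral.transferFrom(msg.sender, address(this), lot), "collateral pull failed");
    }

    function bid(uint256 id, uint256 amount) external {
        Auction storage a = auctions[id];
        require(!a.settled && block.timestamp < a.end, "auction closed");
        // Check 1: reserve price. Without it, the first bid to land (even zero)
        // wins whenever nobody else's transaction is mined before settlement.
        require(amount >= a.reserve, "bid below reserve");
        // Check 2: minimum increment, so the auction cannot stall on dust raises.
        if (a.highestBidder != address(0)) {
            require(amount >= a.highestBid + (a.highestBid * MIN_INCREMENT_BPS) / 10000, "increment too small");
        }
        // Check 3: a bid close to the deadline pushes it out, giving outbid parties
        // a window to respond even when the network is congested.
        if (a.end - block.timestamp < EXTENSION) {
            a.end = block.timestamp + EXTENSION;
        }
        // Effects before interactions: record the new leader, then move tokens.
        address prevBidder = a.highestBidder;
        uint256 prevBid = a.highestBid;
        a.highestBid = amount;
        a.highestBidder = msg.sender;
        require(dai.transferFrom(msg.sender, address(this), amount), "DAI pull failed");
        if (prevBidder != address(0)) {
            require(dai.transfer(prevBidder, prevBid), "refund failed");
        }
    }

    // Settle only after the window has elapsed and a reserve-meeting bid exists.
    function settle(uint256 id) external {
        Auction storage a = auctions[id];
        require(!a.settled && block.timestamp >= a.end, "auction still open");
        require(a.highestBidder != address(0), "no valid bid; restart instead");
        a.settled = true;
        require(collateral.transfer(a.highestBidder, a.lot), "collateral transfer failed");
        // DAI proceeds remain in this contract for the system to burn or forward.
    }

    // If the window elapsed with no bid at or above the reserve, the lot is not
    // given away: it is reopened with a fresh reserve from current prices.
    function restart(uint256 id, uint256 newReserve) external {
        Auction storage a = auctions[id];
        require(!a.settled && block.timestamp >= a.end, "auction still open");
        require(a.highestBidder == address(0), "has a valid bid; settle instead");
        require(newReserve > 0, "reserve must be positive");
        a.reserve = newReserve;
        a.end = block.timestamp + MIN_DURATION;
    }
}
```

The reserve is the check that matters most in the scenario above: with it, an auction that receives no acceptable bid during congestion simply expires and is restarted, rather than settling at zero. The deadline extension addresses the second half of the problem, bids that were sent but never mined, by giving them time to land once gas prices settle.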
Maker also published a post on the 12th entitled “Recent Market Activity and Next Steps”, as well as plans to run an MKR Debt Auction on the 19th.
On a not-entirely-unrelated note, someone built an interesting smart contract allowing MKR holders to sell their voting power to the highest bidder, read more here.
SmartBugs: An Execution Framework for Automated Analysis of Smart Contracts — João F. Ferreira
This new paper is worth the read. We like that they open-sourced their dataset and testing framework.
Over the last few years, there has been substantial research on automated analysis, testing, and debugging of Ethereum smart contracts. However, it is not trivial to compare and reproduce that research. To address this, we present an empirical evaluation of 9 state-of-the-art automated analysis tools using two new datasets.
We found that only 42% of the vulnerabilities from our annotated dataset are detected by all the tools, with the tool Mythril having the highest accuracy (27%).
Stay Home!
It’s a good opportunity to learn a new skill set or promote some of these resources to your friends and families so they can enjoy their home office with some fun productivity.
Hack these for fun:
- Capture The Ether — Hack the contracts for educational purposes only
- The Ethernaut — Hack the contracts with a cool interface
Learn:
- CryptoZombies — Learn to Code Blockchain DApps By Building Simple Games
- Mastering Ethereum, by Andreas M. Antonopoulos, Gavin Wood [Open Source]
- Ethereum Developer Portal & Training — ConsenSys
- Watch Selected Talks by ConsenSys Diligence
- Kids can learn how to code while schools are closed
Earn:
- Ethereum Bug bounties — Find bugs and get paid for them
- Gitcoin Bounties — Freelance Code Bounties
Other Links
- Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit [Paper]
- VeriSmart: A Highly Precise Safety Verifier for Ethereum Smart Contract [Paper]
- DeFi Complexity Breeds Attacks, White Hat Superhero Samczsun Says — Camila Russo
- A curated list of oracle methods used in decentralized finance (DeFi) projects — Linda Xie
- Mea Culpa: A New Beginning — bZx
- Backdooring Gnosis Safe Multisig wallets — OpenZeppelin
- Easy multi-contract security analysis using Mythril — MythX
- End-to-End Transport Layer Security on Hyperledger Besu 1.4 — PegaSys
- Solidity Version 0.5.17 release, fixing private function override
Sign up for the Smart Contract Security Newsletter to be the first to receive the top security news every two weeks.