Smart Contract Security Newsletter #35

Published in

ConsenSys Diligence

3 min readApr 3, 2020

Hope you have stayed home, sane, and productive in these unprecedented times. As you know almost all conferences are cancelled or have moved to the virtual world.

We will, virtually, be at NonCon on April 3–5, join us for some meta fun with many VR after parties.

April 5, 12pm GMT+2: Detecting DeFi bugs and arbitrage opportunities using symbolic execution — Bernhard Mueller
April 5, 4:50pm GMT+2: Transparent Dishonesty: Front-running attacks on blockchain — Shayan Eskandari

Also, check out the latest updates to VSCode Solidity Visual Auditor (useful for developers too)! The new release makes it easier than ever to navigate and understand your solidity contracts in the Cockpit panel, with great features like:

Find Top Level Contracts
List public state-changing methods and modifiers in the current contract
Show the function call trace for the current method

Distilled News

New Offering: 1-Day Security Reviews — ConsenSys Diligence

Over the past few months, we have been conducting short “security reviews”, typically one or two days in duration. In some ways, these are similar to audits, but in other ways they’re quite different.

Such a review is an inexpensive way to discover fundamental issues early and have a chance to resolve them before it’s time for a full audit.

Another way clients have started to use these brief security reviews is as an alternative to a full audit. These clients typically don’t have the budget for a full audit but want to do what they can to make their product secure.

Bugs in Aragon Court, Synthetic, and HegicOptions — Samczsun

We are thinking of dedicating a section of this newsletter exclusively to Samczsun’s reported bugs, but until then, here’s what he was up to in the last 2 weeks:

HegicOptions is an On-chain Options Trading protocol, here’s Sam’s exploit for their DAI liquidity pool contract.
Synthetix, a protocol for trading synthetic assets was saved before their 3 months trial ended, in which they were planning to launch a full implementation of Ether Collateral. You can read more about the detail of this bug in their blog post: Ether Collateral Bug Disclosure
Aragon Court also rolled out 3 bug fixes and disclosed the issues in a blog post: Aragon Court V1 Upgrades & Disclosures

Exploring Deep Learning Models for Vulnerabilities Detection in Smart Contracts — [MIT MSc Thesis]

In this project, a Deep Learning model used with a novel source code input representation was created for the line-level vulnerability detection task.

The input structure in combination with a specific DL model can capture intricate data and control dependencies between various program variables. The developed method has successfully classified line-level vulnerabilities using a corpus of Solidity contracts as input.

On increasing complexity in OpenZeppelin — Nick Johnson, Twitter

Nick Johnson tweeted what everyone was thinking:

I love @OpenZeppelin, but I’m a bit concerned at the trend I see towards complexity. Take AccessControl.sol, for instance; it’s evolved from a simple RBAC mechanism to something that incorporates enumerability and the concept of “admin accounts” for each role.

A couple interesting sub-threads worth reading through:

Patrick McCorry chimes in about `_msgSender()` which recently appeared in the most ubiquitous Zepp contract of all, Ownable.sol.
OpenZeppelin developer Nicolas Venturo responds with some background on how they think about adding complexity to the contracts.