Smart Contract Security Newsletter #35

Shayan Eskandari
Apr 3, 2020 · 3 min read

Hope you have stayed home, sane, and productive in these unprecedented times. As you know almost all conferences are cancelled or have moved to the virtual world.

We will, virtually, be at NonCon on April 3–5, join us for some meta fun with many VR after parties.

Also, check out the latest updates to VSCode Solidity Visual Auditor (useful for developers too)! The new release makes it easier than ever to navigate and understand your solidity contracts in the Cockpit panel, with great features like:

  • Find Top Level Contracts
  • List public state-changing methods and modifiers in the current contract
  • Show the function call trace for the current method

Distilled News

Over the past few months, we have been conducting short “security reviews”, typically one or two days in duration. In some ways, these are similar to audits, but in other ways they’re quite different.

Such a review is an inexpensive way to discover fundamental issues early and have a chance to resolve them before it’s time for a full audit.

Another way clients have started to use these brief security reviews is as an alternative to a full audit. These clients typically don’t have the budget for a full audit but want to do what they can to make their product secure.

We are thinking of dedicating a section of this newsletter exclusively to Samczsun’s reported bugs, but until then, here’s what he was up to in the last 2 weeks:

  • HegicOptions is an On-chain Options Trading protocol, here’s Sam’s exploit for their DAI liquidity pool contract.
  • Synthetix, a protocol for trading synthetic assets was saved before their 3 months trial ended, in which they were planning to launch a full implementation of Ether Collateral. You can read more about the detail of this bug in their blog post: Ether Collateral Bug Disclosure
  • Aragon Court also rolled out 3 bug fixes and disclosed the issues in a blog post: Aragon Court V1 Upgrades & Disclosures

In this project, a Deep Learning model used with a novel source code input representation was created for the line-level vulnerability detection task.

The input structure in combination with a specific DL model can capture intricate data and control dependencies between various program variables. The developed method has successfully classified line-level vulnerabilities using a corpus of Solidity contracts as input.

Nick Johnson tweeted what everyone was thinking:

I love @OpenZeppelin, but I’m a bit concerned at the trend I see towards complexity. Take AccessControl.sol, for instance; it’s evolved from a simple RBAC mechanism to something that incorporates enumerability and the concept of “admin accounts” for each role.

A couple interesting sub-threads worth reading through:

  • Patrick McCorry chimes in about `_msgSender()` which recently appeared in the most ubiquitous Zepp contract of all, Ownable.sol.
  • OpenZeppelin developer Nicolas Venturo responds with some background on how they think about adding complexity to the contracts.

If you enjoy this newsletter please share it with your friends, or ask them to sign up here Smart Contract Security Newsletter.

ConsenSys Diligence

ConsenSys Diligence has the mission of solving Ethereum…