Smart Contract Security Newsletter #36
Distilled News
DeFi Rollercoaster — imBTC, Uniswap & dForce lendFme
Over the weekend, DeFi saw one of the biggest hacks in DeFi history, more than $25M. However, the hacker returned all the hacked assets at the end. Sorry for the spoiler.
The hack was a result of a re-entrancy attack made possible by the ERC777 token standards callback functionality.
- This attack was actual discussed in our Uniswap audit more than a year ago,
- And a proof of concept exploit was published by Open Zeppelin
Some good overview resources include Peckshield’s very technical writeup of the attack, and DeFi weekly has a very accessible writeup outlining the basics of the attack, and the ensuing negotiations with the hacker.
Collusion in Gitcoin Grants — @owocki on twitter
Gitcoin recently concluded its most recent round of grants, which allows anyone to contribute as much or as little to any of the listed projects. The interesting thing about Gitcoin grants is that donations are matched according to the CLR mechanism.
The amount received by the project is (proportional to) the square of the sum of the square roots of contributions received.
This scheme puts more emphasis on how many people donated, and less on how much each individual donated. So if 4 people each donate 2 DAI to a particular project, it will receive more matching funds than if 1 person donates 8 DAI.
Naturally this creates a strong incentive for collusion and/or sybil attacks. Kevin Owocki’s twitter thread describes a particularly active collusion ring supporting the same project:
47% of contributions to a particular grant were funded by the same account.
We felt this was important to highlight, because as we still see the occasional system designed with the assumption that different addresses are necessarily different people.
Updates on Smart Contract Analysis Tools
Coinmonks wrote an interesting article comparing different Ethereum Security Analysis Tools, focusing on Slither, Mythx, and Securify.
A few updates on the Mythx side, MythX integrated into Embark, using their Embark MythX plugin.
Also Valentin Wustholz from Mythx team, has been working on improving Harvey, a fuzzer tool for Ethereum. Here’s a blog post about the recent developments, Targeted fuzzing using static lookahead analysis, and if you want to get in depth of the tool check out their paper.
Other Links
- Eth2 Phase 0 Pre-Launch Bounty Program — Ethereum Notes
- Solidity Memory Array Creation Overflow Bug — Solidity Team
- Solidity v 0.6.6
- Inspect | Codefi Data — Protocol transparency in DeFi
- Lodestar Initial Audit Passes with Flying Colours — Least Authority
- iExec PoCo (Proof of Contribution) Audit Report — ConsenSys Diligence
- Virtual DeFi Hackathon: HackMoney
- Flash mintable asset backed tokens — Austin-Williams
- Discovering Fake Browser Extensions — MyCrypto
- Beacon Fuzz — Update #03 — Sigma Prime
- CryptoHack — A fun platform for learning modern cryptography
- Apple just killed Local Storage: what that means for Burner Wallets — David Mihal
- EasterHack: the unbreakable Gnosis MultiSig via Multis — Sebastian Bürgel
- Bank run Payment Channel Networks [Paper]
- Hacker Exploits Flaw in Decentralized Bitcoin Exchange Bisq to Steal $250K — CoinDesk
- A Study on Blockchain Key Management Systems — Part 1
- DEFI Security Matching Round | Grants — Gitcoin
If you enjoy this newsletter please share it with your friends, or ask them to sign up here Smart Contract Security Newsletter.
