Smart Contract Security Newsletter #39
Last week at the Diffusion Digital conference Gonçalo Sá, joined Ben Livshits of Brave Software and Thibauld Favre of Fairmint on a pretty interesting panel:
Also, Sūrya, our Solidity inspector, has been updated to support the most recent Solidity versions using the community-supported Solidity parser and some more tweaks.
Distilled News
Understanding the Risks of TokenSets — Set Labs — Anthony Sassano
There are many risks associated with using the different DeFi/Open Finance protocols on Ethereum and these risks should be considered before a user decides to interact with any of these apps.
In this post, we’ll clearly outline all of the risks that you should be aware of when using the TokenSets platform and interacting with the Set Protocol contracts so that you can make more informed decisions when buying a Set.
This blog post is a really good example of how DeFi developers should list and acknowledge the risks associated with their product. We really encourage other DeFi teams to follow a similar approach of trying to answer the hard questions to help inform their users about the risks.
Alibaba Group Holding, known for their popular e-commerce websites, dabbles in smart contract security — Patent
This was news to us to see Alibaba’s activities in the patent world on blockchain technology. They seem to have filed multiple patents in Dec 2019, such as System and method for digital asset transfer, System and method for blockchain-based notification, and a few more.
This patent seems the most relevant to this newsletter: The System and Method for Improving Security of Smart Contract on Blockchain:
A computer-implemented method for improving security of smart contract understood: obtaining a first and second transactions both invoking a smart contract, where the first transaction is associated with a protection condition; executing the second transaction and updating a current state of the smart contract; determining whether the updated current state of the smart contract satisfies the protection condition; in response to determining that the updated current state satisfies the protection condition, executing the first transaction, and recording the second and the first transactions into a data block for adding to a blockchain; and in response to determining that the updated current state does not satisfy the protection condition, recording the second transaction into another data block for adding to the blockchain.
Malicious bots are scanning GitHub uploads for private crypto keys and seed phrases — Decrypt.co
In the department of “completely obvious things worth being reminded of once in a while”, you shouldn’t push secrets to GitHub.
A hacker got my mnemonic and stole $1,200 in ethereum from my Metamask wallet in under 100 seconds. The hackers were using a bot to scan for the mnemonic phrases across GitHub, and I accidentally left it in my code on a GitHub repo…
Research Papers
- SHA-1 collisions now cost $45k
- EthScope: A Transaction-centric Security Analytics Framework to Detect Malicious Smart Contracts on Ethereum
- LadderLeak: Breaking ECDSA With Less Than One Bit Of Nonce Leakage
- Everything is a Race and Nakamoto Always Wins
- Blockchain is Watching You: Profiling and Deanonymizing Ethereum Users
- A Survey on Blockchain Interoperability: Past, Present, and Future Trends
- Overview of Polkadot and its Design Considerations — Web3 Foundation, Parity
- Game theoretical framework for analyzing Blockchains Robustness
- Zero Knowledge Proofs applied to Auctions (2019)
- Attacking Zcash Protocol For Fun And Profit
Other Links
- Thoughts on DeFi Security — ConsenSys
- Reinventing Vulnerability Disclosure using Zero-knowledge Proofs
- Bug Hunting with Crytic
- Lit by Laser: PIN Code Recovery on Coldcard Mk2 Wallets
- Chainlink VRF: On-chain Verifiable Randomness
- An Update on tBTC’s Launch — Keep Network
- Ethereum Classic had a massive network partition due to faulty FORK_ID generation
- HegicOptions has shut down again — Andrew Kang Twitter thread
- Aragon Drama Pushes On-Chain Governance Idealists to the Meatspace — The Defiant
If you enjoy this newsletter please share it with your friends, or ask them to sign up here Smart Contract Security Newsletter