Smart Contract Security Newsletter #39

Shayan Eskandari
ConsenSys Diligence
3 min read · Jun 6, 2020
(This newsletter was sent out on June 4th, Sign up to receive them on the first day)

Last week at the Diffusion Digital conference, Gonçalo Sá joined Ben Livshits of Brave Software and Thibauld Favre of Fairmint on a pretty interesting panel:

Convergence, economic attacks & composability risks — how to audit cryptoeconomics?

Also, Sūrya, our Solidity inspector, has been updated to support the most recent Solidity versions using the community-supported Solidity parser and some more tweaks.

Distilled News

Understanding the Risks of TokenSets — Set Labs — Anthony Sassano

There are many risks associated with using the different DeFi/Open Finance protocols on Ethereum and these risks should be considered before a user decides to interact with any of these apps.
In this post, we’ll clearly outline all of the risks that you should be aware of when using the TokenSets platform and interacting with the Set Protocol contracts so that you can make more informed decisions when buying a Set.

This blog post is a really good example of how DeFi developers should list and acknowledge the risks associated with their product. We really encourage other DeFi teams to follow a similar approach of trying to answer the hard questions to help inform their users about the risks.

Alibaba Group Holding, known for their popular e-commerce websites, dabbles in smart contract security — Patent

This was news to us to see Alibaba’s activities in the patent world on blockchain technology. They seem to have filed multiple patents in Dec 2019, such as System and method for digital asset transfer, System and method for blockchain-based notification, and a few more.

This patent seems the most relevant to this newsletter: The System and Method for Improving Security of Smart Contract on Blockchain:

A computer-implemented method for improving security of smart contract understood: obtaining a first and second transactions both invoking a smart contract, where the first transaction is associated with a protection condition; executing the second transaction and updating a current state of the smart contract; determining whether the updated current state of the smart contract satisfies the protection condition; in response to determining that the updated current state satisfies the protection condition, executing the first transaction, and recording the second and the first transactions into a data block for adding to a blockchain; and in response to determining that the updated current state does not satisfy the protection condition, recording the second transaction into another data block for adding to the blockchain.
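A toy simulation of the protection-condition flow the abstract describes, added here as an illustration and not the patent's or Alibaba's code; the constant-product pool, the `buy` transaction and the price bound are constructed assumptions:

```python
"""Toy model of the 'protection condition' scheme from the patent abstract.

Constructed illustration: two transactions invoke the same contract; the first
carries a protection condition (a predicate over contract state). The block
builder executes the second transaction, then re-evaluates the first
transaction's condition against the *updated* state. Only if it still holds is
the first transaction executed and recorded with the second; otherwise only the
second transaction is recorded."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

State = Dict[str, float]


@dataclass(frozen=True)
class Transaction:
    name: str
    apply: Callable[[State], None]                        # mutates contract state
    protection: Optional[Callable[[State], bool]] = None  # only on the protected tx


def process_pair(state: State, first: Transaction, second: Transaction) -> Tuple[State, List[str]]:
    """Return the final state and the names of the transactions recorded in the block."""
    state = dict(state)               # copy, so the caller keeps the pre-block state
    second.apply(state)               # step 1: execute the second transaction
    if first.protection is not None and not first.protection(state):
        return state, [second.name]   # condition violated: record only the second tx
    first.apply(state)                # condition holds (or absent): execute the first tx
    return state, [second.name, first.name]


def buy(amount: float, max_price: Optional[float] = None) -> Transaction:
    """Constructed 'buy' against a toy constant-product pool with reserves x and y."""
    def apply(s: State) -> None:
        k = s["x"] * s["y"]
        s["x"] += amount
        s["y"] = k / s["x"]           # the y released by the pool goes to the buyer
    prot = None if max_price is None else (lambda s: s["x"] / s["y"] <= max_price)
    return Transaction(f"buy({amount}, max_price={max_price})", apply, prot)


def demo() -> Tuple[List[str], List[str]]:
    pool = {"x": 1000.0, "y": 1000.0}           # spot price x/y == 1.0
    user = buy(10.0, max_price=1.05)            # protected: will not buy above 1.05
    _, block_a = process_pair(pool, user, buy(10.0))    # small trade first: bound holds
    _, block_b = process_pair(pool, user, buy(200.0))   # large trade first: bound broken
    return block_a, block_b
```

In case A both transactions are recorded; in case B the protected transaction is withheld because the post-state price (1200/833.3 = 1.44) exceeds its bound.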

Malicious bots are scanning GitHub uploads for private crypto keys and seed phrases — Decrypt.co

In the department of “completely obvious things worth being reminded of once in a while”, you shouldn’t push secrets to GitHub.

A hacker got my mnemonic and stole $1,200 in ethereum from my Metamask wallet in under 100 seconds. The hackers were using a bot to scan for the mnemonic phrases across GitHub, and I accidentally left it in my code on a GitHub repo…

If you enjoy this newsletter please share it with your friends, or ask them to sign up here: Smart Contract Security Newsletter
