Smart Contract Security Newsletter #42

Shayan Eskandari
ConsenSys Diligence
Jul 18, 2020

[This newsletter is also translated to Korean by Richard Kim and to Farsi by CoinIran.]

(This newsletter was sent out on July 17th; sign up to receive future issues on the day they go out.)

Last week we open-sourced one of our tools, Legions, an EVM node security toolkit. With it you can look up ENS details, inspect smart contract storage, and enumerate any node's exposed RPC interfaces. Read more about Legions and its other functionality here:

We are also honored that Status has asked us to serve as the Champion on the Nimbus ETH2.0 beacon chain assessment, working alongside NCC Group and Trail of Bits.

Do you consider yourself a smart contract hacker? Or do you know someone who might be? Good news: ConsenSys Diligence is hiring.

Distilled News

“CryptoForHealth” Twitter takeover

Yesterday Twitter got hacked [NYTimes, Verge]. It appears to have been either social engineering or an insider job that gave the attackers access to Twitter's internal admin tooling, a.k.a. "god mode". You can follow MyCrypto's live-coverage Twitter thread of the event, or check out their spreadsheet containing all the details of what happened.

This is not the first time something like this has happened: back in 2009 a similar hack occurred, and Twitter promised the FTC it would safeguard the confidentiality of users' personally identifiable information. Last year the Department of Justice also charged two Twitter employees with providing private information from Twitter accounts to Saudi Arabian nationals. It seems Twitter is on its way to the Senate again, based on the letter Senator Josh Hawley sent to Twitter's CEO.

There is not much the community can do beyond reviewing your own security settings, although we suggest blacklisting the attackers' Bitcoin addresses if you are involved in any exchange or trading service:

  • bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
  • bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l
  • 1AXRMCHu2yCTHJGcaaCBmWAzXCWmo7RKFx
  • bc1q0kznuxzk6d82e27p7gplwl68zkv40swyy4d24x

To wrap this up, one of the best troll responses was this Bitcoin transaction to their address, carrying a poem promoting Monero:

https://btc.com/54215bf9b24db3dbf3463f305128caa0c6ac5be8fd6e7d5d534f494855fd1689

How did someone make a million dollars in 30 min?

Last week bZx listed their token (BZRX) on Uniswap, and it was fascinating to see that in the very same block that included the listing transaction, there was another transaction buying up 650 ETH worth of BZRX. The buyer then gradually sold the acquired BZRX and profited greatly from this well-timed, risky trade.

Roman Storm’s twitter thread explains all the steps:

How did someone make a million dollars in 30 min?

1. Wait for BZRX news for Uniswap listing.
2. Write a smart contract that buys the token on Uniswap.
3. Spam the eth network so others can't get in with failed txs.

Security implications of Governance Tokens

Eva Beylin generated some interesting discussion on twitter with this assertion:

If the market cap of a DeFi protocol is less than or equal to its TVL (total value locked), it’s undervalued.

The underlying assumption here is that a majority of self-interested token holders can be expected to vote for protocol changes that benefit them. Thus, if a protocol holds $1MM and 50% of that protocol's governance token can be purchased for less than $1MM, an attacker could quietly accumulate a sufficient balance to vote for a protocol change that results in them taking control of the full value locked [1].

On top of that, governance tokens also have implications for composability within other protocols. An example taken from Compound is Gauntlet Network’s proposal for a Formal Analysis Period for Larger Proposals:

The COMP issuance rebalancing proposal (CP011) affects not only Compound, but caused externalities that impact borrowing/supply demand such as Dai issuance and the Dai peg. These externalities affect both systems and deserve a more thorough analysis than proposals that are more straightforward.

Another good read that touches on this topic: Stablecoins 2.0: Economic Foundations for DeFi.

[1]: Of course, there are ways of mitigating such ‘plutocratic’ attacks, such as imposing a delay between when a proposal passes and when the upgrade is activated. This would give depositors time to react and protect their funds from a malicious proposal.
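To make the mitigation in the footnote concrete, here is an added example (not code from any protocol mentioned above) of a minimal timelocked executor: a passed proposal is only queued, and can be executed only after a fixed delay, during which depositors can withdraw or the governor can cancel. The contract name, the two-day `DELAY`, and the `governor` address are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical minimal governance executor (illustration only).
/// Passed proposals are queued with an activation time (eta); nothing
/// changes on-chain until DELAY has elapsed, giving depositors a window
/// to react before a potentially malicious upgrade takes effect.
contract TimelockedGovernance {
    uint256 public constant DELAY = 2 days;   // assumed delay
    address public immutable governor;        // vote-tallying contract (assumed)

    struct Proposal { address target; bytes data; uint256 eta; }
    mapping(bytes32 => Proposal) public queued;

    event ProposalQueued(bytes32 indexed id, address target, uint256 eta);
    event ProposalExecuted(bytes32 indexed id);
    event ProposalCancelled(bytes32 indexed id);

    constructor(address _governor) { governor = _governor; }

    modifier onlyGovernor() { require(msg.sender == governor, "not governor"); _; }

    // Called once a vote has passed. Only records the eta; no state change yet.
    function queue(address target, bytes calldata data)
        external onlyGovernor returns (bytes32 id)
    {
        uint256 eta = block.timestamp + DELAY;
        id = keccak256(abi.encode(target, data, eta));
        queued[id] = Proposal(target, data, eta);
        emit ProposalQueued(id, target, eta);
    }

    // Anyone may execute, but only after the full delay has elapsed.
    function execute(bytes32 id) external {
        Proposal memory p = queued[id];
        require(p.eta != 0, "unknown proposal");
        require(block.timestamp >= p.eta, "timelock not expired");
        delete queued[id];
        (bool ok, ) = p.target.call(p.data);
        require(ok, "call failed");
        emit ProposalExecuted(id);
    }

    // During the delay a proposal found to be malicious can still be withdrawn.
    function cancel(bytes32 id) external onlyGovernor {
        require(queued[id].eta != 0, "unknown proposal");
        delete queued[id];
        emit ProposalCancelled(id);
    }
}
```

The delay is what turns a surprise majority vote into an announced one: the `ProposalQueued` event and the public `queued` mapping let depositors and monitoring tools see the pending change before it can be executed.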

If you enjoy this newsletter, please share it with your friends, or ask them to sign up here: Smart Contract Security Newsletter
