Smart Contract Security Newsletter #43

[This newsletter is also translated to Korean by Richard Kim]

Sign up for the newsletter

A new exciting VSCode extension for Ethereum people, ETHover will let you lookup the balance, bytecode, and verified source code of any Ethereum address, in addition, it lets you decompile the bytecode using a variety of tools.

ETHover - Visual Studio Marketplace

Do you consider yourself a smart contract hacker? Or do you know someone that might be? Good news, ConsenSys Diligence is hiring.

Distilled News

Back-running

In the last newsletter we covered a transaction making a million dollars right when BzX listed their token (BZRX) on Uniswap. This phenomenon, to get your transaction in a block right after a targeted transaction, is called Back-Running (opposite to Front-running). This strategy is known to have caused the gas auction war and high gasPrices in the network due to high numbers of bots trying the same strategy and filling up the mempool.

Geth (most miners use it) sorts txs by gas price, but also uses a random mapping for txs with the *same gas price*. Hence, to be right after a tx T, you can spam txs from multiple accounts using the *same gas price* such that one of them will be included right after T.
Philippe Castonguay

In short, Random ordering of equally-priced transactions incentivises competitive spam [Discussion on GitHub issue]. The proposed solution (merged) is to sort the transactions by their arrival time other than nonce and gasPrice, however, FIFO in a decentralized network would not result in the same order for each node.

Opyn ETH Put Exploit

This week another interesting (unfortunate) “hack” happened in the DeFi world.

Opyn allows you to protect your DeFi deposits and hedge ETH risk.

The details of the issue are still up for analysis at the time of the writing, but it seems that the attacker used the workflow to add collateral and mint oTokens, then exercise with ETH (the underlying) but twice. Only ETH put contracts were affected by the attack and most of the funds (572,165 USDC) have been secured by whitehat hackers after the initial exploit (371,260 USDC).

Eth2.0 Attacknets

Eth2.0 is just around the corner, but it’s so complex that it needs many and many more stress tests. In this repository you can find Multi-client & Single-client attacknets configuration and how to navigate these projects.

https://twitter.com/dannyryan/status/1285225497966731265

The party has already started and bounties are being paid. There are also some tools that might help you get ahead as well, such as Sigma Prime’s Beacon Fuzzer to automatically find bugs. If you like to get further involved, The Ethereum Foundation is building an internal security team dedicated to Eth2.

Research Papers

• Model Checking Bitcoin and other Proof-of-Work Consensus Protocols
• STAN: Towards Describing Bytecodes of Smart Contract
• A Blockchain-based Iterative Double Auction Protocol using Multiparty State Channels
• Denial-of-Service Vulnerability of Hash-based Transaction Sharding: Attacks and Countermeasures
• Wendy, the Good Little Fairness Widget
• Phishing Scam Detection on Ethereum: Towards Financial Security for Blockchain Ecosystem
• Linux Security using Blockchain
• EShield: Protect Smart Contracts against Reverse Engineering
• WANA: Symbolic Execution of Wasm Bytecode for Cross-Platform Smart Contract Vulnerability Detection
• A Gas-Efficient Superlight Bitcoin Client in Solidity

The Week’s Links

• Solidity 0.6.12 — Solidity Blog
• Solidity 0.7.0 — Solidity Blog
• Ethereum 2.0 Economic Review
• ETH2.0 Specs v0.12.2
• Protecting Validator Keys — Attestant
• Symbolic execution for hevm — Formal Verification Blog
• Evidence of Mempool Manipulation on Black Thursday: Hammerbots, Mempool — blocknative
• Ledger App Isolation Bypass — Monokh
• Working With Binance to Return $10,000 of Stolen Crypto to a Victim — MyCrypto Harry
• Compression, and Spontaneous Stuck Transactions — Blocknative
• Exploring Fully Homomorphic Encryption — Vitalik Buterin
• A mathematical model of a DGTX cryptocurrency exchange. Part 1 — SmartDec
• More than 1,000 people at Twitter had ability to aid hack of accounts — Reuters
• Elliptic Identifies Likely Use of Wasabi Wallet Service to Launder Twitter Hack Bitcoins — Elliptic
• Three people have been charged for Twitter’s huge hack, and a Florida teen is in jail — The Verge
• Bitcoin Softfork Activation Methodology — BitMex
• Accidentally stepping on a DeFi lego — Trail of Bits
• How to protect yourself against hacks with Nexus Mutual — Bankless
• Augur v2 Launches
• Lightning Sucks 2: Electric Boogaloo — Elias Rohrer Talks Timing Attacks
• Attacker Stole 807K ETC in Ethereum Classic 51% Attack — Bitquery
• Can GPT-3 develop or audit smart contracts? — Peteris Erins Twitter Thread
• Philippines’ SEC just denounced the top Ethereum dapp as a Ponzi — Decrypt
• How hackers laundered $3.4 million Bitcoin in plain sight — Decrypt
• 4bytes.info is back up again
• Tor 0day: Stopping Tor Connections — The Hacker Factor Blog

If you enjoy this newsletter please share it with your friends, or ask them to sign up here Smart Contract Security Newsletter