Smart Contract Security Newsletter #43

Shayan Eskandari
ConsenSys Diligence
4 min read · Aug 7, 2020

[This newsletter has also been translated into Korean by Richard Kim]

Sign up for the newsletter

ETHover is an exciting new VSCode extension for Ethereum developers: it lets you look up the balance, bytecode, and verified source code of any Ethereum address, and it can decompile the bytecode using a variety of tools.

Do you consider yourself a smart contract hacker? Or do you know someone who might be? Good news: ConsenSys Diligence is hiring.

Distilled News

Back-running

In the last newsletter we covered a transaction that made a million dollars right when bZx listed their token (BZRX) on Uniswap. This practice of getting your transaction included in a block immediately after a targeted transaction is called back-running (the opposite of front-running). The strategy is known to have caused gas auction wars and high gasPrices on the network, as large numbers of bots attempted the same strategy and filled up the mempool.

Geth (most miners use it) sorts txs by gas price, but also uses a random mapping for txs with the *same gas price*. Hence, to be right after a tx T, you can spam txs from multiple accounts using the *same gas price* such that one of them will be included right after T.
Philippe Castonguay

In short, random ordering of equally-priced transactions incentivises competitive spam [discussion on the GitHub issue]. The proposed solution (now merged) is to sort transactions by arrival time as well as by nonce and gasPrice. However, FIFO ordering in a decentralized network does not produce the same order on every node, because each node sees transactions arrive at different times.
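To make the two ordering rules concrete, the following Python model (added here; it is not Geth's code, and the senders, gas prices and per-node arrival times are constructed) compares random tie-breaking among equally priced transactions with the merged arrival-time tie-break, and shows why the latter still yields different orders on different nodes.

```python
import random
from dataclasses import dataclass

# Constructed model of Geth-style mempool ordering (not Geth's own code).
@dataclass(frozen=True)
class Tx:
    sender: str
    gas_price: int  # gwei, constructed values

def order_random_tiebreak(txs, rng):
    """Old behaviour: highest gas price first, equal prices in random order
    (Geth iterated a Go map of per-account queues, whose order is randomized)."""
    shuffled = list(txs)
    rng.shuffle(shuffled)
    return sorted(shuffled, key=lambda t: -t.gas_price)  # stable sort keeps the shuffle among ties

def order_arrival_tiebreak(txs, arrival):
    """Merged fix: highest gas price first, ties broken by when THIS node first saw the tx."""
    return sorted(txs, key=lambda t: (-t.gas_price, arrival[t.sender]))

def sender_right_after(order, target_sender):
    senders = [t.sender for t in order]
    i = senders.index(target_sender)
    return senders[i + 1] if i + 1 < len(senders) else None

# Constructed mempool: target T, an honest tx H, three equally priced txs S1..S3 from one
# actor using several accounts, plus one higher- and one lower-priced tx.
MEMPOOL = [Tx("T", 50), Tx("H", 50), Tx("S1", 50), Tx("S2", 50), Tx("S3", 50), Tx("X", 60), Tx("L", 40)]
MULTI_ACCOUNT_ACTOR = {"S1", "S2", "S3"}

def share_right_after_target(target_sender="T", trials=2000, seed=0):
    """Fraction of random orderings in which one of the actor's txs lands directly after the
    target. Expected 3/5: T is not last among the 5 tied txs with probability 4/5, and then
    3 of the remaining 4 tied txs belong to the actor."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        hits += sender_right_after(order_random_tiebreak(MEMPOOL, rng), target_sender) in MULTI_ACCOUNT_ACTOR
    return hits / trials

# Arrival times in seconds as seen by two nodes (constructed): on node B, H propagated
# slower than S1, so the same FIFO rule yields a different block order.
ARRIVAL_NODE_A = {"T": 0.0, "H": 1.0, "S1": 2.0, "S2": 3.0, "S3": 4.0, "X": 5.0, "L": 6.0}
ARRIVAL_NODE_B = {"T": 0.0, "H": 3.0, "S1": 1.5, "S2": 3.5, "S3": 4.0, "X": 5.0, "L": 6.0}

def right_after_target_per_node(target_sender="T"):
    return {name: sender_right_after(order_arrival_tiebreak(MEMPOOL, arrival), target_sender)
            for name, arrival in (("node_a", ARRIVAL_NODE_A), ("node_b", ARRIVAL_NODE_B))}
```

Under random tie-breaking the multi-account actor is directly behind the target in roughly 60% of orderings, so adding accounts raises the odds; under the arrival-time rule the result is deterministic per node but differs between node A (H) and node B (S1).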

Opyn ETH Put Exploit

This week another interesting (unfortunate) “hack” happened in the DeFi world.

Opyn allows you to protect your DeFi deposits and hedge ETH risk.

The details of the issue are still under analysis at the time of writing, but it appears that the attacker used the normal workflow to add collateral and mint oTokens, then exercised them with ETH (the underlying), but twice. Only ETH put contracts were affected by the attack, and most of the funds (572,165 USDC) were secured by whitehat hackers after the initial exploit (371,260 USDC).

Eth2.0 Attacknets

Eth2.0 is just around the corner, but it is so complex that it needs many more stress tests. In this repository you can find multi-client and single-client attacknet configurations, along with guidance on how to navigate these projects.

https://twitter.com/dannyryan/status/1285225497966731265

The party has already started and bounties are being paid. There are also some tools that might help you get ahead, such as Sigma Prime’s Beacon Fuzzer for finding bugs automatically. If you would like to get further involved, the Ethereum Foundation is building an internal security team dedicated to Eth2.

The Week’s Links

If you enjoy this newsletter, please share it with your friends, or ask them to sign up here: Smart Contract Security Newsletter
