Smart Contract Security Newsletter #44
Distilled News
The Untamed DeFi
In the past few weeks, so much has happened in the DeFi world that it is impossible to follow it all anymore. Here are some of the rises and falls, and other eccentric events, that caught our radar:
The rise and fall of Yam in 48 hours:
- Decentralized Finance, the YAM fiasco and the road to DeFi sustainability
- RIP $YAM code review
- Why YAM is a Nakamoto Scheme — Hasu
Curve Finance anonymous deployment:
Based Protocol
- Synthetix xSNXa False Start: Post Mortem — Samczsun, the killer of DeFi high hopes, found an exploit on the first day of xSNXa
- YFV.finance Staking never ends Exploit — Anyone can reset the staking clock, creating a situation in which anyone can spend gas to extort members, but with no guarantee of being paid
- Chicken.Finance is backdoored using a Unicode lookalike trick (Pub1ic) which, judging by the function names, also seems to be trolling the DeFi space
All these events emphasize the importance of a better mechanism for DeFi Security, such as DeFi Safety ratings.
Back to Ethereum Nodes
A critical bug was found in the OpenEthereum node and was discussed by Liam Aharon on Twitter.
Also, if you followed the discussion on transaction back-running from our last newsletter, the new Geth release v1.9.19 ships a more deterministic transaction sort order during mining (FIFO). The goal is to reduce front-runner spam, which abused the miner's random ordering of transactions at the same price level.
DEFCON Safe Mode Blockchain Village
Really interesting keynote presentation by Peter Kacherginsky on The State of Blockchain Security in 2020.
All other videos can be found on the DEF CON Blockchain Village YouTube channel.
Research Papers
- Security checklists for Ethereum smart contract development: patterns and best practices
- A Jumping Mining Attack and Solution
- Fuzzing to Estimate Gas Costs of Ethereum Contracts
- Towards Automated Verification of Smart Contract Fairness
- TxSpector: Uncovering Attacks in Ethereum from Transactions
- EncELC: Hardening and Enriching Ethereum Light Clients with Trusted Enclaves
- De-anonymizing Ethereum blockchain smart contracts through code attribution
The Week’s Links
- Formally Verifying the Ethereum 2.0 Phase 0 Specifications — ConsenSys
- Cryptocurrency Money Laundering Explained — Coinmonks
- Chainlink Gitcoin Bounty Program
- The 10 Best Things You Can Do to Not Lose Your Crypto — MyCrypto
- Securing an ERC-20 token for launch on Coinbase
- Solidity Bugs in Yul — Mikerah
- Smart Contract exploitation by Smart Contract Programmer [Video]
- Beacon Fuzz — Update #07 — SigmaPrime
- Steem vs Tron: The rebellion against a cryptocurrency empire — Decrypt
- Opyn ETH Put Exploit Post Mortem — Opyn
- A mysterious group has hijacked Tor exit nodes to perform SSL stripping attacks — ZDNet
- Cryptocurrency Money Laundering Explained — BitQuery
- Ethereum Classic Attack, 8 August: Catch me if you can — BitQuery
Do you consider yourself a smart contract hacker? Or do you know someone who might be? Good news: ConsenSys Diligence is hiring.
If you enjoy this newsletter, please share it with your friends, or ask them to sign up here: Smart Contract Security Newsletter