Smart Contract Security Newsletter #44

Distilled News

The Untamed DeFi

In the past few weeks, so much has happened in the DeFi world that it is impossible to follow anymore. Here are some of the rise and falls, and eccentric events that were caught in our radar:

The rise and fall of Yam in 48 hours:

• Decentralized Finance, the YAM fiasco and the road to DeFi sustainability
• RIP $YAM code review
• Why YAM is a Nakamoto Scheme — Hasu

Curve Finance anonymous deployment:

• Adam Cochran Twitter Thread
• MyCrypto Twitter Thread

Based Protocol

• Pool died devops199 style

Synthetix xSNXa False Start: Post Mortem — Samczsun, the killer of DeFi high hopes, found an exploit in the first day of xSNXa

YFV.finance Staking never ends Exploit — Anyone can reset the staking clock, creating a situation that anyone can spend gas to extort members, but there is no guarantee

Chicken.Finance is backdoored using Unicode trick (Pub1ic), which based on the function names, seems to be also trolling the DeFi space

DeFi Chad and EthSecurity Community

All these events emphasize the importance of a better mechanism for DeFi Security, such as DeFi Safety ratings.

Back to Ethereum Nodes

A critical bug was found in the OpenEthereum node and was discussed by Liam Aharon on Twitter.

Also if you followed the discussion from our last newsletter on transaction back-running, Geth new release v1.9.19 ships a more deterministic transaction sort order during mining (FIFO). The goal is to reduce front-runner spam which abused miner randomness for transactions at the same price level.

DEFCON Safe Mode Blockchain Village

Really interesting keynote presentation by Peter Kachergisky on The State of Blockchain Security in 2020.

All other videos can be found on DEF CON Blockchain Village Youtube.

Research Papers

• Security checklists for Ethereum smart contract development: patterns and best practices
• A Jumping Mining Attack and Solution
• Fuzzing to Estimate Gas Costs of Ethereum Contracts
• Towards Automated Verification of Smart Contract Fairness
• TxSpector: Uncovering Attacks in Ethereum from Transactions
• EncELC: Hardening and Enriching Ethereum Light Clients with Trusted Enclaves
• De‐anonymizing Ethereum blockchain smart contracts through code attribution

The Week’s Links

• Formally Verifying the Ethereum 2.0 Phase 0 Specifications — ConsenSys
• Cryptocurrency Money Laundering Explained — Coinmonks
• Chainlink Gitcoin Bounty Program
• The 10 Best Things You Can Do to Not Lose Your Crypto — MyCrypto
• Securing an ERC-20 token for launch on Coinbase
• Solidity Bugs in Yul — Mikerah
• Smart Contract exploitation by Smart Contract Programmer [Video]
• Beacon Fuzz — Update #07 — SigmaPrime
• Steem vs Tron: The rebellion against a cryptocurrency empire — Decrypt
• Opyn ETH Put Exploit Post Mortem — Opyn
• A mysterious group has hijacked Tor exit nodes to perform SSL stripping attacks — Zdnet
• Cryptocurrency Money Laundering Explained — BitQuery
• Ethereum Classic Attack, 8 August: Catch me if you can — BitQuery

Do you consider yourself a smart contract hacker? Or do you know someone that might be? Good news, ConsenSys Diligence is hiring.

Security Engineer/Auditor

If you enjoy this newsletter please share it with your friends, or ask them to sign up here Smart Contract Security Newsletter