Smart Contract Security Newsletter #45

We have a few new blog posts for you:

• Breaking Ethereum Nodes with Teatime: A tool focusing on attacks on the P2P layer and the node software itself, working on ETH1.0 and JSON-RPC interfaces.
• LibP2P: Multiaddr — Enode — ENR ?! : There are multiple ways to convey a node’s peer-to-peer address and identity. multiaddr, enode, and ENR are the ones used in the Ethereum network stack. In this article, we are going to shed some light on them. Also a web-app for easy conversions between these encodings.
• Detecting Ownership Takeovers Using Mythril : How to write a detection module for Mythril to detect the unwanted ownership transfers of your smart contract.
• 2nd Solidity Underhanded Contest : The goal of this contest is to write innocent-looking Solidity code, which pretends to be clear and straightforward, but actually contains malicious behavior or backdoors.

Do you consider yourself a smart contract hacker? Or do you know someone that might be? Good news, ConsenSys Diligence is hiring.

Distilled News

Front-running in the dark forest and saving Lien Finance

You may have read the great article by Dan Robinson on the state of front-running bots on Ethereum network. Last week a group of whitehat hackers, including Alex Wade from Diligence, got together to save $9 million from Lien Finance’s vulnerable contract.

Escaping the Dark Forest

On the side note, there are some other interesting analysis on the front-running bots watching the Ethereum mempool:

• Staring Into the Monster’s Eye: Analyzing a Generalized Front-running Arbitrage Bot Attack
• How to munch on pickles from a whale dinner
• Hey bot! Give me all your money…
• Gas Wars: Understanding Ethereum’s Mempool & Miner Extractable Value — Uncommon Core podcast

Is DeFi really decentralized? KuCoin Hack Story

Last week, over $150 million was siphoned out of KuCoin exchange. Shortly after, a few tokens that were affected by this hack started to fork to remove the hacked balance from their pool, and some other DeFi projects froze the hackers address to prevent helping the hacker to launder the stolen funds. Other than USDT, ALEPH was also amongst these DeFi projects that froze the hacker’s assets. The hacker might also have been found.

More on DeFi security incidents

• iToken Duplication Incident Report — BzX
• EMINENCE — Rekt in prod — Rekt
• EMN-Exploit-study — fifikobayashi
• $FEW gets Rekt — Rekt
• Fork Defence Strategies in DeFi — Bankless
• UniCat “SetGovernance” backdoor to steal approved tokens — Alex Manuskin
• 0x team found a bug affecting Swerve, Curve [report]
• Vulnerability disclosure 2020–09–25 — iearn-finance/yearn-security
• Samczsun Incognito shield bug

Research Papers

• Smart Contract Repair
• Liquidations: DeFi on a Knife-edge
• Attacking Threshold Wallets
• ETHPLOIT: From Fuzzing to Efficient Exploit Generation against Smart Contracts
• A General Framework for the Security Analysis of Blockchain Protocols
• Bitcoin–Monero Cross-chain Atomic Swap
• Detection of Vulnerabilities in Smart Contracts Specifications in Ethereum Platforms
• Deep Autoencoder Ensembles for Anomaly Detection on Blockchain
• Defending Against Malicious Reorgs in Tezos Proof-of-Stake
• Testing Ethereum Smart Contracts: A Comparison of Symbolic Analysis and Fuzz Testing Tools
• Design Model for Extensible Architecture of Smart Contract Vulnerability Detection Tool
• DEFECTCHECKER: Automated Smart Contract Defect Detection by Analyzing EVM Bytecode
• Detecting Phishing Scams on Ethereum Based on Transaction Records
• Penetration testing framework for smart contract Blockchain
• A Formal Analysis of the Bitcoin Protocol
• Share Withholding Attack in Blockchain Mining: Technical Report
• A Jumping Mining Attack and Solution
• KVaC: Key-Value Commitments for Blockchains and Beyond
• Deterministic Wallets in a Quantum World
• A formal model of Algorand smart contracts
• High-Frequency Trading on Decentralized On-Chain Exchanges
• EVMPatch: Timely and Automated Patching of Ethereum Smart Contracts

The Week’s Links

• Solidity 0.7.2 Release Announcement
• Verification of the Deposit Smart Contract in Dafny — PegaSys
• My Trip Down the Crypto Rabbit Hole in Search of the DAO Hacker — Matthew Leising
• Fork Defense Strategies in DeFi — Bankless
• Lets poach samczsun and plant the seed for an auditing academy — gov.yearn
• Chainlink nodes were targeted in an attack that cost them at least 700 ETH — The Block
• Enterprise Blockchain Security Specification — Cryptonics
• Coordination, Good and Bad — Vitalik Buterin
• Hardware Wallet Flaw Lets Attackers Hold Crypto for Ransom — CoinDesk
• Fair Sequencing Services: Enabling a Provably Fair DeFi Ecosystem — Chainlink
• Gauntlet’s Tarun Chitra wants to de-risk DeFi with an automated governance platform
• Security Folkways and Deliberate Security Culture — BlackSwanSecurity
• Ethereum transactions overhaul — Ethereum Notes
• Beacon Fuzz — Update #08 — Sigmaprime
• Eth2 attack via time servers — Dankrad (ethresearch)
• Damn Vulnerable DeFi
• Over $500 in ETH Prizes! | Defi Detectives — AnChain.ai

If you enjoy this newsletter please share it with your friends, or ask them to sign up here Smart Contract Security Newsletter