Smart Contract Security Newsletter #46

Last Month at Liquidity2020 we presented two talks (videos below) and coming up next week we will be presenting at Trufflecon, stay tuned for DevSecOps — Shifting left smart contract development by Joran Honig.

Oracles from the Ground Truth to Market Manipulation — Shayan Eskandari

Automated Testing of Smart Contract Systems — Valentin Wüstholz

Also, for VSCode users, there’s an update on Ethereum Vyper language support.

Vyper - Visual Studio Marketplace

Distilled News

Governance Attacks — MakerDAO

Earlier this week, a flash loan was used to pass a governance vote on MakerDAO:

Essentially, B Protocol’s team wanted to be white-listed in order to access the MakerDAO’s price oracle. So, they submitted a proposal to Maker’s governance structure in order to receive that approval on October 23.

Three days later, a multi-step transaction was created and processed that began with a borrowing of synthetic Ether, which was then used as collateral to borrow $7 million worth of MKR tokens, which are used to vote on proposals. The newly-borrowed MKR was used to pass the vote and then returned to the markets from which they were lent.

You can read more about the details and ensuing discussion on the MakerDAO forum, and see the transaction itself on Etherscan. This opens up the discussion to rethink many of the decentralized governance designs.

Harvest Finance Hack

Another drama hits the DeFi world with the Harvest.finance hack. Aside from $1M bounty on the hacker, and some putting the blame on the auditors [audits], the issue was related to the price calculation in Harvest [Exploit example].

Read more on the analysis of the attack:

• Valentin Mihov Tweets
• Harvest Flashloan Economic Attack Post-Mortem | by Harvest Finance

DeFi Security & Hacks

• Sushiswap smart-contract bug and quality of audits in community — Dracula Protocol
• SushiSwap Farming Analysis — Nansen.ai
• Reentering the Reentrancy Bug: Disclosing BurgerSwap’s Vulnerability — Zengo
• Risk Scores for DeFi — Alpha Release — John Morrow | Gauntlet
• Curve Vulnerability Report. Hi, this is Peter Zeitz, an economics — Peter Zeitz
• Hashing It Out #92- DefiSaftey Rex Hygate [Podcast]
• Automated Governance: DeFi’s scientific evolution — Tarun Chitra | Gauntlet
• Saving $200m in DeFi Cover — Azeem Ahmed | ArmorFi
• iearn-finance/yearn-security — Vulnerability disclosure 2020–10–30
• Flash Mint Arbitrage Code sample — fifikobayashi
• Hegic v888 $ETH liquidity pool bug — 0MOLLY
• Uniswap Swindle — Scammer Speaks Out — Rekt

The Week’s Links

• The Solidity Compiler Silently Corrupts Storage — Certora
• CertiK dissects the Axion Network incident and subsequent price crash — CoinTelegraph
• Solidity 0.7.4 Release Announcement — Solidity Blog
• Solidity 0.8.x Preview Release — Solidity Blog
• Fe: a new language for the Ethereum ecosystem — Ethereum
• Chainlink VRF Now Live on Ethereum Mainnet — Chainlink
• Upgrading the Argent Wallet to Solidity 0.6 — Argent
• Ethereum’s Dark Forest is worth cultivating — Trenton Van Epps
• Smart Contract Fuzzing. How to find edge cases with echidna — Coinmonks
• Responsible Vulnerability Disclosure in Cryptocurrencies — CACM ACM
• Efficient audits with machine learning and Slither-simil — Trail of Bits
• Changing Lanes — Samczsun
• How I got hacked, lost crypto and what it says about Apple’s security
• Cryptotux: Linux images for crypto & blockchain education and development
• Data Representation in Solidity
• Binance Android Wallet theft bug
• Introducing OpenZeppelin Defender — OpenZeppelin
• Call me Ishmael — BitMEX
• Deanonymising the Kucoin Hacker — Koh Wei Jie
• Good idea, bad design: How the Diamond standard falls short — Josselin Feist
• Addressing Josselin Feist’s Concern’s of EIP-2535 Diamond Standard
• Detect Ethereum front-runners with honey pot contract — Sergey Potekhin

Research Papers

• Runtime Hook on Blockchain and Smart Contract Systems
• Taming the many EdDSAs
• Two-round trip Schnorr multi-signatures via delinearized witnesses
• Stealthswap : Privacy Preserving Ethereum Transactions [Whitepaper]
• Towards Understanding Flash Loan and Its Applications in DeFi Ecosystem
• On the profitability of selfish blockchain mining under consideration of ruin
• On (multi-stage) Proof-of-Work blockchain protocols
• MuSig2: Simple Two-Round Schnorr Multi-Signatures
• FORTIS: FORgeable TImeStamps Thwart Selfish Mining
• Detecting Malicious Ethereum Entities via Application of Machine Learning Classification
• Formal Verification of Ethereum Smart Contracts Using Isabelle/HOL

If you enjoy this newsletter please share it with your friends, or ask them to sign up here Smart Contract Security Newsletter