Smart Contract Security Newsletter #48

🎄 Sign up for the newsletter 🎄

In 2020, we sent out 17 issues of this newsletter covering everything on blockchain and smart contract security as they were happening. It’s been a crazy year, maybe more crazy for DeFi than the rest of the world.
Wish you a 2021 full of SafeHealth and SafeWealth.

Last week we open sourced Scribble, a Solidity runtime verification tool for property based testing. You can read more about it on our blog.

Also another update to our VSCode tools, Decompiler extension which you can use to decompile almost anything.

Holiday’s Solidity Boost

This holiday might be the best time to boost your Solidity development skills and security knowledge of smart contracts with some fun games and challenges.

Learn:

• CryptoZombies — Learn to Code Blockchain DApps By Building Simple Games
• Eth.Build — An Educational Drag-and-Drop Programming For Web3
• Mastering Ethereum, by Andreas M. Antonopoulos, Gavin Wood [Open Source]
• Watch Selected Talks by ConsenSys Diligence

Hack & Learn:

• The Ethernaut — Hack the contracts with a cool interface
• Capture The Ether — Hack the contracts for educational purposes only
• Damn Vulnerable DeFi — Break some DeFi projects
• Don’t cheat but some nicely written walkthroughs are here & here

The Solidity Underhanded Contest has also ended with some great challenges. There are signs of Paradigm CTF by samczsun as well, details coming soon.

If you enjoyed hacking smart contracts, ConsenSys Diligence is hiring.

Distilled News

WarpFinance

In yet another oracle-related exploit, WarpFinance was drained $~7.7m of DAI from its vault. WarpFinance depended on Uniswap’s current pools for price feeds, which the exploiter manipulated through depositing part of their flash-loaned WETH and DAI into warps’ LP tokens, swapping more flash-loaned WETH into DAI (increasing the price of DAI), then claiming their LP tokens at a higher price. Warp will be able to recover 73% of the users funds. One approach to mitigate these types of attacks is to use a TWAP (Time Weighted Average Price)-based oracle (e.g. uniswap sliding window oracle).

Aave bug

Aave released v2 on mainnet on December 3 after going through 5 different audits. Soon after V2 was deployed a possible attack vector regarding uninitialized contracts was discovered by Josselin Feist. With the vulnerability, an attacker could self-destruct the contract and break the DELEGATECALL connection with another v2 contract, leaving the protocol frozen until a new implementation is set. This brings into question, should code audits additionally review contracts after they are deployed?

Nexus Mutual CEO hacked

In an ironic twist of fate, the CEO of DeFi insurance firm Nexus Mutual was hacked for $8M in NXM tokens. Unlike the typical DeFi hacks we’ve been seeing for the past several months, this was a targeted personal hack, done through gaining remote access to Hugh’s computer to modify Metamask, tricking him into signing a different transaction with his connected hardware wallet. This has brought up more debate on how hardware wallets should display data when signing transactions as users can’t visually decipher the hex data shown for the signature. While Ledger provides a plugin to address this issue, it requires every dapp to build custom software to handle the data Ledger displays, and is not scalable. At the time of writing the situation is still under investigation.

The Week’s Links

• Solidity 0.8.0
• Solidity 0.7.6
• Truffle release v5.1.58
• Saffron bug locking $50m dai for 8 weeks
• Sushiswap saved — Rekt
• Compounder Finance RugPull Post-Mortem Report — Vasa_develop
• Feds Arrest Crypto Founder Behind Multimillion-Dollar ‘Exit Scam’ — Decrypt
• Tornado.Cash Governance Proposal (TORN is coming)
• Immunefi — DeFi Bounties
• New detectors for Slither
• EIP-3156 to standardize flash loans
• Symbolic execution with ds-test — Ethereum
• Finding exploits and saving people’s money w/ samczsun [Video]
• Fraud Proof Security Drill: Will You Be My 1-of-N? — Optimism
• EIP 1559 Analysis
• Solidity Developer Survey 2020
• Mystery puzzle solved or why we gave away 7 ETH to an absolute stranger
• Uniswap’s Financial Alchemy — Paradigm
• Exploiting Smart Contracts in CTF Challenges — Donjon
• A Brief Breakdown of Monero’s Ongoing Network Attacks — sethsimmons
• An iOS zero-click radio proximity exploit odyssey [Interesting Read] — Google Project Zero
• Acoustic keyboard eavesdropping based on language n-gram frequencies — ggerganov/kbd-audio

Research Papers

• Fuzzer to analyze smart contract performance
• Populating the Peephole Optimizer of a Smart Contract Compiler
• Automated Generation of Test Cases for Smart Contract Security Analyzers
• Rogue Key Attack on Gennaro et al. DKG
• Smart contract security verification standard
• Profiling of Malicious Users Targeting Ethereum’s RPC Port Using Simple Honeypots
• Foundations of Ring Sampling
• SoK: Diving into DAG-based Blockchain Systems
• RouTEE: A Secure Payment Network Routing Hub using Trusted Execution Environments
• Proposing Cybersecurity Regulations for Smart Contracts
• Identifying DApps and User Behaviors on Ethereum via Encrypted Traffic
• Perturbing Smart Contract Execution Through the Underlying Runtime
• Selfish Mining Attacks Exacerbated by Elastic Hash Supply
• CLUE: Towards Discovering Locked Cryptocurrencies in Ethereum
• Pricing Security in Proof-of-Work Systems
• Balancing Privacy and Accountability in Blockchain Transactions
• Delegated RingCT: faster anonymous transactions
• Malicious Qr-Code Threats and Vulnerability of Blockchain
• Robust Subgroup Multi-Signatures for Consensus
• On the Serverless Nature of Blockchains and Smart Contracts
• General Purpose Atomic Crosschain Transactions
• Exploiting Smart Contract Bytecode for Classification on Ethereum
• Game Theoretic Analysis of Reputation Approach on Block Withholding Attack
• Security Evaluation of Smart Contract-Based On-chain Ethereum Wallets
• Graph Deep Learning Based Anomaly Detection in Ethereum Blockchain Network
• RandPiper — Reconfiguration-Friendly Random Beacons with Quadratic Communication

This issue of the newsletter is brought to you by Shayan Eskandari and Carl Farterson.

We wish you a merry Christmas and a happy new year.

🎄🎅🎄🤶🎄

If you enjoy this newsletter please share it with your friends, or ask them to sign up here Smart Contract Security Newsletter