Smart Contract Security #37

Smart Contract Security Newsletter #37

(This newsletter was sent out on May 7th; sign up to receive future issues on the first day.)

More virtual conferences are happening these days; here are some of the talks we gave in the past two weeks:

That was absolutely fascinating. Watching auditors dive into a new code base and fire up their tools was so interesting. Auditing code is such a dark art to most of us in the Ethereum community. This session gives you some insight into how they work: https://t.co/RyIbSVSPJk

 — @ricburton

We will be doing live auditing once a month; follow us on Twitter (@ConsenSysAudits) for details.

Distilled News

An Experiment In Designing a New Smart Contract Language — Steve Marx (Diligence)

ConsenSys Diligence has the broad mission of “solving smart contract security”. Early on, the team focused almost exclusively on auditing smart contracts that were ready to be deployed. Over time, we published best practices and incubated the tools that became MythX.

As auditors, we have a rather unique perspective on how a programming language can support writing secure smart contracts.

Some opportunities we saw for a new programming language:

  1. Readability could be greatly improved.
  2. Complexity could be better managed.
  3. Common bug classes could be prevented.

The rest of this post will elaborate on each of these points.

Hegic Hack and Audits Drama

If you participate in the Ethereum Security community at all, you have probably heard many stories about the HegicOptions “typo” bug and the Trail of Bits audit. The incident began with Hegic claiming that the defect in their main-net contract was a typo rather than a bug. The upshot for us is that the industry needs to differentiate clearly between full audits and 1-day security reviews, and to stop using audits as a sales tool.

You can read more about what happened with Hegic here:

tBTC: Navigating the cross-chain conundrum — Alexander Wade (Diligence)

Bitcoin-to-Ethereum cross-chain projects are an area in which we are seeing more and more activity lately. Earlier this year we completed a significant assessment of the tBTC project, in which we identified an interesting issue that would have made some fraud proofs from the Bitcoin chain impossible to validate on Ethereum. We thought it was interesting and wanted to share it with the community.

Other Links

If you enjoy this newsletter, please share it with your friends or ask them to sign up here: Smart Contract Security Newsletter.


Smart Contract Security #37 was originally published in ConsenSys Diligence on Medium, where people are continuing the conversation by highlighting and responding to this story.
