Smart Contract Security Newsletter #37

More virtual conferences are happening these days. Here are some of the talks we did in the past two weeks:
- Visualization of large codebases with the Solidity Visualizer extension for VSCode — Solidity Summit 2020
- Mutation Testing with Vertigo — Solidity Summit 2020
- Live Auditing & Security Best Practices with ConsenSys Diligence — DeFi Discussions
That was absolutely fascinating. Watching auditors dive into a new code base and fire up their tools was so interesting. Auditing code is such a dark art to most of us in the Ethereum community. This session gives you some insight into how they work: https://t.co/RyIbSVSPJk
We will be doing live auditing once a month. Make sure to follow us on Twitter at @ConsenSysAudits for more details.
Distilled News
An Experiment In Designing a New Smart Contract Language — Steve Marx (Diligence)
ConsenSys Diligence has the broad mission of “solving smart contract security”. Early on, the team focused almost exclusively on auditing smart contracts that were ready to be deployed. Over time, we published best practices and incubated the tools that became MythX.
As auditors, we have a rather unique perspective on how a programming language can support writing secure smart contracts.
Some opportunities we saw for a new programming language:
- Readability could be greatly improved.
- Complexity could be better managed.
- Common bug classes could be prevented.
The rest of this post will elaborate on each of these points.
Hegic Hack and Audits Drama
If you participate in the Ethereum Security community at all, you probably have heard many stories about the HegicOptions’ “typo” bug, and the Trail of Bits audit. The incident began with Hegic claiming to have a typo in their main-net contract rather than a bug. The upshot for us is a need to differentiate between full audits and 1-day security reviews and stop using audits as a sales tool.
You can read more about what happened with Hegic here:
- Post-Mortem: Hegic Unlock Function Bug or Three DeFi Development Mistakes That I Feel Sorry About (From Hegic)
- Hegic vs Trail of Bits & The Issue with “Audits” (Defi weekly summary)
- Unchained podcast interview on the topic with Dan Guido (ToB) and Taylor Monahan (MyCrypto)
tBTC: Navigating the cross-chain conundrum — Alexander Wade (Diligence)
Bitcoin-to-Ethereum cross-chain projects are an area where we are seeing more and more activity lately. Earlier this year we completed a significant assessment of the tBTC project, in which we identified an issue that would have made some fraud proofs from the Bitcoin chain impossible to validate on Ethereum. We thought it was interesting and wanted to share it with the community.
Other Links
- Threshold ECDSA for Decentralized Asset Custody [Paper]
- Storing and Retrieving Secrets on a Blockchain [Paper]
- Doubling down on security — OpenZeppelin
- Bad Things™ (Crypto / Security) — TayVano (MyCrypto)
- Oracles Club All Price Feeds — DragonFly Capital
- Etheroll Security Incident
- Trusted Setup Ceremony — Tornado.cash
- Lendf.Me Resolution, Part II: dForce “Better Future” Proposal
- How NASA does software testing and QA
- Futureswap: Lessons learned from a 3-day alpha
- aToken Withdrawal Vulnerability Disclosure — Trustless Fund
- EIP-2583: Penalty for account trie misses
- SoK: Tools for Game Theoretic Models of Security for Cryptocurrencies — Protocol Labs [Paper]
- ETH2 Staking Calculator — Codefi Networks
- Compound: Tether Integration Audit — OpenZeppelin
- Is a new token standard really to blame for the imBTC/Uniswap and dForce attacks? — Provable Things
If you enjoy this newsletter, please share it with your friends, or ask them to sign up here: Smart Contract Security Newsletter.
Smart Contract Security #37 was originally published in ConsenSys Diligence on Medium, where people are continuing the conversation by highlighting and responding to this story.