Smart Contract Security Newsletter #32

This issue of the newsletter was sent out on Feb 19, 2020. If you would like to receive the newsletter hot and fresh, sign up here.

Distilled News

bZx / Flashloans Shenanigans Roundup

Over the weekend, someone made a single epic transaction that linked together multiple different defi protocols, taking advantage of a bug in the bZx protocol’s “Fulcrum” margin trading to walk off with a profit of roughly $360k in ETH. Then just yesterday a second transaction exploited bZx for a profit of $645k.

For the first attack, Palkeo’s analysis and walkthrough is the best we’ve seen. Unfortunately there really isn’t much analysis available at the time of writing, we’ll make sure to summarize it in the next letter.

If you’d like to read more, here’s a selection of links to get you going:

One particularly interesting implication here is that a DeFi attack will often be more profitable the more money you put into it. Flashloans make this capital readily available to an attacker, allowing them to get a greater payout for their effort. Haseeb Qureshi outlines this in a twitter thread.

Developers sometimes assume that if an attacker requires $1m to attack a system it would be noticeable on chain, this is particularly true with governance schemes. However with a flash loans the total duration of the attack would be in seconds, and no real resources are needed by the attacker. Here’s a scary thread discussing this scenario applied to MakerDAO.

Vulnerability disclosure — Tornado Cash

Last week, Tornado Cash warned users about a vulnerability on their app. Here’s more detail about it, it was mainly an information leakage to the third-party services used in their UI, which leaked user’s private note if “Share URL” was used by the user.

Anatomy of a Bridge Reserve Smart Contract Vulnerability — Kyber Network

SamCZSun strikes again by discovering a vulnerability in Kyber’s reserve manager smart contract. Read more about the vulnerability affecting Kyber-run DEX bridge reserves and how they fixed it.

Surrogeth: Tricking frontrunners into being transaction relayers — lsankar4033

Why create your own relay network from scratch, when bots are already scanning the mempool for simple transactions they can make money on.

Other Links

Smart Contract Security Newsletter #32 was originally published in ConsenSys Diligence on Medium, where people are continuing the conversation by highlighting and responding to this story.

—Source link—

What do you think?

DeFiZap Continues to Ship

Set Protocol Launches New Components