Smart Contract Security Newsletter #36

(This newsletter was sent out on April 22nd, Sign up to receive them on the first day)

Distilled News

DeFi Rollercoaster — imBTC, Uniswap & dForce lendFme

Over the weekend, DeFi saw one of the biggest hacks in DeFi history, more than $25M. However, the hacker returned all the hacked assets at the end. Sorry for the spoiler.
The hack was a result of a re-entrancy attack made possible by the ERC777 token standards callback functionality.

Some good overview resources include Peckshield’s very technical writeup of the attack, and DeFi weekly has a very accessible writeup outlining the basics of the attack, and the ensuing negotiations with the hacker.

Collusion in Gitcoin Grants — @owocki on twitter

Gitcoin recently concluded its most recent round of grants, which allows anyone to contribute as much or as little to any of the listed projects. The interesting thing about Gitcoin grants is that donations are matched according to the CLR mechanism.

The amount received by the project is (proportional to) the square of the sum of the square roots of contributions received.

This scheme puts more emphasis on how many people donated, and less on how much each individual donated. So if 4 people each donate 2 DAI to a particular project, it will receive more matching funds than if 1 person donates 8 DAI.

Naturally this creates a strong incentive for collusion and/or sybil attacks. Kevin Owocki’s twitter thread describes a particularly active collusion ring supporting the same project:

47% of contributions to a particular grant were funded by the same account.

We felt this was important to highlight, because as we still see the occasional system designed with the assumption that different addresses are necessarily different people.

Updates on Smart Contract Analysis Tools

Coinmonks wrote an interesting article comparing different Ethereum Security Analysis Tools, focusing on Slither, Mythx, and Securify.

A few updates on the Mythx side, MythX integrated into Embark, using their Embark MythX plugin.

Also Valentin Wustholz from Mythx team, has been working on improving Harvey, a fuzzer tool for Ethereum. Here’s a blog post about the recent developments, Targeted fuzzing using static lookahead analysis, and if you want to get in depth of the tool check out their paper.

Other Links

If you enjoy this newsletter please share it with your friends, or ask them to sign up here Smart Contract Security Newsletter.

On April 11, John Conway passed away due to COVID-19

Smart Contract Security Newsletter #36 was originally published in ConsenSys Diligence on Medium, where people are continuing the conversation by highlighting and responding to this story.

—Source link—

What do you think?

Synthetix launches demo Ethereum DeFi L2 scaling solution

Ethereum by the Numbers — April 2020