Smart Contract Security Newsletter #38

(This newsletter was sent out on May 21st, Sign up to receive them on the first day)

ConsenSys Diligence VSCode guru, Martin Ortner, has some interesting updates on his VSCode extensions:

  • Updated Solidity Metrics: Generate Solidity Source Code Metrics, Complexity and Risk profile reports for your project.
  • Dabble in good old InfoSec tools by Decompiler extension, which enables users to decompile Binary files, Java Jar, and Android APK right from VSCode.

MythX also recently shipped some major upgrades to MythX’s analysis engine, adding support for more vulnerability types. It also adds a new mode that is optimised for checking custom security properties!

Distilled News

Details of the tBTC Deposit Pause on May 18, 2020 — Keep Network

Roughly 48 hours after deploying to the Ethereum and Bitcoin mainnet, The Keep team triggered a 10-day emergency pause of deposits to the tBTC system. The main issue was due to some Bitcoin address types (pay to witness pubkeyhash (p2wpkh)) would result in an error when used in a proof that a redemption has been sufficiently confirmed on the Bitcoin chain. The issue was caught relatively quickly after deployment and the funds are mostly SAFU at this moment.

As mentioned in their post and the ConsenSys Diligence audit report, this issue could have been caught by extensive system simulation and integration tests prior to release.

Any highly-complex system benefits massively from integration testing. tBTC and the Keep Network are no exception: the two products tie together multiple different technologies (Bitcoin, Ethereum, sMPC, …) using mission-critical smart contracts. What’s more, the smart contracts in question implement strict timing windows for operations as well as steep penalties if those windows are missed.

In addition, a must read we recently published for anyone working on cross-chain projects:

tBTC: Navigating the cross-chain conundrum

Solidity 0.6.x features: Saving Storage Costs with Immutables —

Solidity’s new immutable keyword is a simple but very powerful improvement to the language, that can significantly improve safety and gas efficiency:

Immutable state variables can be declared using the immutable keyword. They cannot be read during contract creation, but either have to be written to exactly once in the constructor or initialized directly in their declaration. Runtime code can only read immutables, but not write to them.

Think of immutable like an upgrade to the existing constant keyword. Both will store values directly in the deployed bytecode (which greatly reduces the gas cost of reading them), but whereas constant variables had to be defined in the source code, you can now set the value by passing an argument to the constructor.

Frontrunning in Decentralized Exchanges, Miner Extractable Value, and Consensus Instability — Phil Daian

We additionally show that high fees paid for priority transaction ordering poses a systemic risk to consensus-layer security. We explain that such fees are just one form of a general phenomenon in DEXes and beyond — what we call miner extractable value (MEV) — that poses concrete, measurable, consensus-layer security risks. We show empirically that MEV poses a realistic threat to Ethereum today.

By adding a second layer of incentives (other than gas fees) to each transaction, MEV changes the effective block reward a miner can earn. This changes the security assumptions about how the protocol (Ethereum mining) works and may change miner behavior incentivizing more frequent chain reorgs.

This may be related to what was seen in last month’s Etheroll incident, where the small forks on the chain were not foreseen and resulted in a malicious user’s winnings.

EtherRoll Bug Thread 1/ This attack on Etheroll came across my radar a few weeks ago, the description from the project itself here was a little bit cryptic, but also intriguing:

 — @sbetamc

Other Links

If you enjoy this newsletter please share it with your friends, or ask them to sign up here Smart Contract Security Newsletter

Smart Contract Security Newsletter #38 was originally published in ConsenSys Diligence on Medium, where people are continuing the conversation by highlighting and responding to this story.

—Source link—

What do you think?

This Week in DeFi – May 22nd

How Latin American Citizens Are Using Ethereum to Coordinate COVID-19 Deconfinement