Smart Contract Security Newsletter #42

(This newsletter was sent out on July 17th, Sign up to receive them on the first day)

Last week we open-sourced one of our tools, Legions, an EVM Node Security Toolkit. With this tool, you can look up ENS details, smart contract storage, and any nodes’ exposed RPC interfaces. Read more about Legions and more functionalities here:

Legions a Tool for Seekers

Also we are honored that Status has asked us to serve as the Champion on Nimbus ETH2.0 beacon chain assessment, working alongside NCCGroup and Trail of Bits.

 — @ConsenSysAudits

Do you consider yourself a smart contract hacker? Or do you know someone that might be? Good news, ConsenSys Diligence is hiring.

Distilled News

“CryptoForHealth” Twitter take over

Yesterday Twitter got hacked [NYTimes, Verge] which seemed to be a social engineering or an insider job that gave the attackers access to Twitter internal system, a.k.a god mode. You can follow MyCrypto live coverage Twitter thread of the event, or check out their sheets that contain all the details of what happened.

It’s not the first time this event happened, back in 2009, a similar hack occurred and Twitter promised to safeguard the confidentiality of the personally identifiable information to FTC. Also last year the Department of Justice charged two Twitter employees with providing private information from Twitter accounts to Saudi Arabian nationals. It seems that they are on the path to the senate again, based on the letter Senator Josh Hawley sent to Twitter CEO.

There is nothing really to be done by the community than to review your security settings, although we suggest blacklisting the attackers’ Bitcoin addresses if you are involved in any exchanges or trading services:

  • bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
  • bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l
  • bc1q0kznuxzk6d82e27p7gplwl68zkv40swyy4d24x

To wrap this up, one of the best response trolls was this bitcoin transaction to their address, with a poem to promote Monero:

How did someone make a million dollars in 30 min?

Last week BzX listed their token (BZRX) on Uniswap, and it was fascinating to see on the same block that the listing transaction was included, there was another transaction to buy up 650 ETH worth of BZRX. The buyer gradually sold the acquired BZRX and profited greatly from this timed risky trade.

Roman Storm’s twitter thread explains all the steps:

How someone made a million dollar in 30 min?

1. Wait for BZRX news for uniswap listing.
2. Write a smart contract that buys token on Uniswap
3. Spam eth network to others can’t get in with failed txs

Security implications of Governance Tokens

Eva Beylin generated some interesting discussion on twitter with this assertion:

If the market cap of a DeFi protocol is less than or equal to its TVL (total value locked), it’s undervalued.

The underlying assumption here is that a majority of self-interested token holders can be expected to vote for protocol changes that will benefit them, thus if a protocol holds $1MM, and 50% of that protocol’s governance token can be purchased for less than $1MM, an attacker could quietly accumulate sufficient balance to vote for a protocol change that results in them taking control of the full value locked1.

On top of that, governance tokens also have implications for composability within other protocols. An example taken from Compound is Gauntlet Network’s proposal for a Formal Analysis Period for Larger Proposals:

The COMP issuance rebalancing proposal (CP011) affects not only Compound, but caused externalities that impact borrowing/supply demand such as Dai issuance and the Dai peg. These externalities affect both systems and deserve a more thorough analysis than proposals that are more straightforward.

Another good read that touches on this topic: Stablecoins 2.0: Economic Foundations for DeFi.

1: Of course, there are ways of mitigating such ‘plutocratic’ attacks, such as imposing a delay between when a proposal passes, and when the upgrade is activated. This would allow depositors time to react to protect their funds from a malicious proposal.

Research Papers

Other Links

If you enjoy this newsletter please share it with your friends, or ask them to sign up here Smart Contract Security Newsletter

Smart Contract Security Newsletter #42 was originally published in ConsenSys Diligence on Medium, where people are continuing the conversation by highlighting and responding to this story.

—Source link—

What do you think?

“Things Tend to Get Better. For Anyone Involved in Crypto, It’s Obvious That This is 1,000x Better,” 1kx’s Lasse Clausen

Balancer Launches BAL Voting to Address Liquidity Mining