Smart Contract Security Newsletter #48 ConsenSys Diligence – Medium

🎄 Sign up for the newsletter 🎄

In 2020, we sent out 17 issues of this newsletter covering everything on blockchain and smart contract security as they were happening. It’s been a crazy year, maybe more crazy for DeFi than the rest of the world.
Wish you a 2021 full of SafeHealth and SafeWealth.

Last week we open sourced Scribble, a Solidity runtime verification tool for property based testing. You can read more about it on our blog.

Also another update to our VSCode tools, Decompiler extension which you can use to decompile almost anything.

Holiday’s Solidity Boost

This holiday might be the best time to boost your Solidity development skills and security knowledge of smart contracts with some fun games and challenges.


Hack & Learn:

The Solidity Underhanded Contest has also ended with some great challenges. There are signs of Paradigm CTF by samczsun as well, details coming soon.

If you enjoyed hacking smart contracts, ConsenSys Diligence is hiring.

Distilled News


In yet another oracle-related exploit, WarpFinance was drained $~7.7m of DAI from its vault. WarpFinance depended on Uniswap’s current pools for price feeds, which the exploiter manipulated through depositing part of their flash-loaned WETH and DAI into warps’ LP tokens, swapping more flash-loaned WETH into DAI (increasing the price of DAI), then claiming their LP tokens at a higher price. Warp will be able to recover 73% of the users funds. One approach to mitigate these types of attacks is to use a TWAP (Time Weighted Average Price)-based oracle (e.g. uniswap sliding window oracle).

Aave bug

Aave released v2 on mainnet on December 3 after going through 5 different audits. Soon after V2 was deployed a possible attack vector regarding uninitialized contracts was discovered by Josselin Feist. With the vulnerability, an attacker could self-destruct the contract and break the DELEGATECALL connection with another v2 contract, leaving the protocol frozen until a new implementation is set. This brings into question, should code audits additionally review contracts after they are deployed?

Nexus Mutual CEO hacked

In an ironic twist of fate, the CEO of DeFi insurance firm Nexus Mutual was hacked for $8M in NXM tokens. Unlike the typical DeFi hacks we’ve been seeing for the past several months, this was a targeted personal hack, done through gaining remote access to Hugh’s computer to modify Metamask, tricking him into signing a different transaction with his connected hardware wallet. This has brought up more debate on how hardware wallets should display data when signing transactions as users can’t visually decipher the hex data shown for the signature. While Ledger provides a plugin to address this issue, it requires every dapp to build custom software to handle the data Ledger displays, and is not scalable. At the time of writing the situation is still under investigation.

The Week’s Links

Research Papers

This issue of the newsletter is brought to you by Shayan Eskandari and Carl Farterson.

We wish you a merry Christmas and a happy new year.


If you enjoy this newsletter please share it with your friends, or ask them to sign up here Smart Contract Security Newsletter

Smart Contract Security Newsletter #48 was originally published in ConsenSys Diligence on Medium, where people are continuing the conversation by highlighting and responding to this story.

—Source link—

What do you think?

🎙️Taking Ethereum Public | Ether Capital Bankless

Financial Market Lessons Of 2020 Off The Chain