If a protocol uses any of the OpenZeppelin libraries, always check that the latest released version is used. Thus, you will be sure the most optimized version is used.

You can find vulnerabilities associated with previous versions here👇 https://security.snyk.io/package/npm/%40openzeppelin%2Fcontracts @EthSecurity1

someone lost $1.04m by ERC20 Permit phishing 22 minutes ago

https://etherscan.io/token/0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48?a=0x5242dc2114bb40ed7482adcfab07384d069408cc
@EthSecurity1

Core issue behind Trust wallet extension vulnerability:
It used a Mersenne Twister (MT19937) pseudo-random number generator (PRNG) for generating private keys, which is not random "enough" and therefore such private keys can be brute forced by attackers. https://community.trustwallet.com/t/browser-extension-wasm-vulnerability-postmortem/750787

try hack me @EthSecurity1

Announcing Smart Contract Fiesta:🎉

An open-source, high-quality dataset of over over 175M lines of Ethereum smart contract source code! It has about ~150k unique contract sources across 30M smart contracts.

https://huggingface.co/datasets/Zellic/smart-contract-fiesta


Read more: 👇🧵
huggingface.co
Zellic/smart-contract-fiesta · Datasets at Hugging Face @EthSecurity1

zk-apps
This repository is a collection of smart-contract applications based on ZK-SNARKs.

Included:

shielder - shielding and unshielding PSP22 tokens @EthSecurity1 https://github.com/Cardinal-Cryptography/zk-apps

Just published this EPIC Borrowing, Lending & Liquidation Deep Dive!

public c4 & sherlock contest, categorized & systematized the major vulnerability classes found in these #defi systems, and made it all freely available to help YOU. @EthSecurity1 https://dacian.me/lending-borrowing-defi-attacks

🔴Many security vulnerabilities come from faulty assumptions

Identifying the assumptions made by the devs and evaluating if they are correct can uncover big discrepancies between what the code does vs what it is intended to do

Here are examples of common faulty assumptions: 📔

1. Initialization functions will only be called ONCE and/or can be called only by the contract deployer

2. Only admins can call certain functions(access control issues)

3. Functions will always be called in a certain order as expected by the system

Ex. what if there's a function that closes a position but expects that you opened one in the 1st place?

A function that checks if your payment is on time but expects you got a loan before that?

4. Parameters can only have non-zero values or values within a certain threshold

addresses will never be zero-valued
sender will always be different from the receiver
an element of a struct array will always exist so the values won't be the default ones

5. Certain addresses or data values can never be attacker-controlled

6. Function calls will always be successful and so checking for return values is not required
These are just a few examples of common assumptions that don't always hold true
Always try to identify what assumptions are made when writing the code and compare that to how the system could actually behave
@EthSecurity1

nonReentrant modifiers might potentially cause a DoS attack.
https://medium.com/@bloqarl/uncovering-real-life-examples-of-denial-of-service-attacks-on-smart-contracts-8bc220c2cdd0
@EthSecurity1

This paper presents a dynamic, real-time approach to detecting anomalous blockchain transactions.

https://arxiv.org/abs/2304.12749
@EthSecurity1

A number of Comp forks have been hacked, chiefly Hundred Finance

compoundfinance
V2 forks, satisfying conditions, e.g., cToken.totalSupply == 0, can be drained @EthSecurity1

the person who stole 20m from sandwitch bots by unbundling sandwiches reported another bug that would allow the same attack again, in exchange of being called "low-carb-crusader" https://collective.flashbots.net/t/disclosure-mitigation-of-block-equivocation-strategy-with-early-getpayload-calls-for-proposers/1705 @EthSecurity1

Detect real-time threats on your blockchain stack is more important these days and i want to go deeper. Comment me all thing you know about topic https://github.com/base-org/pessimism
@EthSecurity1

A Practical, AI-Generated Phishing PoC with ChatGPT

https://curtbraz.medium.com/a-practical-ai-generated-phishing-poc-f81d3c3da76b
@EthSecurity1

Good web3sec checklist behind these
https://gist.github.com/CloudEllie/213965a3448230f5b615e7046f9dd26d

https://news.1rj.ru/str/EthSecurity1/403
https://news.1rj.ru/str/EthSecurity1/421
@EthSecurity1

Web3 Dev
1)How do you construct a lending protocol that supports arbitrary collateral, has no oracles, and has no expirations?

Read the whitepaper to find out:
paradigm.xyz/2023/05/blend

2) Web3education.dev brought by patrick collins

@EthSecurity1

web3 security tips: 1)Some of the high/medium submitted issues in the last Sherlock contest was:

1. Access control
2. Input validation
3. Fee-on-transfer
2)4 ways for receiving unexpected Ethers

1. via payable functions
2. selfdestruct()
3. coinbase transaction
4. pre-sent before creation

Contract logic should not depend on this.balance because can be manipulated @EthSecurity1

If you see a Solidity method that has an argument of type array, always check for 3 things:

1. What if the array length is 0?
2. What if there are duplicated elements in the array?
3. What if there are zero value elements in the array?
@EthSecurity1