Common smart contract vulnerabilities by Raiders
https://blog.web3sec.news/posts/common-smart-contract-vulnerabilities-audit-checklist/
https://crosschainriskframework.github.io
Crosschain Risk Framework @EthSecurity1
How to diff contracts against Etherscan verified code https://blog.theredguild.org/how-to-diff-smart-contracts-etherscan/
https://github.com/lidofinance/diffyscan
@EthSecurity1
The Red Guild
How to diff contracts against Etherscan verified code
How to compare smart contracts in GitHub against verified code in Etherscan using Diffyscan.
The zero-knowledge attack of the year might just have happened, or how Nova got broken @EthSecurity1
www.zksecurity.xyz
The zero-knowledge attack of the year might just have happened, or how Nova got broken - ZKSECURITY
Last week, a strange paper (by Wilson Nguyen et al.) came out: Revisiting the Nova Proof System on a Cycle of Curves. Its benign title might have escaped the attention of many, but within its pages lay one of the most impressive and devastating attacks on…
Forwarded from Rektoff
Gm Rektoffians!
We’ve prepared an alpha-only web3 security telegram pack so you can always stay up to date with market trends, cool articles and useful groups 👥
Add it with the following link:
https://news.1rj.ru/str/addlist/b0NZzSm3Q9gxYTMy
And feel free to share your gem channels under this post in case we missed something.
Stay Rektoff😀
BrutePrint: Expose Smartphone Fingerprint Authentication to Brute-force Attack.
2 Hours Web3 Smart Contract Security Interview with Dravee.
@EthSecurity1
YouTube
2 Hours Web3 Smart Contract Security Interview with Dravee
Join the Blockchain Security Academy,
GET 100$ Discount on the Smart Contract Hacking Course:
https://johnnytime.xyz/smart-contract-hacker
An awesome interview with our special guest, Dravee. In this interview, we'll delve deep into Dravee's experiences…
still stuck using csv? well there’s a new tool for anyone that enjoys rust, parquet, or crypto data…
❄️🧊cryo🧊❄️
you can use cryo to easily extract:
- blocks
- txs
- logs
- call traces
- slot traces
- balance traces
- nonce traces
- code traces
- vm traces
cryo can extract all historical uniswap trades with this command:
cryo logs --topic0 0xc42079f94a6350d7e6235f29174924f928cc2ac818eb64fed8004e115fbcca67
@EthSecurity1
GitHub
GitHub - paradigmxyz/cryo: cryo is the easiest way to extract blockchain data to parquet, csv, json, or python dataframes
Patch Thursday — Security risks due to exchange rate manipulation of ibToken
From Exploit to Recovery: Unraveling DeFi Incidents with Spreek
Secrets of Successful Bug Hunting: Insights from Pro Whitehats and Immunefi with Mackenzie
@EthSecurity1
Medium
Patch Thursday — Security risks due to exchange rate manipulation of ibToken
This article introduces the concept and principles of ibToken and sheds light on the security risks of ibToken exchange rate manipulation.
Guide To Advanced Calldata | Everything You Need To Know
Behind the Scenes of Smart Contract Security Reviews - Engn33r
smart contract audit tools
@EthSecurity1
YouTube
Guide To Advanced Calldata | Everything You Need To Know
Are you a security researcher looking to join a world-class team? Apply to open positions at Guardian here: https://guardianaudits.com
Interested in getting hands-on training to become an expert security researcher in a matter of months?
Get the guide to…
Differential Fuzzing On Solidity Fixed-Point Libraries link
Pre-deployment Analysis of Smart Contracts -- A Survey link
With Trail to Follow: Measurements of Real-world Non-fungible Token Phishing Attacks on Ethereum. link
@EthSecurity1
ventraldigital
Fuzzing Vyper Contracts Using Foundry • Ventral Digital
Ventral Digital LLC is a research and consultancy firm specializing in Information Security and Privacy.
Arbiter - EVM logic simulator for security and performance testing @EthSecurity1
YouTube
Arbiter - EVM logic simulator for security and performance testing
Arbiter is a tool built by Primitivefinance in order to rigorously test the performance and security of their own protocol. Arbiter is pure Rust. It uses a Rust-based EVM called revm in order to run smart contracts directly (revm is used inside of the Anvil…
Do not miss officercia articles
Short types in solidity: Rare tricks
http://officercia.mirror.xyz/SnmH8v6QV6jHa64boANXySxBZsem8oiSP7zxgss_BEU
Amm integration
http://blog.pessimistic.io/amm-automatic-market-makers-integration-tips-e42fe275e13c?1
@EthSecurity1
Forwarded from Daily Security
What is Caracal?
Caracal is a static analyzer tool over the SIERRA representation for Starknet smart contracts.
What about its Features?
👉Detectors to detect vulnerable Cairo code
👉Printers to report information
👉Taint analysis
👉Data flow analysis framework
👉Easy to run in Scarb projects
Any overview of its detectors?
1) controlled-library-call
Library calls with a user controlled class hash
2) unchecked-l1-handler-from
Detect L1 handlers without from address check
3) reentrancy
Detect when a storage variable is read before an external call and written after
4) unused-events
Events defined but not emitted
5) unused-return
Unused return values
6) unenforced-view
Function has view decorator but modifies state
7) unused-arguments
Unused arguments
8) reentrancy-benign
Detect when a storage variable is written after an external call but not read before
9) reentrancy-events
Detect when an event is emitted after an external call leading to out-of-order events
10) dead-code
Private functions never used
More info on how to install it and its limitations can be found in the repo below 👇
https://github.com/crytic/caracal
@ethers_security
GitHub
GitHub - crytic/caracal: Static Analyzer for Starknet smart contracts
Variety in Role of Access Control in Solidity Smart Contracts. (this is cool)
Protecting the Decentralized Future: An Exploration of Common Blockchain Attacks and their Countermeasures
@EthSecurity1
Smart Contract Audits - Composable Security
The Role of Access Control in Solidity Smart Contracts - Smart Contract Audits - Composable Security
Once upon a time, in the mythical land of Soliditium, a courageous knight named Sir Codelot embarked on a grand mission.
Unveiling Transaction Simulation Challenges: Blowfish Case Study by Tiago Assumpcao (Coinspect).
An Empirical Study of Impact of Solidity Compiler Updates on Vulnerabilities in Ethereum Smart Contracts.
Typical vulnerabilities in LSD protocols by kasimonagasaki (Decurity)
@EthSecurity1
Coinspect Security
Unveiling Transaction Simulation Challenges: Blowfish Case Study
Phantom wallet vulnerability: Exploiting transaction simulation in Solana
Smashing bugs using Certora Prover: A hands on approach to Formal Verification of Smart Contracts
What's inside a node? Malicious IPFS nodes under the magnifying glass
@EthSecurity1
mirror.xyz
Smashing bugs using Certora Prover: A hands on approach to Forma…
To get your hands buffed up and get started with smashing bugs, you need to keep the following in your mind:
Pink drainer learned new tricks such as using private sales on Blur to prevent frontrunning by 0xQuit.
https://drops.scamsniffer.io/post/pink-drainer-steals-3m-from-multiple-hack-events-including-openai-cto-orbiter-finance/
Learn EVM Course by 0xMacro
Blockchain Censorship
Signature Malleability PoC by pcaversaccio.
@EthSecurity1
Scam Sniffer
Pink Drainer steals $3M from multiple hack events including OpenAI CTO, Orbiter Finance - Scam Sniffer
Overview Recently, there have been a large number of Discord and Twitter hacked events, including Evomos, Pika Protocol, OpenAI CTO, and Orbiter Finance. Hackers send phishing links through Discord accounts they’ve gained access to. Many users have opened…
EVM CFG - a fast and accurate CFG generator for EVM bytecode using symbolic stack analysis
CheckTheChain - a ChatGPT plugin that lets AI do blockchain analysis.
Uniswap V3 TWAP: Assessing TWAP Market Risk by Omer Goldberg.
Immunefi Bug Bounty Writeups List by sayan011.
@EthSecurity1
GitHub
GitHub - plotchy/evm-cfg: Symbolic stack CFG generator for EVM
Price & Reward Manipulation Attacks Distilled by Officercia
Numerical Analysis - Security Tips and Tricks for DeFi Audits by Spearbit.
Saving $100M at risk in KyberSwap Elastic by 100 Proof.
Election Fraud? Double Voting in Celer’s State Guardian Network by Felix Wilhelm.
@EthSecurity1
Medium
Price & Reward Manipulation Attacks Distilled
Today, we’re going to take a look at a variety of different attacks, dissect the ways in which they differ from one another, and discuss…
Satacom delivers browser extension that steals cryptocurrency by Kaspersky
Towards Understanding Crypto Money Laundering in Web3 Through the Lenses of Ethereum Heists
@EthSecurity1
Securelist
Recent Satacom campaign delivers cryptocurrency-stealing addon
A recent campaign by Satacom downloader is delivering a cryptocurrency-stealing extension for Chromium-based browsers, such as Chrome, Brave and Opera.