Differential Fuzzing On Solidity Fixed-Point Libraries link
Pre-deployment Analysis of Smart Contracts -- A Survey link
With Trail to Follow: Measurements of Real-world Non-fungible Token Phishing Attacks on Ethereum. link
@EthSecurity1
Pre-deployment Analysis of Smart Contracts -- A Survey link
With Trail to Follow: Measurements of Real-world Non-fungible Token Phishing Attacks on Ethereum. link
@EthSecurity1
ventraldigital
Fuzzing Vyper Contracts Using Foundry • Ventral Digital
Ventral Digital LLC is a research and consultancy firm specializing in Information Security and Privacy.
👍3
Arbiter - EVM logic simulator for security and performance testing @EthSecurity1
YouTube
Arbiter - EVM logic simulator for security and performance testing
Arbiter is a tool build by Primitivefinance in order to rigorously test the performance and security of their own protocol. Arbiter is pure Rust. It uses a Rust-based EVM called revm in order to run smart contracts directly (revm is used inside of the Anvil…
👍4❤2
Do not miss officercia articles
Short types in solidity: Rare tricks
http://officercia.mirror.xyz/SnmH8v6QV6jHa64boANXySxBZsem8oiSP7zxgss_BEU
Amm integration
http://blog.pessimistic.io/amm-automatic-market-makers-integration-tips-e42fe275e13c?1
@EthSecurity1
Short types in solidity: Rare tricks
http://officercia.mirror.xyz/SnmH8v6QV6jHa64boANXySxBZsem8oiSP7zxgss_BEU
Amm integration
http://blog.pessimistic.io/amm-automatic-market-makers-integration-tips-e42fe275e13c?1
@EthSecurity1
👏2❤1🔥1
Forwarded from Daily Security
What is Caracal?
Caracal is a static analyzer tool over the SIERRA representation for Starknet smart contracts.
What about its Features?
👉Detectors to detect vulnerable Cairo code
👉Printers to report information
👉Taint analysis
👉Data flow analysis framework
👉Easy to run in Scarb projects
Any overview of its detectors?
1) controlled-library-call
Library calls with a user controlled class hash
2) unchecked-l1-handler-from
Detect L1 handlers without from address check
3) reentrancy
Detect when a storage variable is read before an external call and written after
4) unused-events
Events defined but not emitted
5) unused-return
Unused return values
6) unenforced-view
Function has view decorator but modifies state
7) unused-arguments
Unused arguments
8) reentrancy-benign
Detect when a storage variable is written after an external call but not read before
9) reentrancy-events
Detect when an event is emitted after an external call leading to out-of-order events
10) dead-code
Private functions never used
More info on how to install it and its limitations can be found in the repo below 👇
https://github.com/crytic/caracal
@ethers_security
Caracal is a static analyzer tool over the SIERRA representation for Starknet smart contracts.
What about its Features?
👉Detectors to detect vulnerable Cairo code
👉Printers to report information
👉Taint analysis
👉Data flow analysis framework
👉Easy to run in Scarb projects
Any overview of its detectors?
1) controlled-library-call
Library calls with a user controlled class hash
2) unchecked-l1-handler-from
Detect L1 handlers without from address check
3) reentrancy
Detect when a storage variable is read before an external call and written after
4) unused-events
Events defined but not emitted
5) unused-return
Unused return values
6) unenforced-view
Function has view decorator but modifies state
7) unused-arguments
Unused arguments
8) reentrancy-benign
Detect when a storage variable is written after an external call but not read before
9) reentrancy-events
Detect when an event is emitted after an external call leading to out-of-order events
10) dead-code
Private functions never used
More info on how to install it and its limitations can be found in the repo below 👇
https://github.com/crytic/caracal
@ethers_security
GitHub
GitHub - crytic/caracal: Static Analyzer for Starknet smart contracts
Static Analyzer for Starknet smart contracts. Contribute to crytic/caracal development by creating an account on GitHub.
❤2🔥2
Variaty in Role of Access Control in Solidity Smart Contracts. (this is cool)
Protecting the Decentralized Future: An Exploration of Common Blockchain Attacks and their Countermeasures
@EthSecurity1
Protecting the Decentralized Future: An Exploration of Common Blockchain Attacks and their Countermeasures
@EthSecurity1
Smart Contract Audits - Composable Security
The Role of Access Control in Solidity Smart Contracts - Smart Contract Audits - Composable Security
Once upon a time, in the mythical land of Soliditium, a courageous knight named Sir Codelot embarked on a grand mission.
🔥3❤1👍1👏1
Unveiling Transaction Simulation Challenges: Blowfish Case Study by Tiago Assumpcao (Coinspect).
An Empirical Study of Impact of Solidity Compiler Updates on Vulnerabilities in Ethereum Smart Contracts.
Typical vulnerabilities in LSD protocols by kasimonagasaki (Decurity)
@EthSecurity1
An Empirical Study of Impact of Solidity Compiler Updates on Vulnerabilities in Ethereum Smart Contracts.
Typical vulnerabilities in LSD protocols by kasimonagasaki (Decurity)
@EthSecurity1
Coinspect Security
Unveiling Transaction Simulation Challenges: Blowfish Case Study
Phantom wallet vulnerability: Exploiting transaction simulation in Solana
🔥3❤2👍1
Smashing bugs using Certora Prover: A hands on approach to Formal Verification of Smart Contracts
What's inside a node? Malicious IPFS nodes under the magnifying glass
@EthSecurity1
What's inside a node? Malicious IPFS nodes under the magnifying glass
@EthSecurity1
mirror.xyz
Smashing bugs using Certora Prover: A hands on approach to Forma…
To get your hands buffed up and get started with smashing bugs, you need to keep the following in in your mind:
🔥5👏1
Pink drainer learned new tricks such as using private sales on Blur to prevent frontrunning by 0xQuit.
https://drops.scamsniffer.io/post/pink-drainer-steals-3m-from-multiple-hack-events-including-openai-cto-orbiter-finance/
Learn EVM Course by 0xMacro
Blockchain Censorship
Signature Malleability PoC by pcaversaccio.
@EthSecurity1
https://drops.scamsniffer.io/post/pink-drainer-steals-3m-from-multiple-hack-events-including-openai-cto-orbiter-finance/
Learn EVM Course by 0xMacro
Blockchain Censorship
Signature Malleability PoC by pcaversaccio.
@EthSecurity1
Scam Sniffer
Pink Drainer steals $3M from multiple hack events including OpenAI CTO, Orbiter Finance - Scam Sniffer
Overview Recently, there have been a large number of Discord and Twitter hacked events, including Evomos, Pika Protocol, OpenAI CTO, and Orbiter Finance. Hackers send phishing links through Discord accounts they’ve gained access to. Many users have opened…
EVM CFG - a fast and accurate CFG generator for EVM bytecode using symbolic stack analysis
CheckTheChain - a ChatGPT plugin that lets AI do blockchain analysis.
Uniswap V3 TWAP: Assessing TWAP Market Risk by Omer Goldberg.
Immunefi Bug Bounty Writeups List by sayan011.
@EthSecurity1
CheckTheChain - a ChatGPT plugin that lets AI do blockchain analysis.
Uniswap V3 TWAP: Assessing TWAP Market Risk by Omer Goldberg.
Immunefi Bug Bounty Writeups List by sayan011.
@EthSecurity1
GitHub
GitHub - plotchy/evm-cfg: Symbolic stack CFG generator for EVM
Symbolic stack CFG generator for EVM. Contribute to plotchy/evm-cfg development by creating an account on GitHub.
👍3🔥3
Price & Reward Manipulation Attacks Distilled by Officercia
Numerical Analysis - Security Tips and Tricks for DeFi Audits by Spearbit.
Saving $100M at risk in KyberSwap Elastic by 100 Proof.
Election Fraud? Double Voting in Celer’s State Guardian Network by Felix Wilhelm.
@EthSecurity1
Numerical Analysis - Security Tips and Tricks for DeFi Audits by Spearbit.
Saving $100M at risk in KyberSwap Elastic by 100 Proof.
Election Fraud? Double Voting in Celer’s State Guardian Network by Felix Wilhelm.
@EthSecurity1
Medium
Price & Reward Manipulation Attacks Distilled
Today, we’re going to take a look at a variety of different attacks, dissect the ways in which they differ from one another, and discuss…
🔥2🦄2❤1
Satacom delivers browser extension that steals cryptocurrency by Kaspersky
Towards Understanding Crypto Money Laundering in Web3 Through the Lenses of Ethereum Heists
@EthSecurity1
Towards Understanding Crypto Money Laundering in Web3 Through the Lenses of Ethereum Heists
@EthSecurity1
Securelist
Recent Satacom campaign delivers cryptocurrency-stealing addon
A recent campaign by Satacom downloader is delivering a cryptocurrency-stealing extension for Chromium-based browsers, such as Chrome, Brave and Opera.
Struggling with codebases? Try this:
1) Manage workload in bite-size sections daily
2) Interact with code through comments
3) Understand the code before the docs
4) Use state machines to track variable changes. Stay organized, stay efficient.
@EthSecurity1
1) Manage workload in bite-size sections daily
2) Interact with code through comments
3) Understand the code before the docs
4) Use state machines to track variable changes. Stay organized, stay efficient.
@EthSecurity1
🔥4
huff vs yul
inline assembly???
In a way, yes. Yul is an assembly language, but it is designed to be used in conjunction with Solidity as a lower-level alternative to Solidity's high-level syntax. but Huff is not inline assembly
optimization???
Huff provides even greater efficiency and optimization at the cost of more complex programming. it is great to manage jumps and stacks
@EthSecurity1
inline assembly???
In a way, yes. Yul is an assembly language, but it is designed to be used in conjunction with Solidity as a lower-level alternative to Solidity's high-level syntax. but Huff is not inline assembly
optimization???
Huff provides even greater efficiency and optimization at the cost of more complex programming. it is great to manage jumps and stacks
@EthSecurity1
❤5
6 security sins of Web3 bridges by Damian Rusinek.
Catch me if you can! Learning about edge cases of Solidity's try/catch while I explored Account Abstraction by matta.
@EthSecurity1
Catch me if you can! Learning about edge cases of Solidity's try/catch while I explored Account Abstraction by matta.
@EthSecurity1
Smart Contract Audits - Composable Security 🇵🇱⛓
Bridge exploits account for ~50% of all decentralized finance exploits since September 2020, totaling ~$2.5B in lost assets, according to…
❤5
All things reentrancy! workshop by Jsec Security.
Intro to Smart Contract Security Audit — Front Running by SlowMist
ArbiNet is the MEV detection model that doesn't require knowledge about DeFi smart contracts.
@EthSecurity1
Intro to Smart Contract Security Audit — Front Running by SlowMist
ArbiNet is the MEV detection model that doesn't require knowledge about DeFi smart contracts.
@EthSecurity1
GitHub
GitHub - jcsec-security/all-things-reentrancy: Workshop about the different types of reentrancy attacks
Workshop about the different types of reentrancy attacks - jcsec-security/all-things-reentrancy
👍5
Forwarded from Vladimir S. | Officer's Channel (officercia)
GM! Check out my latest piece!
I'll describe Web3 audits, CTFs, and compare the corresponding security methodologies in it.
Also presenting a new project from my friend’s team r(dot)xyz - go check it out as well fam!
• officercia.mirror.xyz/VmSJDoV3c8xKDMRjTOl4DQ7KPgBTlb8cVdcTlOJxj1g
#security #web3
I'll describe Web3 audits, CTFs, and compare the corresponding security methodologies in it.
Also presenting a new project from my friend’s team r(dot)xyz - go check it out as well fam!
• officercia.mirror.xyz/VmSJDoV3c8xKDMRjTOl4DQ7KPgBTlb8cVdcTlOJxj1g
#security #web3
intro to zkp Security.this promoted by spearbit
https://www.youtube.com/watch?v=8wsR7o0rOxU&feature=youtu.be
@EthSecurity1
https://www.youtube.com/watch?v=8wsR7o0rOxU&feature=youtu.be
@EthSecurity1
🔥3