Forwarded from Vladimir S. | Officer's Channel (officercia)
Solidity Decompilers
https://github.com/eveem-org/panoramix — another decompiler
ethervm.io — online decompiler
ABI for unverified contracts
https://github.com/Jon-Becker/heimdall-rs — also includes a decompiler
Solidity data representation: https://ethdebug.github.io/solidity-data-representation/
Working in Web3: The Handbook: https://web3.smsunarto.com/
Solidity Style Guide: https://www.rareskills.io/post/solidity-style-guide/
@ethsecurity1
Officercia new post
https://blog.pessimistic.io/auditors-notes-initializing-proxy-oracles-multi-chain-e314ec0694b2
Curve Finance Analysis and Post-mortem
Theft of collateral tokens with fewer than 18 decimals
@EthSecurity1
ZKP vulnerabilities
Zcash hash collision
https://www.youtube.com/watch?v=W4zAbEnJQUw
Frozen heart
https://www.youtube.com/watch?v=ffPI0B2l2dY
@EthSecurity1
Time to shit on some proxy patterns.
- Beacon: it sucks in performance, antipattern that got psyoped into relevance.
- UUPS: devs need to pollute their implementations.
- Transparent: devs need to deploy 2 extra contracts and verify them every time. Much captcha.
@EthSecurity1
X users manipulated by ChatGPT bots to visit malicious crypto sites.
Dark days incoming
Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT
DeFi Hacks Analysis - Root Cause Analysis Part 2 SunSec
@EthSecyrity1
Web2 Bug Repellant Instructions
Exploring Tornado Cash In-Depth to Reveal Malleability Attacks in ZKP Projects
@EthSecurity1
Typical vulnerabilities in AMM protocols
https://blog.decurity.io/typical-vulnerabilities-in-amm-protocols-9006f7986ba0
How Does Ethereum Manage Data?
https://blog.smlxl.io/how-does-ethereum-manage-data-3ee85263134b?
@EthSecurity1
1-💡Foundry tips
Have you ever tried deploying contracts with different solidity versions with Foundry? https://twitter.com/GiuseppeDeLaZa/status/1699394882941395416
2-Month long DeFi security alpha thread
3-Common Cross-Chain Bridge Vulnerabilities
@Ethsecurity1
TSS Vulnerability Thread by Hein Alberts. A more accessible explanation of the above vulnerability and how it affected THORChain
A summary from the perspective of Sigma Prime on the security GigaSpace: The Future of Web3 Security Reviews.
@EthSecurity1
Enso Transaction Simulator - Ethereum transaction simulator leveraging Foundry's codebase.
BrokenToken - a tool designed to automatically test smart contracts that interact with ERC20 tokens for unexpected behavior that may result in exploits.
mev-share-rs - Rust utils for MEV-share.
Alloy - Fast, battle-tested and well-documented building blocks for Ethereum, in Rust.
Releasing Reth! by Georgios Konstantopoulos (Paradigm).
SmartBugs - A Framework for Analysing Ethereum Smart Contracts.
Titanoboa - A Vyper interpreter with pretty tracebacks, forking, debugging
@EthSecurity1
Haggling With Hackers: Surprising Lessons From 50 Negotiations With Ransomware Gangs.
Advanced Wizard Guide to Dune SQL and Ethereum Data Analytics
• LABRAT: Stealthy Cryptojacking and Proxyjacking Campaign Targeting GitLab
Beware cool-looking beta crypto-apps. They may be money-stealing fakes.
@EthSecurity1
Breaking down the Top 50 DeFi hacks 2016-2022
Reports of fake crypto job posting used to spread wallet stealer malware.
Magnate Finance disappears with over $6 million in apparent 'rug pull'.
Sort of professionals creating a web3sec community. Check out the DeFiHackLabs Partnership Application:
forms.gle/M7WiCJiuGkdBxP…
DeFiHackLabs Discord: discord.gg/Akky65mbz9
@EthSecurity1
I want to do more in web3Security space
If you have a proposal or partnership ideas you can DM @EthDev1
Hello mates, I decided to share daily Ethereum developer interview Q&A besides the ordinary security knowledge sharing, from zero to hero.
1-What is the difference between private, internal, public, and external functions?
Here are the main differences between private, internal, public and external functions in Solidity:
Private: Can only be called within the currently executing contract, not externally or inherited. Not part of the ABI.
Internal: Can be called internally from current contract or inherited contracts/libraries. Not part of the ABI.
Public: Part of the ABI and contract interface. Can be called externally or internally.
External: Part of the ABI but cannot access contract state. Can only be called externally from other contracts.
In summary:
Private: callable only within current contract
Internal: callable internally or by inheriting contracts
Public: callable internally or externally via ABI
External: callable externally via ABI but not state-changing
The visibility degrees follow this order:
private < internal < public < external
With private being the most restrictive and external the most accessible from outside the contract and inheriting contracts.
2-Approximately, how large can a smart contract be?
There is no hard limit on the size of smart contracts in Ethereum, but there are some practical constraints:
Code size: Contract bytecode (compiled code) is typically limited to around 24KB due to EVM limitations. Larger code requires optimization.
Deployment cost: Deploying large contracts can be prohibitively expensive due to high upfront gas costs of several million gas or more.
Complexity: Very large contracts with many operations slow down node verification times and can impact decentralization.
Updating: Updating logic in deployed contracts is complex/costly for large codebases, favoring smaller focused updates.
Testing: Thoroughly testing contracts with many operations and edge cases becomes intractable at larger sizes.
In general, contracts larger than around 5KB start facing significant constraints. Most real-world contracts are below 1KB.
As a rough guideline:
Up to 5KB: Typical size for production contracts
5-20KB: Possible but requiring careful optimization
20-24KB: Theoretical limit, extremely large
Over 24KB: Not viable, would require optimization techniques like splitting across multiple contracts.
So in summary, while theoretically unbounded, practical constraints of deployment costs, complexity and maintainability favor targeting smaller contract sizes below 5KB whenever possible.
@EthSecurity1
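The four visibility levels from the first Q&A above, shown as an added Solidity example (this is not code from the original post; the contract and function names `Vault`, `AuditedVault`, `Caller`, `_credit`, `_record`, `deposit`, `peekBalance` and `selfPeek` are invented for illustration). A base contract carries one function per visibility level, a child contract shows what is inherited, and an unrelated contract shows what is reachable through the ABI only. The commented-out lines are the calls the compiler rejects.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not from the original post. Names are hypothetical.
contract Vault {
    uint256 private balance;        // state only this contract's own code touches directly
    uint256 public totalDeposits;   // public state variable: the compiler emits an ABI getter

    // private: callable only from Vault itself; not inherited, not in the ABI.
    function _credit(uint256 amount) private {
        balance += amount;
    }

    // internal: callable from Vault and from contracts that inherit it; not in the ABI.
    function _record(uint256 amount) internal {
        totalDeposits += amount;
        _credit(amount);
    }

    // public: in the ABI, callable both externally and as a plain internal call.
    function deposit(uint256 amount) public {
        _record(amount);
    }

    // external: in the ABI, callable from other contracts and EOAs. Note that it
    // still reads contract state; the restriction is on the call path, not on
    // state access. It cannot be invoked as a plain internal call.
    function peekBalance() external view returns (uint256) {
        return balance;
    }

    // Reaching an external function from inside the same contract must go
    // through `this.`, which is a real message call (STATICCALL for view) and
    // costs more gas than an internal jump.
    function selfPeek() public view returns (uint256) {
        return this.peekBalance();
        // return peekBalance();   // would not compile: external, no internal path
    }
}

contract AuditedVault is Vault {
    // Inheriting contract: internal and public functions are visible here,
    // private ones are not.
    function bulkDeposit(uint256 a, uint256 b) external {
        _record(a);   // internal: allowed from a child
        deposit(b);   // public: allowed internally as well
        // _credit(a); // would not compile: private to Vault
    }
}

contract Caller {
    // Unrelated contract: only the ABI surface is reachable, i.e. public and
    // external functions plus public-variable getters.
    function probe(Vault v) external returns (uint256 total, uint256 seen) {
        v.deposit(5);
        total = v.totalDeposits();   // auto-generated getter
        seen = v.peekBalance();      // external view function
        // v._record(5);             // would not compile: internal, not in the ABI
    }
}
```

For review purposes the useful habit is to read the ABI surface (public, external, public getters) as the attack surface: everything below it (internal, private) can only be reached through those entry points, so access-control checks belong on the public and external functions, not on the helpers they call.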
Minimal Proxy Compendium https://banteg.xyz/posts/minimal-proxies/
Cryogen - blockchain dataset management tool by banteg
Huff breakpoints for Foundry debugger
Reports of Google Adwords used to redirect users to crypto phishing sites which already cost one user $900k after visiting a malicious Celer Bridge Dapp
@EthSecurity1