Daily Security – Telegram
Forwarded from EthSecurity
Web3 Dev
1) How do you construct a lending protocol that supports arbitrary collateral, has no oracles, and has no expirations?

Read the whitepaper to find out:
paradigm.xyz/2023/05/blend

2) Web3education.dev brought by patrick collins

@EthSecurity1
Forwarded from EthSecurity
If you see a Solidity method that has an argument of type array, always check for 3 things:

1. What if the array length is 0?
2. What if there are duplicated elements in the array?
3. What if there are zero value elements in the array?
@EthSecurity1
Audit checklists for CDP (Collateralized Debt Positions)

Give it a star🙏

https://github.com/Decurity/audit-checklists/blob/master/cdp.md
How to reset the nonce of Deployer?
Solidity Security: Comprehensive list of known attack vectors and common anti-patterns
This is an in-depth and up-to-date introductory post detailing the past mistakes that have been made by Solidity developers in an effort to prevent future devs from repeating history.

https://blog.sigmaprime.io/solidity-security.html

@ethers_security
Daily Security pinned «Typical vulnerabilities in LSD(not a drug, but Liquid Staking Derivatives) protocols. Check it out 😁🙏 https://blog.decurity.io/typical-vulnerabilities-in-lsd-protocols-e52ffe4ee175 https://mixbytes.io/blog/liquid @ethers_security»
Forwarded from Vladimir S. | Officer's Channel (officercia)
GM!

This article is a thorough examination of the subject that will teach you what Read-only Reentrancy is, how to detect it, and how to effectively defend your project and users against it!

Check it out:

blog.pessimistic.io/read-only-reentrancy-in-depth-6ea7e9d78e85?1

#security #audit #web3
Well done💪
Forwarded from EthSecurity
Here are some key auditing tips and insights:
1. Understand the System: Before starting the audit, it's important to understand the system you're auditing. This includes understanding the high-level overview of the system, how it works, and what makes it unique. In the case of Asteria, understanding the roles of different players in the system, how vaults exist, how loans are represented, and how liquidations work was crucial.
2. Identify Complexities: Identify the complexities in the system. For example, in Asteria the complexities included calls going back and forth between contracts, the system being almost entirely stateless, and the need for accurate total assets of the vault.
3. Look for Vulnerabilities: Look for vulnerabilities in the system. In the case of Asteria, vulnerabilities were found in the delegate role, the stateless system, the Seaport auctions, and the ERC4626 calculations.
4. Learn from Mistakes: Learn from the mistakes made in the system. For Asteria, mistakes were made in not using ecrecover properly, having a lot of data inputted, having many different entry points using shared back-end logic, and not resetting variables when changing hands.
5. Implement Fixes: Implement fixes for the vulnerabilities found. For Asteria, fixes included adding checks, getting rid of certain functions, adding unchecked blocks, and changing the way the Seaport liquidations work.
6. Test Thoroughly: Ensure thorough testing is done to cover all edge cases. In the case of Asteria, while they had done the hard parts of testing, they could have done more thorough testing to ensure all edge cases were covered.
7. Rebuild if Necessary: If the product has evolved a lot and more features have been added, it might be beneficial to rebuild or rethink the system from first principles. This can help ensure that all functionalities are encoded in shared logic and that all validations are rock solid.
8. Stay Updated: Stay updated with the latest vulnerabilities and fixes in the blockchain and smart contract space. This can help you identify potential vulnerabilities in the system you're auditing.
Remember, auditing is a complex process that requires a deep understanding of the system, a keen eye for detail, and a thorough approach to testing. @EthSecurity1