New toys
ZK Bugs Tracker.
"A community-maintained collection of bugs, vulnerabilities, and exploits in apps using ZK crypto"
https://github.com/0xPARC/zk-bug-tracker
Auditing zkEVM and it's attack surfaces
https://www.youtube.com/watch?v=cxx7PJ4vhZM
Algebraic attacks on zk hash functions
https://www.zellic.io/blog/algebraic-attacks-on-zk-hash-functions
@ethers_security
ZK Bugs Tracker.
"A community-maintained collection of bugs, vulnerabilities, and exploits in apps using ZK crypto"
https://github.com/0xPARC/zk-bug-tracker
Auditing zkEVM and it's attack surfaces
https://www.youtube.com/watch?v=cxx7PJ4vhZM
Algebraic attacks on zk hash functions
https://www.zellic.io/blog/algebraic-attacks-on-zk-hash-functions
@ethers_security
GitHub
GitHub - 0xPARC/zk-bug-tracker: A community-maintained collection of bugs, vulnerabilities, and exploits in apps using ZK crypto.
A community-maintained collection of bugs, vulnerabilities, and exploits in apps using ZK crypto. - 0xPARC/zk-bug-tracker
👍5
A Diffusc tool from TrailOfBits for Differential fuzzing
"It's a differential fuzzer built on top of Echidna and Slither to ease the review of smart contracts upgrades"
https://blog.trailofbits.com/2023/07/07/differential-fuzz-testing-upgradeable-smart-contracts-with-diffusc/
@ethers_security
"It's a differential fuzzer built on top of Echidna and Slither to ease the review of smart contracts upgrades"
https://blog.trailofbits.com/2023/07/07/differential-fuzz-testing-upgradeable-smart-contracts-with-diffusc/
@ethers_security
The Trail of Bits Blog
Differential fuzz testing upgradeable smart contracts with Diffusc
On March 28, 2023, SafeMoon, a self-styled “community-focused DeFi token” on Binance Smart Chain, lost the equivalent of $8.9 million in Binance Coin BNB to an exploit in a liquidity pool. The exploit leveraged a simple error introduced in an upgrade to SafeMoon’s…
🔥6🍌2
Arbiter is a tool build by Primitivefinance in order to rigorously test the performance and security of their own protocol. Arbiter is pure Rust. It uses a Rust-based EVM called revm in order to run smart contracts directly (revm is used inside of the Anvil testnet and RETH client).
They use revm without any overhead of a network, thus providing a speed benefit and allowing to directly test contracts so that you:
- Do not have to re-implement a copy protocol in another language
- Can test every aspect of the protocol with EVM parity
- See how contracts behave in a realistic on-chain-like scenarios with agents and other contracts
@ethers_security
The tool: https://github.com/primitivefinance/arbiter
They use revm without any overhead of a network, thus providing a speed benefit and allowing to directly test contracts so that you:
- Do not have to re-implement a copy protocol in another language
- Can test every aspect of the protocol with EVM parity
- See how contracts behave in a realistic on-chain-like scenarios with agents and other contracts
@ethers_security
The tool: https://github.com/primitivefinance/arbiter
GitHub
GitHub - harnesslabs/arbiter: Multi-agent framework for design, simulation, and auditing.
Multi-agent framework for design, simulation, and auditing. - harnesslabs/arbiter
👍2
Forwarded from EthSecurity
Arbiter - EVM logic simulator for security and performance testing @EthSecurity1
YouTube
Arbiter - EVM logic simulator for security and performance testing
Arbiter is a tool build by Primitivefinance in order to rigorously test the performance and security of their own protocol. Arbiter is pure Rust. It uses a Rust-based EVM called revm in order to run smart contracts directly (revm is used inside of the Anvil…
It is a mutation testing tool designed for the circom programming language.
This tool primarily revolves around the source-based rewrite of circom code lines to generate mutations.
Currently, it operates by utilizing regular expressions to treat the code as text. This methodology may evolve in the future, potentially incorporating the transpiling of circom circuits into an intermediate representation to enable deeper analyses.
The majority of mutators are based on:
- 0xPARC's ZK Bug Tracker
- Circomspect's analysis passes
- yAcademy ZK Fellowship audits
For instance, certain circuits may permit an attacker to create fake witnesses by randomly selecting edge cases (such as zero point, points at infinity, or additions with p & -p). These circuits will expect app developers to perform these verifications.
Nevertheless, it remains important to verify that failures detected by circom-mutator are indeed false positives, rather than a result of insufficient test coverage
@ethers_security
https://github.com/aviggiano/circom-mutator#readme
Please open Telegram to view this post
VIEW IN TELEGRAM
GitHub
GitHub - 0xPARC/zk-bug-tracker: A community-maintained collection of bugs, vulnerabilities, and exploits in apps using ZK crypto.
A community-maintained collection of bugs, vulnerabilities, and exploits in apps using ZK crypto. - 0xPARC/zk-bug-tracker
❤3
What is Caracal?
Caracal is a static analyzer tool over the SIERRA representation for Starknet smart contracts.
What about its Features?
👉Detectors to detect vulnerable Cairo code
👉Printers to report information
👉Taint analysis
👉Data flow analysis framework
👉Easy to run in Scarb projects
Any overview of its detectors?
1) controlled-library-call
Library calls with a user controlled class hash
2) unchecked-l1-handler-from
Detect L1 handlers without from address check
3) reentrancy
Detect when a storage variable is read before an external call and written after
4) unused-events
Events defined but not emitted
5) unused-return
Unused return values
6) unenforced-view
Function has view decorator but modifies state
7) unused-arguments
Unused arguments
8) reentrancy-benign
Detect when a storage variable is written after an external call but not read before
9) reentrancy-events
Detect when an event is emitted after an external call leading to out-of-order events
10) dead-code
Private functions never used
More info on how to install it and its limitations can be found in the repo below 👇
https://github.com/crytic/caracal
@ethers_security
Caracal is a static analyzer tool over the SIERRA representation for Starknet smart contracts.
What about its Features?
👉Detectors to detect vulnerable Cairo code
👉Printers to report information
👉Taint analysis
👉Data flow analysis framework
👉Easy to run in Scarb projects
Any overview of its detectors?
1) controlled-library-call
Library calls with a user controlled class hash
2) unchecked-l1-handler-from
Detect L1 handlers without from address check
3) reentrancy
Detect when a storage variable is read before an external call and written after
4) unused-events
Events defined but not emitted
5) unused-return
Unused return values
6) unenforced-view
Function has view decorator but modifies state
7) unused-arguments
Unused arguments
8) reentrancy-benign
Detect when a storage variable is written after an external call but not read before
9) reentrancy-events
Detect when an event is emitted after an external call leading to out-of-order events
10) dead-code
Private functions never used
More info on how to install it and its limitations can be found in the repo below 👇
https://github.com/crytic/caracal
@ethers_security
GitHub
GitHub - crytic/caracal: Static Analyzer for Starknet smart contracts
Static Analyzer for Starknet smart contracts. Contribute to crytic/caracal development by creating an account on GitHub.
Forwarded from Sun (Will never DM first)
Web3 DevSecOps is very important!
https://twitter.com/1nf0s3cpt/status/1684573117765898242
https://twitter.com/1nf0s3cpt/status/1684573117765898242
X (formerly Twitter)
SunSec (@1nf0s3cpt) on X
Web3 DevSecOps is very important!
I have learned a lot during the process of deploying the Protocol to the Mainnet recently.
I will share some thoughts on how to protect your protocol in🧵
#web3sec #devops #sre
I have learned a lot during the process of deploying the Protocol to the Mainnet recently.
I will share some thoughts on how to protect your protocol in🧵
#web3sec #devops #sre
❤3
Some people are still unaware of this masterpiece. Hopefully, you ain't one of them. If you are, it's not too late to start using it 🙏
https://medium.com/cyfrin/the-best-security-education-tool-in-web3-dd23717fbe58
@ethers_security
https://medium.com/cyfrin/the-best-security-education-tool-in-web3-dd23717fbe58
@ethers_security
Medium
The Best Security Education Tool in Web3
The Birth of Solodit, the best smart contract security audit tool in Web3
NFTek News 🗞️ NFTek.eth
https://nftnow.com/news/sim-swap-attacks-rising-in-web3/
GitHub
GitHub - OffcierCia/Crypto-OpSec-SelfGuard-RoadMap: Here we collect and discuss the best DeFi, Blockchain and crypto-related OpSec…
Here we collect and discuss the best DeFi, Blockchain and crypto-related OpSec researches and data terminals - contributions are welcome. - OffcierCia/Crypto-OpSec-SelfGuard-RoadMap
🔥2❤1👍1
Forwarded from Vladimir S. | Officer's Channel (officercia)
2nd part is out 👀
Link: officercia.mirror.xyz/AoRdvL3Lp5K5JHjlgpWaOHo_CehH-amZSAm9pxuFdwQ
More at @officercia 🫡️️
#security #audit
Link: officercia.mirror.xyz/AoRdvL3Lp5K5JHjlgpWaOHo_CehH-amZSAm9pxuFdwQ
More at @officercia 🫡️️
#security #audit
👍3
Forwarded from Officer’s Articles
❤2👍1