Forwarded from EthSecurity
Arbiter - EVM logic simulator for security and performance testing @EthSecurity1
YouTube
Arbiter - EVM logic simulator for security and performance testing
Arbiter is a tool build by Primitivefinance in order to rigorously test the performance and security of their own protocol. Arbiter is pure Rust. It uses a Rust-based EVM called revm in order to run smart contracts directly (revm is used inside of the Anvil…
It is a mutation testing tool designed for the circom programming language.
This tool primarily revolves around the source-based rewrite of circom code lines to generate mutations.
Currently, it operates by utilizing regular expressions to treat the code as text. This methodology may evolve in the future, potentially incorporating the transpiling of circom circuits into an intermediate representation to enable deeper analyses.
The majority of mutators are based on:
- 0xPARC's ZK Bug Tracker
- Circomspect's analysis passes
- yAcademy ZK Fellowship audits
For instance, certain circuits may permit an attacker to create fake witnesses by randomly selecting edge cases (such as zero point, points at infinity, or additions with p & -p). These circuits will expect app developers to perform these verifications.
Nevertheless, it remains important to verify that failures detected by circom-mutator are indeed false positives, rather than a result of insufficient test coverage
@ethers_security
https://github.com/aviggiano/circom-mutator#readme
Please open Telegram to view this post
VIEW IN TELEGRAM
GitHub
GitHub - 0xPARC/zk-bug-tracker: A community-maintained collection of bugs, vulnerabilities, and exploits in apps using ZK crypto.
A community-maintained collection of bugs, vulnerabilities, and exploits in apps using ZK crypto. - 0xPARC/zk-bug-tracker
❤3
What is Caracal?
Caracal is a static analyzer tool over the SIERRA representation for Starknet smart contracts.
What about its Features?
👉Detectors to detect vulnerable Cairo code
👉Printers to report information
👉Taint analysis
👉Data flow analysis framework
👉Easy to run in Scarb projects
Any overview of its detectors?
1) controlled-library-call
Library calls with a user controlled class hash
2) unchecked-l1-handler-from
Detect L1 handlers without from address check
3) reentrancy
Detect when a storage variable is read before an external call and written after
4) unused-events
Events defined but not emitted
5) unused-return
Unused return values
6) unenforced-view
Function has view decorator but modifies state
7) unused-arguments
Unused arguments
8) reentrancy-benign
Detect when a storage variable is written after an external call but not read before
9) reentrancy-events
Detect when an event is emitted after an external call leading to out-of-order events
10) dead-code
Private functions never used
More info on how to install it and its limitations can be found in the repo below 👇
https://github.com/crytic/caracal
@ethers_security
Caracal is a static analyzer tool over the SIERRA representation for Starknet smart contracts.
What about its Features?
👉Detectors to detect vulnerable Cairo code
👉Printers to report information
👉Taint analysis
👉Data flow analysis framework
👉Easy to run in Scarb projects
Any overview of its detectors?
1) controlled-library-call
Library calls with a user controlled class hash
2) unchecked-l1-handler-from
Detect L1 handlers without from address check
3) reentrancy
Detect when a storage variable is read before an external call and written after
4) unused-events
Events defined but not emitted
5) unused-return
Unused return values
6) unenforced-view
Function has view decorator but modifies state
7) unused-arguments
Unused arguments
8) reentrancy-benign
Detect when a storage variable is written after an external call but not read before
9) reentrancy-events
Detect when an event is emitted after an external call leading to out-of-order events
10) dead-code
Private functions never used
More info on how to install it and its limitations can be found in the repo below 👇
https://github.com/crytic/caracal
@ethers_security
GitHub
GitHub - crytic/caracal: Static Analyzer for Starknet smart contracts
Static Analyzer for Starknet smart contracts. Contribute to crytic/caracal development by creating an account on GitHub.
Forwarded from Sun (Will never DM first)
Web3 DevSecOps is very important!
https://twitter.com/1nf0s3cpt/status/1684573117765898242
https://twitter.com/1nf0s3cpt/status/1684573117765898242
X (formerly Twitter)
SunSec (@1nf0s3cpt) on X
Web3 DevSecOps is very important!
I have learned a lot during the process of deploying the Protocol to the Mainnet recently.
I will share some thoughts on how to protect your protocol in🧵
#web3sec #devops #sre
I have learned a lot during the process of deploying the Protocol to the Mainnet recently.
I will share some thoughts on how to protect your protocol in🧵
#web3sec #devops #sre
❤3
Some people are still unaware of this masterpiece. Hopefully, you ain't one of them. If you are, it's not too late to start using it 🙏
https://medium.com/cyfrin/the-best-security-education-tool-in-web3-dd23717fbe58
@ethers_security
https://medium.com/cyfrin/the-best-security-education-tool-in-web3-dd23717fbe58
@ethers_security
Medium
The Best Security Education Tool in Web3
The Birth of Solodit, the best smart contract security audit tool in Web3
NFTek News 🗞️ NFTek.eth
https://nftnow.com/news/sim-swap-attacks-rising-in-web3/
GitHub
GitHub - OffcierCia/Crypto-OpSec-SelfGuard-RoadMap: Here we collect and discuss the best DeFi, Blockchain and crypto-related OpSec…
Here we collect and discuss the best DeFi, Blockchain and crypto-related OpSec researches and data terminals - contributions are welcome. - OffcierCia/Crypto-OpSec-SelfGuard-RoadMap
🔥2❤1👍1
Forwarded from Vladimir S. | Officer's Channel (officercia)
2nd part is out 👀
Link: officercia.mirror.xyz/AoRdvL3Lp5K5JHjlgpWaOHo_CehH-amZSAm9pxuFdwQ
More at @officercia 🫡️️
#security #audit
Link: officercia.mirror.xyz/AoRdvL3Lp5K5JHjlgpWaOHo_CehH-amZSAm9pxuFdwQ
More at @officercia 🫡️️
#security #audit
👍3
Forwarded from Officer’s Articles
❤2👍1
Forwarded from EthSecurity
Kebabsec
Squashing a Pesky Bug in UniswapX
About a week after the launch of UniswapX I submitted a bug report to Uniswap Labs’ bug bounty program. The bug was regarding an unsafe user balance check performed during order settlement. This was a high risk vulnerability that put any user creating an…
🤯4