Diligence Blog

Latest

Reproducing the DeusDao exploit with Diligence Fuzzing

On May 6th 2023 DeusDao was exploited resulting in $6.5M in losses. A detailed write-up of the event can be found here. The root cause of the exploit, was a logical error in the burnFrom function. function burnFrom(address account, uint256 amount) public virtual { uint256 currentAllowance = _allowances[_msgSender()][account]; _approve(account, _msgSender(), currentAllowance - amount); _burn(account, amount); } On the first line of burnFrom, the message sender and account are accidentally swapped when computing the allowance for tokens to burn.
August 01, 2023

Why Your Web3 Project Needs A Bug Bounty Program

Crypto hacks are costing projects millions in user funds. Bug bounty programs can help prevent exploits and secure the Web3 ecosystem. Bug bounties provide financial incentives for hackers and researchers to disclose flaws in applications to development teams. In the tech industry, where minor software errors can lead to catastrophic losses, bug bounties provide a cost-effective method for detecting vulnerabilities in code. Bug bounties have a long history: In 1983, microprocessor manufacturer Hunter & Ready launched the “Bug for a Bug” program—finding flaws in its VRTX operating system earned the finder a Volkswagen Beetle, commonly called the “Bug”.
ConsenSys Diligence
June 21, 2023

ConsenSys Diligence and Socket partner for secure Socket Liquidity Layer smart contracts

While smart contract systems of today have the capability to be deployed with permissions, upgradeable proxies, and ways to add extra logic to them, the unique selling point of this technology has always been its ability to remain immutable and predictable after the initial deployment. Systems with these properties can be used reliably by integrators with strong expectations that they will continue working as expected. From a smart contract security perspective, this allows users and builders to rest easy knowing that the code they are transacting with now will not change and surprise them.
ConsenSys Diligence
April 25, 2023

Analysis

Best Practice

Feature

tBTC: Navigating the cross-chain conundrum

We recently conducted a security assessment of Thesis’ tBTC. In this post, we explore a fundamental limitation of Bitcoin transaction verification within Ethereum smart contracts.
Alexander Wade
May 01, 2020

Destroying the Indestructible

This morning, I saw a link to Dharma’s IndestructibleRegistry. The idea behind this registry is that it keeps track of contracts that cannot be destroyed. It does this by verifying the contract’s bytecode on chain. In this post, I’ll show you how I managed to trick that verification and destroy an “indestructible” contract.
Steve Marx
December 11, 2019

MythX

Project 0x Case Study

Abstract Smart contracts facilitate the transfer of value and help determine digital asset behavior. This results in a higher need for formal proofs and computer-aided checks compared to traditional software which does not typically perform these functions. 0x is an open protocol that enables the peer-to-peer exchange of assets on the Ethereum blockchain. It is one of the largest open protocols with over 30 projects building on top of it, amassing over 713,000 total transactions, and a volume of $750 million.
Sharon Byrne-Cotter
April 17, 2020

Catching Weird Security Bugs in Solidity Smart Contracts with Invariant Checks

Contract invariants are properties of the program program state that are expected to always be true. In my previous article I discussed the use of Solidity assertions to check contract invariants. This article expands on the use of invariants and provides a couple of additional examples. An interesting feature of invariant checking on the bytecode level is that it allows you to detect low-level issues, including issues caused by compiler optimisation or idiosyncrasies of the programming language, by defining high-level rules.
Bernhard Mueller
April 06, 2020

Targeted fuzzing using static lookahead analysis: how to guide fuzzers using online static analysis

In previous posts, we introduced Harvey, a fuzzer for Ethereum smart contracts, and presented two techniques to boost its effectiveness: input prediction and multi-transaction fuzzing. Harvey is being developed by MythX in collaboration with Maria Christakis from MPI-SWS. It is one of the tools that powers our smart contract analysis service. Sign up for our free plan to give it a try! In this post, we summarize our upcoming ICSE 2020 paper and provide a high-level overview of how we use online static analysis to guide Harvey.
Valentin Wustholz
March 31, 2020

News

Paradigm CTF Winner

ConsenSys Diligence team, a.k.a Dilicious, won the first place at Paradigm Capture the Flag competition. Paradigm CTF was one of the most anticipated security competitions in the Ethereum space.
Shayan Eskandari
February 28, 2021

Newsletter

Smart Contract Languages

Welcome Back! Security for the EIP Process

The security risk profile for blockchain protocols and application is quite demanding. With high incentives to play foul and potentially severe consequences for all participants. No wonder we were surprised to find out that security was not yet explicitly part of Ethereum’s core change management process. Good thing, this finally changed.
Martin Ortner
January 05, 2020

Tools

Reproducing the DeusDao exploit with Diligence Fuzzing

On May 6th 2023 DeusDao was exploited resulting in $6.5M in losses. A detailed write-up of the event can be found here. The root cause of the exploit, was a logical error in the burnFrom function. function burnFrom(address account, uint256 amount) public virtual { uint256 currentAllowance = _allowances[_msgSender()][account]; _approve(account, _msgSender(), currentAllowance - amount); _burn(account, amount); } On the first line of burnFrom, the message sender and account are accidentally swapped when computing the allowance for tokens to burn.
August 01, 2023

Year in Review