Diligence Blog

Consensys Diligence provides actionable tips on building secure and robust smart contracts in web3.

On May 6th 2023 DeusDao was exploited resulting in $6.5M in losses. A detailed write-up of the event can be found here. The root cause of the exploit, was a logical error in the burnFrom function. function burnFrom(address account, uint256 amount) public virtual { uint256 currentAllowance = _allowances[_msgSender()][account]; _approve(account, _msgSender(), currentAllowance - amount); _burn(account, amount); } On the first line of burnFrom, the message sender and account are accidentally swapped when computing the allowance for tokens to burn.

Announcing Diligence Fuzzing support for all Foundry developers to ensure easy and efficient smart contract security.

Consensys Diligence explains the Halo2 zero-knowledge prover and highlights bugs that can affect security of Halo2 circuits.

Crypto hacks are costing projects millions in user funds. Bug bounty programs can help prevent exploits and secure the Web3 ecosystem. Bug bounties provide financial incentives for hackers and researchers to disclose flaws in applications to development teams. In the tech industry, where minor software errors can lead to catastrophic losses, bug bounties provide a cost-effective method for detecting vulnerabilities in code. Bug bounties have a long history: In 1983, microprocessor manufacturer Hunter & Ready launched the “Bug for a Bug” program—finding flaws in its VRTX operating system earned the finder a Volkswagen Beetle, commonly called the “Bug”.

An overview of the emerging web3 security stack and industry.

While smart contract systems of today have the capability to be deployed with permissions, upgradeable proxies, and ways to add extra logic to them, the unique selling point of this technology has always been its ability to remain immutable and predictable after the initial deployment. Systems with these properties can be used reliably by integrators with strong expectations that they will continue working as expected. From a smart contract security perspective, this allows users and builders to rest easy knowing that the code they are transacting with now will not change and surprise them.

Helping users with selecting a suitable fuzzer

Use this helpful checklist to prepare your smart contacts for an audit

Step-by-step tutorial to get started using Fuzzing for your smart contract security

Diligence Fuzzing is now available for developers for testing smart contract systems.

How you can record fuzzing lessons in Diligence Fuzzing

In 2021 we privately disclosed multiple vulnerabilities in the InterPlanetary File System but never really talked about it. Let’s change that 😊!

Earlier this year, ConsenSys Diligence announced its partnership with StarkWare to expand its security audit capabilities for smart contracts written in Cairo and deployed on StarkWare. “We were very impressed by the team’s in-depth analysis and understanding of Cairo, overcoming the fact that this is a new language. Consensys Diligence has already contributed to the safety of StarkEx by detecting a bug that was promptly fixed.” said Uri Kolodny, Co-founder and CEO at StarkWare about the partnership.

These four features make Scribble a more expressive specification language to help make testing your smart contract simpler.

A look at the state of the blockchain security industry and our plans in 2022.

Learn how provers can exploit under-constrained Cairo programs! Introduction Cairo is a programming language for building zero-knowledge programs. These programs allow you to prove the result of a computation without asking other people to re-run the computation. Proofs of correct computation are awesome! Let’s assume you have a Cairo program to compute all prime numbers up to 1,000. When you run Cairo, you’ll get both the prime numbers and proof that those prime numbers are the result of running the program.

Buidling, breaking, hacking, making! 🥷⚔️ Testing boundaries and playing with experimental technology is what we love at Diligence. In this spirit, “HackWek” was born. A recurring Diligence internal five-day hacking party 🥳. In this episode, I set out building a Solidity source code writing robot 😵‍💫🤖. Hallucinating Solidity Source Code Some time ago I’ve started to collect smart contract samples from public block explorers with the smart-contract-sanctuary project. Initially, for no special reason, but it quickly turned into a treasure trove for all kinds of activities.

Fuzzing ERC20 contracts Learn how you can use Scribble to define a complete and checkable ERC20 specification. As a bonus, we show how you can use fuzzing to check the specification automatically! I’m willing to bet that you’re familiar with the ERC20 standard, the best-known standard for tokens (next to ERC721). You might be less familiar with Scribble and fuzzing, which provide the easiest way to test ERC20 implementations exhaustively.

The ConsenSys Diligence team has built a lot of tools with use cases ranging from automatic vulnerability discovery (check out MythX) to network-based vulnerability scanning (TeaTime), to code understanding tools (Surya, VSCode visual developer). Check out all our tools here: Blockchain Security Tools | ConsenSys Diligence A few months ago, we released Scribble, an all-new specification language for smart contracts. Using Scribble, you can extend your smart contract with specifications that we can automatically check using fuzzing and symbolic execution techniques.