Diligence Blog

Latest

Diving deep into Audit Contests Analytics and Economics

It’s been a couple of years since code4rena has introduced competitive audits into the smart contract security landscape, and it looks like audit contests are here to stay. In the meanwhile several other platforms have popped up with the same forumula. Audit contests are simple. A project publishes a set of smart contracts that they would like to have audited, and promises a prize pool for security related findings. A contest is ran for a couple of weeks during which participants can submit their findings.
Joran Honig
April 12, 2024

You're missing out! If you're not writing detection modules.

We recently released a new tool called napalm, a detection module IDE. Napalm makes it easy to set-up a multi-tool custom detector project. Not stopping there, napalm provides an all-out quality of life upgrade for security researchers that like to write their own detection modules. A tool that helps you develop detection modules is great, but it occurred to me that lots of people are not writing their own detection modules yet.
Joran Honig
February 21, 2024

Unleashing Napalm

Attention, all auditors and security researchers! We’ve got a new tool for you! You’re a security researcher and you hate repetitive work. So what do you do? You’ve compiled a nice collection of analysis rules and detection modules that automatically do all the repetitive work for you. Life is great, until, …. You’ve got 100+ modules, some for slither, others for semgrep and things are getting out of hand! You have to spend time writing scripts to run the right modules at the right time, and it’s impossible to even keep track of what you can automatically detect.
Joran Honig
January 31, 2024

EthTrust - The Frontier of Smart Contract Security Standards

Enterprise Ethereum Alliance (EEA) shapes the most mature standard for smart contract security. Consensys Diligence contributes to the EthTrust Security Levels Specification, spearheaded by the EEA EthTrust Security Levels Working Group.
Consensys Diligence
December 18, 2023

Reproducing the DeusDao exploit with Diligence Fuzzing

On May 6th 2023 DeusDao was exploited resulting in $6.5M in losses. A detailed write-up of the event can be found here. The root cause of the exploit, was a logical error in the burnFrom function. function burnFrom(address account, uint256 amount) public virtual { uint256 currentAllowance = _allowances[_msgSender()][account]; _approve(account, _msgSender(), currentAllowance - amount); _burn(account, amount); } On the first line of burnFrom, the message sender and account are accidentally swapped when computing the allowance for tokens to burn.
August 01, 2023

Why Your Web3 Project Needs A Bug Bounty Program

Crypto hacks are costing projects millions in user funds. Bug bounty programs can help prevent exploits and secure the Web3 ecosystem. Bug bounties provide financial incentives for hackers and researchers to disclose flaws in applications to development teams. In the tech industry, where minor software errors can lead to catastrophic losses, bug bounties provide a cost-effective method for detecting vulnerabilities in code. Bug bounties have a long history: In 1983, microprocessor manufacturer Hunter & Ready launched the “Bug for a Bug” program—finding flaws in its VRTX operating system earned the finder a Volkswagen Beetle, commonly called the “Bug”.
Consensys Diligence
June 21, 2023

Consensys Diligence and Socket partner for secure Socket Liquidity Layer smart contracts

While smart contract systems of today have the capability to be deployed with permissions, upgradeable proxies, and ways to add extra logic to them, the unique selling point of this technology has always been its ability to remain immutable and predictable after the initial deployment. Systems with these properties can be used reliably by integrators with strong expectations that they will continue working as expected. From a smart contract security perspective, this allows users and builders to rest easy knowing that the code they are transacting with now will not change and surprise them.
Consensys Diligence
April 25, 2023

The forgotten IPFS vulnerabilities

In 2021 we privately disclosed multiple vulnerabilities in the InterPlanetary File System but never really talked about it. Let’s change that 😊!
tintinweb
September 28, 2022

Consensys Diligence Partners with StarkWare To Expand Auditing Services

Earlier this year, Consensys Diligence announced its partnership with StarkWare to expand its security audit capabilities for smart contracts written in Cairo and deployed on StarkWare. “We were very impressed by the team’s in-depth analysis and understanding of Cairo, overcoming the fact that this is a new language. Consensys Diligence has already contributed to the safety of StarkEx by detecting a bug that was promptly fixed.” said Uri Kolodny, Co-founder and CEO at StarkWare about the partnership.
Consensys Diligence
September 20, 2022

Under-constrained computation, a new kind of bug

Learn how provers can exploit under-constrained Cairo programs! Introduction Cairo is a programming language for building zero-knowledge programs. These programs allow you to prove the result of a computation without asking other people to re-run the computation. Proofs of correct computation are awesome! Let’s assume you have a Cairo program to compute all prime numbers up to 1,000. When you run Cairo, you’ll get both the prime numbers and proof that those prime numbers are the result of running the program.
Joran honig
January 17, 2022

Hackwek - Hallucinating Solidity Source Code

Buidling, breaking, hacking, making! 🥷⚔️ Testing boundaries and playing with experimental technology is what we love at Diligence. In this spirit, “HackWek” was born. A recurring Diligence internal five-day hacking party 🥳. In this episode, I set out building a Solidity source code writing robot 😵‍💫🤖. Hallucinating Solidity Source Code Some time ago I’ve started to collect smart contract samples from public block explorers with the smart-contract-sanctuary project. Initially, for no special reason, but it quickly turned into a treasure trove for all kinds of activities.
tintinweb
December 12, 2021

Fuzzing ERC20 contracts with Diligence Fuzzing

Fuzzing ERC20 contracts Learn how you can use Scribble to define a complete and checkable ERC20 specification. As a bonus, we show how you can use fuzzing to check the specification automatically! I’m willing to bet that you’re familiar with the ERC20 standard, the best-known standard for tokens (next to ERC721). You might be less familiar with Scribble and fuzzing, which provide the easiest way to test ERC20 implementations exhaustively.
Joran Honig
September 30, 2021

Introducing Diligence Fuzzing

The Consensys Diligence team has built a lot of tools with use cases ranging from automatic vulnerability discovery (check out MythX) to network-based vulnerability scanning (TeaTime), to code understanding tools (Surya, VSCode visual developer). Check out all our tools here: Blockchain Security Tools | Consensys Diligence A few months ago, we released Scribble, an all-new specification language for smart contracts. Using Scribble, you can extend your smart contract with specifications that we can automatically check using fuzzing and symbolic execution techniques.
Joran Honig
September 16, 2021

Annotating State Variables with Scribble

Since we released Scribble last December, we have been hard at work adding new features to the language and the tool itself. In this series of posts, we will look at some of the new features we’ve added. Our first post showcases state variable annotations with if_updated. The problem During our early usage of Scribble it became apparent that annotations of functions and contracts are nice, but are sometimes insufficient when reasoning about individual state variables.
Dimitar Bounov
July 29, 2021

Hackathons are fantastic!

There’s nothing more enjoyable than gathering a group of friends, eating pizza, and hack on something you’ve always wanted to build but haven’t had time for. When we learned that Consensys is organizing an internal hackathon, it didn’t take us long to find projects to hack on. A couple of friends started hacking on “TURN”, a revolutionary token-based solution that could simplify our day-to-day operations. More on this in a future post.
Martin Ortner, João Santos, Gonçalo Sá, Oliver Terbu
July 22, 2021

Introducing Scribble Generator

Some vendors use an effective sales strategy called “lock-in”. Once you’re in the vendors’ ecosystem, it can be challenging to get out. You’ll have made a big investment into various products that work great together but suck once you use them with anything else. A similar thing can happen (often unintentionally) with tech stacks. You invest big-time in tool X and are then locked into using it because you don’t want to start from scratch with a new tool Y.
Joran Honig
July 14, 2021

IPFS Gateway Security

TL;DR: Path-based IPFS gateways have a critical flaw: They effectively disable one of the essential security features of modern browsers: the same-origin policy. Note Update: June 16, 2021 We’d like to thank the team at security[at]ipfs.io for picking up and addressing our concerns. It is a pleasure seeing security being taken seriously and we’d like to share their updates and feedback with you. The following statements were provided by the IPFS security team and have not been validated by Consensys Diligence.
Martin Ortner, Dominik Muhs
June 07, 2021

Tackling Cross Site Scripting with Smart Contracts

Writing Smart Contracts can be fraught with dangers stemming from multiple vectors, but one you may not have considered is Cross Site Scripting attacks initiated by the Smart Contract itself! How is this possible? Let’s explore and solve.
Grant Southey (Guest Author)
March 10, 2021

Paradigm CTF Winner

Consensys Diligence team, a.k.a Dilicious, won the first place at Paradigm Capture the Flag competition. Paradigm CTF was one of the most anticipated security competitions in the Ethereum space.
Shayan Eskandari
February 28, 2021

Fault Localisation with Tarantula

Sometimes unit-tests fail, and you don’t know why. That’s when you want to use fault localisation; to find the fault that’s causing the tests to fail. Tarantula is such an algorithm and finds which lines are most suspect of breaking the tests. I implemented this algorithm and used solidity-coverage results to localise bugs in Ethereum smart contracts. Let’s start at the beginning; the motivation for fault localisation. Imagine you’re just developing a new feature and you run your test suite.
Joran Honig
February 10, 2021

4 effective strategies to come up with Scribble annotations

Coming up with properties can be a difficult task! In this previous post we talked about starting to write Scribble properties. Here I’m going to explore four strategies to accelerate annotating your smart contracts! As you might already know, Scribble enables you to write properties that you can then test automatically using methods such as fuzzing and symbolic execution. Sounds awesome, doesn’t it? But how do you come up with those properties?
Joran Honig
February 02, 2021

Writing Properties - A new approach to testing

Writing smart contract properties - A new approach to testing Scribble allows you to write smart contract properties that can be automatically tested using fuzzing and symbolic execution techniques. Writing properties requires a bit of a mindset shift. This article will talk about that shift, to go from unit testing to property-based testing with Scribble. If you’re a developer then I’m sure you’re familiar with unit testing, an approach where you write small (unit) test cases to see if a component behaves as expected.
Joran Honig
January 19, 2021

Introducing Scribble

Making sure that smart contracts are secure and bug-free has never been more critical. Unfortunately, it remains a difficult task. While there are helpful tools for automatic testing and formal verification, ensuring the correctness of smart contracts continues to be a time-intensive and challenging task. To make things worse, each tool often has a steep learning curve, and it is often uncertain whether it’s even right for the job. That is why we’ve developed Scribble: a verification language and runtime verification tool.
Joran Honig
December 07, 2020

Token Interaction Checklist

A checklist for developers and security engineers to make use of when working with contracts that interact with many different tokens, especially if they want to support user-inputted tokens.
Shayan Eskandari
November 16, 2020

Detecting Ownership Takeovers Using Mythril

Mythril is an analysis tool which uses symbolic execution to find vulnerabilities in smart contracts. Mythril even generates exploits for the vulnerabilities that it finds 🚀. In a previous article, I wrote about Mythril internals and symbolic execution. In this article, I’ll show how I use Mythril to detect Ownership takeover vulnerabilities. I’ll also use Mythril’s new plugin system install and release plugins with ease! Introduction Out of the box, Mythril comes with several zero-setup detection modules.
Joran Honig
September 22, 2020

LibP2P: Multiaddr - Enode - ENR ?!

Ethereum Node addressing can be confusing. We’re looking into three ways to convey an Ethereum node’s address and provide a convenient web-tool to extract a node’s address from an ENR.
Martin Ortner
September 08, 2020

Legions a Tool for Seekers

Legions is a handy toolkit for (security) researchers poking around EVM (Ethereum Virtual Machine) nodes and smart contracts, now with a slick command-line interface, with auto complete commands and history.
Shayan Eskandari
June 09, 2020

tBTC: Navigating the cross-chain conundrum

We recently conducted a security assessment of Thesis’ tBTC. In this post, we explore a fundamental limitation of Bitcoin transaction verification within Ethereum smart contracts.
Alexander Wade
May 01, 2020

Project 0x Case Study

Abstract Smart contracts facilitate the transfer of value and help determine digital asset behavior. This results in a higher need for formal proofs and computer-aided checks compared to traditional software which does not typically perform these functions. 0x is an open protocol that enables the peer-to-peer exchange of assets on the Ethereum blockchain. It is one of the largest open protocols with over 30 projects building on top of it, amassing over 713,000 total transactions, and a volume of $750 million.
Sharon Byrne-Cotter
April 17, 2020

Catching Weird Security Bugs in Solidity Smart Contracts with Invariant Checks

Contract invariants are properties of the program program state that are expected to always be true. In my previous article I discussed the use of Solidity assertions to check contract invariants. This article expands on the use of invariants and provides a couple of additional examples. An interesting feature of invariant checking on the bytecode level is that it allows you to detect low-level issues, including issues caused by compiler optimisation or idiosyncrasies of the programming language, by defining high-level rules.
Bernhard Mueller
April 06, 2020

Targeted fuzzing using static lookahead analysis: how to guide fuzzers using online static analysis

In previous posts, we introduced Harvey, a fuzzer for Ethereum smart contracts, and presented two techniques to boost its effectiveness: input prediction and multi-transaction fuzzing. Harvey is being developed by MythX in collaboration with Maria Christakis from MPI-SWS. It is one of the tools that powers our smart contract analysis service. Sign up for our free plan to give it a try! In this post, we summarize our upcoming ICSE 2020 paper and provide a high-level overview of how we use online static analysis to guide Harvey.
Valentin Wustholz
March 31, 2020

New Offering: 1-Day Security Reviews

Over the past few months, we have been conducting short “security reviews”, typically one or two days in duration. In some ways, these are similar to audits, but in other ways they’re quite different. In this post, I’ll share what these engagements are like and why you might want to hire us for one.
Steve Marx
March 31, 2020

Part 3: MythX ❤️ Continuous Integration (DIY)

This is the third and last post in the MythX series on integrating security analysis of smart contracts into your Continuous Integration (CI) system. In the first part we built a CircleCI configuration. In the second part we built a small and beautiful Travis CI configuration. “But I am using a completely different CI system!” - You, maybe. Fret not. The avid reader might have noticed a common pattern in the past two posts: In setups we used the MythX CLI and a basic Python runtime.
Dominik Muhs
March 16, 2020

Easy multi-contract security analysis using Mythril

The MythX platform leverages several internal components to provide the best possible analysis results. One of these components is available open-source; the symbolic executor Mythril. In this article, I’ll demonstrate how you can use Mythril to analyze a set-up of multiple smart contracts. By default, Mythril will analyze a contract in isolation. Interactions with external contracts are generalized so that we capture all possible vulnerabilities. Sometimes, this means we find a weakness in your smart contract that might not affect your particular setup.
Joran Honig
March 09, 2020

Questions DeFi users should be asking DeFi Developers

The DeFi space has had a tumultuous couple months, with a number of attacks as well as unexploited vulnerabilities being reported. Bugs are unavoidable, but there are many things that can be done to reduce their frequency, and mitigate their negative effects. As auditors, we want to help, but in order to really get developers to truly prioritize security, users need to start asking tough questions, and putting their money into the protocols that can answer them thoughtfully.
John Mardlin
March 02, 2020

MythX and Continuous Integration (Part 2): Travis

In the second part of this series on continuous integration, we will build an easy first integration of the MythX API into the Travis continuous integration platform. Other posts in this series: Part 1: CircleCI Part 2: Travis Part 3: (Coming soon) This three-part series is about integrating MythX into Continuous Integration systems. In the first part of this series I have shown how to automatically check for smart contract vulnerabilities in CircleCI.
Dominik Muhs
February 04, 2020

Interview with samczsun

If you keep up with Ethereum security-related postings, you’ve no doubt heard of samczsun: security researcher and white hat extraordinaire. In this interview, we discuss his process as well as a few of his well-known findings.
Alexander Wade
January 30, 2020

MythX and Continuous Integration (Part 1): CircleCI

In the first post of a new series, we discuss integrating security considerations to a continuous integration pipeline, starting with CircleCI. Conveyor belts. Because continuity. Get it? Continuous testing of applications can be hard to figure out. While it is difficult to measure CI/CD adoption, the blockchain ecosystem offers a great opportunity to adopt in-depth testing and continuous delivery pipelines where they make sense: right from the start. At MythX we don’t mind which technologies you are using to get things done.
Dominik Muhs
January 28, 2020

More ways to stay secure: Announcing two new plans and another way to pay

We’re introducing new plans offering the highest confidence in the correctness of your code, and allowing payment via credit/debit cards for the first time. We’re excited to announce some changes to our MythX plans that will be going live on January 31, 2020. Now, whenever a team announces “exciting changes” it’s often code word for something bad, but in this case, these changes should positively affect (as far as we can predict) absolutely all of our known users.
Mike Pumphrey
January 21, 2020

Verifying smart contract security with Remix and MythX

Leveraging security tools for verification can help you increase confidence in the correctness of smart contract code. Examples are given here using the MythX plugin for Remix. Whether you are a smart contract developer or auditor you might wonder if there’s any value in using an automatic smart contract analysis tool. Assuming you know what you’re doing, will these tools tell you anything you don’t already know? In this article I’ll describe how you can leverage security tools to increase confidence in the correctness of smart contract code and potentially detect issues that are not easily apparent.
Bernhard Mueller
January 14, 2020

MythX is for all stages of smart contract development

We recommend using MythX through every stage of the smart contract development life-cycle, before, during, and after deployment. (Note: This post was originally published in June 2019 and has been updated.) We talk a lot here on the MythX team about the importance of regular, routine analysis of your smart contracts prior to deployment onto the blockchain. The reason for this is simple: once the contract is deployed, it is immutable.
Mike Pumphrey
January 07, 2020

Welcome Back! Security for the EIP Process

The security risk profile for blockchain protocols and application is quite demanding. With high incentives to play foul and potentially severe consequences for all participants. No wonder we were surprised to find out that security was not yet explicitly part of Ethereum’s core change management process. Good thing, this finally changed.
Martin Ortner
January 05, 2020

MythX Tech: Behind the Scenes of Smart Contract Security Analysis

The tech behind MythX smart contract analysis, including the microservices Maru, Harvey, and Mythril, and how they work together. When I first introduced Mythril in 2017, I didn’t expect it to be very useful to smart contract developers. It was a simple symbolic analyzer for Ethereum bytecode with tacked-on Solidity support. Mythril was OK for detecting some security issues and solving CTFs, but it wasn’t written with the needs of developers in mind.
Bernhard Mueller
December 17, 2019

Destroying the Indestructible

This morning, I saw a link to Dharma’s IndestructibleRegistry. The idea behind this registry is that it keeps track of contracts that cannot be destroyed. It does this by verifying the contract’s bytecode on chain. In this post, I’ll show you how I managed to trick that verification and destroy an “indestructible” contract.
Steve Marx
December 11, 2019

All smart contract security issues in one place: An introduction to the SWC Registry

The SWC Registry is an indispensable resource for securing your smart contracts. Here we show how you can use it most effectively. In our last post, we showed you how you can use Remix with the MythX plugin to detect weaknesses in smart contract code. Now, let’s talk about those weaknesses. Smart contract weaknesses are classified into many different types, allowing for easier management and discussion. The code that generates the weakness may vary widely, but the type of weakness is the same.
Mike Pumphrey
December 10, 2019

A beginner’s guide to MythX

A detailed, step-by-step howto guide on how to use MythX with Remix, showing as well as the differences between MythX and MythX Pro. MythX is a tool for finding smart contract weaknesses. For our single developers and dev teams, we offer two plans: MythX and MythX Pro. (We also offer custom plans too; contact us for details.) We recently posted about the differences between MythX and MythX Pro. But you may find it more useful to see an actual scenario involving testing a smart contract using MythX.
Mike Pumphrey
November 26, 2019

MythX Pro Security Analysis Explained

MythX recently went live with a new Pro upgrade that offers more powerful analysis features than the free version. In this article I’ll explain how the new “full” analysis mode affects the performance of MythX. MythX is a smart contract security service that integrates multiple analysis techniques. The MythX Pro plan comes with a new analysis mode called Full mode. In this mode, submitted contracts are subjected to a thorough fuzzing campaign and deep inspection using symbolic analysis.
Bernhard Mueller
November 19, 2019

Solidity, the Young Adult

Solidity is getting bigger! We are doing a series to present you with the language’s future plans and hopefully spark a conversation on merits and use cases.
Gonçalo Sá
November 15, 2019

Stepping into the light

MythX comes into its own, and creates a partnership with Consensys Diligence. I would like to introduce you to the new MythX blog. This is the place for the whole MythX team, including our researchers, developers, and (yes) marketing folks to be able to share news, tips, ideas, and consolation/hope for the state of security on the Ethereum platform. (Looking for our old blog? It’s here.) But first, some orientation, and how we got here.
Mike Pumphrey
November 12, 2019

Analysis

Best Practice

Feature

MythX

Project 0x Case Study

Abstract Smart contracts facilitate the transfer of value and help determine digital asset behavior. This results in a higher need for formal proofs and computer-aided checks compared to traditional software which does not typically perform these functions. 0x is an open protocol that enables the peer-to-peer exchange of assets on the Ethereum blockchain. It is one of the largest open protocols with over 30 projects building on top of it, amassing over 713,000 total transactions, and a volume of $750 million.
Sharon Byrne-Cotter
April 17, 2020

Catching Weird Security Bugs in Solidity Smart Contracts with Invariant Checks

Contract invariants are properties of the program program state that are expected to always be true. In my previous article I discussed the use of Solidity assertions to check contract invariants. This article expands on the use of invariants and provides a couple of additional examples. An interesting feature of invariant checking on the bytecode level is that it allows you to detect low-level issues, including issues caused by compiler optimisation or idiosyncrasies of the programming language, by defining high-level rules.
Bernhard Mueller
April 06, 2020

Targeted fuzzing using static lookahead analysis: how to guide fuzzers using online static analysis

In previous posts, we introduced Harvey, a fuzzer for Ethereum smart contracts, and presented two techniques to boost its effectiveness: input prediction and multi-transaction fuzzing. Harvey is being developed by MythX in collaboration with Maria Christakis from MPI-SWS. It is one of the tools that powers our smart contract analysis service. Sign up for our free plan to give it a try! In this post, we summarize our upcoming ICSE 2020 paper and provide a high-level overview of how we use online static analysis to guide Harvey.
Valentin Wustholz
March 31, 2020

News

Unleashing Napalm

Attention, all auditors and security researchers! We’ve got a new tool for you! You’re a security researcher and you hate repetitive work. So what do you do? You’ve compiled a nice collection of analysis rules and detection modules that automatically do all the repetitive work for you. Life is great, until, …. You’ve got 100+ modules, some for slither, others for semgrep and things are getting out of hand! You have to spend time writing scripts to run the right modules at the right time, and it’s impossible to even keep track of what you can automatically detect.
Joran Honig
January 31, 2024

EthTrust - The Frontier of Smart Contract Security Standards

Enterprise Ethereum Alliance (EEA) shapes the most mature standard for smart contract security. Consensys Diligence contributes to the EthTrust Security Levels Specification, spearheaded by the EEA EthTrust Security Levels Working Group.
Consensys Diligence
December 18, 2023

Newsletter

Smart Contract Languages

Welcome Back! Security for the EIP Process

The security risk profile for blockchain protocols and application is quite demanding. With high incentives to play foul and potentially severe consequences for all participants. No wonder we were surprised to find out that security was not yet explicitly part of Ethereum’s core change management process. Good thing, this finally changed.
Martin Ortner
January 05, 2020

Tools

Reproducing the DeusDao exploit with Diligence Fuzzing

On May 6th 2023 DeusDao was exploited resulting in $6.5M in losses. A detailed write-up of the event can be found here. The root cause of the exploit, was a logical error in the burnFrom function. function burnFrom(address account, uint256 amount) public virtual { uint256 currentAllowance = _allowances[_msgSender()][account]; _approve(account, _msgSender(), currentAllowance - amount); _burn(account, amount); } On the first line of burnFrom, the message sender and account are accidentally swapped when computing the allowance for tokens to burn.
August 01, 2023

Year in Review