Category: Tools

On May 6th 2023 DeusDao was exploited resulting in $6.5M in losses. A detailed write-up of the event can be found here. The root cause of the exploit, was a logical error in the burnFrom function. function burnFrom(address account, uint256 amount) public virtual { uint256 currentAllowance = _allowances[_msgSender()][account]; _approve(account, _msgSender(), currentAllowance - amount); _burn(account, amount); } On the first line of burnFrom, the message sender and account are accidentally swapped when computing the allowance for tokens to burn.

Helping users with selecting a suitable fuzzer

Step-by-step tutorial to get started using Fuzzing for your smart contract security

Diligence Fuzzing is now available for developers for testing smart contract systems.

How you can record fuzzing lessons in Diligence Fuzzing

Fuzzing ERC20 contracts Learn how you can use Scribble to define a complete and checkable ERC20 specification. As a bonus, we show how you can use fuzzing to check the specification automatically! I’m willing to bet that you’re familiar with the ERC20 standard, the best-known standard for tokens (next to ERC721). You might be less familiar with Scribble and fuzzing, which provide the easiest way to test ERC20 implementations exhaustively.

The ConsenSys Diligence team has built a lot of tools with use cases ranging from automatic vulnerability discovery (check out MythX) to network-based vulnerability scanning (TeaTime), to code understanding tools (Surya, VSCode visual developer). Check out all our tools here: Blockchain Security Tools | ConsenSys Diligence A few months ago, we released Scribble, an all-new specification language for smart contracts. Using Scribble, you can extend your smart contract with specifications that we can automatically check using fuzzing and symbolic execution techniques.

Since we released Scribble last December, we have been hard at work adding new features to the language and the tool itself. In this series of posts, we will look at some of the new features we’ve added. Our first post showcases state variable annotations with if_updated. The problem During our early usage of Scribble it became apparent that annotations of functions and contracts are nice, but are sometimes insufficient when reasoning about individual state variables.

Some vendors use an effective sales strategy called “lock-in”. Once you’re in the vendors’ ecosystem, it can be challenging to get out. You’ll have made a big investment into various products that work great together but suck once you use them with anything else. A similar thing can happen (often unintentionally) with tech stacks. You invest big-time in tool X and are then locked into using it because you don’t want to start from scratch with a new tool Y.

Writing Smart Contracts can be fraught with dangers stemming from multiple vectors, but one you may not have considered is Cross Site Scripting attacks initiated by the Smart Contract itself! How is this possible? Let’s explore and solve.