Category: Tools

Reproducing the DeusDao exploit with Diligence Fuzzing

On May 6th 2023 DeusDao was exploited resulting in $6.5M in losses. A detailed write-up of the event can be found here. The root cause of the exploit, was a logical error in the burnFrom function. function burnFrom(address account, uint256 amount) public virtual { uint256 currentAllowance = _allowances[_msgSender()][account]; _approve(account, _msgSender(), currentAllowance - amount); _burn(account, amount); } On the first line of burnFrom, the message sender and account are accidentally swapped when computing the allowance for tokens to burn.
August 01, 2023

Fuzzing ERC20 contracts with Diligence Fuzzing

Fuzzing ERC20 contracts Learn how you can use Scribble to define a complete and checkable ERC20 specification. As a bonus, we show how you can use fuzzing to check the specification automatically! I’m willing to bet that you’re familiar with the ERC20 standard, the best-known standard for tokens (next to ERC721). You might be less familiar with Scribble and fuzzing, which provide the easiest way to test ERC20 implementations exhaustively.
Joran Honig
September 30, 2021

Introducing Diligence Fuzzing

The ConsenSys Diligence team has built a lot of tools with use cases ranging from automatic vulnerability discovery (check out MythX) to network-based vulnerability scanning (TeaTime), to code understanding tools (Surya, VSCode visual developer). Check out all our tools here: Blockchain Security Tools | ConsenSys Diligence A few months ago, we released Scribble, an all-new specification language for smart contracts. Using Scribble, you can extend your smart contract with specifications that we can automatically check using fuzzing and symbolic execution techniques.
Joran Honig
September 16, 2021

Annotating State Variables with Scribble

Since we released Scribble last December, we have been hard at work adding new features to the language and the tool itself. In this series of posts, we will look at some of the new features we’ve added. Our first post showcases state variable annotations with if_updated. The problem During our early usage of Scribble it became apparent that annotations of functions and contracts are nice, but are sometimes insufficient when reasoning about individual state variables.
Dimitar Bounov
July 29, 2021

Introducing Scribble Generator

Some vendors use an effective sales strategy called “lock-in”. Once you’re in the vendors’ ecosystem, it can be challenging to get out. You’ll have made a big investment into various products that work great together but suck once you use them with anything else. A similar thing can happen (often unintentionally) with tech stacks. You invest big-time in tool X and are then locked into using it because you don’t want to start from scratch with a new tool Y.
Joran Honig
July 14, 2021

Tackling Cross Site Scripting with Smart Contracts

Writing Smart Contracts can be fraught with dangers stemming from multiple vectors, but one you may not have considered is Cross Site Scripting attacks initiated by the Smart Contract itself! How is this possible? Let’s explore and solve.
Grant Southey (Guest Author)
March 10, 2021