Diligence Blog

How you can record fuzzing lessons in Diligence Fuzzing

In 2021 we privately disclosed multiple vulnerabilities in the InterPlanetary File System but never really talked about it. Let’s change that 😊!

Earlier this year, ConsenSys Diligence announced its partnership with StarkWare to expand its security audit capabilities for smart contracts written in Cairo and deployed on StarkWare. “We were very impressed by the team’s in-depth analysis and understanding of Cairo, overcoming the fact that this is a new language. Consensys Diligence has already contributed to the safety of StarkEx by detecting a bug that was promptly fixed.” said Uri Kolodny, Co-founder and CEO at StarkWare about the partnership.

These four features make Scribble a more expressive specification language to help make testing your smart contract simpler.

A look at the state of the blockchain security industry and our plans in 2022.

Learn how provers can exploit under-constrained Cairo programs! Introduction Cairo is a programming language for building zero-knowledge programs. These programs allow you to prove the result of a computation without asking other people to re-run the computation. Proofs of correct computation are awesome! Let’s assume you have a Cairo program to compute all prime numbers up to 1,000. When you run Cairo, you’ll get both the prime numbers and proof that those prime numbers are the result of running the program.

Buidling, breaking, hacking, making! 🥷⚔️ Testing boundaries and playing with experimental technology is what we love at Diligence. In this spirit, “HackWek” was born. A recurring Diligence internal five-day hacking party 🥳. In this episode, I set out building a Solidity source code writing robot 😵‍💫🤖. Hallucinating Solidity Source Code Some time ago I’ve started to collect smart contract samples from public block explorers with the smart-contract-sanctuary project. Initially, for no special reason, but it quickly turned into a treasure trove for all kinds of activities.

Fuzzing ERC20 contracts Learn how you can use Scribble to define a complete and checkable ERC20 specification. As a bonus, we show how you can use fuzzing to check the specification automatically! I’m willing to bet that you’re familiar with the ERC20 standard, the best-known standard for tokens (next to ERC721). You might be less familiar with Scribble and fuzzing, which provide the easiest way to test ERC20 implementations exhaustively.

The ConsenSys Diligence team has built a lot of tools with use cases ranging from automatic vulnerability discovery (check out MythX) to network-based vulnerability scanning (TeaTime), to code understanding tools (Surya, VSCode visual developer). Check out all our tools here: Blockchain Security Tools | ConsenSys Diligence A few months ago, we released Scribble, an all-new specification language for smart contracts. Using Scribble, you can extend your smart contract with specifications that we can automatically check using fuzzing and symbolic execution techniques.

Since we released Scribble last December, we have been hard at work adding new features to the language and the tool itself. In this series of posts, we will look at some of the new features we’ve added. Our first post showcases state variable annotations with if_updated. The problem During our early usage of Scribble it became apparent that annotations of functions and contracts are nice, but are sometimes insufficient when reasoning about individual state variables.