Diligence Blog

Latest

Introducing Diligence Fuzzing

The ConsenSys Diligence team has built a lot of tools with use cases ranging from automatic vulnerability discovery (check out MythX) to network-based vulnerability scanning (TeaTime), to code understanding tools (Surya, VSCode visual developer). Check out all our tools here: Blockchain Security Tools | ConsenSys Diligence A few months ago, we released Scribble, an all-new specification language for smart contracts. Using Scribble, you can extend your smart contract with specifications that we can automatically check using fuzzing and symbolic execution techniques.
Joran Honig
September 16, 2021

Annotating State Variables with Scribble

Since we released Scribble last December, we have been hard at work adding new features to the language and the tool itself. In this series of posts, we will look at some of the new features we’ve added. Our first post showcases state variable annotations with if_updated. The problem During our early usage of Scribble it became apparent that annotations of functions and contracts are nice, but are sometimes insufficient when reasoning about individual state variables.
Dimitar Bounov
July 29, 2021

Hackathons are fantastic!

There’s nothing more enjoyable than gathering a group of friends, eating pizza, and hack on something you’ve always wanted to build but haven’t had time for. When we learned that ConsenSys is organizing an internal hackathon, it didn’t take us long to find projects to hack on. A couple of friends started hacking on “TURN”, a revolutionary token-based solution that could simplify our day-to-day operations. More on this in a future post.
Martin Ortner, João Santos, Gonçalo Sá, Oliver Terbu
July 22, 2021

Introducing Scribble Generator

Some vendors use an effective sales strategy called “lock-in”. Once you’re in the vendors’ ecosystem, it can be challenging to get out. You’ll have made a big investment into various products that work great together but suck once you use them with anything else. A similar thing can happen (often unintentionally) with tech stacks. You invest big-time in tool X and are then locked into using it because you don’t want to start from scratch with a new tool Y.
Joran Honig
July 14, 2021

IPFS Gateway Security

TL;DR: Path-based IPFS gateways have a critical flaw: They effectively disable one of the essential security features of modern browsers: the same-origin policy. Note Update: June 16, 2021 We’d like to thank the team at security[at]ipfs.io for picking up and addressing our concerns. It is a pleasure seeing security being taken seriously and we’d like to share their updates and feedback with you. The following statements were provided by the IPFS security team and have not been validated by Consensys Diligence.
Martin Ortner, Dominik Muhs
June 07, 2021

Tackling Cross Site Scripting with Smart Contracts

Writing Smart Contracts can be fraught with dangers stemming from multiple vectors, but one you may not have considered is Cross Site Scripting attacks initiated by the Smart Contract itself! How is this possible? Let’s explore and solve.
Grant Southey (Guest Author)
March 10, 2021

Paradigm CTF Winner

ConsenSys Diligence team, a.k.a Dilicious, won the first place at Paradigm Capture the Flag competition. Paradigm CTF was one of the most anticipated security competitions in the Ethereum space.
Shayan Eskandari
February 28, 2021

Fault Localisation with Tarantula

Sometimes unit-tests fail, and you don’t know why. That’s when you want to use fault localisation; to find the fault that’s causing the tests to fail. Tarantula is such an algorithm and finds which lines are most suspect of breaking the tests. I implemented this algorithm and used solidity-coverage results to localise bugs in Ethereum smart contracts. Let’s start at the beginning; the motivation for fault localisation. Imagine you’re just developing a new feature and you run your test suite.
Joran Honig
February 10, 2021

4 effective strategies to come up with Scribble annotations

Coming up with properties can be a difficult task! In this previous post we talked about starting to write Scribble properties. Here I’m going to explore four strategies to accelerate annotating your smart contracts! As you might already know, Scribble enables you to write properties that you can then test automatically using methods such as fuzzing and symbolic execution. Sounds awesome, doesn’t it? But how do you come up with those properties?
Joran Honig
February 02, 2021

Writing Properties - A new approach to testing

Writing smart contract properties - A new approach to testing Scribble allows you to write smart contract properties that can be automatically tested using fuzzing and symbolic execution techniques. Writing properties requires a bit of a mindset shift. This article will talk about that shift, to go from unit testing to property-based testing with Scribble. If you’re a developer then I’m sure you’re familiar with unit testing, an approach where you write small (unit) test cases to see if a component behaves as expected.
Joran Honig
January 19, 2021

Analysis

Best Practice

Token Interaction Checklist

A checklist for developers and security engineers to make use of when working with contracts that interact with many different tokens, especially if they want to support user-inputted tokens.
Shayan Eskandari
November 16, 2020

Questions DeFi users should be asking DeFi Developers

The DeFi space has had a tumultuous couple months, with a number of attacks as well as unexploited vulnerabilities being reported. Bugs are unavoidable, but there are many things that can be done to reduce their frequency, and mitigate their negative effects. As auditors, we want to help, but in order to really get developers to truly prioritize security, users need to start asking tough questions, and putting their money into the protocols that can answer them thoughtfully.
John Mardlin
March 02, 2020

Eliminating Smart Contract Special Cases

Special cases lead to code complexity, which leads to bugs. In this post, I’ll share some examples of eliminating special cases to reduce code complexity and improve maintainability.
Steve Marx
September 23, 2019

News

Paradigm CTF Winner

ConsenSys Diligence team, a.k.a Dilicious, won the first place at Paradigm Capture the Flag competition. Paradigm CTF was one of the most anticipated security competitions in the Ethereum space.
Shayan Eskandari
February 28, 2021

New Offering: 1-Day Security Reviews

Over the past few months, we have been conducting short “security reviews”, typically one or two days in duration. In some ways, these are similar to audits, but in other ways they’re quite different. In this post, I’ll share what these engagements are like and why you might want to hire us for one.
Steve Marx
March 31, 2020

Newsletter

Smart Contract Languages

Welcome Back! Security for the EIP Process

The security risk profile for blockchain protocols and application is quite demanding. With high incentives to play foul and potentially severe consequences for all participants. No wonder we were surprised to find out that security was not yet explicitly part of Ethereum’s core change management process. Good thing, this finally changed.
Martin Ortner
January 05, 2020

Solidity, the Young Adult

Solidity is getting bigger! We are doing a series to present you with the language’s future plans and hopefully spark a conversation on merits and use cases.
Gonçalo Sá
November 15, 2019

Tools

Introducing Diligence Fuzzing

The ConsenSys Diligence team has built a lot of tools with use cases ranging from automatic vulnerability discovery (check out MythX) to network-based vulnerability scanning (TeaTime), to code understanding tools (Surya, VSCode visual developer). Check out all our tools here: Blockchain Security Tools | ConsenSys Diligence A few months ago, we released Scribble, an all-new specification language for smart contracts. Using Scribble, you can extend your smart contract with specifications that we can automatically check using fuzzing and symbolic execution techniques.
Joran Honig
September 16, 2021

Annotating State Variables with Scribble

Since we released Scribble last December, we have been hard at work adding new features to the language and the tool itself. In this series of posts, we will look at some of the new features we’ve added. Our first post showcases state variable annotations with if_updated. The problem During our early usage of Scribble it became apparent that annotations of functions and contracts are nice, but are sometimes insufficient when reasoning about individual state variables.
Dimitar Bounov
July 29, 2021

Introducing Scribble Generator

Some vendors use an effective sales strategy called “lock-in”. Once you’re in the vendors’ ecosystem, it can be challenging to get out. You’ll have made a big investment into various products that work great together but suck once you use them with anything else. A similar thing can happen (often unintentionally) with tech stacks. You invest big-time in tool X and are then locked into using it because you don’t want to start from scratch with a new tool Y.
Joran Honig
July 14, 2021

Writeup

tBTC: Navigating the cross-chain conundrum

We recently conducted a security assessment of Thesis’ tBTC. In this post, we explore a fundamental limitation of Bitcoin transaction verification within Ethereum smart contracts.
Alexander Wade
May 01, 2020

Destroying the Indestructible

This morning, I saw a link to Dharma’s IndestructibleRegistry. The idea behind this registry is that it keeps track of contracts that cannot be destroyed. It does this by verifying the contract’s bytecode on chain. In this post, I’ll show you how I managed to trick that verification and destroy an “indestructible” contract.
Steve Marx
December 11, 2019