Token Interaction Checklist
A checklist for developers and security engineers to make use of when working with contracts that interact with many different tokens, especially if they want to support user-inputted tokens.
Blog
2nd Solidity Underhanded Contest
The second Solidity Underhanded Contest is here. This is your call to arms.
Breaking Ethereum Nodes with Teatime
Announcing the first version of an RPC attack framework for blockchain nodes.
Detecting Ownership Takeovers Using Mythril
Mythril is an analysis tool which uses symbolic execution to find vulnerabilities in smart contracts. Mythril even generates exploits for the vulnerabilities that it finds 🚀. In a previous article, I wrote about Mythril internals and symbolic execution. In this article, I’ll show how I use Mythril to detect Ownership takeover vulnerabilities. I’ll also use Mythril’s new plugin system install and release plugins with ease! Introduction Out of the box, Mythril comes with several zero-setup detection modules.
LibP2P: Multiaddr - Enode - ENR ?!
Ethereum Node addressing can be confusing. We’re looking into three ways to convey an Ethereum node’s address and provide a convenient web-tool to extract a node’s address from an ENR.
Actionable Smart Contract Addresses for VSCode
ETHover is a hover provider for Microsoft VSCode that provides actions for Ethereum Addresses at your fingertips.
Legions a Tool for Seekers
Legions is a handy toolkit for (security) researchers poking around EVM (Ethereum Virtual Machine) nodes and smart contracts, now with a slick command-line interface, with auto complete commands and history.
tBTC: Navigating the cross-chain conundrum
We recently conducted a security assessment of Thesis’ tBTC. In this post, we explore a fundamental limitation of Bitcoin transaction verification within Ethereum smart contracts.
An Experiment In Designing a New Smart Contract Language
We’ve been building a new experimental smart contract programming language. This post will share what we came up with.
New Offering: 1-Day Security Reviews
Over the past few months, we have been conducting short “security reviews”, typically one or two days in duration. In some ways, these are similar to audits, but in other ways they’re quite different. In this post, I’ll share what these engagements are like and why you might want to hire us for one.
Questions DeFi users should be asking DeFi Developers
The DeFi space has had a tumultuous couple months, with a number of attacks as well as unexploited vulnerabilities being reported. Bugs are unavoidable, but there are many things that can be done to reduce their frequency, and mitigate their negative effects. As auditors, we want to help, but in order to really get developers to truly prioritize security, users need to start asking tough questions, and putting their money into the protocols that can answer them thoughtfully.
Interview with samczsun
If you keep up with Ethereum security-related postings, you’ve no doubt heard of samczsun: security researcher and white hat extraordinaire. In this interview, we discuss his process as well as a few of his well-known findings.
Welcome Back! Security for the EIP Process
The security risk profile for blockchain protocols and application is quite demanding. With high incentives to play foul and potentially severe consequences for all participants. No wonder we were surprised to find out that security was not yet explicitly part of Ethereum’s core change management process. Good thing, this finally changed.
Destroying the Indestructible
This morning, I saw a link to Dharma’s IndestructibleRegistry. The idea behind this registry is that it keeps track of contracts that cannot be destroyed. It does this by verifying the contract’s bytecode on chain. In this post, I’ll show you how I managed to trick that verification and destroy an “indestructible” contract.
Solidity, the Young Adult
Solidity is getting bigger! We are doing a series to present you with the language’s future plans and hopefully spark a conversation on merits and use cases.
AraGraph - DAO Permissions Visualized
A Tool to visualize permission relationships and other details of Aragon DAOs
Vyper Preliminary Security Review
ConsenSys Diligence conducted a preliminary review of the Vyper compiler.
Solidity Visual Auditor Extension for VS Code
A VS Code extension for developing secure smart contract systems.
Meet our Ethereum Security Experts in Japan at Devcon 5!
There are lots of opportunities to come meet our team in Japan.
Vyper: Here be Snakes!
A cautionary tale of a young serpent in a big world
Eliminating Smart Contract Special Cases
Special cases lead to code complexity, which leads to bugs. In this post, I’ll share some examples of eliminating special cases to reduce code complexity and improve maintainability.
How to Prepare for a Smart Contract Audit
A guide to the simple steps you can take beforehand, to get the best result out of the audit process
Factories Improve Smart Contract Security
Using the factory pattern can simplify your code and reduce the impact of certain kinds of security vulnerabilities.
Stop Using Solidity's transfer() Now
Solidity’s transfer() method uses a hardcoded gas amount, but gas costs can change. It’s time to stop using this method.
Return Data Length Validation: a Bug We Missed
A rather serious vulnerability was recently found in the 0x v2.0 Exchange, a smart contract system that our team audited.
A Case Against Inheritance in Smart Contracts
Reduce your use of inheritance in smart contracts and increase your skepticism when you see it.
Detecting Reentrancy Issues in Smart Contracts Using Fuzzing
How Harvey warns you about reentrancy issues in your contracts
Provably Fair Ransom
Ransom has a trust problem. Suppose I’ve birdnapped your beloved pet parakeet and am demanding a $1,000 ransom to return the bird to you…
Uniswap audit
We are proud to announce that we have completed an audit of the Uniswap decentralized exchange. To our knowledge this is also the first…
Ethereum Name Service Audit
ConsenSys Diligence is happy to publish the Ethereum Name Service new registrar audit report. ENS new registrar is going live on May 4th.
All Ethereum Security Tools
ConsenSys Diligence is a security-focused group of 30+ Ethereum engineers, auditors and researchers distributed all over the world. We…
ConsenSys Diligence Ethereum Hacking Challenge #2
Win 100 DAI by Hacking this Vulnerable Ethereum Contract!
Newsletter 19 — MythX, IBM X-Force Red, Security Considerations for EIPs
Sign up to get this newsletter every week: https://tinyletter.com/smart-contract-security/
ConsenSys Diligence is going to Paris!
The Diligence team will be in Paris next week. 🎉
Newsletter 17 — MythX, False Positives on chain, & Front Running
Sign up to get this newsletter in your inbox every week: https://tinyletter.com/smart-contract-security/
ConsenSys Diligence Ethereum Hacking Challenge
ConsenSys Diligence is deploying vulnerable contracts on purpose.
Newsletter 16 — CREATE2 FAQ
Distilled News
Taxonomy of front-running attacks on Blockchain
This post is based on a paper published at 3rd Workshop on Trusted Smart Contracts In Association with Financial Cryptography (FC) 2019.
Poison Block Explorer Byte Code
You will understand how to trick a block explorer into displaying different byte code of your choosing, other than the one deployed on the…
Upgradeability Is a Bug
Smart contracts are useful because they’re trustless. Immutability is a critical feature to achieve trustlessness…
Fuzzing Smart Contracts Using Multiple Transactions
A Technique for Finding Deep Vulnerabilities
How to Exploit Ethereum in a Virtual Environment
This is going to be a series about some of the techniques I implemented when designing Karl, a free tool that finds exploitable code in…
Silent But Vulnerable: Ethereum Gas Security Concerns
Every transaction sent to the Ethereum blockchain requires a nontrivial amount of work to process. Gas is how that work is measured and…
Fuzzing Smart Contracts Using Input Prediction
A lightweight approach for making fuzzing more effective
Finding Vulnerabilities in Smart Contracts
Fuzzing as a way to reveal vulnerabilities in Ethereum smart contracts