Diligence Blog

It’s been a couple of years since code4rena has introduced competitive audits into the smart contract security landscape, and it looks like audit contests are here to stay. In the meanwhile several other platforms have popped up with the same forumula. Audit contests are simple. A project publishes a set of smart contracts that they would like to have audited, and promises a prize pool for security related findings. A contest is ran for a couple of weeks during which participants can submit their findings.

We recently released a new tool called napalm, a detection module IDE. Napalm makes it easy to set-up a multi-tool custom detector project. Not stopping there, napalm provides an all-out quality of life upgrade for security researchers that like to write their own detection modules. A tool that helps you develop detection modules is great, but it occurred to me that lots of people are not writing their own detection modules yet.

Attention, all auditors and security researchers! We’ve got a new tool for you! You’re a security researcher and you hate repetitive work. So what do you do? You’ve compiled a nice collection of analysis rules and detection modules that automatically do all the repetitive work for you. Life is great, until, …. You’ve got 100+ modules, some for slither, others for semgrep and things are getting out of hand! You have to spend time writing scripts to run the right modules at the right time, and it’s impossible to even keep track of what you can automatically detect.

Enterprise Ethereum Alliance (EEA) shapes the most mature standard for smart contract security. Consensys Diligence contributes to the EthTrust Security Levels Specification, spearheaded by the EEA EthTrust Security Levels Working Group.

Learn how an audit by the Diligence team made GLIF’s smart contracts and protocol more secure.

This blog post discusses Tidal’s engagement with Consensys Diligence to audit the protocol’s on-chain insurance smart contracts.

Consensys Diligence provides actionable tips on building secure and robust smart contracts in web3.

On May 6th 2023 DeusDao was exploited resulting in $6.5M in losses. A detailed write-up of the event can be found here. The root cause of the exploit, was a logical error in the burnFrom function. function burnFrom(address account, uint256 amount) public virtual { uint256 currentAllowance = _allowances[_msgSender()][account]; _approve(account, _msgSender(), currentAllowance - amount); _burn(account, amount); } On the first line of burnFrom, the message sender and account are accidentally swapped when computing the allowance for tokens to burn.

Announcing Diligence Fuzzing support for all Foundry developers to ensure easy and efficient smart contract security.

Consensys Diligence explains the Halo2 zero-knowledge prover and highlights bugs that can affect security of Halo2 circuits.

Crypto hacks are costing projects millions in user funds. Bug bounty programs can help prevent exploits and secure the Web3 ecosystem. Bug bounties provide financial incentives for hackers and researchers to disclose flaws in applications to development teams. In the tech industry, where minor software errors can lead to catastrophic losses, bug bounties provide a cost-effective method for detecting vulnerabilities in code. Bug bounties have a long history: In 1983, microprocessor manufacturer Hunter & Ready launched the “Bug for a Bug” program—finding flaws in its VRTX operating system earned the finder a Volkswagen Beetle, commonly called the “Bug”.

An overview of the emerging web3 security stack and industry.

While smart contract systems of today have the capability to be deployed with permissions, upgradeable proxies, and ways to add extra logic to them, the unique selling point of this technology has always been its ability to remain immutable and predictable after the initial deployment. Systems with these properties can be used reliably by integrators with strong expectations that they will continue working as expected. From a smart contract security perspective, this allows users and builders to rest easy knowing that the code they are transacting with now will not change and surprise them.

Helping users with selecting a suitable fuzzer

Use this helpful checklist to prepare your smart contacts for an audit

Step-by-step tutorial to get started using Fuzzing for your smart contract security

Diligence Fuzzing is now available for developers for testing smart contract systems.

How you can record fuzzing lessons in Diligence Fuzzing

In 2021 we privately disclosed multiple vulnerabilities in the InterPlanetary File System but never really talked about it. Let’s change that 😊!

Earlier this year, ConsenSys Diligence announced its partnership with StarkWare to expand its security audit capabilities for smart contracts written in Cairo and deployed on StarkWare. “We were very impressed by the team’s in-depth analysis and understanding of Cairo, overcoming the fact that this is a new language. Consensys Diligence has already contributed to the safety of StarkEx by detecting a bug that was promptly fixed.” said Uri Kolodny, Co-founder and CEO at StarkWare about the partnership.