Standards and Guidelines

Resources that empower the blockchain community to build secure processes and give guidance on best practices.

Project Name | Author(s) | Venue | Type | Date
Token Interaction Checklist | Shayan Eskandari | Diligence Blog | Guideline | 2020
Ethereum Smart Contract Security Best Practices | Diligence Team | Diligence Blog | Guideline | 2020
EIP-1963 - Mandatory 'Security Considerations' for EIPs | Martin Ortner | EIP | Standard | 2019


We educate 🎓, publish research, and join public discussion to spearhead blockchain security awareness.

Project Name | Author(s) | Venue | Type | Date
Oracles from the Ground Truth to Market Manipulation | Shayan Eskandari | ETHCC 4 | Presentation | 2021
Learn how to use Scribble, created by ConsenSys Diligence, a Solidity runtime verification tool for property-based testing. | Shayan Eskandari | ETHCC 4 | Workshop | 2021
Automated Testing of Smart Contract Systems | Valentin Wüstholz | Liquidity 2020 | Presentation | 2020
Convergence, Economic Attacks & Composability Risks - How to Audit Cryptoeconomics? | Gonçalo Sá | Diffusion Digital | Panel | 2020
ERC20 Misbehaviors | Sergii Kravchenko | EthCC 3 | Presentation | 2020
Transparent Dishonesty: Blockchain Front-Running Taxonomy | Shayan Eskandari | The Stanford Blockchain Conference | Presentation | 2020
Testing and verification of smart contracts | Valentin Wüstholz | VMCAI Winter School 2020 | Presentation | 2020
Breaking Smart Contracts | Shayan Eskandari & Maurelian | DevCon V | Workshop | 2019
Transparent Dishonesty: Blockchain Front-Running Taxonomy | Shayan Eskandari | DevCon V | Presentation | 2019
All the Truth - an Ethereum Security Panel | Gonçalo Sá | DevCon V | Panel | 2019
Security By Design and Smart Contract Audits | Shayan Eskandari | BTC2019 | Presentation | 2019
The Ether Wars: Exploits, counter-exploits and honeypots on Ethereum | Bernhard Mueller and Daniel Luca | DEFCON 27 | Presentation | 2019
Smashing Smart Contracts: Detecting and Exploiting Vulnerabilities in EVM bytecode | | Blockchain Village @ DEF CON 27 | Workshop | 2019
Democratic Improvement Proposals for decentralization projects (Improving EIP Process) | Shayan Eskandari | IETF 105 | Presentation | 2019
Breaking smart contracts | Maurelian & Shayan Eskandari | NorthSec | Workshop | 2019
Security in EIP process | Martin Ortner | Ethereum Core Devs | Presentation | 2019
How to Not Get Rekt: Processes and Tools for Smart Contract Secure SDLC | | DevCon IV | Workshop | 2018
Smart Contract Secure SDLC | Tom Lindeman | Hi-Con | Presentation | 2018
Current State of Security Panel | | DevCon IV | Panel | 2018
Smart Contract Vulnerabilities: The Most Interesting Transactions On The Ethereum Blockchain | Jon Maurelian and Sarah Friend | SecTor | Presentation | 2018
Ethereum the Hacker's Paradise | Daniel Luca | Security Espresso | Presentation | 2018
Solidity Dapp Optimization | Gonçalo Sá | DAPPCON | Presentation | 2018
Mythril: Symbolic Analysis of Contract Security Properties | Jon Maurelian | EDCON | Presentation | 2018
Smart contract vulnerabilities | Sarah Friend and Jon Maurelian | NorthSec | Presentation | 2018
Smashing Ethereum Smart Contracts for Fun and ACTUAL Profit | Bernhard Mueller | HITB Security Conference | Presentation | 2018
A brief history of smart contract security | Jon Maurelian | Empire Hacking | Presentation | 2017
BTC Relay | Joseph Chow | DEVCON 1 | Presentation | 2015


Our members actively participate in academic discourse to push blockchain research forward.

Project Name | Author(s) | Venue | Type | Date
SoK: Oracles from the Ground Truth to Market Manipulation | Shayan Eskandari et al. | Under Review | Paper | 2021
Perfectly parallel fairness certification of neural networks | Caterina Urban, Maria Christakis, Valentin Wüstholz, Fuyuan Zhang | OOPSLA 2020 | Paper | 2020
Detecting critical bugs in SMT solvers using blackbox mutational fuzzing | Muhammad Numair Mansur, Maria Christakis, Valentin Wüstholz, Fuyuan Zhang | ESEC/FSE 2020 | Paper | 2020
Harvey: a greybox fuzzer for smart contracts | Valentin Wüstholz, Maria Christakis | ESEC/FSE 2020 | Paper | 2020
Targeted greybox fuzzing with static lookahead analysis | Valentin Wüstholz, Maria Christakis | ICSE 2020 | Paper | 2020
Practical Mutation Testing for Smart Contracts | Joran Honig et al. | CBT'19 | Paper | 2019
Differentially testing soundness and precision of program analyzers | Christian Klinger, Maria Christakis, Valentin Wüstholz | ISSTA 2019 | Paper | 2019
HARVEY: A Greybox Fuzzer for Smart Contracts | Valentin Wüstholz, Maria Christakis | | Paper | 2019
Semantic Fault Localization and Suspiciousness Ranking | Maria Christakis, Matthias Heizmann, Muhammad Numair Mansur, Christian Schilling, Valentin Wüstholz | TACAS 2019 | Paper | 2019
SoK: Transparent Dishonesty: front-running attacks on Blockchain | Shayan Eskandari et al. | Workshop on Trusted Smart Contracts @ Financial Cryptography 19 | Paper | 2019
Smashing Ethereum Smart Contracts for Fun and Real Profit | Bernhard Mueller | HITB Security Conference | Paper | 2018
A first look at browser-based Cryptojacking | Shayan Eskandari et al. | Security & Privacy on the Blockchain (affiliated with Euro S&P) | Paper | 2018
On the feasibility of decentralized derivatives markets | Shayan Eskandari et al. | FC 2017: Financial Cryptography and Data Security | Paper | 2017
Real-world Deployability and Usability of Bitcoin | Shayan Eskandari | Concordia University - MASc Thesis | Paper | 2016
A first look at the usability of bitcoin key management | Shayan Eskandari et al. | USEC 15 NDSS Workshop on Usable Security (USEC) | Paper | 2015


Responsible disclosure of 0-day vulnerabilities is one way we show our gratitude to all the beautiful ❤️ open-source projects.

CVE | Title | Author(s) | Date
- | Python - MIME Splitting | tintinweb | May 28, 2021
- | Python - smtplib Multiple CRLF Injection | tintinweb | May 28, 2021
- | PHP - IMAP MIME Splitting and CRLF Injection | tintinweb | May 28, 2021
- | Remix Ethereum IDE - Drive-By and Remixd Path Traversal and RCE | tintinweb | May 5, 2021
CVE-2021-21374, CVE-2021-21373, CVE-2021-21372 | Nim - Insecure SSL/TLS Defaults, MitM, and nimble shell command injection | tintinweb | Feb 4, 2021
CVE-2020-15690 | Nim - stdlib asyncftpd - CRLF Injection | tintinweb | Feb 4, 2021
- | Ethereum 2.0 - Teku - DoS via Gossipsub | tintinweb | Oct 20, 2020
- | Ethereum 1.0 - Trinity - Neighbour of Death remote DoS via DiscV4 | tintinweb | Sep 3, 2020
CVE-2020-15692 | Nim - stdlib browsers - `open` Argument Injection | tintinweb | Jul 30, 2020
CVE-2020-15693, CVE-2020-15694 | Nim - stdlib httpclient - Header CRLF Injection & Server Response Validation | tintinweb | Jul 30, 2020
CVE-2020-15691 | Nim - stdlib smtp - multiple CRLF injections | tintinweb | Jul 30, 2020