Standards & Guidelines

Resources that empower the blockchain community to build secure processes and give guidance on best practices.

| Project Name | Author(s) | Venue | Type | Date |
| Token Interaction Checklist | Shayan Eskandari | Diligence Blog | Guideline | 2020 |
| Ethereum Smart Contract Security Best Practices | Diligence Team | Diligence Blog | Guideline | 2020 |
| EIP-1963 - Mandatory 'Security Considerations' for EIPs | Martin Ortner | EIP | Standard | 2019 |

Academic Publications

Our members actively participate in academic discourse to advance blockchain research.

| Project Name | Author(s) | Venue | Type | Date |
| Metamorphic Relations via Relaxations: An Approach to Obtain Oracles for Action-Policy Testing | Hasan Ferit Eniser, Timo P. Gros, Valentin Wüstholz, Jörg Hoffmann, Maria Christakis | ISSTA 2022 | Paper | 2022 |
| Debugging a Policy: Automatic Action-Policy Testing in AI Planning | Marcel Steinmetz, Daniel Fiser, Hasan Ferit Eniser, Patrick Ferber, Timo P. Gros, Philippe Heim, Daniel Höller, Xandra Schuler, Valentin Wüstholz, Maria Christakis, Jörg Hoffmann | ICAPS 2022 | Paper | 2022 |
| Verifying Solidity Smart Contracts Via Communication Abstraction in SmartACE | Scott Wesley, Maria Christakis, Jorge A. Navas, Richard Trefler, Valentin Wüstholz, Arie Gurfinkel | VMCAI 2022 | Paper | 2022 |
| Compositional Verification of Smart Contracts Through Communication Abstraction | Scott Wesley, Maria Christakis, Jorge A. Navas, Richard Trefler, Valentin Wüstholz, Arie Gurfinkel | SAS 2021 | Paper | 2021 |
| SoK: Oracles from the Ground Truth to Market Manipulation | Shayan Eskandari et al. | ACM AFT'21 | Paper | 2021 |
| Metamorphic Testing of Datalog Engines | Muhammad Numair Mansur, Maria Christakis and Valentin Wüstholz | ESEC/FSE 2021 | Paper | 2021 |
| Estimating Residual Risk in Greybox Fuzzing | Marcel Böhme, Danushka Liyanage, and Valentin Wüstholz | ESEC/FSE 2021 | Paper | 2021 |
| Automatically Tailoring Abstract Interpretation to Custom Usage Scenarios | Muhammad Numair Mansur, Benjamin Mariano, Maria Christakis, Jorge A. Navas and Valentin Wüstholz | CAV 2021 | Paper | 2021 |
| Automated Safety Verification of Programs Invoking Neural Networks | Maria Christakis, Hasan Ferit Eniser, Holger Hermanns, Jörg Hoffmann, Yugesh Kothari, Jianlin Li, Jorge A. Navas and Valentin Wüstholz | CAV 2021 | Paper | 2021 |
| Perfectly parallel fairness certification of neural networks | Caterina Urban, Maria Christakis, Valentin Wüstholz, Fuyuan Zhang | OOPSLA 2020 | Paper | 2020 |
| Harvey: a greybox fuzzer for smart contracts | Valentin Wüstholz, Maria Christakis | ESEC/FSE 2020 | Paper | 2020 |
| Detecting critical bugs in SMT solvers using blackbox mutational fuzzing | Muhammad Numair Mansur, Maria Christakis, Valentin Wüstholz, Fuyuan Zhang | ESEC/FSE 2020 | Paper | 2020 |
| Targeted greybox fuzzing with static lookahead analysis | Valentin Wüstholz, Maria Christakis | ICSE 2020 | Paper | 2020 |
| Practical Mutation Testing for Smart Contracts | Joran Honig et al. | CBT'19 | Paper | 2019 |
| Differentially testing soundness and precision of program analyzers | Christian Klinger, Maria Christakis, Valentin Wüstholz | ISSTA 2019 | Paper | 2019 |
| HARVEY: A Greybox Fuzzer for Smart Contracts | Valentin Wüstholz, Maria Christakis | | Paper | 2019 |
| Semantic Fault Localization and Suspiciousness Ranking | Maria Christakis, Matthias Heizmann, Muhammad Numair Mansur, Christian Schilling, Valentin Wüstholz | TACAS 2019 | Paper | 2019 |
| SoK: Transparent Dishonesty: front-running attacks on Blockchain | Shayan Eskandari et al. | Workshop on Trusted Smart Contracts @ Financial Cryptography 19 | Paper | 2019 |
| Smashing Ethereum Smart Contracts for Fun and Real Profit | Bernhard Mueller | HITB Security Conference | Paper | 2018 |
| A first look at browser-based Cryptojacking | Shayan Eskandari et al. | Security & Privacy on the Blockchain (affiliated with Euro S&P) | Paper | 2018 |
| On the feasibility of decentralized derivatives markets | Shayan Eskandari et al. | FC 2017: Financial Cryptography and Data Security | Paper | 2017 |
| Real-world Deployability and Usability of Bitcoin | Shayan Eskandari | Concordia University - MASc Thesis | Paper | 2016 |
| A first look at the usability of bitcoin key management | Shayan Eskandari et al. | USEC 15 NDSS Workshop on Usable Security (USEC) | Paper | 2015 |

Talks & Workshops

We educate 🎓, publish research, and join public discussion to spearhead blockchain security awareness.

| Project Name | Author(s) | Venue | Type | Date |
| Oracles from the Ground Truth to Market Manipulation | Shayan Eskandari | ETHCC 4 | Presentation | 2021 |
| Learn how to use scribble, created by ConsenSys Diligence, a solidity runtime verification tool for property based testing. | Joran Honig, Gonçalo Sá | ETHCC 4 | Workshop | 2021 |
| Automated Testing of Smart Contract Systems | Valentin Wüstholz | Liquidity 2020 | Presentation | 2020 |
| Convergence, Economic Attacks & Composability Risks - How to Audit Cryptoeconomics? | Gonçalo Sá | Diffusion Digital | Panel | 2020 |
| ERC20 Misbehaviors | Sergii Kravchenko | EthCC 3 | Presentation | 2020 |
| Transparent Dishonesty: Blockchain Front-Running Taxonomy | Shayan Eskandari | The Stanford Blockchain Conference | Presentation | 2020 |
| Testing and verification of smart contracts | Valentin Wüstholz | VMCAI Winter School 2020 | Presentation | 2020 |
| Breaking Smart Contracts | Shayan Eskandari & Maurelian | DevCon V | Workshop | 2019 |
| Transparent Dishonesty: Blockchain Front-Running Taxonomy | Shayan Eskandari | DevCon V | Presentation | 2019 |
| All the Truth - an Ethereum Security Panel | Gonçalo Sá | DevCon V | Panel | 2019 |
| Security By Design and Smart Contract Audits | Shayan Eskandari | BTC2019 | Presentation | 2019 |
| The Ether Wars: Exploits, counter-exploits and honeypots on Ethereum | Bernhard Mueller and Daniel Luca | DEFCON 27 | Presentation | 2019 |
| Smashing Smart Contracts: Detecting and Exploiting Vulnerabilities in EVM bytecode | | Blockchain Village @ DEF CON 27 | Workshop | 2019 |
| Democratic Improvement Proposals for decentralization projects (Improving EIP Process) | Shayan Eskandari | IETF 105 | Presentation | 2019 |
| Breaking smart contracts | Maurelian & Shayan Eskandari | NorthSec | Workshop | 2019 |
| Security in EIP process | Martin Ortner | Ethereum Core Devs | Presentation | 2019 |
| How to Not Get Rekt: Processes and Tools for Smart Contract Secure SDLC | | DevCon IV | Workshop | 2018 |
| Smart Contract Secure SDLC | Tom Lindeman | Hi-Con | Presentation | 2018 |
| Current State of Security Panel | | DevCon IV | Panel | 2018 |
| Smart Contract Vulnerabilities: The Most Interesting Transactions On The Ethereum Blockchain | Jon Maurelian and Sarah Friend | SecTor | Presentation | 2018 |
| Ethereum the Hacker's Paradise | Daniel Luca | Security Espresso | Presentation | 2018 |
| Solidity Dapp Optimization | Gonçalo Sá | DAPPCON | Presentation | 2018 |
| Mythril: Symbolic Analysis of Contract Security Properties | Jon Maurelian | EDCON | Presentation | 2018 |
| Smart contract vulnerabilities | Sarah Friend and Jon Maurelian | NorthSec | Presentation | 2018 |
| Smashing Ethereum Smart Contracts for Fun and ACTUAL Profit | Bernhard Mueller | HITB Security Conference | Presentation | 2018 |
| A brief history of smart contract security | Jon Maurelian | Empire Hacking | Presentation | 2017 |
| BTC Relay | Joseph Chow | DEVCON 1 | Presentation | 2015 |

Vulnerability Disclosure

Responsible disclosure of 0-day vulnerabilities is one way we show our gratitude to all the beautiful ❤️ open-source projects.

| Title | Author(s) | CVE | Date |
| - Proposal Space Confusion | tintinweb | - | 2021 |
| js-ipns - Downgrading Attack and Name Takeover | tintinweb | - | 2021 |
| jsipfs - ipfs-http-response - HTML Injection in Dirlisting | tintinweb | - | 2021 |
| Python - MIME Splitting | tintinweb | - | 2021 |
| Python - smtplib Multiple Crlf Injection | tintinweb | - | 2021 |
| PHP - IMAP MIME Splitting and Crlf Injection | tintinweb | - | 2021 |
| js-ipns - Signed Message Malleability Problem | tintinweb | - | 2021 |
| Ipfs Desktop - Path Traversal and arbitrary overwrite | tintinweb | - | 2021 |
| Remix Ethereum IDE - Drive-By and Remixd Path Traversal and Rce | tintinweb | - | 2021 |
| js-ipfs api CORS Bypass Full Admin Write | tintinweb | - | 2021 |
| Nim - Insecure SSL/TLS Defaults, MitM, and nimble shell command injection | tintinweb | CVE-2021-21374, CVE-2021-21373, CVE-2021-21372 | 2021 |
| Nim - stdlib asyncftpd - Crlf Injection | tintinweb | CVE-2020-15690 | 2021 |
| Ipfs - Path Traversal and Control Char Injection | tintinweb | CVE-2020-26279, CVE-2020-26283 | 2021 |
| go-ipfs-files improperly handles writing ipfs nodes to files | Joran Honig | - | 2021 |
| Ipfs Fuse mount allows for symlinks outside the mount directory | Joran Honig | - | 2021 |
| Ethereum 2.0 - Teku - DoS via Gossipsub | tintinweb | - | 2020 |
| Ethereum 1.0 - Trinity - Neighbour of Death remote DoS via DiscV4 | tintinweb | - | 2020 |
| Nim - stdlib Browsers - `open` Argument Injection | tintinweb | CVE-2020-15692 | 2020 |
| Nim - stdlib Httpclient - Header Crlf Injection & Server Response Validation | tintinweb | CVE-2020-15693, CVE-2020-15694 | 2020 |
| Nim - stdlib smtp - multiple crlf injections | tintinweb | CVE-2020-15691 | 2020 |