Research

Standards & Guidelines

Resources that empower the blockchain community to build secure processes and give guidance on best practices.

Project Name	Author(s)	Venue	Type	Date
Token Interaction Checklist	Shayan Eskandari	Diligence Blog	Guideline	2020
Ethereum Smart Contract Security Best Practices	Diligence Team	Diligence Blog	Guideline	2020
EIP-1963 - Mandatory 'Security Considerations' for EIPs	Martin Ortner	EIP	Standard	2019

Academic Publications

Our members actively participate in academic discourse pushing forward to progress blockchain research.

Project Name	Author(s)	Venue	Type	Date
Metamorphic Relations via Relaxations: An Approach to Obtain Oracles for Action-Policy Testing	Hasan Ferit Eniser, Timo P. Gros, Valentin Wüstholz, Jörg Hoffmann, Maria Christakis	ISSTA 2022	Paper	2022
Debugging a Policy: Automatic Action-Policy Testing in AI Planning	Marcel Steinmetz, Daniel Fiser, Hasan Ferit Eniser, Patrick Ferber, Timo P. Gros, Philippe Heim, Daniel Höller, Xandra Schuler, Valentin Wüstholz, Maria Christakis, Jörg Hoffmann	ICAPS 2022	Paper	2022
Verifying Solidity Smart Contracts Via Communication Abstraction in SmartACE	Scott Wesley, Maria Christakis, Jorge A. Navas, Richard Trefler, Valentin Wüstholz, Arie Gurfinkel	VMCAI 2022	Paper	2022
Compositional Verification of Smart Contracts Through Communication Abstraction	Scott Wesley, Maria Christakis, Jorge A. Navas, Richard Trefler, Valentin Wüstholz, Arie Gurfinkel	SAS 2021	Paper	2021
SoK: Oracles from the Ground Truth to Market Manipulation	Shayan Eskandari et al.	ACM AFT'21	Paper	2021
Metamorphic Testing of Datalog Engines	Muhammad Numair Mansur, Maria Christakis and Valentin Wüstholz	ESEC/FSE 2021	Paper	2021
Estimating Residual Risk in Greybox Fuzzing	Marcel Böhme, Danushka Liyanage, and Valentin Wüstholz	ESEC/FSE 2021	Paper	2021
Automatically Tailoring Abstract Interpretation to Custom Usage Scenarios	Muhammad Numair Mansur, Benjamin Mariano, Maria Christakis, Jorge A. Navas and Valentin Wüstholz	CAV 2021	Paper	2021
Automated Safety Verification of Programs Invoking Neural Networks	Maria Christakis, Hasan Ferit Eniser, Holger Hermanns, Jörg Hoffmann, Yugesh Kothari, Jianlin Li, Jorge A. Navas and Valentin Wüstholz	CAV 2021	Paper	2021
Perfectly parallel fairness certification of neural networks	Caterina Urban, Maria Christakis, Valentin Wüstholz, Fuyuan Zhang	OOPSLA 2020	Paper	2020
Harvey: a greybox fuzzer for smart contracts	Valentin Wüstholz, Maria Christakis	ESEC/FSE 2020	Paper	2020
Detecting critical bugs in SMT solvers using blackbox mutational fuzzing	Muhammad Numair Mansur, Maria Christakis, Valentin Wüstholz, Fuyuan Zhang	ESEC/FSE 2020	Paper	2020
Targeted greybox fuzzing with static lookahead analysis	Valentin Wüstholz, Maria Christakis	ICSE 2020	Paper	2020
Practical Mutation Testing for Smart Contracts	Joran Honig et al.	CBT'19	Paper	2019
Differentially testing soundness and precision of program analyzers	Christian Klinger, Maria Christakis, Valentin Wüstholz	ISSTA 2019	Paper	2019
HARVEY: A Greybox Fuzzer for Smart Contracts	Valentin Wüstholz, Maria Christakis		Paper	2019
Semantic Fault Localization and Suspiciousness Ranking	Maria Christakis, Matthias Heizmann, Muhammad Numair Mansur, Christian Schilling, Valentin Wüstholz	TACAS 2019	Paper	2019
SoK: Transparent Dishonesty: front-running attacks on Blockchain	Shayan Eskandari et al.	Workshop on Trusted Smart Contracts @ Financial Cryptography 19	Paper	2019
Smashing Ethereum Smart Contracts for Fun and Real Profit	Bernhard Mueller	HITB Security Conference	Paper	2018
A first look at browser-based Cryptojacking	Shayan Eskandari et al.	Security & Privacy on the Blockchain (affiliated with Euro S&P)	Paper	2018
On the feasibility of decentralized derivatives markets	Shayan Eskandari et al.	FC 2017: Financial Cryptography and Data Security	Paper	2017
Real-world Deployability and Usability of Bitcoin	Shayan Eskandari	Concordia University - MASc Thesis	Paper	2016
A first look at the usability of bitcoin key management	Shayan Eskandari et al.	USEC 15 NDSS Workshop on Usable Security (USEC)	Paper	2015

Talks & Workshops

We educate 🎓, publish research, and join public discussion to spearhead blockchain security awareness.

Project Name	Author(s)	Venue	Type	Date
Oracles from the Ground Truth to Market Manipulation	Shayan Eskandari	ETHCC 4	Presentation	2021
Learn how to use scribble, created by ConsenSys Diligence, a solidity runtime verification tool for property based testing.	Joran Honig, Gonçalo Sá	ETHCC 4	Workshop	2021
Automated Testing of Smart Contract Systems	Valentin Wüstholz	Liquidity 2020	Presentation	2020
Convergence, Economic Attacks & Composability Risks - How to Audit Cryptoeconomics?	Gonçalo Sá	Diffusion Digital	Panel	2020
ERC20 Misbehaviors	Sergii Kravchenko	EthCC 3	Presentation	2020
Transparent Dishonesty: Blockchain Front-Running Taxonomy	Shayan Eskandari	The Stanford Blockchain Conference	Presentation	2020
Testing and verification of smart contracts	Valentin Wüstholz	VMCAI Winter School 2020	Presentation	2020
Breaking Smart Contracts	Shayan Eskandari & Maurelian	DevCon V	Workshop	2019
Transparent Dishonesty: Blockchain Front-Running Taxonomy	Shayan Eskandari	DevCon V	Presentation	2019
All the Truth - an Ethereum Security Panel	Gonçalo Sá	DevCon V	Panel	2019
Security By Design and Smart Contract Audits	Shayan Eskandari	BTC2019	Presentation	2019
The Ether Wars: Exploits, counter-exploits and honeypots on Ethereum	Bernhard Mueller and Daniel Luca	DEFCON 27	Presentation	2019
Smashing Smart Contracts: Detecting and Exploiting Vulnerabilities in EVM bytecode		Blockchain Village @ DEF CON 27	Workshop	2019
Democratic Improvement Proposals for decentralization projects (Improving EIP Process)	Shayan Eskandari	IETF 105	Presentation	2019
Breaking smart contracts	Maurelian & Shayan Eskandari	NorthSec	Workshop	2019
Security in EIP process	Martin Ortner	Ethereum Core Devs	Presentation	2019
How to Not Get Rekt: Processes and Tools for Smart Contract Secure SDLC		DevCon IV	Workshop	2018
Smart Contract Secure SDLC	Tom Lindeman	Hi-Con	Presentation	2018
Current State of Security Panel		DevCon IV	Panel	2018
Smart Contract Vulnerabilities: The Most Interesting Transactions On The Ethereum Blockchain	Jon Maurelian and Sarah Friend	SecTor	Presentation	2018
Ethereum the Hacker's Paradise	Daniel Luca	Security Espresso	Presentation	2018
Solidity Dapp Optimization	Gonçalo Sá	DAPPCON	Presentation	2018
Mythril: Symbolic Analysis of Contract Security Properties	Jon Maurelian	EDCON	Presentation	2018
Smart contract vulnerabilities	Sarah Friend and Jon Maurelian	NorthSec	Presentation	2018
Smashing Ethereum Smart Contracts for Fun and ACTUAL Profit	Bernhard Mueller	HITB Security Conference	Presentation	2018
A brief history of smart contract security	Jon Maurelian	Empire Hacking	Presentation	2017
BTC Relay	Joseph Chow	DEVCON 1	Presentation	2015

Vulnerability Disclosure

Responsible disclosure of 0-day vulnerabilities is one way we show our gratitude to all the beautiful ❤️ open-source projects.

Title	Author(s)	CVE	Date
Snapshot.org - Proposal Space Confusion	tintinweb	-	2021
Python - MIME Splitting	tintinweb	-	2021
Python - smtplib Multiple Crlf Injection	tintinweb	-	2021
PHP - IMAP MIME Splitting and Crlf Injection	tintinweb	-	2021
Remix Ethereum IDE - Drive-By and Remixd Path Traversal and Rce	tintinweb	-	2021
Nim - Insecure SSL/TLS Defaults, MitM, and nimble shell command injection	tintinweb	CVE-2021-21374 CVE-2021-21373 CVE-2021-21372	2021
Nim - stdlib asyncftpd - Crlf Injection	tintinweb	CVE-2020-15690	2021
Ethereum 2.0 - Teku - DoS via Gossipsub	tintinweb	-	2020
Ethereum 1.0 - Trinity - Neighbour of Death remote DoS via DiscV4	tintinweb	-	2020
Nim - stdlib Browsers - `open` Argument Injection	tintinweb	CVE-2020-15692	2020
Nim - stdlib Httpclient - Header Crlf Injection & Server Response Validation	tintinweb	CVE-2020-15693 CVE-2020-15694	2020
Nim - stdlib smtp - multiple crlf injections	tintinweb	CVE-2020-15691	2020