This week: DeFi Discussions Live Auditing, Uniswap & lendFme hack, Gitcoin Grants Collusion, and more.
Hope you are all healthy, at home, with plenty of toilet paper.
Last month was pretty busy with conferences, here are some of our talks:
EthCC [All Videos]
- Preventing Disaster: Advances in Smart Contract Vulnerability Detection — Bernhard Mueller
- Ether Wars Exploits Counter Exploits and Honeypots — Daniel Luca
- ERC20 Misbehaviors — Sergii Kravchenko
- Mutation Testing for Smart Contracts — Joran Honig
Stanford Blockchain Conference [All Videos]:
- “Transparent Dishonesty: front-running attacks on Blockchain” — Shayan Eskandari
Also listen to the latest Epicenter episode EthCC 3 — Flash Loans and Elbow Bumps featuring our one and only Gonçalo Sá
Twitter user kikx disclosed a bug in ProgPoW which would have enabled an ASIC operator to find a new advantage over GPU miners.
ProgPoW’s designer, Kristy-Leigh Minehan gave a nice step by step explanation of the bug in this twitter thread.
The MakerDAO Auction Fiasco
On March 12th, in the midst of a market sell-off, someone managed to purchase $4.5 MM worth of ETH from liquidated Maker CDPs (Collateralized Debt Position). GlassNode has the most comprehensive write-up we’ve seen, and we’ll borrow their great TL;DR:
- Ethereum Network Overwhelmed, Gas Prices Increased — On 12 March, the Ethereum network was overwhelmed by demand as the price rapidly plummeted. The transaction queue grew as network capacity was reached, and gas prices shot up by an order of magnitude.
- Price Oracles Failed — Due to uncharacteristically high gas prices, price oracles including the Maker ‘Medianizer’ failed to update their feeds.
- CDP Liquidations Lagged, Then Were Triggered En Masse — When the Medianizer feed was updated, the reported price instantly decreased by over 20%, causing many CDPs to be liquidated immediately.
- ETH Was Sold For Free Through Maker — Again due to high gas fees and network congestion, when the ETH collateral in these CDPs was auctioned off, many bids did not get through. This allowed some liquidators to win these auctions with bids of zero DAI by paying high gas fees, extracting over $8 million worth of ETH essentially for free.
- CDP Owners Left With Millions In Losses — This exploit means that over $4.5 million of DAI in the MakerDAO system is now unbacked. In addition, users whose CDPs were liquidated (and whose ETH was sold to the zero-bid liquidator) lost 100% of their collateral, resulting in millions of dollars of losses for the DeFi community.
On a not-entirely-unrelated note, someone built an interesting smart contract allowing MKR holders to sell their voting power to the highest bidder, read more here.
SmartBugs: An Execution Framework for Automated Analysis of Smart Contracts — João F. Ferreira
Over the last few years, there has been substantial research on automated analysis, testing, and debugging of Ethereum smart contracts. However, it is not trivial to compare and reproduce that research. To address this, we present an empirical evaluation of 9 state-of-the-art automated analysis tools using two new datasets.
We found that only 42% of the vulnerabilities from our annotated dataset are detected by all the tools, with the tool Mythril having the higher accuracy (27%).
It’s a good opportunity to learn a new skill set or promote some of these resources to your friends and families so they can enjoy their home office with some fun productivity.
Hack these for fun:
- Capture The Ether — Hack the contracts for educational purposes only
- The Ethernaut — Hack the contracts with a cool interface
- CryptoZombies — Learn to Code Blockchain DApps By Building Simple Games
- Mastering Ethereum, by Andreas M. Antonopoulos, Gavin Wood [Open Source]
- Ethereum Developer Portal & Training — ConsenSys
- Watch Selected Talks by ConsenSys Diligence
- Kids can learn how to code while schools are closed
- Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit [Paper]
- VeriSmart: A Highly Precise Safety Verifier for Ethereum Smart Contract [Paper]
- DeFi Complexity Breeds Attacks, White Hat Superhero Samczsun Says — Camila Russo
- A curated list of oracle methods used in decentralized finance (DeFi) projects — Linda Xie
- Mea Culpa: A New Beginning — bZx
- Backdooring Gnosis Safe Multisig wallets — OpenZeppelin
- Easy multi-contract security analysis using Mythril — MythX
- End-to-End Transport Layer Security on Hyperledger Besu 1.4 — PegaSys
- Solidity Version 0.5.17 release, fixing private function override
Sign up for the Smart Contract Security Newsletter to be the first to receive the top security news every two weeks.