HackDig : Dig high-quality web security articles for hackers

Upgradeable contracts made safer with Crytic

Upgradeable contracts are not as safe as you think. Architectures for upgradeability can be flawed, locking contracts, losing data, or sabotaging your ability to recover from an incident. Every contract upgrade must be carefully reviewed to avoid catastrophic mistakes. The most common delegatecall proxy comes with drawbacks that we’ve catalogued before. Cryt
Publish At:2020-06-12 11:32 | Read:161 | Comments:0 | Tags:Blockchain Crytic

Breaking the Solidity Compiler with a Fuzzer

Over the last few months, we’ve been fuzzing solc, the standard Solidity smart contract compiler, and we’ve racked up almost 20 (now mostly fixed) new bugs. A few of these are duplicates of existing bugs with slightly different symptoms or triggers, but the vast majority are previously unreported bugs in the compiler. This has been a very successful fuzzing
Publish At:2020-06-05 09:40 | Read:228 | Comments:0 | Tags:Blockchain Compilers Fuzzing

Bug Hunting with Crytic

Crytic, our GitHub app for discovering smart contract flaws, is kind of a big deal: It detects security issues without human intervention, providing continuous assurance while you work and securing your codebase before deployment. Crytic finds many bugs no other tools can detect, including some that are not widely known. Right now, Crytic has 90+ detectors,
Publish At:2020-05-18 13:08 | Read:208 | Comments:0 | Tags:Blockchain Crytic

Announcing the 1st International Workshop on Smart Contract Analysis

At Trail of Bits we do more than just security audits: We also push the boundaries of research in vulnerability detection tools, regularly present our work in academic conferences, and review interesting papers from other researchers (see our recent Real World Crypto and Financial Crypto recaps). In this spirit, we and Northern Arizona University are
Publish At:2020-05-03 17:57 | Read:760 | Comments:0 | Tags:Blockchain Conferences Research Practice

An Echidna for all Seasons

TL;DR: We have improved Echidna with tons of new features and enhancements since it was released—and there’s more to come. Two years ago, we open-sourced Echidna, our property-based smart contract fuzzer. Echidna is one of the tools we use most in smart contract assessments. According to our records, Echidna was used in about 35% of our smart contract audits
Publish At:2020-03-30 07:49 | Read:308 | Comments:0 | Tags:Blockchain Fuzzing

Financial Cryptography 2020 Recap

A few weeks ago, we went to the 24th Financial Cryptography (FC) conference and the Workshop on Trusted Smart Contracts (WTSC) workshop, where we presented our work on smart contract bug categorization (see our executive summary), and a poster on Echidna. Although FC is not a blockchain conference, it featured several blockchain-oriented presentations this y
Publish At:2020-03-18 11:19 | Read:411 | Comments:0 | Tags:Blockchain Conferences Paper Review

Our Full Report on the Voatz Mobile Voting Platform

Voatz allows voters to cast their ballots from any geographic location on supported mobile devices. Its mobile voting platform is under increasing public scrutiny for security vulnerabilities that could potentially invalidate an election. The issues are serious enough to attract inquiries from the Department of Homeland Security and Congress. However, there
Publish At:2020-03-13 09:55 | Read:521 | Comments:0 | Tags:Blockchain Press Release

Chrome extension cons cryptocurrency users out of hardware wallet key

By Danny Bradbury. Cryptocurrency security company Ledger has warned users about a rogue Chrome extension that dupes its victims into giving up the keys to their crypto wallets. Cryptocurrency owners need a wallet just like users of regular cash do. Instead of cash, however, crypto wallets hold digital keys – which grant users access to the blockchain addr
Publish At:2020-03-06 08:12 | Read:581 | Comments:0 | Tags:Cryptocurrency Security threats Blockchain chrome Chrome ext

Manticore discovers the ENS bug

The Ethereum Name Service (ENS) contract recently suffered from a critical bug that prompted a security advisory and a migration to a new contract (CVE-2020-5232). ENS allows users to associate online resources with human-readable names. As you might expect, it allows you to transfer and sell domain names. Figure 1: Sam Sun (samczsun) discovered a critical v
Publish At:2020-03-03 16:49 | Read:409 | Comments:0 | Tags:Blockchain Exploits Manticore Symbolic Execution

Mainnet360: joint economic and security reviews with Prysm Group

On Monday, October 28th at the Crypto Economics Security Conference, Trail of Bits announced a new joint offering with Prysm Group: Mainnet360. Carefully designed to produce a comprehensive assessment of the security and economic elements of blockchain software, Mainnet360 gives teams a broader perspective that will allow them to build safer and more resilie
Publish At:2019-12-09 09:30 | Read:952 | Comments:0 | Tags:Blockchain Press Release

Announcing the Crytic $10k Research Prize

At Trail of Bits, we make a significant effort to stay up to date with the academic world. We frequently evaluate our work through peer-reviewed conferences, and we love to attend academic events (see our recent ICSE and Crypto recaps). However, we consistently see one recurring issue at these academic events: a lack of reliable tools and experiments. Resear
Publish At:2019-11-13 08:25 | Read:1192 | Comments:0 | Tags:Blockchain Paper Review Press Release Research Practice

New Exploit Kit Capesand Reuses Old and New Public Exploits and Tools, Blockchain Ruse

By Elliot Cao, Joseph C. Chen, William Gamazo Sanchez. We discovered a new exploit kit named Capesand in October 2019. Capesand attempts to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer (IE). Based on our investigation, it also exploits a 2015 vulnerability for IE. It seems the cybercriminals behind the exploit kit are continuo
Publish At:2019-11-12 02:35 | Read:1247 | Comments:0 | Tags:Exploits Malware Blockchain Capesand exploit kit exploit

Formal Analysis of the CBC Casper Consensus Algorithm with TLA+

By Anne Ouyang, Piedmont Hills High School, San Jose, CA. As a summer intern at Trail of Bits, I used the PlusCal and TLA+ formal specification languages to explore Ethereum’s CBC Casper consensus protocol and its Byzantine fault tolerance. This work was motivated by the Medium.com article Peer Review: CBC Casper by Muneeb Ali, Jude Nelson, and Aaron Blankste
Publish At:2019-10-25 08:25 | Read:908 | Comments:0 | Tags:Blockchain Internship Projects

Watch Your Language: Our First Vyper Audit

A lot of companies are working on Ethereum smart contracts, yet writing secure contracts remains a difficult task. You still have to avoid common pitfalls, compiler issues, and constantly check your code for recently discovered risks. A recurrent source of vulnerabilities comes from the early state of the programming languages available. Most developers are
Publish At:2019-10-24 08:25 | Read:1239 | Comments:0 | Tags:Blockchain Fuzzing Manticore Static Analysis Symbolic Execut

246 Findings From our Smart Contract Audits: An Executive Summary

Until now, smart contract security researchers (and developers) have been frustrated by limited information about the actual flaws that survive serious development efforts. That limitation increases the risk of making critical smart contracts vulnerable, misallocating resources for risk reduction, and missing opportunities to employ automated analysis tools.
Publish At:2019-09-19 16:00 | Read:891 | Comments:0 | Tags:Blockchain Paper Review
