HackDig : Dig high-quality web security articles

Solar: Context-free, interactive analysis for Solidity

By Aaron Yoo, University of California, Los Angeles As an intern at Trail of Bits, I worked on Solar, a proof-of-concept static analysis framework. Solar is unique because it enables context-free interactive analysis of Solidity smart contracts. A user can direct Solar to explore program paths (e.g., t
Publish At:2021-04-02 02:45 | Read:298 | Comments:0 | Tags:Blockchain Internship Projects

NFTs explained: daylight robbery on the blockchain

Did you hear about the JPG file that sold for $69 million? I’ll give you some more detail, the JPG file is a piece of digital art made by Mike Winkelmann, the artist known as Beeple. The file was sold on Thursday by Christie’s in an online auction for $69.3 million. This set a record for artwork that exists only digitally. Which for many people raised the
Publish At:2021-03-18 16:00 | Read:241 | Comments:0 | Tags:Explained blockchain digital art ledger NFT NFTs non-fungibl

Confessions of a smart contract paper reviewer

If you’re thinking of writing a paper describing an exciting novel approach to smart contract analysis and want to know what reviewers will be looking for, you’ve come to the right place. Deadlines for many big conferences (ISSTA tool papers, ASE, FSE, etc.) are approaching, as is our own Workshop on Smart Contract Analysis, so we’d like to share a few
Publish At:2021-02-05 08:50 | Read:416 | Comments:0 | Tags:Blockchain Fuzzing Research Practice

Breaking Aave Upgradeability

On December 3rd, Aave deployed version 2 of their codebase. While we were not hired to look at the code, we briefly reviewed it the following day. We quickly discovered a vulnerability that affected versions 1 and 2 of the live contracts and reported the issue. Within an hour of sending our analysis to Aave, their team mitigated the vulnerability in the depl
Publish At:2020-12-16 12:08 | Read:565 | Comments:0 | Tags:Blockchain Exploits

Good idea, bad design: How the Diamond standard falls short

TL;DR: We audited an implementation of the Diamond standard proposal for contract upgradeability and can’t recommend it in its current form—but see our recommendations and upgrade strategy guidance. We recently audited an implementation of the Diamond standard code, a new upgradeability pattern. It’s a laudable undertaking, but the Diamond proposal and imple
Publish At:2020-10-30 16:55 | Read:677 | Comments:0 | Tags:Blockchain

Using Echidna to test a smart contract library

In this post, we’ll show you how to test your smart contracts with the Echidna fuzzer. In particular, you’ll see how to: Find a bug we discovered during the Set Protocol audit using a variation of differential fuzzing, and Specify and check useful properties for your own smart contract libraries. And we’ll demonstrate how to do all of this using cryt
Publish At:2020-08-17 15:00 | Read:955 | Comments:0 | Tags:Blockchain Fuzzing

Accidentally stepping on a DeFi lego

The initial release of yVault contained logic for computing the price of yUSDC that could be manipulated by an attacker to drain most (if not all) of the pool’s assets. Fortunately, Andre, the developer, reacted incredibly quickly and disabled the faulty code, securing the approximately 400,000 USD held at the time. However, this bug still highlights the ris
Publish At:2020-08-05 08:53 | Read:1079 | Comments:0 | Tags:Blockchain Exploits

Enhance Integrated Risk Management Solutions With Modern Technologies

Many business leaders struggle to efficiently respond to risk and compliance needs because of the complex regulatory landscape, ever-evolving risk scenarios and inconsistent internal processes. It’s only been more recently that organizations have embraced enterprise integrated risk management (IRM) tools to overcome a siloed approach of managing risk
Publish At:2020-07-30 15:45 | Read:845 | Comments:0 | Tags:Risk Management Artificial Intelligence (AI) Blockchain cybe

Contract verification made easier

Smart contract authors can now express security properties in the same language they use to write their code (Solidity) and our new tool, manticore-verifier, will automatically verify those invariants. Even better, Echidna and Manticore share the same format for specifying property tests. In other words, smart contract authors can now write one property test
Publish At:2020-07-12 17:22 | Read:1719 | Comments:0 | Tags:Blockchain Manticore Symbolic Execution

Upgradeable contracts made safer with Crytic

Upgradeable contracts are not as safe as you think. Architectures for upgradeability can be flawed, locking contracts, losing data, or sabotaging your ability to recover from an incident. Every contract upgrade must be carefully reviewed to avoid catastrophic mistakes. The most common delegatecall proxy comes with drawbacks that we’ve catalogued before. Cryt
Publish At:2020-06-12 11:32 | Read:913 | Comments:0 | Tags:Blockchain Crytic

Breaking the Solidity Compiler with a Fuzzer

Over the last few months, we’ve been fuzzing solc, the standard Solidity smart contract compiler, and we’ve racked up almost 20 (now mostly fixed) new bugs. A few of these are duplicates of existing bugs with slightly different symptoms or triggers, but the vast majority are previously unreported bugs in the compiler. This has been a very successful fuzzing
Publish At:2020-06-05 09:40 | Read:1027 | Comments:0 | Tags:Blockchain Compilers Fuzzing

Bug Hunting with Crytic

Crytic, our GitHub app for discovering smart contract flaws, is kind of a big deal: It detects security issues without human intervention, providing continuous assurance while you work and securing your codebase before deployment. Crytic finds many bugs no other tools can detect, including some that are not widely known. Right now, Crytic has 90+ detectors,
Publish At:2020-05-18 13:08 | Read:946 | Comments:0 | Tags:Blockchain Crytic

Announcing the 1st International Workshop on Smart Contract Analysis

At Trail of Bits we do more than just security audits: We also push the boundaries of research in vulnerability detection tools, regularly present our work in academic conferences, and review interesting papers from other researchers (see our recent Real World Crypto and Financial Crypto recaps). In this spirit, we and Northern Arizona University are
Publish At:2020-05-03 17:57 | Read:1825 | Comments:0 | Tags:Blockchain Conferences Research Practice

An Echidna for all Seasons

TL;DR: We have improved Echidna with tons of new features and enhancements since it was released—and there’s more to come. Two years ago, we open-sourced Echidna, our property-based smart contract fuzzer. Echidna is one of the tools we use most in smart contract assessments. According to our records, Echidna was used in about 35% of our smart contract audits
Publish At:2020-03-30 07:49 | Read:1291 | Comments:0 | Tags:Blockchain Fuzzing

Financial Cryptography 2020 Recap

A few weeks ago, we went to the 24th Financial Cryptography (FC) conference and the Workshop on Trusted Smart Contracts (WTSC), where we presented our work on smart contract bug categorization (see our executive summary), and a poster on Echidna. Although FC is not a blockchain conference, it featured several blockchain-oriented presentations this y
Publish At:2020-03-18 11:19 | Read:1242 | Comments:0 | Tags:Blockchain Conferences Paper Review