💫 Summary:
This week we will cover Zcash Hash Collision, a $1 million bounty on the Aurora blockchain, reversing the EVM, ice phishing attacks, tips on approaching new codebases, and finding permission bugs in smart contracts with role mining.
🔎 Audit Reports Explained
🐦 Lack of access control in the parameterize function of proposal contracts
🐦 Reentrancy Guard Lacking in mint function.
🐦 The lender can change NFT valuation oracle without borrower permission
🐦 Incorrect airdrop calculation
💡 Interesting Blogs to Read this week:
📌 Hack Analysis of Nomad Bridge : In this article, we will be analyzing the exploited vulnerability in the Nomad bridge’s Replica contract, and then we’ll create our own version of the attack to drain all the liquidity in one transaction, testing it against a local fork.
📌 Reading Raw EVM Calldata: In this article, we will dive into the encoding sequence of call data so that you can comprehend any verified or unverified smart contract transactions and understand the bytes.
📌 What are Ice Phishing Attacks and How to Avoid Getting ‘Hooked’: Ice Phishing involves tricking a user into signing a malicious transaction so the attacker can gain control over the crypto assets. Check out the blog for complete details on Ice Phishing.
📌 The Real Cause of the Wintermute Exploit: A Wintermute wallet was recently attacked, resulting in a loss of approximately $160 million dollars. The Profanity vulnerability is caused by a failure to create the 256-bit private key with enough randomness, resulting in a severely limited range of private key values. Check out the blog for more details.
📺Interviews and Conferences:
⚡ Samsung contrasts his eth transaction explorer VS existing options and demos his new vscode extension.
⚡The Billion-Dollar Vulnerability Forcing a Major Fork On The Ethereum Chain
⚡Check out the ZK hash collision vulnerability that led to a double-spending vulnerability impacting Zcash (2016).
⚡This video is an explanation of a bug in the Aurora blockchain that allowed anyone to basically take anyone’s cryptocurrency without them being able to prevent that.
🔥 Awesome Tweets and Updates:
📌 taek.eth shared vulnerable signature usage in erc4337 sample contract.
📌 Owen shared about the satisfiability modulo theorem, and how it applies to Solidity auditing.
📌 Liam shared about how to approach large and complex codebases.
📌 The new Solidity version will allow users to create user-defined operators for user-defined value types. Check out the thread to learn more.
🔥 Miscellaneous Resources:
📍ScrapyFi: This tool will help you to list all the projects from immunefi with basic details in tabular form. Also Query a particular project with its project name and list basic details along with all smart contract links. It will also let you download all those contracts.
📍Finding Permission Bugs in Smart Contracts with Role Mining: In this paper, we mine past transactions of a contract to recover a likely access control model, which can then be checked against various information flow policies and identify potential bugs related to user permissions
📍Slither 0.9.2: A new release of Slither is available, which now uses OpenAI’s Codex to auto-generate solidity documentation and leverages GPT-3 to find vulnerabilities.
📍Echidna 2.0.5 (New release): This release migrates Echidna to the new hevm implementation. Echidna can now use the prank cheat code that we recently added to hevm.
👨💻Challenges to try this week:
🐦 Thanks for reading here!
I hope you find this newsletter helpful. Follow me for more updates
Do check out my github repo. for Audit-365 for tracking all previous tweets and newsletters.
https://github.com/Sm4rty-1/Audit-365
