devcon 7 / finding bugs 42 tips from 4 security researchers
- YouTube
- Details
Finding Bugs: 42 Tips from 4 Security Researchers
Duration: 01:34:14
Speaker: 0xRajeev, Joran Honig, Nat Chin, tincho
Type: Workshop
Expertise: Beginner
Event: Devcon
Date: Nov 2024
Billions of dollars are at risk, and protocols spend millions on security through audits and bug bounties. Have you ever wondered how you can become a top security researcher securing these billions?
In this workshop, 4 recognized security researchers share their experiences on smart contract security with practical tools & techniques to find & report vulnerabilities. Security researchers, even aspirational ones, can take away some key advice to improve their smart contract security skills.
- Related
Devcon
Workshop
Don’t get rekt: practical threat detection for users and devs
Learn to uncover, and protect against, weaponized repositories, sites and tools targeting web3 users, devs & researchers. With examples and hands-on exercises, the session begins with topics like detecting suspicious activity in sites, handling wallet secrets & signatures, decoding calldata of malicious txs, and simulating them to avoid attacks. To then cover more advanced techniques to spot harmful backdoors in code repositories and services that can impact on devs & users’ safety.
Devcon
Lightning Talk
09:09
Double entry point issues - From breaking Compound to Uniswap v4
A short explanation of a critical-severity vulnerability we found in the Uniswap V4 core contracts that would have caused a ~$15M loss in Uniswap's pools. The goal is to explain the risks of double entry points, from the $30M+ TUSD issue in Compound to the Uniswap V4-specific case where protocols use native tokens and operate on chains where the native token has a corresponding ERC-20 token, and how to prevent them.
Devcon
Panel
56:25
Demystifying Smart Contract Security: Facts & Fallacies
Smart contract security is of critical importance as the Ethereum ecosystem rapidly expands across different infrastructures & applications. However, there exist serious gaps and misconceptions about security as it relates to smart contract design, development, validation, tooling, offchain components, audits, bug bounties, monitoring & incident response. This panel brings together six recognized researchers within the Ethereum security ecosystem to help demystify facts from fallacies.
Devcon
Talk
30:18
CBC Casper Design Philosophy
Consensus protocols are used by nodes to make consistent decisions in a distributed network. However, consensus protocols for public blockchains should satisfy other requirements, by virtue of the protocol being open. For example, they need to be incentivized, in that people will be incentivized to run consensus forming nodes in the first place, and in that following the protocol should be an equilibrium for consensus forming nodes.The CBC Casper family of consensus protocols has been designed to fit design criteria necessary for secure public blockchains. In this talk, we will explore the design goals and methodology used in CBC Casper research: economically motivated properties of the consensus protocol, the correct-by-construction approach to protocol specification, and the resulting rapid iteration.
Devcon
Talk
14:39
Scaling Ethereum with security and usability in mind
In this talk, I will go through scaling mechanisms and their disadvantages at a user and developer perspective. With our approach at Matic https://matic.network, plasma-fied sidechain, I will explain how we are tackling security using plasma, predicates, and normal state computation on the sidechain. Having specialized DApp specific fraud-proof using predicates, partial confirmations, different fee models allow us better usability for end users. Then will talk about how we are addressing the issue for users when they interact with multiple chains - Ethereum and Plasma sidechain using walletconnect protocol. Overall, it explains how connecting some important dots on Ethereum landscape can help us achieve scalability and usability, and clears our path to mass adoption which we all are aiming for.
Devcon
Breakout
07:40
Store your keys safely offline - never get online to sign transactions
The best way to keep your private key safe, is to keep it disconnected from the internet. This is usually done in hardware wallet, however most of those wallets are directly connected to a computer, either via usb or bluetooth. What if the wallet was never online and never ever connected to an online device. This is achievable using QR code. We did it with Parity Signer. I will present why we built it, how, do a short live demo, and what we will do in the future.
Devcon
Talk
05:40
The Gas Siphon Attack: The Technical and Economic Realities Behind Hacking Exchanges
The Gas Siphon Attack allows anyone to siphon value from many exchanges in the form of gas refunds, a mechanism built directly into the Ethereum protocol. Users can write a simple script that continuously drains unprotected exchange hot wallets of all of their ETH. Until this was responsibly disclosed, many exchanges were affected with varying degrees of severity. How it happened, who was affected, and the technical details behind the attack are discussed during the presentation. The talk dives into the details of the refund mechanism built into the Ethereum network, and how it can be maliciously abused. The presentation explains who is vulnerable and what they can do about it. A number of these types of technical exploits exist on both centralized and decentralized exchanges, and one may find that responsibly disclosing these attacks are harder than the actual exploit itself. Getting in touch with exchanges, continuous communication with services, and helping fix different systems may be a month-long journey that yields very little in return. Hacks, front-running, misaligned miner incentives, and economic disparities are all issues for exchanges and services that are discussed in this presentation. Finally, the talk covers different ways to protect yourself and your dapp from both known and unknown exploits. Preventative measures are presented that will allow for protection from these types of attacks.
Devcon
Lightning Talk
08:33
How to Audit Smart Contract Languages: Brief Intro
In this talk, we’ll dive into the unique challenges and considerations when auditing a smart contract language, as opposed to auditing individual smart contracts. We’ll cover: - Things to Look For: Key aspects of a smart contract language that need review. - Mindset Difference: Shifting from a contract-centric to a language-centric perspective, focusing on broader systemic issues rather than isolated contract logic.
Devcon
Lightning Talk
09:27
How to steal $1.1M from lending market in 15 minutes
In may 2024 I found multiple bugs in lending market which allowed to steal $1.1 mln. The exploit itself was very complicated and required multiple steps, including exploitation of liquidation process of unhealthy loan which worked very similar to flash loan. I'll tell the story of how I decided to check this project source code to finding an issue, contacting with owners of platform and fixing it. I'll also share the best tips how to avoid and prevent such issues in other projects.
Devcon
Lightning Talk
09:55
The 10 Most Common Vulnerabilities Found in Audit Contests
This lightning talk offers a quick survival guide for DApp developers and security experts, highlighting the most common vulnerabilities found in audit contests. As these contests are often the final step before mainnet, the identified vulnerabilities have typically been overlooked by multiple developers and auditors. The session includes a link to a guide on fixing each vulnerability and a 2-minute Q&A to explore any of the 10 vulnerabilities in more detail and discuss why they are often missed