devcon 7 / the 10 most common vulnerabilities found in audit contests
- YouTube
- Details
The 10 Most Common Vulnerabilities Found in Audit Contests
Duration: 00:09:55
Speaker: Jack Sanford
Type: Lightning Talk
Expertise: Intermediate
Event: Devcon
Date: Nov 2024
This lightning talk offers a quick survival guide for DApp developers and security experts, highlighting the most common vulnerabilities found in audit contests. As these contests are often the final step before mainnet, the identified vulnerabilities have typically been overlooked by multiple developers and auditors. The session includes a link to a guide on fixing each vulnerability and a 2-minute Q&A to explore any of the 10 vulnerabilities in more detail and discuss why they are often missed
- Related
Devcon
Lightning Talk
09:09
Double entry point issues - From breaking Compound to Uniswap v4
A short explanation of a critical-severity vulnerability we found in the Uniswap V4 core contracts that would have caused a ~$15M loss in Uniswap's pools. The goal is to explain the risks of double entry points, from the $30M+ TUSD issue in Compound to the Uniswap V4-specific case where protocols use native tokens and operate on chains where the native token has a corresponding ERC-20 token, and how to prevent them.
Devcon
Lightning Talk
08:33
How to Audit Smart Contract Languages: Brief Intro
In this talk, we’ll dive into the unique challenges and considerations when auditing a smart contract language, as opposed to auditing individual smart contracts. We’ll cover: - Things to Look For: Key aspects of a smart contract language that need review. - Mindset Difference: Shifting from a contract-centric to a language-centric perspective, focusing on broader systemic issues rather than isolated contract logic.
Devcon
Lightning Talk
09:18
Evolution of Scams
The goal of this talk will be to give a quick history of the evolution of scams and the new techniques employed to combat them. I was previously the co-founder of Wallet Guard, which has since been acquired by Consensys. I now am responsible for the research and development of the security engine employed by MetaMask to protect its users.
Devcon
Talk
17:48
Ethereum Security
Martin Swende gives their talk on Ethereum Security.
Devcon
Talk
19:41
Evolution of Smart Contract Security in the Ethereum Ecosystem
A lot has changed in the smart contract development ecosystem in the year since DEVCON2. Our perspective as leaders of the smart contract security community OpenZeppelin shows us that the industry is maturing. We give a brief overview of how security patterns and practices have evolved in the past months, dive into some details of recent developments, and talk about promising projects and their plans for the future.
Devcon
Talk
21:00
The Melon security approach
Melonport is striving to build a vibrant and successful developer ecosystem of Melon module builders. An important part of that ecosystem is the security and behaviour of smart contracts that make up Melon modules as well as how they interact with the Melon core and each other. In this presentation, we’ll demonstrate our ongoing technical efforts to assist Melon module developers in creating safe, secure smart contracts and touch on the importance of getting the auditing process right and how others can learn from our experience.
Devcon
Breakout
24:32
Vulnerability Coordination and Incident Response in a Decentralized World
There’s one question that every team of core blockchain developers has discussed at least once: what are we going to do when a critical vulnerability in our software is surfaced? By definition, everything we create is likely to include a vulnerability or code flaw and the difficult legal, ethical, and business issues arise when bugs show up in code. While decentralization does not require us to reinvent the first principles security, it does force us to challenge ourselves to manage significant complexity to reduce harm to those who depend on our code. This talk will discuss the CosmosCERT as a model for how teams can successfully coordinate vulnerabilities and respond to incidents in decentralized environments using on-chain governance mechanisms in a way that ensures stakeholders have a dedicated emergency response capabilities ready to go when the worst happens.
Devcon
Lightning Talk
09:27
How to steal $1.1M from lending market in 15 minutes
In may 2024 I found multiple bugs in lending market which allowed to steal $1.1 mln. The exploit itself was very complicated and required multiple steps, including exploitation of liquidation process of unhealthy loan which worked very similar to flash loan. I'll tell the story of how I decided to check this project source code to finding an issue, contacting with owners of platform and fixing it. I'll also share the best tips how to avoid and prevent such issues in other projects.
Devcon
Breakout
23:05
Batched Bonding Curves: Grieving DEX Frontrunners
It's been widely publicized that front-running is rampant across decentralized exchanges. Billy Rennekamp describes the technique developed to stop the parasitic behavior by using batched orders in tandem with bonding curves and how it's being used in a new fundraising app by Aragon Black.
Devcon
Breakout
27:10
(Defense Against) The Dark Arts - Contract Runtime Mutability
Smart contracts are no longer guaranteed to have immutable runtime code, and can be redeployed with new code using a variety of methods involving the CREATE2 and SELFDESTRUCT opcodes. In this presentation, we will investigate how this is done and how to protect against malicious mutable contracts. We will also explore ways these new techniques can be applied in order to enable new use-cases and to improve the user experience.