Smart Contract risk
Instructors: Andreas Park and Zissis Poulos
DeFi Security Risks
Risk is in every layer of the tech stack!
- Network Layer
- DDoS attacks etc.
- Blockchain Layer
- Sybil attacks
- MEV
- Smart Contract Layer
- Malicious code
- Bug exploits
- Interface Layer
- Oracle attacks
- Malicious plug-ins (e.g., malicious wallet installation etc.)
Known Smart Contract Vulnerabilities
- Re-entrancy
- Insecure arithmetic
- Unexpected ETH flows (force feeding)
- Unprivileged access/writes
- Etc...
https://consensys.github.io/smart-contract-best-practices/attacks/
Re-entrancy - The DAO hack
Re-entrancy - The DAO hack
fallback() with "evil" logic
The DAO
withdraw
send
receive() is missing!
- Hacker calls withdraw
- The DAO sends ETH
- No receive()
- Do fallback()
- fallback takes ETH and calls withdraw()
- First withdraw is still running!!!
- Nested loop and balance never updates
It's happened before
Unprivileged Writes - The Parity Wallet hack
...
...
DeFi Exploits
Hacker remotely stole validator private keys
Bridge attack
Hacker minted WETH out of thin air on Solana's contract
Signatures were not verified! Bridge attack....hmmm
Smart Contract Scams
- Too many to enumerate here
-
SetApproveForAll -> "I give you access to my digital assets to move around"
- OK for NFT marketplaces and maybe DEX.
- NOT OK if you don't trust the URL (see "Uniswap phishing attack")
-
SendEth -> Well..."Send your ETH to X address"
- OK, but what if it's invoked when you try to "mint" an NFT??
- Hidden "disable transfer" functions
- Cannot sell token (Squid token)
- Buy/Sell taxes
- Scammer can change tax from 5% to 99% for all holders except owner
- Slippage threshold makes all transactions fail
-
SetApproveForAll -> "I give you access to my digital assets to move around"
- Scammers think of new tricks every time a trick becomes "known"
- Honeypots!!
https://rekt.news/leaderboard/
Solutions?
Some options
- Centralized auditing (as a service)
- Blockchain layer
- Smart contract layer
- OK, but audits based on past "lessons"
- In-house testing
- OK, but limited coverage of cases
- Symbolic and formal verification
- Expensive but probably the future
@financeUTM
andreas.park@rotman.utoronto.ca
slides.com/ap248
sites.google.com/site/parkandreas/
youtube.com/user/andreaspark2812/
Risks
By zpoulos
Risks
- 414