Thomas Xu (@thomas_xu29)'s Twitter Profile

Thomas Xu
@thomas_xu29
Smart Contract Auditor/Developer

ID: 1580941446022324224
Joined: 14-10-2022 15:19:56
31 Tweets
13 Followers
87 Following

Ξ Aspi (@asparuhdamyanov):

Solidity 0.8.18 brought a new global variable - block.prevrandao.

Is it going to bring Chainlink VRF and other offchain services generating random numbers to an end ❓

Here is a quick 🧵 explaining it:

BountyHunt3r (@bount3yhunt3r):

The Ultimate Smart Contract Auditing Strategy

Forget about methodologies for a minute... There is no single tactic that is going to serve you well at all times. However, here is a battle-tested powerful strategy that transformed scary code bases into a 🍰🍰

1 - Start by

Thomas Xu (@thomas_xu29):

Oh, I noticed this at the beginning, but I think this question must not be so simple (maybe the relay has additional checks...). So I started looking for solutions for web2

Smacaud (@smacaud1):

Too many people are trying to be better at security audits. Going through videos, blog posts and old reports all day, all night, but only few are reading Research Papers.

I've gathered some for you, covering Liquidations, Oracle and more.

Let's dive in... a 🧵

chrisdior.eth (@chrisdior777):

Trying to share this repo from time to time, hoping more Solidity devs and junior auditors will see it because it is a must to read. You should always be on the lookout for weird ERC20 tokens in any system: github.com/d-xo/weird-erc…

Thomas Xu (@thomas_xu29):

Smart contracts can be represented as finite state machines. Creatively come up with undesirable states and work backwards to see if it is possible to reach such a state. Reverse thinking is often the most effective.

pashov (@pashovkrum):

Just discovered that Compound's `cUSDCv3` token will transfer the user's balance on `transfer` with `amount == type(uint256).max`

If you are caching the `amount` in your contract storage, this can lead to very bad bugs and loss of value for the user or the protocol
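
As an added illustration of the caching pitfall pashov describes (example code, not pashov's or Compound's; the vault contracts and the minimal token interface are hypothetical): the first vault records the requested `amount`, the second records the balance delta it actually received, which also copes with fee-on-transfer tokens.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Minimal ERC20 subset; cUSDCv3 (Compound Comet) exposes these functions.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable pattern (hypothetical contract): credits the caller-supplied
// `amount`. For a token that treats type(uint256).max as "whole balance",
// the vault receives the user's real balance but records 2**256-1,
// so `deposited` no longer matches what the vault actually holds.
contract VaultCachesAmount {
    IERC20 public immutable token;
    mapping(address => uint256) public deposited;

    constructor(IERC20 _token) {
        token = _token;
    }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        deposited[msg.sender] += amount; // BUG: trusts the request, not the receipt
    }
}

// Hardened pattern (hypothetical contract): credits the balance delta the
// vault actually observed, so a max-amount sentinel (or a fee-on-transfer
// token) cannot desynchronise accounting from holdings.
contract VaultMeasuresDelta {
    IERC20 public immutable token;
    mapping(address => uint256) public deposited;

    constructor(IERC20 _token) {
        token = _token;
    }

    function deposit(uint256 amount) external returns (uint256 received) {
        uint256 before = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        received = token.balanceOf(address(this)) - before;
        deposited[msg.sender] += received;
    }
}
```
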
Thomas Xu (@thomas_xu29):

Nice series, whether it's for novice security researchers or auditors, it's great for hands-on training. Take time before bedtime to complete the challenge.

Smacaud (@smacaud1):

Struggling to figure out what to look for in a codebase can leave you feeling lost. Most people just don't know where to start, but then going through a security checklist can guide you.

I've curated the 3 best security checklists for you (make sure you check them)👇

chrisdior.eth (@chrisdior777):

What happened with Aave, shortly:

1. Aave received a bug report.
2. The bug was reported as a high vulnerability affecting Aave v2, afterwards raised to a critical.
3. Aave won't disclose the details surrounding the vulnerability for now.
4. By disabling stable rate mode

Smacaud (@smacaud1):

If you're auditing contracts that interact with WETH, listen up!

Here are some of the things you need to pay attention to 👇

---------

🌐 WETH addresses differ by chain and as such they should never be hardcoded (the Ethereum WETH address differs from that of Polygon).

🌐 WETH

BlockSec Phalcon (@phalcon_xyz):

TheStandard.io was exploited due to the lack of slippage protection when swapping out the collateral, and the loss is ~$290K.

The attacker first created a CDP (SmartVaultV2) with 10 WBTC as collateral to mint 290,000 EUROs. Subsequently, the attacker forced the SmartVaultV2

Jose María De la Cruz (@0xjmaria):

🚨 Are you auditing a code deployed on a L2 chain like Arbitrum? READ 👇🏼 The utility of block.number as a precise temporal indicator for brief intervals is dubious. On Arbitrum, it mirrors the L1 block number, undergoing updates at minute intervals...

chrisdior.eth (@chrisdior777):

In the forthcoming Cancun hardfork, developers will gain access to transient storage (EIP-1153).

However, minor differences between the semantics of TSTORE and SSTORE will introduce an unexpected reentrancy attack vector:

This proposal introduces transient storage opcodes, which

chrisdior.eth (@chrisdior777):

Imagine you have: `IERC20(_underlying).permit(from, address(this), amount, deadline, v, r, s);` to approve a contract's withdrawal from the user's address. What will happen if the `_underlying` is WETH, which doesn't have a permit function? Is it going to revert? WETH contract

Salus (@salus_sec):

⚡️Proud to share that our research on Salus Lightning Cat, a smart contract audit tool, is featured in Scientific Reports, a prestigious scientific publication by Nature Portfolio. Explore deep learning and smart contract security in our work in the Nature Journal. nature.com/articles/s4159…

Thomas Xu (@thomas_xu29):

From this incident, we can see the drawbacks of decentralized auditing. We cannot always trust individual auditors to inform project parties of high-risk vulnerabilities.

thirdweb (@thirdweb):

IMPORTANT: On November 20th, 2023 6pm PST, we became aware of a security vulnerability in a commonly used open-source library in the web3 industry. This impacts a variety of smart contracts across the web3 ecosystem, including some of thirdweb's pre-built smart contracts.