  • by ramimac on 4/21/2021, 2:38:08 PM

    I would highly recommend anyone interested in pentesting smart contracts look at the work Trail of Bits has been putting out: https://blog.trailofbits.com/?s=smart+contract&submit=Search

    Start with "246 Findings From our Smart Contract Audits: An Executive Summary" [1]

    [1] https://blog.trailofbits.com/2019/08/08/246-findings-from-ou...

  • by mratsim on 4/21/2021, 1:39:39 PM

    I'd like to add that there is a critical shortage of security auditors for smart contracts and blockchain protocols.

    Projects are willing to spend up to millions to squash away vulnerabilities. For example, Balancer opened a bug bounty for their v2 with $2M USD for 1 critical bug:

    https://docs-v2.balancer.finance/core-concepts-1/security/bu...

  • by motohagiography on 4/21/2021, 1:40:12 PM

    Naive question: how is looting vulnerable smart contracts even illegal?

    Without a legal framework of smart contract enforcement, recognition of literally-hypothetical assets as valuable, the public nature of blockchains that would preclude "unauthorized access," and unlike an exchange holding assets on behalf of customers - smart contracts are effectively leaving money on the ground for anyone clever enough to pick it up.

    Clearly I haven't given it as much thought as the people involved, but it seems like if I'm not using my abilities full-time to hack and loot smart contracts, I'm missing the most direct and best possible effort/reward application of that kind of skill.

  • by rob-olmos on 4/22/2021, 1:23:07 AM

    I've been interested in any smart contract languages/VMs that are somehow more capable of being provably correct/secure. The only one I've come across is Kadena, which internally uses the Z3 prover, but I haven't looked into the source code in depth or if it's able to be applied to custom smart contracts (dApp) as well.

    Are there other blockchains that are similar? Is there a strict subset and prover for Solidity or other languages? Or things like proven smart contract kernels that can be built on top of? E.g., OpenZeppelin Contracts, but with provers rather than only audits.

  • by ketamine__ on 4/21/2021, 7:04:54 PM

    Was the issue with Fei actually a bug?

  • by Anointmous on 4/21/2021, 6:22:20 PM

    I hate the term "pentest", but apparently people who want lingo over the ability to do anything have won out over the decades. Besides being a meaningless, inaccurate shortening of the phrase, an actual "pen test" would be part of putting a pen register on a phone. It just indicates that the newbies who created the term didn't know anything before.