When forking RAI into HAI, design changes were carefully discussed with @reflexerfinance experts, ensuring that there were strong reasons to change any line of code.
When an auditor (@SolidifiedHQ) pointed at an old flawed requirement, we realized what the bigger issue was: RAI
Created a Foundry (PoC) template to easily fork any EVM chain, saving you from spending 15 minutes setting up a new project whenever you need to test for possible vulnerabilities in mainnet.
I got mentioned in the Certora proposal on AAVE for finding a High Severity Vulnerability on the Aave v3 token, was great contributing to the security of the protocol!
Thrilled to announce that I have partnered with @eulerfinance in developing a fuzzing test suite specifically for the protocol vaults.
This shows Euler's commitment to adopting innovative approaches to security.
I will publish details about the suite and properties tested soon
Been working closely with some really interesting projects implementing invariant test suites for their codebases.
I will probably start releasing a series of articles going into details and issues found as soon as reports can be made public. Ready for the edge case bugs, anon?
Ever wanted to check that multiple variables are 0 in a function?
Reject shortcutting, embrace bitwise OR clauses, anon
17-31 gas savings across all truth table states
I wrote this cheat sheet for whitehats/devs on how the Celer cBridge works, terminology, some questions, and focus areas that caught my attention. Check out this thread for a quick overview!
Today we finally unveil @EnigmadarkLabs!!
An elite group of researchers, led by @0xWeisss and I. Each an absolute specialist in a different niche skill, with a mission to establish a new way of doing security in the space.
Check out the launch thread and the official article:
Unveiling Enigma Dark
“Perfection is not attainable, but if we chase perfection we can catch excellence.” – Vince Lombardi
Enigma Dark is an elite group of security researchers where everyone is an absolute specialist in a different niche skill
1/ Read more:
Just published a write-up of the bug I discovered in the RAI stablecoin, that was introduced by a huge auditing firm after an audit
-sometimes even auditors can introduce vulns anon
I have published the repo of the talk "Mastering fuzzing" I did a few weeks ago for @calyptus_web3
It provides several practical examples of fuzzing using both Echidna & Foundry, two popular property-based testing tools
Just noticed that my "tips to master fuzzing" talk is the most viewed one of the TrustX 2023. Looks like a good chunk of auditors and devs are getting into it.
A lot more fuzzing alpha ready for 2024
seems fuzzing is the new buzzword, pls learn about it before writing a million articles and x threads on how to win 100k a month with it, we DO NOT need more misinformation
Recently found a live bug introduced by a huge auditing company after an audit that has been years living on the chain unnoticed
will try to do a write up as soon as it gets sorted out
You can improve assembly block readability with Yul functions, and use them multiple times inside the same block
This enables various use cases, such as having ternary branchless "operators" inside Yul blocks.
I feel like the space could benefit from better testing techniques, especially good integration testing.
Yes, fuzzing is great for finding rare bugs, but integration tests are key for eliminating low hanging fruit.
Speaking as someone who stares at echidna call traces all day
Don’t miss this amazing talk by @vn_martinez_ on EVM low-level vulnerabilities! 🔥 Learn how to write, debug, and test low-level code in Yul, Fuzzing, Bit safety, Memory Constraints. Discover the common bugs and pitfalls that can compromise your Yul code. Find out how to use
Excited to share that I have been collaborating with the team at @tapioca_dao to build an invariant suite for their protocol as the final step before the deployment!
It’s a pleasure for me to be able to contribute and provide value to such based teams
Many said it would be impossible, but we did it, with a LOT of help:
@0xWeisss who became our in-house security engineer and immediately put us on the right path - one of the best guys I’ve ever met in this space: passionate, hardworking, and extremely knowledgeable.
@0xriptide
Acceptance emails to the ZK Auditing Fellowship started going out. A few more tomorrow.
Please read the acceptance offer carefully... there are time-sensitive items because the Fellowship kicks off Monday 22nd.
One great aspect of invariant testing engagements is that once you fix a bug, the fuzzer verifies the fix against the same properties.
This means the fix review efforts are backed up by the fuzzer, unlike in normal audits where fixes can be overlooked or less carefully reviewed
Most of the Block 5 fellowship acceptance emails have been sent out 🖅👀
But the rejection emails have not been sent yet, because it's possible a few slots for the block may still be available. The suspense...
Introducing the first-ever Spearbit HackerHouse with @eulerfinance & @CertoraInc.
This is the highest EV Web3 security event in history with $1.25M on the line at @cantinaxyz.
Full access to Euler's team. All meals provided. No costs. Just show up. Seats Limited.
RSVP Below:
I did a talk yesterday about fuzzing smart contracts on @calyptus_web3
If you are a dev or a security guy that wants to know how to approach fuzz testing for your protocol, check it out here!
It’s talk season,
Next week we will be hosting a defi security related talk in Andorra. With the help of top sec researchers and the Chainlink community
Thrilled to announce that on May 29th, we'll be hosting the 2nd #Chainlink community meetup in Andorra. We'll discuss DeFi risk mitigation strategies with top cybersecurity experts and smart contract auditors.
Looking forward to an insightful event!
➡️
Had a great time discussing testing and invariants best practices on @tapioca_dao’s 100th TapTalks episode. Big thanks to @twMattt for having me on the show!
Always a pleasure to review assembly and OSS projects
Shout out to @optimizoor for trusting us!
Blog post coming soon on the improvement @0xadrii & I recommended to the ERC6551, anon
Thank you @vn_martinez_ and @0xadrii for looking through Asterix staking contracts!
They also found some very good improvements, which were added to the ERC-6551 reference implementation.
This was a blast!
I'm glad to have had the opportunity to talk about the fuzzing suites I built for @eulerfinance and to meet so many great devs and researchers IRL!
Thanks to the @SpearbitDAO team for organising such a great event, looking forward to the next one.
At the very beginning of the $1.25M @eulerfinance competition at @cantinaxyz, we hosted our very first Hacker House in Berlin, Germany.
A full-day of hacking away at the codebase live alongside the Euler protocol team and some of the best security researchers in the industry.
We just released the report of the invariant testing engagement we did for Euler v2. We found some cool edge case issues showing the importance of integrating novel security practices to any protocol's security pipeline.
Reach out to book an invariant testing engagement with us.
We have just published our Invariant Testing Engagement report for Euler's v2 EVK. We uncovered some highly interesting issues, edge cases, and checked over 55 invariants.
Read the report here:
Discover how to detect and prevent low-level vulnerabilities in smart contracts with @vn_martinez_. Learn about the techniques he uses to find and exploit different attack vectors.
Join @opensensepw to watch
Wednesday 01 of November, 16:00 UTC
Nothing worse than an over-engineered protocol, the goal should be to keep things as simple as possible, not to flex your solidity skills.
>The engineer problem, trying to solve problems that don’t even exist. Sometimes you just need to zoom out and see the bigger picture.
Let’s talk about hyper-optimizing smart contracts, saw some guys on this platform do something similar, so now that I'm an optimizoor I had to hyper-optimize the PaymentSplitter contract by openzeppelin
a thread :|
conclusion: writing handlers and improving coverage is a pain in the *ss, and foundry not being coverage guided makes it a lot worse than the other two fuzzers
PD: medusa getting better by the hour
Until we have some kind of universal testing framework, take inspiration from some of the best test suites out there. Learning from the best is underrated:
- Sablier
- Euler v2
Back in November I said "Medusa is not production ready".
Sad to say this is still the case, even though it is a few orders of magnitude faster than echidna (in terms of calls/s) it misses bugs.
TLDR; do not use medusa on its own.
@1_00_proof @0xOwenThurm @CyfrinAudits
This is common sense actually, foundry input generation is random. You just played with probability
>Any symbolic execution tool would catch this easy
For these cases, such as math libraries, we use halmos (takes 40ms for the tool to find a counter example)
I've been saying this for too long, biasing your testing handlers is the worst thing you can do, at that point just write unit tests smh
Pls "let the fuzzer fuzz", almost every invariant testing suite I see is full of bias in the handlers.
For those wondering this technique is called equivalence testing, halmos-solady by zach obront is a great example of how to use it
Remember to check for reverts tho (since halmos will skip those) either using try catch statements or raw calls, anon
Formal Verification is the process of mathematically proving exactly one property of your system holds.
A property like:
"My gas-optimized huff code gives the exact same output as my solidity code"
This is known as an "equivalence check"
With this knowledge, what can you do?
I'm going to start making more tweets about assembly and security.
Lmk what topics you want to know more about: bit masking, accessing nested memory/call data structs with Yul, memory safety…
It was a pleasure working on this large codebase with such a skilled team. We identified key issues and suggested improvements for their testing suite.
Many thanks to the @juiceboxETH team, especially to @me_jango & @0xBA5ED for trusting Enigma Dark to secure their new codebase
We have just published our Security Review Report for @juiceboxETH's v4. A huge codebase with many integrations, we uncovered several intricate issues and concerns.
Read the report here:
Catch two of our Lead Security Researchers @vn_martinez_ & @0xadrii at the "Web3 Security: Mitigating Smart Contract Risks in Defi" panel at the @chainlink Community Meetup in Andorra
For more details:
Earlier today, Chainlink wstETH/ETH price feed on Arbitrum reported an inaccurate value, resulting in the liquidation of 5 positions.
Our friends at Chainlink are on it.
No bad debt accrued, Silo is performing as usual ✅
🧵
Hot take: that protocol probably needs a few more audits, same as a lot of the protocols that did a contest these past months. No way a “mid” that would get 300 dupes in the bear is a solo finding getting 18% of the pot.
Obv I’m not trying to disrespect any of the participants
🥉won $18,274.25 with 1 unique medium: incompatibility with fee-on-transfer & rebasing tokens.
Very basic finding normally with tons of duplicates but with audit demand so high there are less eyes on every contest.
Great time for auditors - if you want it, go get it!
If you write your invariant handlers similar to how you write unit tests, with a lot of preconditions and hardcoded sequences, you significantly limit the potential branches that the fuzzer could explore (including those sweet edge cases)
let the fuzzer do the hard work anon
Not many know that one of the most interesting panels at ethcc was at the side event hosted by Spark
Fully recommend watching the recording when it’s released
Really useful, especially when writing fuzz tests or working with formal verification tools.
An interesting metric to take into account is that your fuzz test is “good” when it catches introduced mutations. Else you should rewrite it.
Mutation testing, or intentionally introducing bugs into your code to check the quality of your tests.
100% coverage does not matter if your tests are not properly designed to catch bugs. Top article by @RareSkills_io 🫶
Test your code properly, anon🫡
Lol, just noticed I'm 6th on the leaderboard despite not participating in the formal verification contests for almost a year
Kudos to everyone on it, we def need more researchers focused on invariants!
@CertoraInc contests are a great way to train your invariant testing skills
One great tip for both auditors and developers doing peer reviews is to check for integration and E2E tests.
Whenever you see `vm.mockCall` or mocked contracts, double-check the basics: they often hide the most obvious bugs like interface DOS or wrong parameter order.
Is not web2sec vs web3sec
It is financial-web2sec vs web3sec
Web3 sec is expensive because 99% is money related ppl seem to forget that
Just check money spent by banks and financial institutions on security you will change your mind anon