Daily Security
Audit checklists for CDP (Collateralized Debt Positions). Give it a star 🙏 https://github.com/Decurity/audit-checklists/blob/master/cdp.md

Repost from EthSecurity
Heads up! Some Curve ETH pools have a major bug that allows an attacker to manipulate the virtual_price. https://twitter.com/danielvf/status/1657019677544001536?s=19 @EthSecurity1

Repost from EthSecurity
If you see a Solidity method that has an argument of type array, always check for 3 things:
1. What if the array length is 0?
2. What if there are duplicated elements in the array?
3. What if there are zero value elements in the array?
@EthSecurity1

Repost from EthSecurity
Web3 Dev
1) How do you construct a lending protocol that supports arbitrary collateral, has no oracles, and has no expirations? Read the whitepaper to find out: paradigm.xyz/2023/05/blend
2) Web3education.dev brought by Patrick Collins
@EthSecurity1

Repost from EthSecurity
Are you familiar with the challenges borrowing and lending protocols face? #web3sec #defi
Dive into:
- Illiquid liquidations
- Collateral safeness
- The dangers of governance
- Oracle risk and cost of manipulation
https://tokeninsight.com/en/research/market-analysis/the-7-deadly-sins-of-lending-protocols @EthSecurity1

Repost from EthSecurity
🔴 Many security vulnerabilities come from faulty assumptions. Identifying the assumptions made by the devs and evaluating if they are correct can uncover big discrepancies between what the code does vs. what it is intended to do.
Here are examples of common faulty assumptions: 📔
1. Initialization functions will only be called ONCE and/or can be called only by the contract deployer
2. Only admins can call certain functions (access control issues)
3. Functions will always be called in a certain order as expected by the system. Ex. what if there's a function that closes a position but expects that you opened one in the 1st place? A function that checks if your payment is on time but expects you got a loan before that?
4. Parameters can only have non-zero values or values within a certain threshold:
 - addresses will never be zero-valued
 - sender will always be different from the receiver
 - an element of a struct array will always exist so the values won't be the default ones
5. Certain addresses or data values can never be attacker-controlled
6. Function calls will always be successful and so checking for return values is not required
These are just a few examples of common assumptions that don't always hold true. Always try to identify what assumptions are made when writing the code and compare that to how the system could actually behave.
@EthSecurity1
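As an added example (not code from this channel or from EthSecurity), a hypothetical `GuardedDistributor` contract shows the three array checks from the Solidity array post and guards assumptions 1, 2 and 6 from the list above; the contract, function names and require messages are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example (hypothetical contract, not from the channel): enforces the three array
// checks from the array post and guards faulty assumptions 1, 2 and 6 from the list.
contract GuardedDistributor {
    address public owner;
    bool private initialized;
    mapping(address => uint256) public balances;

    // Assumption 1: the initializer must actually run only once; the first caller sets the owner.
    function initialize(address _owner) external {
        require(!initialized, "already initialized");
        require(_owner != address(0), "owner is zero address");
        initialized = true;
        owner = _owner;
    }

    // Assumption 2: "only admins can call this" is enforced by a check, not presumed.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Credits each recipient. Rejects the three cases from the array post:
    // empty array, duplicate elements, zero-valued elements.
    function distribute(address[] calldata recipients, uint256[] calldata amounts) external onlyOwner {
        uint256 n = recipients.length;
        require(n > 0, "empty array");                            // 1. zero length
        require(amounts.length == n, "length mismatch");
        for (uint256 i = 0; i < n; i++) {
            require(recipients[i] != address(0), "zero address"); // 3. zero-valued element
            require(amounts[i] != 0, "zero amount");
            for (uint256 j = 0; j < i; j++) {                     // 2. duplicates (O(n^2); batches are small)
                require(recipients[j] != recipients[i], "duplicate recipient");
            }
            balances[recipients[i]] += amounts[i];
        }
    }

    // Assumption 6: the low-level call's return value is checked instead of assumed to be true.
    function withdraw() external {
        uint256 amt = balances[msg.sender];
        balances[msg.sender] = 0;                                 // state cleared before the external call
        (bool ok, ) = msg.sender.call{value: amt}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}
```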