From our Blog
A collection of our research and novel findings across the blockchain security space.
Don't underestimate TON: how incorrect gas estimations lead to critical issues
TON is a novel blockchain that combines a complex fee system with asynchronous messages. We explore how fees are computed in TON and why their correct estimation is critical.
Don't Let Your Off-Chain Components Get Confused
Off-chain components like bridge relayers and keepers hold cryptographic keys that give them power. Attackers exploit the classic Confused Deputy Problem to trick these components into misusing that power. The article covers multiple attack vectors including: fake EVM events, manipulable ERC-20 balance conditions that trigger incorrect state transitions, and block re-organizations that persist despite Proof-of-Stake.
A Compound Proposal Decoder
To help the Compound community dig deeper and verify proposals independently, ChainSecurity has developed the Compound Proposal Decoder, an open-source CLI tool that fetches and better displays everything that’s happening inside a Compound proposal.
The Real Minimal Proxy - Powered by EIP-7702
For years, developers have relied on EIP-1167 minimal proxies to cut gas costs during contract deployments. In this blog article, we present a new approach that pushes past those established limits, using a powerful feature in the new EIP-7702.
Hex, Lies, and BigInts: Finding Critical Bugs in TypeScript Blockchain Code
Bugs in off-chain applications can lead to critical problems like Denial of Service that can be abused by attackers. TypeScript is used in many cases. Learn about our experiences.
When Empty Means Valid: Exploiting MPT Proof Verification for an Alternative Truth
A severe flaw was discovered in a library for on-chain verification of Merkle-Patricia-Trie proofs. Protocols using it to bridge operations to L2s could be misled into accepting wrong state proofs, entailing direct loss of funds.
f(x) Protocol: Circumventing Access Control with a Double Flash Loan Attack
A critical vulnerability in the f(x) Protocol allowed attackers to exploit nested flash loans and bypass access controls, enabling them to steal collateral from any user's positions.
Java-Tron Limited Review
ChainSecurity completes a limited security review of Java-Tron, the client running Tron.
EigenLayer Integration for developers and auditors
Although the protocol seems promising, it is a complex system with edge cases and details that need to be taken into account when integrating with EigenLayer. In this article, we will try to cover as many integration quirks as possible in order to help developers and auditors understand what can go wrong and why.
Merkle Mountain Range (MMR): the case of Herodotus
A Merkle Proof is a cryptographically authenticated data structure widely used to minimize on-chain data storage. For instance, a Merkle proof against a Merkle root can support airdrop claims from a smart contract. Similarly, a Merkle Patricia Trie proof can verify the existence of a key-value pair in Ethereum’s state Trie.
StarkNetID auto-renewal explainer
StarkNet ID recently launched a subscription feature for users. An auto-renewal contract has been implemented that facilitates the renewal of a user’s domain. This article explains the core functionality of this subscription feature, which we reviewed in our smart contract audit.
TSTORE Low Gas Reentrancy
In the upcoming Cancun hardfork, Ethereum will add a new exciting feature to its Ethereum Virtual Machine (EVM). Transient storage (EIP-1153) will be available to developers as a new data location for storing data with the lifespan of one transaction.
Circom assertions: misconceptions and deceptions
This article is not meant to explain the concepts of zero-knowledge or zk-SNARKs; a lot of amazing learning material can be found online. Its goal is to make programmers aware of the misuse of Circom’s assert() statement.
Denial-of-Service Attacks In DeFi: The Balancer-Synthetix Case
How can a DeFi project’s entire liquidity become inaccessible in an instant? In this article, we explore a type of Denial-of-Service attack vector, namely Denial-of-Service by affecting internal token balances. This particular vulnerability arises when a Balancer multi-token flash loan is taken out for tokens with double entry points.
How To Read Smart Contract Audit Reports
Having smart contracts audited is necessary if they are to serve a meaningful purpose. It is also essential that all stakeholders of a project read its audit report. This is so that the project and its security outlook are understood at a deeper level.
Heartbreaks & Curve LP Oracles
It’s easy to get tricked by lies and deception when you’re blinded by beauty. Taking off rose-colored glasses can be heartbreaking but getting them smashed on your face will be disastrous. Oracle manipulations are quite similar. They deceive you into not seeing the true value of something. Once you realize, the world around you is crumbling.
Curve LP Oracle Manipulation: Post Mortem
On April 14, we informed Curve and affected projects about a read-only reentrancy vulnerability in some Curve pools. More specifically, the value of function get_virtual_price can be manipulated by reentering it during the removal of liquidity.
Why is Oracle Manipulation after the Merge so cheap? Multi-Block MEV.
Proof of Stake is coming. Ethereum’s Merge is coming soon™ and will be moving the network from PoW to PoS. This is a consensus layer change and will have relatively few effects on the application layer.
Beware of Undefined Behavior! — Underhanded Solidity Contest Winner 22
This year’s Underhanded Solidity Contest featured many great submissions highlighting quirks in Solidity which can bite developers and auditors. We are proud to be among excellent company as judges for this contest, and even more so that this year the submission of Tynan, one of our Blockchain Security Engineers, won the contest for abusing a little known quirk in Solidity.
TrueUSD ↔ Compound Vulnerability
TrueUSD (TUSD) is a stablecoin on the Ethereum blockchain. Until recently, it had multiple entry points, which could cause issues for various protocols. We discovered such an issue in our audit of the Compound cToken contract. The issue, with several millions at risk, has been mitigated by Compound and OpenZeppelin and a detailed write-up can be found here.
TotalSupply Inconsistency in ERC1155 NFT Tokens
On November 1st, 2021, we reported a vulnerability to OpenZeppelin in which the totalSupply can appear lower than it actually is for ERC1155 NFT tokens. This affects projects relying on totalSupply for calculations, e.g. when voting or determining market caps. All tokens utilizing the ERC1155Supply.sol extension prior to v4.3.2 are affected. The vulnerability was promptly fixed and publicly disclosed on November 12th.
Is DeFi worth the risk?
The skyrocketing prices of cryptocurrencies — including Bitcoin and Ethereum — are drawing increased attention to the cryptocurrency market. And, this in turn, becomes a catalyst for growth of projects on these underlying distributed ledger networks.
PolPatrol – Validator for Polkadot Runtimes
ChainSecurity is happy to release PolPatrol, an automated validator for testing the stability and security of Polkadot runtimes with respect to generic security and performance properties. Since Polkadot’s relay chain runtime lies at the core of the Polkadot network, the current version of PolPatrol focuses on ensuring that relay chain runtimes are secure and functionally correct.
Istanbul Hardfork EIPs – Changing Gas Costs and More
The Ethereum network will soon have its next hardfork called Istanbul. Many Ethereum Improvement Proposals (EIPs) were submitted to be included in that hardfork.
ChainSecurity joins the Capital Markets and Technology Association
We are pleased to announce that ChainSecurity has joined the Capital Markets and Technology Association (CMTA) whose members include well-known FinTech leaders such as Bank Vontobel, Mt Pelerin Group, and Taurus Group.