{"@attributes":{"version":"2.0"},"channel":{"title":"Consensys Diligence","link":"https:\/\/diligence.security\/","description":"Recent content on Consensys Diligence","language":"en-us","lastBuildDate":"Thu, 12 Mar 2026 09:44:54 +0100","item":[{"title":"How Consensys Diligence Secures MetaMask Snaps and Linea","link":"https:\/\/diligence.security\/blog\/2024\/05\/how-consensys-diligence-secures-metamask-snaps-and-linea\/","pubDate":"Thu, 23 May 2024 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2024\/05\/how-consensys-diligence-secures-metamask-snaps-and-linea\/","description":"This blog highlights Diligence&rsquo;s work across Consensys in auditing MetaMask Snaps and Linea components."},{"title":"Diving deep into Audit Contests Analytics and Economics","link":"https:\/\/diligence.security\/blog\/2024\/04\/diving-deep-into-audit-contests-analytics-and-economics\/","pubDate":"Fri, 12 Apr 2024 11:28:22 +0100","guid":"https:\/\/diligence.security\/blog\/2024\/04\/diving-deep-into-audit-contests-analytics-and-economics\/","description":"It&rsquo;s been a couple of years since code4rena introduced competitive audits into the smart contract security landscape, and it looks like audit contests are here to stay. In the meantime, several other platforms have popped up with the same formula.\nAudit contests are simple. A project publishes a set of smart contracts that they would like to have audited, and promises a prize pool for security-related findings. A contest runs for a couple of weeks during which participants can submit their findings."},{"title":"You're missing out! 
If you're not writing detection modules.","link":"https:\/\/diligence.security\/blog\/2024\/02\/youre-missing-out-if-youre-not-writing-detection-modules\/","pubDate":"Wed, 21 Feb 2024 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2024\/02\/youre-missing-out-if-youre-not-writing-detection-modules\/","description":"We recently released a new tool called napalm, a detection module IDE. Napalm makes it easy to set up a multi-tool custom detector project. Not stopping there, napalm provides an all-out quality-of-life upgrade for security researchers who like to write their own detection modules.\nA tool that helps you develop detection modules is great, but it occurred to me that lots of people are not writing their own detection modules yet."},{"title":"Unleashing Napalm","link":"https:\/\/diligence.security\/blog\/2024\/01\/unleashing-napalm\/","pubDate":"Wed, 31 Jan 2024 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2024\/01\/unleashing-napalm\/","description":"Attention, all auditors and security researchers! We\u2019ve got a new tool for you!\nYou\u2019re a security researcher and you hate repetitive work. So what do you do? You\u2019ve compiled a nice collection of analysis rules and detection modules that automatically do all the repetitive work for you. Life is great, until\u2026 You\u2019ve got 100+ modules, some for Slither, others for Semgrep, and things are getting out of hand! 
You have to spend time writing scripts to run the right modules at the right time, and it\u2019s impossible to even keep track of what you can automatically detect."},{"title":"EthTrust - The Frontier of Smart Contract Security Standards","link":"https:\/\/diligence.security\/blog\/2023\/12\/ethtrust-the-frontier-of-smart-contract-security-standards\/","pubDate":"Mon, 18 Dec 2023 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2023\/12\/ethtrust-the-frontier-of-smart-contract-security-standards\/","description":"The Enterprise Ethereum Alliance (EEA) shapes the most mature standard for smart contract security. Consensys Diligence contributes to the EthTrust Security Levels Specification, spearheaded by the EEA EthTrust Security Levels Working Group."},{"title":"GLIF: DeFi Innovation on Filecoin With Zero-Compromise Security ","link":"https:\/\/diligence.security\/blog\/2023\/12\/glif-defi-innovation-on-filecoin-with-zero-compromise-security\/","pubDate":"Fri, 08 Dec 2023 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2023\/12\/glif-defi-innovation-on-filecoin-with-zero-compromise-security\/","description":"Learn how an audit by the Diligence team made GLIF\u2019s smart contracts and protocol more secure."},{"title":"Tidal Finance: Crypto-Native Insurance For A Crypto-Native Economy","link":"https:\/\/diligence.security\/blog\/2023\/12\/tidal-finance-crypto-native-insurance-for-a-crypto-native-economy\/","pubDate":"Fri, 08 Dec 2023 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2023\/12\/tidal-finance-crypto-native-insurance-for-a-crypto-native-economy\/","description":"This blog post discusses Tidal\u2019s engagement with Consensys Diligence to audit the protocol\u2019s on-chain insurance smart contracts."},{"title":"How To Write Robust And Sustainable Smart Contracts","link":"https:\/\/diligence.security\/blog\/2023\/09\/how-to-write-robust-and-sustainable-smart-contracts\/","pubDate":"Tue, 19 Sep 2023 00:00:00 
+0000","guid":"https:\/\/diligence.security\/blog\/2023\/09\/how-to-write-robust-and-sustainable-smart-contracts\/","description":"Consensys Diligence provides actionable tips on building secure and robust smart contracts in web3."},{"title":"Reproducing the DeusDao exploit with Diligence Fuzzing","link":"https:\/\/diligence.security\/blog\/2023\/08\/reproducing-the-deusdao-exploit-with-diligence-fuzzing\/","pubDate":"Tue, 01 Aug 2023 21:13:39 -1000","guid":"https:\/\/diligence.security\/blog\/2023\/08\/reproducing-the-deusdao-exploit-with-diligence-fuzzing\/","description":"On May 6th 2023, DeusDao was exploited, resulting in $6.5M in losses. A detailed write-up of the event can be found here. The root cause of the exploit was a logical error in the burnFrom function.\nfunction burnFrom(address account, uint256 amount) public virtual {\n    uint256 currentAllowance = _allowances[_msgSender()][account];\n    _approve(account, _msgSender(), currentAllowance - amount);\n    _burn(account, amount);\n}\nOn the first line of burnFrom, the message sender and account are accidentally swapped when computing the allowance for tokens to burn: the function reads _allowances[_msgSender()][account], the allowance the caller granted to account, instead of _allowances[account][_msgSender()], the allowance account granted to the caller. Since the caller controls that value through approve, the following _approve call lets the caller set their own allowance over the tokens of account."},{"title":"Diligence Fuzzing Now Supports Foundry Projects","link":"https:\/\/diligence.security\/blog\/2023\/08\/diligence-fuzzing-now-supports-foundry-projects\/","pubDate":"Tue, 01 Aug 2023 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2023\/08\/diligence-fuzzing-now-supports-foundry-projects\/","description":"Announcing Diligence Fuzzing support for all Foundry developers to ensure easy and efficient smart contract security."},{"title":"Endeavors into the zero-knowledge Halo2 proving system","link":"https:\/\/diligence.security\/blog\/2023\/07\/endeavors-into-the-zero-knowledge-halo2-proving-system\/","pubDate":"Wed, 26 Jul 2023 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2023\/07\/endeavors-into-the-zero-knowledge-halo2-proving-system\/","description":"Consensys Diligence explains the Halo2 zero-knowledge prover and 
highlights bugs that can affect the security of Halo2 circuits."},{"title":"Why Your Web3 Project Needs A Bug Bounty Program","link":"https:\/\/diligence.security\/blog\/2023\/06\/why-your-web3-project-needs-a-bug-bounty-program\/","pubDate":"Wed, 21 Jun 2023 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2023\/06\/why-your-web3-project-needs-a-bug-bounty-program\/","description":"Crypto hacks are costing projects millions in user funds. Bug bounty programs can help prevent exploits and secure the Web3 ecosystem.\nBug bounties provide financial incentives for hackers and researchers to disclose flaws in applications to development teams. In the tech industry, where minor software errors can lead to catastrophic losses, bug bounties provide a cost-effective method for detecting vulnerabilities in code. Bug bounties have a long history: In 1983, real-time operating system vendor Hunter &amp; Ready launched the \u201cBug for a Bug\u201d program\u2014finding flaws in its VRTX operating system earned the finder a Volkswagen Beetle, commonly called the \u201cBug\u201d."},{"title":"Charting The Web3 Security Landscape","link":"https:\/\/diligence.security\/blog\/2023\/05\/charting-the-web3-security-landscape\/","pubDate":"Tue, 09 May 2023 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2023\/05\/charting-the-web3-security-landscape\/","description":"An overview of the emerging web3 security stack and industry."},{"title":"Consensys Diligence and Socket partner for secure Socket Liquidity Layer smart contracts","link":"https:\/\/diligence.security\/blog\/2023\/04\/consensys-diligence-and-socket-partner-for-secure-socket-liquidity-layer-smart-contracts\/","pubDate":"Tue, 25 Apr 2023 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2023\/04\/consensys-diligence-and-socket-partner-for-secure-socket-liquidity-layer-smart-contracts\/","description":"While smart contract systems of today have the capability to be deployed with permissions, 
upgradeable proxies, and ways to add extra logic to them, the unique selling point of this technology has always been its ability to remain immutable and predictable after the initial deployment. Systems with these properties can be used reliably by integrators with strong expectations that they will continue working as expected. From a smart contract security perspective, this allows users and builders to rest easy knowing that the code they are transacting with now will not change and surprise them."},{"title":"Benchmarking Smart-Contract Fuzzers","link":"https:\/\/diligence.security\/blog\/2023\/04\/benchmarking-smart-contract-fuzzers\/","pubDate":"Wed, 19 Apr 2023 08:12:36 +0000","guid":"https:\/\/diligence.security\/blog\/2023\/04\/benchmarking-smart-contract-fuzzers\/","description":"Helping users select a suitable fuzzer"},{"title":"How to Prepare for a Smart Contract Audit with Consensys Diligence","link":"https:\/\/diligence.security\/blog\/2023\/04\/how-to-prepare-for-a-smart-contract-audit-with-consensys-diligence\/","pubDate":"Wed, 19 Apr 2023 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2023\/04\/how-to-prepare-for-a-smart-contract-audit-with-consensys-diligence\/","description":"Use this helpful checklist to prepare your smart contracts for an audit"},{"title":"Fuzzing Tutorial: How to get started testing your smart contracts","link":"https:\/\/diligence.security\/blog\/2023\/04\/fuzzing-tutorial-how-to-get-started-testing-your-smart-contracts\/","pubDate":"Thu, 06 Apr 2023 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2023\/04\/fuzzing-tutorial-how-to-get-started-testing-your-smart-contracts\/","description":"Step-by-step tutorial to get started using fuzzing for your smart contract security"},{"title":"(Re-) Introducing Diligence Fuzzing","link":"https:\/\/diligence.security\/blog\/2023\/04\/re-introducing-diligence-fuzzing\/","pubDate":"Tue, 04 Apr 2023 00:00:00 
+0000","guid":"https:\/\/diligence.security\/blog\/2023\/04\/re-introducing-diligence-fuzzing\/","description":"Diligence Fuzzing is now available to developers for testing smart contract systems."},{"title":"Increasing Code Coverage Using Fuzzing Lessons","link":"https:\/\/diligence.security\/blog\/2022\/10\/increasing-code-coverage-using-fuzzing-lessons\/","pubDate":"Mon, 24 Oct 2022 08:12:36 +0000","guid":"https:\/\/diligence.security\/blog\/2022\/10\/increasing-code-coverage-using-fuzzing-lessons\/","description":"How you can record fuzzing lessons in Diligence Fuzzing"},{"title":"The forgotten IPFS vulnerabilities","link":"https:\/\/diligence.security\/blog\/2022\/09\/the-forgotten-ipfs-vulnerabilities\/","pubDate":"Wed, 28 Sep 2022 13:36:47 +0100","guid":"https:\/\/diligence.security\/blog\/2022\/09\/the-forgotten-ipfs-vulnerabilities\/","description":"In 2021, we privately disclosed multiple vulnerabilities in the InterPlanetary File System but never really talked about them. Let&rsquo;s change that \ud83d\ude0a!"},{"title":"Consensys Diligence Partners with StarkWare To Expand Auditing Services","link":"https:\/\/diligence.security\/blog\/2022\/09\/consensys-diligence-partners-with-starkware-to-expand-auditing-services\/","pubDate":"Tue, 20 Sep 2022 15:39:51 +0700","guid":"https:\/\/diligence.security\/blog\/2022\/09\/consensys-diligence-partners-with-starkware-to-expand-auditing-services\/","description":"Earlier this year, Consensys Diligence announced its partnership with StarkWare to expand its security audit capabilities for smart contracts written in Cairo and deployed on StarkWare.\n\u201cWe were very impressed by the team\u2019s in-depth analysis and understanding of Cairo, overcoming the fact that this is a new language. 
Consensys Diligence has already contributed to the safety of StarkEx by detecting a bug that was promptly fixed.\u201d said Uri Kolodny, Co-founder and CEO at StarkWare about the partnership."},{"title":"Four Scribble features to make testing your smart contract easier","link":"https:\/\/diligence.security\/blog\/2022\/07\/four-scribble-features-to-make-testing-your-smart-contract-easier\/","pubDate":"Fri, 01 Jul 2022 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2022\/07\/four-scribble-features-to-make-testing-your-smart-contract-easier\/","description":"These four features make Scribble a more expressive specification language to help make testing your smart contract simpler."},{"title":"The State of Blockchain Security With Our Co-Founder, Gon\u00e7alo S\u00e1","link":"https:\/\/diligence.security\/blog\/2022\/02\/the-state-of-blockchain-security-with-our-co-founder-gon%C3%A7alo-s%C3%A1\/","pubDate":"Tue, 15 Feb 2022 18:54:07 -0700","guid":"https:\/\/diligence.security\/blog\/2022\/02\/the-state-of-blockchain-security-with-our-co-founder-gon%C3%A7alo-s%C3%A1\/","description":"A look at the state of the blockchain security industry and our plans in 2022."},{"title":"Under-constrained computation, a new kind of bug","link":"https:\/\/diligence.security\/blog\/2022\/01\/under-constrained-computation-a-new-kind-of-bug\/","pubDate":"Mon, 17 Jan 2022 14:37:55 +0100","guid":"https:\/\/diligence.security\/blog\/2022\/01\/under-constrained-computation-a-new-kind-of-bug\/","description":"Learn how provers can exploit under-constrained Cairo programs!\nIntroduction Cairo is a programming language for building zero-knowledge programs. These programs allow you to prove the result of a computation without asking other people to re-run the computation.\nProofs of correct computation are awesome! Let&rsquo;s assume you have a Cairo program to compute all prime numbers up to 1,000. 
When you run Cairo, you&rsquo;ll get both the prime numbers and a proof that those prime numbers are the result of running the program."},{"title":"Hackwek - Hallucinating Solidity Source Code","link":"https:\/\/diligence.security\/blog\/2021\/12\/hackwek-hallucinating-solidity-source-code\/","pubDate":"Sun, 12 Dec 2021 11:04:19 +0100","guid":"https:\/\/diligence.security\/blog\/2021\/12\/hackwek-hallucinating-solidity-source-code\/","description":"Buidling, breaking, hacking, making! \ud83e\udd77\u2694\ufe0f Testing boundaries and playing with experimental technology is what we love at Diligence.\nIn this spirit, &ldquo;HackWek&rdquo; was born: a recurring Diligence-internal five-day hacking party \ud83e\udd73. In this episode, I set out to build a Solidity source code writing robot \ud83d\ude35\u200d\ud83d\udcab\ud83e\udd16.\nHallucinating Solidity Source Code\nSome time ago I started collecting smart contract samples from public block explorers with the smart-contract-sanctuary project. Initially, for no special reason, but it quickly turned into a treasure trove for all kinds of activities."},{"title":"Fuzzing ERC20 contracts with Diligence Fuzzing","link":"https:\/\/diligence.security\/blog\/2021\/09\/fuzzing-erc20-contracts-with-diligence-fuzzing\/","pubDate":"Thu, 30 Sep 2021 10:13:59 +0200","guid":"https:\/\/diligence.security\/blog\/2021\/09\/fuzzing-erc20-contracts-with-diligence-fuzzing\/","description":"Fuzzing ERC20 contracts\nLearn how you can use Scribble to define a complete and checkable ERC20 specification. As a bonus, we show how you can use fuzzing to check the specification automatically!\nI&rsquo;m willing to bet that you&rsquo;re familiar with the ERC20 standard, the best-known standard for tokens (next to ERC721). 
You might be less familiar with Scribble and fuzzing, which make it easy to test ERC20 implementations thoroughly."},{"title":"Introducing Diligence Fuzzing","link":"https:\/\/diligence.security\/blog\/2021\/09\/introducing-diligence-fuzzing\/","pubDate":"Thu, 16 Sep 2021 10:13:59 +0200","guid":"https:\/\/diligence.security\/blog\/2021\/09\/introducing-diligence-fuzzing\/","description":"The Consensys Diligence team has built a lot of tools with use cases ranging from automatic vulnerability discovery (check out MythX) to network-based vulnerability scanning (TeaTime), to code-understanding tools (Surya, VSCode visual developer).\nCheck out all our tools here: Blockchain Security Tools | Consensys Diligence\nA few months ago, we released Scribble, an all-new specification language for smart contracts. Using Scribble, you can extend your smart contract with specifications that we can automatically check using fuzzing and symbolic execution techniques."},{"title":"Annotating State Variables with Scribble","link":"https:\/\/diligence.security\/blog\/2021\/07\/annotating-state-variables-with-scribble\/","pubDate":"Thu, 29 Jul 2021 16:58:33 -1000","guid":"https:\/\/diligence.security\/blog\/2021\/07\/annotating-state-variables-with-scribble\/","description":"Since we released Scribble last December, we have been hard at work adding new features to the language and the tool itself. In this series of posts, we will look at some of the new features we&rsquo;ve added. 
Our first post showcases state variable annotations with if_updated.\nThe problem\nDuring our early usage of Scribble, it became apparent that annotations of functions and contracts are nice, but are sometimes insufficient when reasoning about individual state variables."},{"title":"Hackathons are fantastic!","link":"https:\/\/diligence.security\/blog\/2021\/07\/hackathons-are-fantastic\/","pubDate":"Thu, 22 Jul 2021 11:09:01 +0200","guid":"https:\/\/diligence.security\/blog\/2021\/07\/hackathons-are-fantastic\/","description":"There&rsquo;s nothing more enjoyable than gathering a group of friends, eating pizza, and hacking on something you&rsquo;ve always wanted to build but haven&rsquo;t had time for.\nWhen we learned that Consensys was organizing an internal hackathon, it didn&rsquo;t take us long to find projects to hack on.\nA couple of friends started hacking on &ldquo;TURN&rdquo;, a revolutionary token-based solution that could simplify our day-to-day operations. More on this in a future post."},{"title":"Introducing Scribble Generator","link":"https:\/\/diligence.security\/blog\/2021\/07\/introducing-scribble-generator\/","pubDate":"Wed, 14 Jul 2021 11:13:59 +0200","guid":"https:\/\/diligence.security\/blog\/2021\/07\/introducing-scribble-generator\/","description":"Some vendors use an effective sales strategy called &ldquo;lock-in&rdquo;. Once you&rsquo;re in the vendor&rsquo;s ecosystem, it can be challenging to get out. You&rsquo;ll have made a big investment into various products that work great together but suck once you use them with anything else.\nA similar thing can happen (often unintentionally) with tech stacks. 
You invest big-time in tool X and are then locked into using it because you don&rsquo;t want to start from scratch with a new tool Y."},{"title":"IPFS Gateway Security","link":"https:\/\/diligence.security\/blog\/2021\/06\/ipfs-gateway-security\/","pubDate":"Mon, 07 Jun 2021 18:29:26 +0200","guid":"https:\/\/diligence.security\/blog\/2021\/06\/ipfs-gateway-security\/","description":"TL;DR: Path-based IPFS gateways have a critical flaw: because all content is served from the gateway&rsquo;s single origin, they effectively disable one of the essential security features of modern browsers, the same-origin policy.\nNote\nUpdate: June 16, 2021\nWe&rsquo;d like to thank the team at security[at]ipfs.io for picking up and addressing our concerns. It is a pleasure seeing security being taken seriously and we&rsquo;d like to share their updates and feedback with you.\nThe following statements were provided by the IPFS security team and have not been validated by Consensys Diligence."},{"title":"Tackling Cross Site Scripting with Smart Contracts","link":"https:\/\/diligence.security\/blog\/2021\/03\/tackling-cross-site-scripting-with-smart-contracts\/","pubDate":"Wed, 10 Mar 2021 15:25:13 -0600","guid":"https:\/\/diligence.security\/blog\/2021\/03\/tackling-cross-site-scripting-with-smart-contracts\/","description":"Writing smart contracts can be fraught with dangers stemming from multiple vectors, but one you may not have considered is cross-site scripting attacks initiated by the smart contract itself! How is this possible? Let&rsquo;s explore and solve it."},{"title":"Paradigm CTF Winner","link":"https:\/\/diligence.security\/blog\/2021\/02\/paradigm-ctf-winner\/","pubDate":"Sun, 28 Feb 2021 11:06:00 -0600","guid":"https:\/\/diligence.security\/blog\/2021\/02\/paradigm-ctf-winner\/","description":"The Consensys Diligence team, a.k.a. Dilicious, won first place at the Paradigm Capture the Flag competition. 
Paradigm CTF was one of the most anticipated security competitions in the Ethereum space."},{"title":"Fault Localisation with Tarantula ","link":"https:\/\/diligence.security\/blog\/2021\/02\/fault-localisation-with-tarantula\/","pubDate":"Wed, 10 Feb 2021 13:07:15 +0100","guid":"https:\/\/diligence.security\/blog\/2021\/02\/fault-localisation-with-tarantula\/","description":"Sometimes unit tests fail, and you don\u2019t know why. That\u2019s when you want to use fault localisation: finding the fault that\u2019s causing the tests to fail. Tarantula is one such algorithm; it ranks lines by how suspicious they are of causing the failures, based on which passing and failing tests execute them. I implemented this algorithm and used solidity-coverage results to localise bugs in Ethereum smart contracts.\nLet\u2019s start at the beginning: the motivation for fault localisation. Imagine you\u2019re developing a new feature and you run your test suite."},{"title":"4 effective strategies to come up with Scribble annotations","link":"https:\/\/diligence.security\/blog\/2021\/02\/4-effective-strategies-to-come-up-with-scribble-annotations\/","pubDate":"Tue, 02 Feb 2021 11:28:22 +0100","guid":"https:\/\/diligence.security\/blog\/2021\/02\/4-effective-strategies-to-come-up-with-scribble-annotations\/","description":"Coming up with properties can be a difficult task! In a previous post we talked about starting to write Scribble properties. Here I&rsquo;m going to explore four strategies to accelerate annotating your smart contracts!\nAs you might already know, Scribble enables you to write properties that you can then test automatically using methods such as fuzzing and symbolic execution.\nSounds awesome, doesn&rsquo;t it? 
But how do you come up with those properties?"},{"title":"Writing Properties - A new approach to testing","link":"https:\/\/diligence.security\/blog\/2021\/01\/writing-properties-a-new-approach-to-testing\/","pubDate":"Tue, 19 Jan 2021 10:51:12 +0100","guid":"https:\/\/diligence.security\/blog\/2021\/01\/writing-properties-a-new-approach-to-testing\/","description":"Writing smart contract properties - A new approach to testing\nScribble allows you to write smart contract properties that can be automatically tested using fuzzing and symbolic execution techniques. Writing properties requires a bit of a mindset shift. This article talks about that shift: going from unit testing to property-based testing with Scribble.\nIf you\u2019re a developer, then I\u2019m sure you\u2019re familiar with unit testing, an approach where you write small (unit) test cases to see if a component behaves as expected."},{"title":"Introducing Scribble","link":"https:\/\/diligence.security\/blog\/2020\/12\/introducing-scribble\/","pubDate":"Mon, 07 Dec 2020 14:24:11 +0100","guid":"https:\/\/diligence.security\/blog\/2020\/12\/introducing-scribble\/","description":"Making sure that smart contracts are secure and bug-free has never been more critical. Unfortunately, it remains a difficult task. While there are helpful tools for automatic testing and formal verification, ensuring the correctness of smart contracts continues to be a time-intensive and challenging task. 
To make things worse, each tool often has a steep learning curve, and it is not always clear whether it&rsquo;s even right for the job.\nThat is why we&rsquo;ve developed Scribble: a verification language and runtime verification tool."},{"title":"Token Interaction Checklist","link":"https:\/\/diligence.security\/blog\/2020\/11\/token-interaction-checklist\/","pubDate":"Mon, 16 Nov 2020 13:39:35 -0500","guid":"https:\/\/diligence.security\/blog\/2020\/11\/token-interaction-checklist\/","description":"A checklist for developers and security engineers working with contracts that interact with many different tokens, especially if they want to support user-supplied tokens."},{"title":"2nd Solidity Underhanded Contest","link":"https:\/\/diligence.security\/blog\/2020\/10\/2nd-solidity-underhanded-contest\/","pubDate":"Fri, 02 Oct 2020 16:54:16 +0100","guid":"https:\/\/diligence.security\/blog\/2020\/10\/2nd-solidity-underhanded-contest\/","description":"The second Solidity Underhanded Contest is here. This is your call to arms."},{"title":"Breaking Ethereum Nodes with Teatime","link":"https:\/\/diligence.security\/blog\/2020\/09\/breaking-ethereum-nodes-with-teatime\/","pubDate":"Sat, 26 Sep 2020 14:37:04 +0200","guid":"https:\/\/diligence.security\/blog\/2020\/09\/breaking-ethereum-nodes-with-teatime\/","description":"Announcing the first version of an RPC attack framework for blockchain nodes."},{"title":"Detecting Ownership Takeovers Using Mythril","link":"https:\/\/diligence.security\/blog\/2020\/09\/detecting-ownership-takeovers-using-mythril\/","pubDate":"Tue, 22 Sep 2020 13:25:56 +0200","guid":"https:\/\/diligence.security\/blog\/2020\/09\/detecting-ownership-takeovers-using-mythril\/","description":"Mythril is an analysis tool that uses symbolic execution to find vulnerabilities in smart contracts. Mythril even generates exploits for the vulnerabilities that it finds \ud83d\ude80. 
In a previous article, I wrote about Mythril internals and symbolic execution. In this article, I&rsquo;ll show how I use Mythril to detect ownership takeover vulnerabilities. I&rsquo;ll also use Mythril&rsquo;s new plugin system to install and release plugins with ease!\nIntroduction\nOut of the box, Mythril comes with several zero-setup detection modules."},{"title":"LibP2P: Multiaddr - Enode - ENR ?!","link":"https:\/\/diligence.security\/blog\/2020\/09\/libp2p-multiaddr-enode-enr\/","pubDate":"Tue, 08 Sep 2020 11:48:06 +0200","guid":"https:\/\/diligence.security\/blog\/2020\/09\/libp2p-multiaddr-enode-enr\/","description":"Ethereum node addressing can be confusing. We&rsquo;re looking into three ways to convey an Ethereum node&rsquo;s address and provide a convenient web tool to extract a node&rsquo;s address from an ENR."},{"title":"Actionable Smart Contract Addresses for VSCode","link":"https:\/\/diligence.security\/blog\/2020\/08\/actionable-smart-contract-addresses-for-vscode\/","pubDate":"Mon, 31 Aug 2020 14:48:06 +0200","guid":"https:\/\/diligence.security\/blog\/2020\/08\/actionable-smart-contract-addresses-for-vscode\/","description":"ETHover is a hover provider for Microsoft VSCode that provides actions for Ethereum addresses at your fingertips."},{"title":"Legions a Tool for Seekers","link":"https:\/\/diligence.security\/blog\/2020\/06\/legions-a-tool-for-seekers\/","pubDate":"Tue, 09 Jun 2020 16:28:26 -0400","guid":"https:\/\/diligence.security\/blog\/2020\/06\/legions-a-tool-for-seekers\/","description":"Legions is a handy toolkit for (security) researchers poking around EVM (Ethereum Virtual Machine) nodes and smart contracts, now with a slick command-line interface with command auto-completion and history."},{"title":"tBTC: Navigating the cross-chain conundrum","link":"https:\/\/diligence.security\/blog\/2020\/05\/tbtc-navigating-the-cross-chain-conundrum\/","pubDate":"Fri, 01 May 2020 14:58:42 
-0400","guid":"https:\/\/diligence.security\/blog\/2020\/05\/tbtc-navigating-the-cross-chain-conundrum\/","description":"We recently conducted a security assessment of Thesis&rsquo; tBTC. In this post, we explore a fundamental limitation of Bitcoin transaction verification within Ethereum smart contracts."},{"title":"An Experiment In Designing a New Smart Contract Language","link":"https:\/\/diligence.security\/blog\/2020\/05\/an-experiment-in-designing-a-new-smart-contract-language\/","pubDate":"Fri, 01 May 2020 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2020\/05\/an-experiment-in-designing-a-new-smart-contract-language\/","description":"We&rsquo;ve been building a new experimental smart contract programming language. This post shares what we came up with."},{"title":"Project 0x Case Study","link":"https:\/\/diligence.security\/blog\/2020\/04\/project-0x-case-study\/","pubDate":"Fri, 17 Apr 2020 16:01:51 +0000","guid":"https:\/\/diligence.security\/blog\/2020\/04\/project-0x-case-study\/","description":"Abstract\nSmart contracts facilitate the transfer of value and help determine digital asset behavior. This results in a higher need for formal proofs and computer-aided checks compared to traditional software, which does not typically perform these functions. 0x is an open protocol that enables the peer-to-peer exchange of assets on the Ethereum blockchain. 
It is one of the largest open protocols, with over 30 projects building on top of it, amassing over 713,000 total transactions, and a volume of $750 million."},{"title":"Catching Weird Security Bugs in Solidity Smart Contracts with Invariant Checks","link":"https:\/\/diligence.security\/blog\/2020\/04\/catching-weird-security-bugs-in-solidity-smart-contracts-with-invariant-checks\/","pubDate":"Mon, 06 Apr 2020 19:13:08 +0000","guid":"https:\/\/diligence.security\/blog\/2020\/04\/catching-weird-security-bugs-in-solidity-smart-contracts-with-invariant-checks\/","description":"Contract invariants are properties of the program state that are expected to always be true. In my previous article, I discussed the use of Solidity assertions to check contract invariants. This article expands on the use of invariants and provides a couple of additional examples.\nAn interesting feature of invariant checking at the bytecode level is that it allows you to detect low-level issues, including issues caused by compiler optimisation or idiosyncrasies of the programming language, by defining high-level rules."},{"title":"Targeted fuzzing using static lookahead analysis: how to guide fuzzers using online static analysis","link":"https:\/\/diligence.security\/blog\/2020\/03\/targeted-fuzzing-using-static-lookahead-analysis-how-to-guide-fuzzers-using-online-static-analysis\/","pubDate":"Tue, 31 Mar 2020 09:11:35 +0000","guid":"https:\/\/diligence.security\/blog\/2020\/03\/targeted-fuzzing-using-static-lookahead-analysis-how-to-guide-fuzzers-using-online-static-analysis\/","description":"In previous posts, we introduced Harvey, a fuzzer for Ethereum smart contracts, and presented two techniques to boost its effectiveness: input prediction and multi-transaction fuzzing.\nHarvey is being developed by MythX in collaboration with Maria Christakis from MPI-SWS. It is one of the tools that power our smart contract analysis service. 
Sign up for our free plan to give it a try!\nIn this post, we summarize our upcoming ICSE 2020 paper and provide a high-level overview of how we use online static analysis to guide Harvey."},{"title":"New Offering: 1-Day Security Reviews","link":"https:\/\/diligence.security\/blog\/2020\/03\/new-offering-1-day-security-reviews\/","pubDate":"Tue, 31 Mar 2020 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2020\/03\/new-offering-1-day-security-reviews\/","description":"Over the past few months, we have been conducting short &ldquo;security reviews&rdquo;, typically one or two days in duration. In some ways, these are similar to audits, but in other ways they&rsquo;re quite different. In this post, I&rsquo;ll share what these engagements are like and why you might want to hire us for one."},{"title":"Part 3: MythX \u2764\ufe0f Continuous Integration (DIY)","link":"https:\/\/diligence.security\/blog\/2020\/03\/part-3-mythx-%EF%B8%8F-continuous-integration-diy\/","pubDate":"Mon, 16 Mar 2020 14:52:42 +0000","guid":"https:\/\/diligence.security\/blog\/2020\/03\/part-3-mythx-%EF%B8%8F-continuous-integration-diy\/","description":"This is the third and last post in the MythX series on integrating security analysis of smart contracts into your Continuous Integration (CI) system. In the first part we built a CircleCI configuration. In the second part we built a small and beautiful Travis CI configuration.\n&ldquo;But I am using a completely different CI system!&rdquo; - You, maybe.\nFret not. 
The avid reader might have noticed a common pattern in the past two posts: In setups we used the MythX CLI and a basic Python runtime."},{"title":"Easy multi-contract security analysis using Mythril","link":"https:\/\/diligence.security\/blog\/2020\/03\/easy-multi-contract-security-analysis-using-mythril\/","pubDate":"Mon, 09 Mar 2020 17:50:54 +0000","guid":"https:\/\/diligence.security\/blog\/2020\/03\/easy-multi-contract-security-analysis-using-mythril\/","description":"The MythX platform leverages several internal components to provide the best possible analysis results. One of these components is available open-source; the symbolic executor Mythril. In this article, I\u2019ll demonstrate how you can use Mythril to analyze a set-up of multiple smart contracts.\nBy default, Mythril will analyze a contract in isolation. Interactions with external contracts are generalized so that we capture all possible vulnerabilities. Sometimes, this means we find a weakness in your smart contract that might not affect your particular setup."},{"title":"Questions DeFi users should be asking DeFi Developers","link":"https:\/\/diligence.security\/blog\/2020\/03\/questions-defi-users-should-be-asking-defi-developers\/","pubDate":"Mon, 02 Mar 2020 12:37:52 -0500","guid":"https:\/\/diligence.security\/blog\/2020\/03\/questions-defi-users-should-be-asking-defi-developers\/","description":"The DeFi space has had a tumultuous couple months, with a number of attacks as well as unexploited vulnerabilities being reported.\nBugs are unavoidable, but there are many things that can be done to reduce their frequency, and mitigate their negative effects.\nAs auditors, we want to help, but in order to really get developers to truly prioritize security, users need to start asking tough questions, and putting their money into the protocols that can answer them thoughtfully."},{"title":"MythX and Continuous Integration (Part 2): 
Travis","link":"https:\/\/diligence.security\/blog\/2020\/02\/mythx-and-continuous-integration-part-2-travis\/","pubDate":"Tue, 04 Feb 2020 13:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2020\/02\/mythx-and-continuous-integration-part-2-travis\/","description":"In the second part of this series on continuous integration, we will build an easy first integration of the MythX API into the Travis continuous integration platform.\nOther posts in this series:\nPart 1: CircleCI Part 2: Travis Part 3: (Coming soon) This three-part series is about integrating MythX into Continuous Integration systems. In the first part of this series I have shown how to automatically check for smart contract vulnerabilities in CircleCI."},{"title":"Interview with samczsun","link":"https:\/\/diligence.security\/blog\/2020\/01\/interview-with-samczsun\/","pubDate":"Thu, 30 Jan 2020 16:00:02 -0500","guid":"https:\/\/diligence.security\/blog\/2020\/01\/interview-with-samczsun\/","description":"If you keep up with Ethereum security-related postings, you\u2019ve no doubt heard of samczsun: security researcher and white hat extraordinaire. In this interview, we discuss his process as well as a few of his well-known findings."},{"title":"MythX and Continuous Integration (Part 1): CircleCI","link":"https:\/\/diligence.security\/blog\/2020\/01\/mythx-and-continuous-integration-part-1-circleci\/","pubDate":"Tue, 28 Jan 2020 13:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2020\/01\/mythx-and-continuous-integration-part-1-circleci\/","description":"In the first post of a new series, we discuss integrating security considerations to a continuous integration pipeline, starting with CircleCI.\nConveyor belts. Because continuity. Get it?\nContinuous testing of applications can be hard to figure out. 
While it is difficult to measure CI\/CD adoption, the blockchain ecosystem offers a great opportunity to adopt in-depth testing and continuous delivery pipelines where they make sense: right from the start.\nAt MythX we don\u2019t mind which technologies you are using to get things done."},{"title":"More ways to stay secure: Announcing two new plans and another way to pay","link":"https:\/\/diligence.security\/blog\/2020\/01\/more-ways-to-stay-secure-announcing-two-new-plans-and-another-way-to-pay\/","pubDate":"Tue, 21 Jan 2020 13:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2020\/01\/more-ways-to-stay-secure-announcing-two-new-plans-and-another-way-to-pay\/","description":"We\u2019re introducing new plans offering the highest confidence in the correctness of your code, and allowing payment via credit\/debit cards for the first time.\nWe\u2019re excited to announce some changes to our MythX plans that will be going live on January 31, 2020.\nNow, whenever a team announces \u201cexciting changes\u201d it\u2019s often code word for something bad, but in this case, these changes should positively affect (as far as we can predict) absolutely all of our known users."},{"title":"Verifying smart contract security with Remix and MythX","link":"https:\/\/diligence.security\/blog\/2020\/01\/verifying-smart-contract-security-with-remix-and-mythx\/","pubDate":"Tue, 14 Jan 2020 13:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2020\/01\/verifying-smart-contract-security-with-remix-and-mythx\/","description":"Leveraging security tools for verification can help you increase confidence in the correctness of smart contract code. Examples are given here using the MythX plugin for Remix.\nWhether you are a smart contract developer or auditor you might wonder if there&rsquo;s any value in using an automatic smart contract analysis tool. 
Assuming you know what you&rsquo;re doing, will these tools tell you anything you don&rsquo;t already know?\nIn this article I&rsquo;ll describe how you can leverage security tools to increase confidence in the correctness of smart contract code and potentially detect issues that are not easily apparent."},{"title":"MythX is for all stages of smart contract development","link":"https:\/\/diligence.security\/blog\/2020\/01\/mythx-is-for-all-stages-of-smart-contract-development\/","pubDate":"Tue, 07 Jan 2020 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2020\/01\/mythx-is-for-all-stages-of-smart-contract-development\/","description":"We recommend using MythX through every stage of the smart contract development life-cycle, before, during, and after deployment. (Note: This post was originally published in June 2019 and has been updated.)\nWe talk a lot here on the MythX team about the importance of regular, routine analysis of your smart contracts prior to deployment onto the blockchain.\nThe reason for this is simple: once the contract is deployed, it is immutable."},{"title":"Welcome Back! Security for the EIP Process","link":"https:\/\/diligence.security\/blog\/2020\/01\/welcome-back-security-for-the-eip-process\/","pubDate":"Sun, 05 Jan 2020 13:13:14 +0100","guid":"https:\/\/diligence.security\/blog\/2020\/01\/welcome-back-security-for-the-eip-process\/","description":"The security risk profile for blockchain protocols and application is quite demanding. With high incentives to play foul and potentially severe consequences for all participants. No wonder we were surprised to find out that security was not yet explicitly part of Ethereum\u2019s core change management process. 
Good thing, this finally changed."},{"title":"MythX Tech: Behind the Scenes of Smart Contract Security Analysis","link":"https:\/\/diligence.security\/blog\/2019\/12\/mythx-tech-behind-the-scenes-of-smart-contract-security-analysis\/","pubDate":"Tue, 17 Dec 2019 16:34:00 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/12\/mythx-tech-behind-the-scenes-of-smart-contract-security-analysis\/","description":"The tech behind MythX smart contract analysis, including the microservices Maru, Harvey, and Mythril, and how they work together.\nWhen I first introduced Mythril in 2017, I didn\u2019t expect it to be very useful to smart contract developers. It was a simple symbolic analyzer for Ethereum bytecode with tacked-on Solidity support. Mythril was OK for detecting\u00a0some security issues and solving CTFs, but it wasn\u2019t written with the needs of developers in mind."},{"title":"Destroying the Indestructible","link":"https:\/\/diligence.security\/blog\/2019\/12\/destroying-the-indestructible\/","pubDate":"Wed, 11 Dec 2019 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/12\/destroying-the-indestructible\/","description":"<p>This morning, I saw a link to <a href=\"https:\/\/github.com\/dharma-eng\/dharma-smart-wallet\/blob\/fe381cd190e2d0bb579d721c69202b814b2d4717\/contracts\/helpers\/IndestructibleRegistry.sol\">Dharma&rsquo;s <code>IndestructibleRegistry<\/code><\/a>. The idea behind this registry is that it keeps track of contracts that <em>cannot be destroyed<\/em>. It does this by verifying the contract&rsquo;s bytecode on chain. 
In this post, I&rsquo;ll show you how I managed to trick that verification and destroy an &ldquo;indestructible&rdquo; contract.<\/p>"},{"title":"All smart contract security issues in one place: An introduction to the SWC Registry","link":"https:\/\/diligence.security\/blog\/2019\/12\/all-smart-contract-security-issues-in-one-place-an-introduction-to-the-swc-registry\/","pubDate":"Tue, 10 Dec 2019 16:01:51 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/12\/all-smart-contract-security-issues-in-one-place-an-introduction-to-the-swc-registry\/","description":"The SWC Registry is an indispensable resource for securing your smart contracts. Here we show how you can use it most effectively.\nIn our last post, we showed you how you can use Remix with the MythX plugin to detect weaknesses in smart contract code.\nNow, let\u2019s talk about those weaknesses.\nSmart contract weaknesses are classified into many different types, allowing for easier management and discussion. The code that generates the weakness may vary widely, but the type of weakness is the same."},{"title":"A beginner\u2019s guide to MythX","link":"https:\/\/diligence.security\/blog\/2019\/11\/a-beginners-guide-to-mythx\/","pubDate":"Tue, 26 Nov 2019 16:01:51 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/11\/a-beginners-guide-to-mythx\/","description":"A detailed, step-by-step guide on how to use MythX with Remix, as well as showing the differences between MythX and MythX Pro.\nMythX is a tool for finding smart contract weaknesses. For our single developers and dev teams, we offer two plans: MythX and MythX Pro.\n(We also offer custom plans; contact us for details.)\nWe recently posted about the differences between MythX and MythX Pro. 
But you may find it more useful to see an actual scenario involving testing a smart contract using MythX."},{"title":"MythX Pro Security Analysis Explained","link":"https:\/\/diligence.security\/blog\/2019\/11\/mythx-pro-security-analysis-explained\/","pubDate":"Tue, 19 Nov 2019 16:01:51 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/11\/mythx-pro-security-analysis-explained\/","description":"MythX recently went live with a new Pro upgrade that offers more powerful analysis features than the free version. In this article I\u2019ll explain how the new \u201cfull\u201d analysis mode affects the performance of MythX.\nMythX is a smart contract security service that integrates multiple analysis techniques. The MythX Pro plan comes with a new analysis mode called Full mode. In this mode, submitted contracts are subjected to a thorough fuzzing campaign and deep inspection using symbolic analysis."},{"title":"Solidity, the Young Adult","link":"https:\/\/diligence.security\/blog\/2019\/11\/solidity-the-young-adult\/","pubDate":"Fri, 15 Nov 2019 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/11\/solidity-the-young-adult\/","description":"Solidity is getting bigger! We are doing a series to present you with the language&rsquo;s future plans and hopefully spark a conversation on merits and use cases."},{"title":"Stepping into the light","link":"https:\/\/diligence.security\/blog\/2019\/11\/stepping-into-the-light\/","pubDate":"Tue, 12 Nov 2019 16:01:51 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/11\/stepping-into-the-light\/","description":"MythX comes into its own, and creates a partnership with Consensys Diligence.\nI would like to introduce you to the new MythX blog.\nThis is the place for the whole MythX team, including our researchers, developers, and (yes) marketing folks to be able to share news, tips, ideas, and consolation\/hope for the state of security on the Ethereum platform.\n(Looking for our old blog? 
It\u2019s here.)\nBut first, some orientation, and how we got here."},{"title":"AraGraph - DAO Permissions Visualized","link":"https:\/\/diligence.security\/blog\/2019\/11\/aragraph-dao-permissions-visualized\/","pubDate":"Wed, 06 Nov 2019 11:43:08 +0100","guid":"https:\/\/diligence.security\/blog\/2019\/11\/aragraph-dao-permissions-visualized\/","description":"A Tool to visualize permission relationships and other details of Aragon DAOs"},{"title":"Vyper Preliminary Security Review","link":"https:\/\/diligence.security\/blog\/2019\/10\/vyper-preliminary-security-review\/","pubDate":"Mon, 28 Oct 2019 22:21:46 -0700","guid":"https:\/\/diligence.security\/blog\/2019\/10\/vyper-preliminary-security-review\/","description":"Consensys Diligence conducted a preliminary review of the Vyper compiler."},{"title":"Solidity Visual Auditor Extension for VS Code","link":"https:\/\/diligence.security\/blog\/2019\/10\/solidity-visual-auditor-extension-for-vs-code\/","pubDate":"Sat, 05 Oct 2019 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/10\/solidity-visual-auditor-extension-for-vs-code\/","description":"A VS Code extension for developing secure smart contract systems."},{"title":"Meet our Ethereum Security Experts in Japan at Devcon 5!","link":"https:\/\/diligence.security\/blog\/2019\/10\/meet-our-ethereum-security-experts-in-japan-at-devcon-5\/","pubDate":"Thu, 03 Oct 2019 11:44:43 -0700","guid":"https:\/\/diligence.security\/blog\/2019\/10\/meet-our-ethereum-security-experts-in-japan-at-devcon-5\/","description":"There are lots of opportunities to come meet our team in Japan."},{"title":"Vyper: Here be\u00a0Snakes!","link":"https:\/\/diligence.security\/blog\/2019\/09\/vyper-here-be-snakes\/","pubDate":"Fri, 27 Sep 2019 15:07:45 -0400","guid":"https:\/\/diligence.security\/blog\/2019\/09\/vyper-here-be-snakes\/","description":"A cautionary tale of a young serpent in a big world"},{"title":"Eliminating Smart Contract Special 
Cases","link":"https:\/\/diligence.security\/blog\/2019\/09\/eliminating-smart-contract-special-cases\/","pubDate":"Mon, 23 Sep 2019 11:39:00 -0700","guid":"https:\/\/diligence.security\/blog\/2019\/09\/eliminating-smart-contract-special-cases\/","description":"Special cases lead to code complexity, which leads to bugs. In this post, I&rsquo;ll share some examples of eliminating special cases to reduce code complexity and improve maintainability."},{"title":"How to Prepare for a Smart Contract Audit","link":"https:\/\/diligence.security\/blog\/2019\/09\/how-to-prepare-for-a-smart-contract-audit\/","pubDate":"Tue, 17 Sep 2019 12:00:00 -0400","guid":"https:\/\/diligence.security\/blog\/2019\/09\/how-to-prepare-for-a-smart-contract-audit\/","description":"A guide to the simple steps you can take beforehand, to get the best result out of the audit process"},{"title":"Factories Improve Smart Contract Security","link":"https:\/\/diligence.security\/blog\/2019\/09\/factories-improve-smart-contract-security\/","pubDate":"Tue, 10 Sep 2019 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/09\/factories-improve-smart-contract-security\/","description":"Using the factory pattern can simplify your code and reduce the impact of certain kinds of security vulnerabilities."},{"title":"Stop Using Solidity's transfer() Now","link":"https:\/\/diligence.security\/blog\/2019\/09\/stop-using-soliditys-transfer-now\/","pubDate":"Mon, 02 Sep 2019 00:00:00 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/09\/stop-using-soliditys-transfer-now\/","description":"Solidity&rsquo;s transfer() method uses a hardcoded gas amount, but gas costs can change. 
It&rsquo;s time to stop using this method."},{"title":"Return Data Length Validation: a Bug We Missed","link":"https:\/\/diligence.security\/blog\/2019\/07\/return-data-length-validation-a-bug-we-missed\/","pubDate":"Sat, 13 Jul 2019 18:02:21 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/07\/return-data-length-validation-a-bug-we-missed\/","description":"A rather serious vulnerability was recently found in the 0x v2.0 Exchange, a smart contract system that our team audited."},{"title":"A Case Against Inheritance in Smart Contracts","link":"https:\/\/diligence.security\/blog\/2019\/06\/a-case-against-inheritance-in-smart-contracts\/","pubDate":"Wed, 26 Jun 2019 01:58:36 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/06\/a-case-against-inheritance-in-smart-contracts\/","description":"Reduce your use of inheritance in smart contracts and increase your skepticism when you see it."},{"title":"Detecting Reentrancy Issues in Smart Contracts Using Fuzzing","link":"https:\/\/diligence.security\/blog\/2019\/04\/detecting-reentrancy-issues-in-smart-contracts-using-fuzzing\/","pubDate":"Tue, 30 Apr 2019 08:12:36 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/04\/detecting-reentrancy-issues-in-smart-contracts-using-fuzzing\/","description":"How Harvey warns you about reentrancy issues in your contracts"},{"title":"Provably Fair Ransom","link":"https:\/\/diligence.security\/blog\/2019\/04\/provably-fair-ransom\/","pubDate":"Mon, 29 Apr 2019 14:19:13 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/04\/provably-fair-ransom\/","description":"Ransom has a trust problem. 
Suppose I\u2019ve birdnapped your beloved pet parakeet and am demanding a $1,000 ransom to return the bird to you\u2026"},{"title":"Uniswap audit","link":"https:\/\/diligence.security\/blog\/2019\/04\/uniswap-audit\/","pubDate":"Thu, 18 Apr 2019 11:41:46 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/04\/uniswap-audit\/","description":"We are proud to announce that we have completed an audit of the Uniswap decentralized exchange. To our knowledge this is also the first\u2026"},{"title":"Ethereum Name Service Audit","link":"https:\/\/diligence.security\/blog\/2019\/04\/ethereum-name-service-audit\/","pubDate":"Mon, 08 Apr 2019 23:02:47 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/04\/ethereum-name-service-audit\/","description":"Consensys Diligence is happy to publish the Ethereum Name Service new registrar audit report. ENS new registrar is going live on May 4th."},{"title":"All Ethereum Security Tools","link":"https:\/\/diligence.security\/blog\/2019\/03\/all-ethereum-security-tools\/","pubDate":"Thu, 28 Mar 2019 06:59:21 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/03\/all-ethereum-security-tools\/","description":"Consensys Diligence is a security-focused group of 30+ Ethereum engineers, auditors and researchers distributed all over the world. 
We\u2026"},{"title":"Consensys Diligence Ethereum Hacking Challenge #2","link":"https:\/\/diligence.security\/blog\/2019\/03\/consensys-diligence-ethereum-hacking-challenge-2\/","pubDate":"Sat, 16 Mar 2019 18:01:51 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/03\/consensys-diligence-ethereum-hacking-challenge-2\/","description":"Win 100 DAI by Hacking this Vulnerable Ethereum Contract!"},{"title":"Newsletter 19\u200a\u2014\u200aMythX, IBM X-Force Red, Security Considerations for EIPs","link":"https:\/\/diligence.security\/blog\/2019\/03\/newsletter-19-mythx-ibm-x-force-red-security-considerations-for-eips\/","pubDate":"Mon, 11 Mar 2019 03:08:43 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/03\/newsletter-19-mythx-ibm-x-force-red-security-considerations-for-eips\/","description":"Sign up to get this newsletter every week: <a href=\"https:\/\/tinyletter.com\/smart-contract-security\/\">https:\/\/tinyletter.com\/smart-contract-security\/<\/a>"},{"title":"Consensys Diligence is going to Paris!","link":"https:\/\/diligence.security\/blog\/2019\/03\/consensys-diligence-is-going-to-paris\/","pubDate":"Sat, 02 Mar 2019 16:11:11 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/03\/consensys-diligence-is-going-to-paris\/","description":"The Diligence team will be in Paris next week. 
\ud83c\udf89"},{"title":"Newsletter 17\u200a\u2014\u200aMythX, False Positives on chain, & Front Running","link":"https:\/\/diligence.security\/blog\/2019\/02\/smart-contract-security-newsletter-17-mythx-false-positives-on-chain-front-running\/","pubDate":"Sun, 24 Feb 2019 22:16:39 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/02\/smart-contract-security-newsletter-17-mythx-false-positives-on-chain-front-running\/","description":"Sign up to get this newsletter in your inbox every week: <a href=\"https:\/\/tinyletter.com\/smart-contract-security\/\">https:\/\/tinyletter.com\/smart-contract-security\/<\/a>"},{"title":"Consensys Diligence Ethereum Hacking Challenge","link":"https:\/\/diligence.security\/blog\/2019\/02\/consensys-diligence-ethereum-hacking-challenge\/","pubDate":"Thu, 21 Feb 2019 03:28:53 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/02\/consensys-diligence-ethereum-hacking-challenge\/","description":"Consensys Diligence is deploying vulnerable contracts on purpose."},{"title":"Newsletter 16\u200a\u2014\u200aCREATE2 FAQ","link":"https:\/\/diligence.security\/blog\/2019\/02\/smart-contract-security-newsletter-16-create2-faq\/","pubDate":"Mon, 18 Feb 2019 15:42:37 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/02\/smart-contract-security-newsletter-16-create2-faq\/","description":"Distilled News"},{"title":"Taxonomy of front-running attacks on Blockchain","link":"https:\/\/diligence.security\/blog\/2019\/02\/taxonomy-of-front-running-attacks-on-blockchain\/","pubDate":"Mon, 18 Feb 2019 02:32:32 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/02\/taxonomy-of-front-running-attacks-on-blockchain\/","description":"This post is based on a paper published at 3rd Workshop on Trusted Smart Contracts In Association with Financial Cryptography (FC) 2019."},{"title":"Poison Block Explorer Byte Code","link":"https:\/\/diligence.security\/blog\/2019\/02\/poison-block-explorer-byte-code\/","pubDate":"Mon, 11 Feb 2019 10:18:13 
+0000","guid":"https:\/\/diligence.security\/blog\/2019\/02\/poison-block-explorer-byte-code\/","description":"You will understand how to trick a block explorer into displaying different byte code of your choosing, other than the one deployed on the\u2026"},{"title":"Upgradeability Is a Bug","link":"https:\/\/diligence.security\/blog\/2019\/01\/upgradeability-is-a-bug\/","pubDate":"Wed, 30 Jan 2019 17:39:07 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/01\/upgradeability-is-a-bug\/","description":"Smart contracts are useful because they&rsquo;re trustless. Immutability is a critical feature to achieve trustlessness\u2026"},{"title":"Fuzzing Smart Contracts Using Multiple Transactions","link":"https:\/\/diligence.security\/blog\/2019\/01\/fuzzing-smart-contracts-using-multiple-transactions\/","pubDate":"Mon, 07 Jan 2019 15:21:00 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/01\/fuzzing-smart-contracts-using-multiple-transactions\/","description":"A Technique for Finding Deep Vulnerabilities"},{"title":"How to Exploit Ethereum in a Virtual Environment","link":"https:\/\/diligence.security\/blog\/2019\/01\/how-to-exploit-ethereum-in-a-virtual-environment\/","pubDate":"Fri, 04 Jan 2019 13:10:02 +0000","guid":"https:\/\/diligence.security\/blog\/2019\/01\/how-to-exploit-ethereum-in-a-virtual-environment\/","description":"This is going to be a series about some of the techniques I implemented when designing Karl, a free tool that finds exploitable code in\u2026"},{"title":"Silent But Vulnerable: Ethereum Gas Security Concerns","link":"https:\/\/diligence.security\/blog\/2018\/12\/silent-but-vulnerable-ethereum-gas-security-concerns\/","pubDate":"Mon, 17 Dec 2018 03:35:32 +0000","guid":"https:\/\/diligence.security\/blog\/2018\/12\/silent-but-vulnerable-ethereum-gas-security-concerns\/","description":"Every transaction sent to the Ethereum blockchain requires a nontrivial amount of work to process. 
Gas is how that work is measured and\u2026"},{"title":"Fuzzing Smart Contracts Using Input Prediction","link":"https:\/\/diligence.security\/blog\/2018\/12\/fuzzing-smart-contracts-using-input-prediction\/","pubDate":"Wed, 12 Dec 2018 14:41:53 +0000","guid":"https:\/\/diligence.security\/blog\/2018\/12\/fuzzing-smart-contracts-using-input-prediction\/","description":"A lightweight approach for making fuzzing more effective"},{"title":"Finding Vulnerabilities in Smart Contracts","link":"https:\/\/diligence.security\/blog\/2018\/12\/finding-vulnerabilities-in-smart-contracts\/","pubDate":"Mon, 10 Dec 2018 15:46:35 +0000","guid":"https:\/\/diligence.security\/blog\/2018\/12\/finding-vulnerabilities-in-smart-contracts\/","description":"Fuzzing as a way to reveal vulnerabilities in Ethereum smart contracts"}]}}