Security Hygiene

[0x4007]

ongoing security hygiene suggestions

• hiring
• spec design
• code reviews
• testing
• [CONTRACTS] - fuzzing <- we are here #120
• formal verification
• key management
• external reviews
• security assessment
• bug bounty program
• incident handling

List of known attack vectors

[0x4007]

Note to self I just remembered I'm connected with the guy who made the world's first hack for pacemakers - career white hat. I think he can do a white box test easily.

[0x4007]

https://github.com/PatrickAlphaC/hardhat-security-fcc/

[sergfeldman]

Hardhat security
https://github.com/PatrickAlphaC/hardhat-security-fcc/
1/ Run tests
2/ Read specs/docs
3/ Run fast tools (like slither, linters, static analysis, etc)
4/ Manual Analysis
5/ Run slow tools (like echidna, manticore, symbolic execution, MythX)
6/ Discuss (and repeat steps as needed)
7/ Write a report
The decision: it is mandatory for the most important smart contracts with the possible high damage. For other smart contracts decide case by case.

Slither Analyzer to avoid security issues and vulnerabilities
https://github.com/crytic/slither
The decision: in the future, we can integrate it into CI, for now, run in the local environment

Solhint to follow the best programming rules
https://github.com/protofire/solhint
The decision: in the future, we can integrate it into CI, for now, run in the local environment

[0x4007]

https://twitter.com/drdr_zz/status/1564920740721426433?s=21&t=ohJwYahWyq9Mbv6zXkNO6w

[0x4007]

Sherlock is so confident in this audit process that we are willing to back every audit with:

$10M TVL coverage
+
$1M bug bounty coverage

Meanwhile, no other auditor will even give you a refund if you get exploited due to a bug they missed.

https://twitter.com/sherlockdefi/status/1564280392403787777?s=21&t=5V2jary-n_MJTU2Xn_H59A

[0x4007]

Tools

From https://graph.org/ETHSec-Tools-02-13

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3769774
https://arxiv.org/pdf/2112.03426.pdf
https://publik.tuwien.ac.at/files/publik_278277.pdf
https://arxiv.org/pdf/2008.02712.pdf

[0x4007]

I was looking at the CI of other projects and realized that we can probably just use the same configs.

1. Slither CI - Origin
2. Echidna CI - Uniswap
3. MythX CI - Uniswap
4. Snyk CI - Origin

[0x4007]

I accidentally disabled lavamoat on the core dollar contracts at some point while converting this into a monorepo. We should definitely re-add to the whole project.

• Turns out its a MetaMask product, which prompted me to check out their CI and looks like they have a ton more scripts to consider! CodeQL looks interesting.

• Also a built in yarn audit seems like a good idea.

[0x4007]

Since DNS hijacking is on the rise (we've seen it recently with the curve.fi UI being compromised) an idea would be to have a badge on the UI that does an ajax request to get the commit hash of the current instance (uad.ubq.fi) and compare with the other deployments (netlify.ubq.fi, fleek.ubq.fi, cloudflare.ubq.fi)

This would require a compromise of all UI deployments simultaneously to thwart this detection.

If there's any difference then we can get the user's attention and explain that something is fishy and to be aware of any new approvals!

[0x4007]

Automated threat detection and killswitch transaction can be signed and deployed by the platform frontrunning suspicious transactions in the mempool. Not entirely sure how they guarantee a frontrun but worth exploring. I already reached out to sales to learn more.

https://twitter.com/peckshield/status/1571819575901319168

[0x4007]

Certora - formal verification tool

[0x4007]

Spizzy was ere

[0x4007]

• https://twitter.com/zellic_io/status/1588344731611779072?s=46&t=wklEHiWoVdlASNob9SeDMA

• https://www.zellic.io/blog/ante-x-zellic

Ante x Zellic: Audit incentive alignment
The first audit firm to stake ETH behind the effectiveness of an audit.
Zellic11/3/2022
Zellic becomes the first audit firm to stake ETH behind the effectiveness of their audit. There has been a recent uproar in the crypto community about auditor incentives. Incentive misalignment occurs when auditors get paid even if they miss bugs or the protocol gets hacked later.
Not all audit firms suffer from hacks equally. High-tier audit firms are the most levered towards their customers’ outcomes. This is because high-tier audit firms differentiate themselves on quality. The reputational damage from a hack harms the community’s trust in them, damaging future business. Meanwhile, low-tier audit firms adopt a volume-centric business model, and thus less sensitive to customer outcomes.
At Zellic, we believe in our audits. We hold ourselves to the highest standards of quality. And we don’t just talk the talk: we back this commitment with financial incentives. We’ve always been willing to put money where our mouth is.
Now, we’re taking it even one step further. To signal our confidence behind our audit of Ante Finance, we are staking ETH on two core invariants of the Ante Protocol. These invariants were identified during our audit and should never be violated. If these security invariants are violated, Zellic will directly lose up to 10 ETH.
Staking creates a deep alignment between auditors and protocols. When invariants break and Ante Tests fail, the auditor’s stake is paid out to challengers (e.g., protocol users). In the future, we believe strong incentives are necessary for auditors to truly stand behind their customers.
The Ante tests can be found here and here.
TABLE OF CONTENTS

[0x4007]

More for economic security but we should consider a Gauntlet subscription to run real time simulations on our inflows (collateral) and outflows (uAD) in order to simulate and prevent bank runs.

I'm not entirely sure if their platform supports our type of setup (we don't have the concept of liquidations) but its worth speaking with their team on this.

[0x4007]

I converted one of the lists in one of the images I posted earlier and I think we should consider all of these options to add to our CI potentially? I didn't actually realize how many tools are out there. I think we should try and stick with the top/most popular ones.

Researched	Relevant	Software
❌	❌	Oyente
✅	✅	Mythx
❌	❌	Mythril
❌	❌	SmartCheck
❌	❌	Securify
❌	❌	Ositis
❌	❌	Sereum
❌	❌	Manticore
❌	❌	MAIAN
❌	❌	Solgraph
❌	❌	Reguard
✅	✅	Slither
❌	❌	Fether
❌	❌	ESolidM
❌	❌	Veri Solid
❌	❌	Zokrates
❌	❌	Vandal
❌	❌	Zeus
❌	❌	SODA
❌	❌	Why3

Notice

We should first research the tool to see what its about, then check if its relevant to our project.

The possibilities per row could be

Researched	Relevant	Software	Comment
❌	❌	appname	TODO
✅	❌	appname	Researched, and not relevant
✅	✅	appname	Researched, and relevant

[0x4007]

https://twitter.com/1nf0s3cpt/status/1583011233363824640?s=46&t=Pl2ZJVPiATpTDi6ulNNMXw

📑 Root cause analysis from past DeFi incidents.

Hope this stuff can help devs to avoid the same mistakes as much as possible.

Now covered 95 incidents.

https://wooded-meter-1d8.notion.site/0e85e02c5ed34df3855ea9f3ca40f53b?v=22e5e2c506ef4caeb40b4f78e23517ee

#DeFi #Web3

[0x4007]

https://twitter.com/storming0x/status/1509769575021178886?t=aP4CHqGHvi6cn0gbOeqfRw