All Questions
55 questions
0
votes
1
answer
28
views
Is delegatecall to another contract really same as calling the function as if it were the part of calling contract?
When a contract makes a delegatecall, the code at the target address is executed in the context of the calling contract. This means that the storage, state variables, and functions of the calling ...
1
vote
1
answer
121
views
Does sandwich attack work if there are TWO attackers?
In this scenerio, could both attackers turn a profit from this attack?
I imagine it would work, but I want to be certain.
Tx No.
Description
Tx0
Attacker 1 trades A for B
Tx1
Attacker 2 trades A ...
- 11
0
votes
1
answer
134
views
How do these 2 functions differ in terms of security?
How are these 2 functions different in terms of security, there was a question on a forum and i don't understand
function emergencyWithdraw(uint256 _pid) public {
PoolInfo storage pool = poolInfo[...
- 1
0
votes
1
answer
155
views
Security considerations: using events to trigger offchain actions
I need to trigger a sensitive offchain action based on a users interaction with my smart contract.
My current approach is to emit and event (Trigger(msg.sender, 123)) and then use a filterQuery with ...
- 152
1
vote
1
answer
166
views
How can I demonstrate attacks on Quorum-based smart contracts in my local test network?
Currently, I am conducting a research regarding the security and privacy vulnerabilities of Quorum-based smart contracts. However, so far I've been struggling to implement attack vectors in order to ...
1
vote
1
answer
211
views
Flash minting ether security considerations and attacks
Flash loans enable a class of attacks that have not been possible or observed as much in prior systems.
Flash minting ether is a concept that is starting to be implemented.
See Example of flash ...
eth♦
- 86.5k
10
votes
3
answers
2k
views
Flash loan security considerations and attacks
What do developers need to be aware of to make their contracts and systems safe against flash loans?
What do they have to think about and protect against?
eth♦
- 86.5k
4
votes
0
answers
1k
views
Frontrunning Uniswap horror story transactions
From the Ethereum is a Dark Forest post, the rescue plan was:
Deploy a Getter contract which, when called by its owner, would make
the burn call ONLY if activated, and otherwise revert.
Deploy a ...
eth♦
- 86.5k
2
votes
1
answer
70
views
Is the May 2017 contract creation attack still possible?
In May 2017, an "attacker" created a contract that attempts to create many other contracts(using many JUMPDEST operations in the creation bytecode) until it runs out of gas.
I see the gas ...
- 123
1
vote
1
answer
179
views
Risk of Messages Not Having a Signature
As per my understanding transactions are signed before sending to Ethereum. Else, no transfer of Ether will happen. However, messages sent to Smart Contracts (SC) aren't signed (e.g., using methods....
- 111
4
votes
1
answer
892
views
What is the "pre-commit" scheme to defeat frontrunning attack?
I am writing to inquire feasible strategies to defeat Transaction Ordering Dependence (TOD) bugs.
I learned from the best practice guideline such that we can use a so-called "pre-committed" scheme ...
- 257
1
vote
1
answer
2k
views
Griefing Attacks: Are they profitable for the attacker?
The following article explains one of the solutions for indirectly validate a block when cross-sharding transaction between two shards to prevent invalid blocks.
The article called one of these ...
- 2,700
1
vote
2
answers
199
views
adaptive vs. non-adaptive adversaries? Is there a precise, unique and general definition? (Updated)
In this Ethereum github page (Link to the page: https://github.com/ethereum/wiki/wiki/Sharding-FAQ#what-are-the-security-models-that-we-are-operating-under) there is a very brief definition of the ...
- 2,700
1
vote
1
answer
356
views
How does the exploit in FOMO3D work?
With the recent release of the FOMO3D exploit in its smart contract, how does the exploit work?
- 4,810
1
vote
1
answer
150
views
Account management risks of booting into Tails OS from USB using a "partially air-gapped" Linux PC
My threat tolerance is around a 3 out of 5 on the paranoia scale. What are the practical account management risks of using a flash drive loaded with Tails OS to boot into a Linux PC, which will only ...
- 13
4
votes
1
answer
515
views
ERC20 transfer - caller expects return but none provided - what happens?
If someone implements the ERC20 transfer() function without the return value as follows:
function transfer(address to, uint256 value) public {
require( ... usual checks ... );
balances_[msg....
- 665
1
vote
1
answer
476
views
Best practices for a secure Ethereum private network? [closed]
What are the best practices for an Ethereum private network with n nodes (programmed with Geth), to be secure from possibles external attacks?
I mean, which config parameters are recommended during ...
- 385
5
votes
3
answers
2k
views
Dealing with the short address attack
I'm writing a contract for an ERC20 token, based on Zepellin contracts. I noticed that their code doesn't handle the short address attack. Does it mean I shouldn't care about it?
- 730
0
votes
1
answer
62
views
Leverage short positions in decentralised PoW currencies
Hint
I asked this question in a similar style already on bitcointalk and on bitcoin.stackexchange. But in these threads, there are no good answers and I thought maybe it would be better to ask the ...
user24389
1
vote
1
answer
278
views
Unable to replicate short-address attack
I was reading about the short address attack and decided to replicate and test the possible solutions.
What I know about short address attack is if you skip n characters of your address, you end up ...
- 8,076
0
votes
1
answer
407
views
What are the most common attack patterns on a Smart Contract? [duplicate]
i'm new to Solidity.
After writing my first smart contract im fairly concerned about it's security, once deployed to the MainNet. What are the most important things i should check within my code? ...
9
votes
2
answers
1k
views
Is sending some datas in the data field safe?
An airdrop ask to send it 0ETH with 150000 GAS and some datas in DATA field.
Is it safe?
What could be the aim of this transaction?
Thanks.
3
votes
1
answer
2k
views
Is it Safe to Share the Wallet Keystore File Without Password?
There is an ICO that asks for ethereum keystore file, which is unusual for me as far as ICOs go. Even though it does not looks like it contains private key and password it still feels unsettling.
Is ...
2
votes
3
answers
469
views
In ethereum, what happen if someone controls a large majority of mining power?
If someone manages more than 50% of the mining power, this situation necessarily compromises the integrity of the past blocks and newly generating blocks?
- 163
4
votes
1
answer
160
views
Can an Ethereum key generated on a laptop be brute-forced by someone else because of low entropy?
I read this and this tweets. Though, I understand that this issue occur because some people use the same private key mentioned in a blog/forum.
But, on the first tweet, people were talking about the ...
- 557
1
vote
0
answers
166
views
Are there any real examples of Sybil attack? [closed]
I have seen many articles and blog posts talking about Sybil attack but except the case of Tor (Article Link), i couldn't find any relevant articles pointing to the Sybil attack on Computer Networks ...
- 111
3
votes
1
answer
84
views
How to count empty accounts?
Is there a way to count empty accounts using geth ? I just want to be able to track current DDOS cleanup process.
- 609
3
votes
0
answers
137
views
What is an empty account if the state root is not empty?
"State-bloat" attacks led to an empty account being defined as an account that has zero balance, nonce and code.
There was a disagreement on EIP 161:
I disagree. An account should be considered ...
eth♦
- 86.5k
16
votes
1
answer
1k
views
Why were empty accounts allowed to be on the blockchain?
It's hard to see what the benefits of allowing empty accounts to be on the blockchain are. This was a known subtlety (see "note: there is a difference between zero-balance and nonexistent") and ...
eth♦
- 86.5k
2
votes
1
answer
403
views
Reproducing recursive call exploit
Here's a contract that I want to attack using recursive call:
contract Abstract {
function foobar();
}
contract B {
uint stateVar;
function foo(Abstract someAddress){
...
- 4,308
3
votes
2
answers
391
views
Besides TheDAO - what are some examples of where Ether has been hacked, stolen or lost?
Besides TheDAO - what are some examples of where Ether has been hacked, stolen or lost ?
4
votes
1
answer
147
views
Did the spamming counter-attack on The DAO attack work to slow down the attacks?
This question was asked in the comment section of What does TheDAO counter-attack by spamming actually do? (suggested by Stephan Tual).
Background links:
The attacks used a recursive call ...
- 40.4k
7
votes
1
answer
840
views
How much would 51% attack cost?
I was thinking about situation where for example NSA would want to gain control over significant portion of Ethereum network.
How much would it cost to for example create mining pool that would be ...
- 681
9
votes
1
answer
931
views
How many ethers have been drained through the recursive call attacks on The DAO?
The recursive call attacks on The DAO have now stopped as there are no more ethers in The DAO account.
What are the amounts and percentages that can be attributed to the hostile and friendly attacks, ...
- 40.4k
5
votes
1
answer
138
views
Is it possible to use negative gas to execute a Reentrant attack using .send()?
Haven't tested it out but I think in theory this could work. It might work somehing like this:
An attacker first writes a lot of data to storage so there is data to be deleted.
Using .send() in the ...
- 667
8
votes
1
answer
1k
views
How many The DAO recursive call vulnerability attacks have occurred to date?
The first identified The DAO recursive call vulnerability attack occurred on 17 June 2016, with the accounts identified in Which accounts are involved in mounting the recursive call vulnerability ...
- 40.4k
6
votes
2
answers
899
views
What was the second vulnerability used in The DAO attack on 17 June 2016?
From The big theDAO heist FAQ by koeppelmann:
How did the attack worked exactly? The attacker managed to combine 2 exploits. The first exploit was to call the split DAO function recursively. That ...
- 40.4k
3
votes
1
answer
533
views
How was the recursive call vulnerability attack conducted via proposal #59 when there were no Yes votes?
From Which split proposal was used to mount the recursive call vulnerability attack on The DAO?, proposal #59 is very likely the vector uses by the attacker to hack 3,641,694.241898506 Ether ($59,578,...
- 40.4k
3
votes
1
answer
495
views
Which accounts are involved in mounting the recursive call vulnerability attacks on The DAO?
The first transaction 0x0ec3f2488a93839524add10ea229e773f6bc891b4eb4794c3337d4495263790b was initiated from account 0x969837498944ae1dc0dcac2d0c65634c88729b2d to the contract at ...
3
votes
1
answer
401
views
Which split proposal was used to mount the recursive call vulnerability attack on The DAO?
I'm assuming that a split proposal was used to mount the recursive call vulnerability attack on The DAO.
Which of the splits below was used to mount this attack?
Here are the current list of splits:
...
7
votes
2
answers
2k
views
How was the recursion created that lead to theDAO hack?
I understand that if theDAO contract has a withdrawal function that sends money to contract X - contract X can be malicious and use the fallback function to call the withdrawal function again. However ...
- 7,636
5
votes
4
answers
594
views
In simple terms, how did the DAO get hacked and funds removed from it?
How did the DAO get hacked? Can someone explain in simple terms?
- 4,810
4
votes
1
answer
248
views
Does the recent attack to "the DAO" means end of it? [duplicate]
However implementing the DAO and its smart contracts are incredibly exciting experiments, the recent attack to the DAO clearly suggested that the code is not safe and may or may not have more ...
- 1,255
12
votes
2
answers
217
views
Is it possible to attack "the DAO" attackers new splitted DAO?
Since the splitted DAO (dark DAO) has the exact same vulnerability in its code, is it possible to execute the same attack to the attackers DAO?
- 1,255
7
votes
2
answers
2k
views
How did they stop "the DAO" attack on 17 June 2016? [duplicate]
Is it possible to prevent some transactions from happening? Obviously not, since it will ruin the whole purpose of having a decentralized system.
So my question is how could they stop the attack? In ...
- 1,255
22
votes
3
answers
4k
views
TheDAO hack FAQ: How did the attack happen on 17 June 2016?
Can anyone explain that how the DAO attack happened? Vitalik Buterin explained here that it was performed by splitting a DAO from the main DAO but calling the split function recursively.
We know that ...
5
votes
2
answers
416
views
Can the stalker attack in TheDAO be stopped?
https://github.com/slockit/dao/wiki/Why-The-Stalker-attack-is-a-non-issue#a-way-to-guarantee-you-get-your-eth says:
Assuming the attacker also voted yes in all of the new Curator
Proposals, in ...
eth♦
- 86.5k
3
votes
1
answer
140
views
Potential attack vectors on an Ethereum account
Besides someone stealing your private key, what are other potential attack vectors on an Ethereum account?
- 6,403
7
votes
3
answers
1k
views
What is a Sybil attack?
The term "Sybil Attack" comes up often when discussing network security with researchers. What is it? How much of a concern is it to the Ethereum network? What are some effective ways to prevent it?
- 4,831
4
votes
0
answers
135
views
How is Casper better than POW against possible government censorship? [closed]
As of now my understanding is that with POW an attack by one or multiple goverments could be orchestrated just by raiding mining farms (which can be easily identified given the electricity bill) and ...
- 41