
Questions tagged [security]

Questions relating to application security, safety, trust, and attacks against the Ethereum software stack and blockchain system.

1 vote, 1 answer, 17 views

installing foundry on gitpod

Please, is there a way I can install or use Foundry in a Gitpod environment? I tried installing WSL on my Windows 10 machine, but the command doesn't seem to be running. So I want to use a Gitpod environment for ...
King Lucky

1 vote, 0 answers, 21 views

Difference in parameters makes one way pass while the other fails. Why?

I'm doing Damn Vulnerable DeFi V4 right now, specifically 11. Backdoor. I tried to do it my way, but something didn't work, so I checked the solution. And here's the deal: while my code doesn't work: ...
nikos

1 vote, 0 answers, 16 views

Help me find a practical product that implements Zero Knowledge Proofs and solves an actual problem in the blockchain context

I'll explain in broad terms what I'm trying to do. I'm writing a security thesis on Zero Knowledge Proofs, and my basic idea is to find a solution to the privacy problem in the blockchain through the ...
AlexCav

0 votes, 0 answers, 9 views

How Custody Settlement Blockchain-Based Solutions Work with Centralized Exchanges

I read How does clearing & settlement work on crypto exchanges and have a follow-up question: Can you explain in more detail how our own custody for settlement on the blockchain would work if we ...
Sohail Ghafoor

0 votes, 1 answer, 62 views

Initialize a Safe using private key

I am trying to understand the best practices for using the Safe SDK. I have these lines of code: async function generateSafeCreationData(owners, threshold) { const safeFactory = await SafeFactory.init(...
S_C

0 votes, 1 answer, 28 views

Is delegatecall to another contract really the same as calling the function as if it were part of the calling contract?

When a contract makes a delegatecall, the code at the target address is executed in the context of the calling contract. This means that the storage, state variables, and functions of the calling ...
mohak gupta

1 vote, 0 answers, 24 views

Ethereum desktop or mobile wallets for privacy

Are there any Ethereum wallets or forks designed for user privacy? A desktop or mobile wallet that only makes calls to a local node, and has logging disabled by default? Is there a fork of MetaMask ...
eth

1 vote, 1 answer, 27 views

Can eavesdroppers see when one opens MetaMask with a password (and does nothing else)?

Person wants to keep his web identity decoupled from his MetaMask wallet and uses a trustworthy VPN. Person forgot to activate VPN and opened MetaMask with his password, realizes VPN is not active and ...
progonkpa

1 vote, 1 answer, 49 views

In Solidity, is division automatically unchecked?

I recently saw a Smart Contract with an unchecked division. However, I thought division was automatically unchecked, as: Biggest possible quotient = type(uint).max / 1 = type(uint).max (no overflow) ...
António Gonçalves

0 votes, 1 answer, 60 views

Blockchain Layer 2 Attacks

I'm interested in learning more about blockchain security. I've studied the vulnerabilities in Layer 1 and improved my skills. After focusing on smart contract vulnerabilities in Layer 1, I want to ...
yukara

1 vote, 1 answer, 531 views

Contract got hacked, what's wrong with it?

My Contract got hacked, and I cannot figure out why. Happened on Base. Hacker deployed a contract, then called their contract, which called my contract, and extracted tokens from my contract. But ...
0xQuasar

2 votes, 1 answer, 78 views

Does EIP-3448 really need the metadata length, or is it optional?

If you check the specs of EIP-3448, it states: "The last 32 bytes (one word) of the bytecode must indicate the length of the metadata in bytes." However, if this is not included in the ...
Iftikhar uddin

0 votes, 0 answers, 13 views

What is the _statsTracker address on some ERC-20 contracts?

I've been finding some ERC-20 contracts having a _statsTracker address, which then gets used like so: if (_statsTracker != address(0)) { IStatsTracker(_statsTracker).updateTransferStats(address(...
Abraham P

0 votes, 0 answers, 30 views

Why is only the first call frame aliased on Optimism?

Because addresses can be impersonated cross-chain, rollups have to alias addresses when L1 to L2 transactions are performed. From Optimism's docs: CALLER msg.sender If the transaction is an L1 ⇒ L2 ...
Paul Razvan Berg

0 votes, 2 answers, 45 views

Where do popular bridges keep their private keys in the backend in dapps?

I have an interesting question about major players among bridges and other dapps: where do they store their private keys in their backend? I mean, what flow do they decide on so that only the owner of that ...
Manav Notnani

0 votes, 0 answers, 23 views

Most decentralized and secure ways of listening to events for multiple wallets

The most common way of listening to events emitted by multiple smart contracts seems to be by using a JSON-RPC wrapper such as ethers or web3js. Let the contracts be ERC-721. If our contract emits an ...
root

0 votes, 0 answers, 39 views

The token was hacked in my smart contract

The transactions below were not created by me. Someone else withdrew tokens from my smart contract. The hack occurred in a transaction that creates a smart contract. How is this possible? https://...
유동근

2 votes, 1 answer, 106 views

Can a user impersonate a smart contract address - and use it as an EOA?

First of all: I'm aware of the fact that only EOAs sign/create txs in Ethereum, that the public address of an EOA and the address of a Smart Contract are calculated differently and that it's ...
Iaroslav

0 votes, 1 answer, 17 views

Does Ethereum ever charge an "unusual funds fee"? [duplicate]

Trust wallet is telling me I am being charged an unusual funds fee by Ethereum for a mysterious deposit which appeared in my account. I didn't make the deposit.
Sean

1 vote, 2 answers, 243 views

Why is my account frozen? [duplicate]

My accounts in Ether universe are frozen. I'm trying to find out why. Trust wallet is asking me to pay a third party unusual funds fee.
Sean

1 vote, 1 answer, 256 views

What number of confirmations is considered secure in Polygon?

In Bitcoin, 4 confirmations are considered secure (very low probability of transaction/block reversal). What is the current number in Polygon?
Falcon Stakepool

0 votes, 0 answers, 42 views

Geth Private Network - Account management

I'm building a private blockchain using Geth. I created 2 accounts with command geth --datadir miner-node account new and geth --datadir rpc-node account new, then I added their address to genesis....
revSurfer

0 votes, 0 answers, 50 views

Is everything okay with this Presale contract?

Could you help me check if this presale contract does what it's supposed to do and if it's safe? I tried to find bugs or flaws but couldn't find anything. The theory is very simple: the user can use ...
Integral

0 votes, 2 answers, 132 views

Is it possible to manipulate V2 getAmountOut() or V3 sqrtPriceX96 using Uniswap flash swaps or any kind of flash loan

I use these calls: IUniswapV2Router(uniswapV2Router).getAmountOut(tokenAmount, reserve1, reserve0) // Uniswap V2 token price (uint160 sqrtPriceX96, , , , , , ) = uniswapV3Pool.slot0(); // Uniswap V3 ...
blockson

0 votes, 0 answers, 64 views

Token Transfer in the absence of _isApprovedOrOwner

I have created a smart contract in which I have a method called forSale used to store a flag (in a struct part of a mapping) indicating that the owner of an ERC721 token wishes to sell his said token (...
JF0001

0 votes, 0 answers, 282 views

Adding liquidity for honeypot scam tokens

I have bought into my share of honeypot scam tokens over the years. I am not sore about it - I accept it as an 'operating cost' of trading in risky tokens. But I was curious whether I could take these ...
obenihk

0 votes, 0 answers, 30 views

Geth private network security

I'm implementing a private network with Geth, which is expected to go into production for a client. What are the most important points to focus on regarding the security of my blockchain? I was ...
revSurfer

0 votes, 0 answers, 8 views

How to record proof of contract exploit on-chain?

Suppose one wants to insure against certain contract hacks. To do that in a non-custodial manner, we need some way to detect a hack on-chain. I see some obvious ideas, like "if one wallet stores more ...
uhbif19

0 votes, 0 answers, 35 views

Eth_sign, blind signing and MM signing

Having some confusion on what is what here. Is there a difference between enabling eth_sign in MetaMask and blind signing on Ledger? Many web3 sites today require the user to sign a message as a login method. I ...
Blissful

1 vote, 1 answer, 101 views

Reentrancy Guard and CEI

Could you please explain: is there a need to use a ReentrancyGuard modifier if the contract follows the CEI (Checks-Effects-Interactions) pattern? If yes, could you give an example where the contract ...
Mark

0 votes, 1 answer, 316 views

Permit and transferFrom function called on an ERC20 which drained a specific token in my wallet

I recently found out I've been drained of around 1600 $ALT tokens in two separate transactions a few days ago. It sucks to lose money, but it sucks even more if you never know how it happened and what ...
Meysam

3 votes, 1 answer, 894 views

Where does Metamask store the private key (when the account is only locked with a machine-specific password)?

Where does Metamask store the private keys of an EVM-account after one recovers an account with private keys? Does it cipher the private keys before writing to storage, e.g. encoding with the access ...
Mila A

0 votes, 0 answers, 15 views

How to use ethereum on decentralized exchanges in the US?

See https://www.reddit.com/r/Bitcoin/comments/145yka4/comment/jnoduy1/?utm_source=share&utm_medium=web2x&context=3 Dex's don't deal with Fiat directly, you always need a cex to buy your ...
Ralph Yozzo

0 votes, 0 answers, 6 views

Implement a secure communication mechanism between the smart contract and the client.

I'm developing a dapp to allow users to chat with each other. The problem is that I need to ensure the security of the transmitted messages. What mechanism can be used to make the communication ...
grn.1002

0 votes, 1 answer, 32 views

I am being blackmailed by a person of whom I only have the Ethereum wallet address [duplicate]

I need help to identify a person who is blackmailing me with what she thinks is compromising material, threatening to send it to family, colleagues, etc., if I do not pay 300 € (as a start) to settle the issue. ...
Matthias

1 vote, 0 answers, 484 views

What are examples of high-liquidity ERC777 tokens on ETHEREUM? Any other token standards apply too, as long as there's a beforeTransfer callback

I'm looking to make a list of popular tokens that implement hooks on transferFrom(address owner, address receiver, uint256 amount) and are deployed on the Ethereum blockchain in particular. For ...
Mila A

0 votes, 1 answer, 381 views

New Metamask account randomly sending funds to another wallet

I made a new secondary account under my wallet and immediately transferred funds to it through Coinbase exchange. In less than 4 mins, the new account made a random unauthorized transfer to a random ...
heng heng

0 votes, 1 answer, 22 views

Ethernaut Alien Codex Gas Estimation Failed

When I call the attack() or exploit() function, Remix shows "Gas Estimation Failed". The code is copied from an existing solution available on the internet, so the code is correct. Can someone please help me understand why I ...
Shubham

1 vote, 1 answer, 579 views

backend based signature verification

I'm new to web3 and I'm trying to develop a way to authenticate users in my dapp. I'm used to using the old and safe method with email + password to do that, but recently I realised that I could use ...
whoami

0 votes, 0 answers, 16 views

Learning to test

I am currently learning how to test SC with foundry and I feel with each different contract that I test that I really don't learn anything, any study recommendations?
David Antunez

1 vote, 1 answer, 57 views

Understanding Reentrancy attacks

I'm trying to understand the mechanism for a reentrancy attack, and how it might be mitigated. I'm looking at (for example) this scan result: https://de.fi/scanner/contract/...
Abraham P

1 vote, 2 answers, 43 views

Audit Vulnerability Findings

As a person who is interested in smart contract auditing but has never done it before, I have this question in my head. What if an auditor finds a, let's say, critical vulnerability which will enable him to ...
qursk

4 votes, 0 answers, 152 views

BLS signatures and the Splitting Zero attack

In 2021 security researcher Quan Thoi Minh Nguyen published two papers ("0" and "Attacks and weaknesses of BLS aggregate signatures") where he highlighted some security weaknesses ...
BrainGrind

0 votes, 1 answer, 230 views

Are multiplications after division UNSAFE?

I have a smart contract which essentially does this: uint256 tokenRate = _pair.a2 * PRECISION_FACTOR / _pair.a1; uint256 toSend = _amount * tokenRate / PRECISION_FACTOR; uint256 feeToOwner2 = toSend ...
Iulian

1 vote, 1 answer, 28 views

How to prevent attacks in Ethereum

I hope you are well. The topic of my thesis is to increase security in blockchain-based IoMT (Internet of Medical Things). I aim to present new ideas to reduce attacks in the blockchain, considering ...
Samaneh

2 votes, 1 answer, 60 views

Is there a way to stop wallet homomorph attacks without ditching the create2 opcode?

Losses from create2 wallets that look similar to recently active wallets have surpassed $60m: https://gbhackers.com/create2-bypass-wallet-security-alerts/ Even today I made a transaction, and noticed ...
rook

2 votes, 1 answer, 16 views

Is it profitable for a miner to manipulate blocks in a small Ethereum project?

In the context of my blockchain project, I’m using the blockhash() function to generate randomness. However, I’m concerned about the potential vulnerability of this method. I’d like to know if, in a ...
Vlad

0 votes, 1 answer, 543 views

How to download and install Echidna?

I have just started learning Echidna, but I haven't found any detailed information on how to install and set up Echidna in WSL.
kumar

1 vote, 1 answer, 278 views

What is "pig butchering" scam?

What is the "pig butchering" scam? Why is it called "pig butchering"? What are some of its elements? How bad can it get?
eth

0 votes, 1 answer, 47 views

To what extent was the block hash malleable under proof-of-work?

To emphasise, I’m solely interested in blocks prior to the transition to PoS. Given that a miner making any change to the block header would have resulted in a completely different hash, my thinking ...
user72364