Decentralized Application Security Project – Pentest smart devices
Decentralized Application security project also knowns as DASP Top 10 – is all about discovering smart contract vulnerabilities within the security community. Below is the NCC Groups’ initiative in discovering vulnerabilities related to smart contracts and blockchain and the order of the vulnerabilities.
- Reentrancy – This could be a medley of our usual race function with multi-threading issues where external contract calls are allowed to make further new calls when a similar execution is already in place and has not completed its execution.
- Access Control – This is our age-old appsec issue and will not leave smart contracts too.
- Arithmetic Issues – Always be wary of your integer overflows and underflows whether it’s blockchain or its simple calculator application.
- Unchecked Low-Level Calls – First of all, avoid using low-level calls. But if you must, please check the return value for Christ’s sake!
- Denial Of Service – Again, DOS is not new.
- Bad Randomness – This again is not new
- Front Running – Similar to RACE condition, where one can exploit the situation mainly become someone who is qualified enough to WIN can be kept waiting to be mined and the other stealing party can take it over with higher fees. Of all the issues, I think this is a more practical one and will always be exploited by users of malicious intent as it is how it’s in the real world.
- Time Manipulation – Reliance on the timestamp that someone has control over. Why did they even allow this?
- Short Addresses – Though it could be termed new, to me it looks plain like missing input validation.
- Unknown Unknowns – The vagueness of all. It’s the fear of the unknown since not many actually understand blockchain or smart contracts even though they claim that their entire country now runs on that. Some kid on the block may stumble upon something interesting and might loot your country away.
The Original Article can be found here.
Bug bounty programs :-
https://consensys.github.io/smart-contract-best-practices/bug_bounty_list/
Recent Comments