DeFiVulnLabs

This was an internal Web3 solidity security training in XREX. I want to share these materials with everyone interested in Web3 security and how to find vulnerabilities in code and exploit them. Every vulnerability testing uses Foundry. Faster and easier!

Currently supports 47 types of vulnerabilities. it compiles with Solidity 0.8.18 except the cases like overflow, underflow where we need older solidity to reproduce the bug.

Disclaimer: This content serves solely as a proof of concept showcasing Solidity common bugs. It is strictly intended for educational purposes and should not be interpreted as encouraging or endorsing any form of illegal activities or actual hacking attempts. The provided information is for informational and learning purposes only, and any actions taken based on this content are solely the responsibility of the individual. The usage of this information should adhere to applicable laws, regulations, and ethical standards.

DeFiVulnLabs Solidity Security Testing Guide

• Notion

Getting Started

• Follow the instructions to install Foundry.
• Clone and install dependencies:git submodule update --init --recursive
• Test vulnerability: forge test --contracts ./src/test/Reentrancy.sol -vvvv

List of vulnerabilities

• Integer Overflow 1 | Integer Overflow 2 :
  • In previous versions of Solidity (prior Solidity 0.8.x) an integer would automatically roll-over to a lower or higher number.
  • Without SafeMath (prior Solidity 0.8.x)
• Selfdestruct 1 | Selfdestruct 2 :
  • Due to missing or insufficient access controls, malicious parties can self-destruct the contract.
  • The selfdestruct(address) function removes all bytecode from the contract address and sends all ether stored to the specified address.
• Unsafe Delegatecall :
  • This allows a smart contract to dynamically load code from a different address at runtime.
• Reentrancy :
  • One of the major dangers of calling external contracts is that they can take over the control flow.
  • Not following checks-effects-interactions pattern and no ReentrancyGuard.
• Read Only Reentrancy :
  • An external call from a secure smart contract "A" invokes the fallback() function in the attacker's contract. The attacker executes the code in the fallback() function to run against a target contract "B", which some how indirectly related to contract "A".
  • In the given example, Contract "B" derives the price of the LP token from Contract "A"
• ERC777 callbacks and reentrancy :
  • ERC777 tokens allow arbitrary callbacks via hooks that are called during token transfers. Malicious contract addresses may cause reentrancy on such callbacks if reentrancy guards are not used. REF1, REF2, Cream POC
  • ERC667 reentrancy | ERC827 reentrancy
• Unchecked external call - call injection :
  • Use of low level "call" should be avoided whenever possible. If the call data is controllable, it is easy to cause arbitrary function execution.
• Private data :
  • Private data ≠ Secure. It's readable from slots of the contract.
  • Because the storage of each smart contract is public and transparent, and the content can be read through the corresponding slot in the specified contract address. Sensitive information is not recommended to be placed in smart contract programs.
• Unprotected callback - ERC721 SafeMint reentrancy :
  • _safeMint is secure? Attacker can reenter the mint function inside the onERC721Received callback.
• Hidden Backdoor in Contract :
  • An attacker can manipulate smart contracts as a backdoor by writing inline assembly. Any sensitive parameters can be changed at any time.
• Bypass iscontract :
  • The attacker only needs to write the code in the constructor of the smart contract to bypass the detection mechanism of whether it is a smart contract.
• DOS :
  • External calls can fail accidentally or deliberately, which can cause a DoS condition in the contract. For example, contracts that receive Ether do not contain fallback or receive functions. (DoS with unexpected revert)
  • Real case : Charged Particles
• Randomness :
  • Use of global variables like block hash, block number, block timestamp and other fields is insecure, miner and attacker can control it.
• Visibility :
  • The default visibility of the function is Public. If there is an unsafe visibility setting, the attacker can directly call the sensitive function in the smart contract.
  • Real case : FlippazOne NFT | 88mph NFT | CoinstoreNFT Public Burn | Sandbox LAND Public Burn
• txorigin - phishing :
  • tx.origin is a global variable in Solidity; using this variable for authentication in a smart contract makes the contract vulnerable to phishing attacks.
• Uninitialized state variables :
  • Uninitialized local storage variables may contain the value of other storage variables in the contract; this fact can cause unintentional vulnerabilities, or be exploited deliberately.
• Storage collision 1 | Storage collision 2 (Audius) :
  • If variable’s storage location is fixed and it happens that there is another variable that has the same index/offset of the storage location in the implementation contract, then there will be a storage collision. REF
• Approval scam :
  • Most current scams use approve or setApprovalForAll to defraud your transfer rights. Be especially careful with this part.
• Signature replay 1 | Signature replay 2 (NBA):
  • Missing protection against signature replay attacks, Same signature can be used multiple times to execute a function. REF1, REF2, REF3, REF4, REF5
• Data location - storage vs memory :
  • Incorrect use of storage slot and memory to save variable state can easily cause contracts to use values not updated for calculations. REF1, REF2
• DirtyBytes :
  • Copying bytes arrays from memory or calldata to storage may result in dirty storage values.
• Invariants :
  • Assert is used to check invariants. Those are states our contract or variables should never reach, ever. For example, if we decrease a value then it should never get bigger, only smaller.
• NFT Mint via Exposed Metadata :
  • The contract is vulnerable to CVE-2022-38217, this could lead to the early disclosure of metadata of all NFTs in the project. As a result, attacker can find out valuable NFTs and then target mint of specific NFTs by monitoring mempool and sell the NFTs for a profit in secondary market
  • The issue is the metadata should be visible after the minting is completed
• Divide before multiply :
  • Performing multiplication before division is generally better to avoid loss of precision because Solidity integer division might truncate.
• Unchecked return value :
  • Some tokens (like USDT) don't correctly implement the EIP20 standard and their transfer/ transferFrom function return void instead of a success boolean. Calling these functions with the correct EIP20 function signatures will always revert.
• No Revert on Failure :
  • Some tokens do not revert on failure but instead return false, for example, ZRX.
• Incompatibility with deflationary / fee-on-transfer tokens :
  • The actual deposited amount might be lower than the specified depositAmount of the function parameter. REF1 ,REF2, REF3
• Phantom function - Permit Function :
  • Accepts any call to a function that it doesn't actually define, without reverting. For example: WETH. REF1, REF2
  • Attack Vector
    • Token that does not support EIP-2612 permit.
    • Token has a fallback function.
• First deposit bug :
  • First depositor can break minting of shares: The attack vector and impact is the same as TOB-YEARN-003, where users may not receive shares in exchange for their deposits if the total asset amount has been manipulated through a large “donation”. REF1, REF2, REF3
• Empty loop :
  • Due to insufficient validation, An attacker can simply pass an empty array to bypass the loop & signature verification. REF
• Unsafe downcasting :
  • Downcasting from a larger integer type to a smaller one without checks can lead to unexpected behavior if the value of the larger integer is outside the range of the smaller one. This could lead to unexpected results due to overflow. REF1 , REF2
• Price manipulation :
  • Incorrect price calculation over balanceOf, getReverse may refer to a situation where the price of a token or asset is not accurately calculated based on the balanceOf function. REF
• ecRecover returns address(0) :
  • If v value isn't 27 or 28. it will return address(0). REF
• Oracle stale price :
  • Oracle data feed is insufficiently validated. REF
• Precision Loss - Rounded down to zero :
  • Avoid any situation that if the numerator is smaller than the denominator, the result will be zero. REF
• Slippage - Incorrect deadline & slippage amount :
  • If both the slippage is set to 0 and there is no deadline, users might potentially lose all their tokens. REF
• abi.encodePacked() Hash Collisions :
  • Using abi.encodePacked() with multiple variable length arguments can, in certain situations, lead to a hash collision.REF
• Struct Deletion Oversight :
  • Incomplete struct deletion leaves residual data. If you delete a struct containing a mapping, the mapping won't be deleted.REF
• Array Deletion Oversight :
  • Incorrect array deletion leads to data inconsistency. REF
• txGasPrice manipulation :
  • Manipulation of the txGasPrice value, which can result in unintended consequences and potential financial losses. REF
• Return vs break :
  • Use of return in inner loop iteration leads to unintended termination. REF
• Incorrect use of payable.transfer() or send() :
  • Fixed 2300 gas, these shortcomings can make it impossible to successfully transfer ETH to the smart contract recipient. REF
• Unauthorized NFT Transfer in custom ERC721 implementation :
  • Custom transferFrom function in contract VulnerableERC721, does not properly check if msg.sender is the current owner of the token or an approved address. REF
• Missing Check for Self-Transfer Allows Funds to be Lost :
  • The vulnerability in the code stems from the absence of a check to prevent self-transfers. REF
• Incorrect implementation of the recoverERC20() function in the StakingRewards :
  • The recoverERC20() function in StakingRewards.sol can potentially serve as a backdoor for the owner to retrieve rewardsToken. REF
• Missing flash loan initiator check :
  • Missing flash loan initiator check refers to a potential security vulnerability in a flash loan implementation. REF
• Incorrect sanity checks - Multiple Unlocks Before Lock Time Elapse :
  • This allows tokens to be unlocked multiple times before the lock period has elapsed, potentially leading to significant financial loss. REF

Bug Reproduce

20220714 Sherlock Yield Strategy Bug - Cross-protocol Reentrancy

Bounty: $250K POC | Reference

20220623 Sense Finance - Access control

Missing access control in onSwap()

Bounty: $50,000

Testing

forge test --contracts ./src/test/SenseFinance_exp.sol -vv 

Link reference

https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0

Spotthebugchallenge

• Immunefi #spotthebugchallenge 1 :
  • Incorrect check msg.value, we can mint many NFTs with 1 ETH.
• Immunefi #spotthebugchallenge 2

Link reference

• Mastering Ethereum - Smart Contract Security

• Ethereum Smart Contract Best Practices

• Awesome-Smart-Contract-Security

• (Not So) Smart Contracts

• Smart Contract Attack Vectors

• Secureum Security Pitfalls 101

• Secureum Security Pitfalls 201

• How to Secure Your Smart Contracts: 6 Solidity Vulnerabilities and how to avoid them (Part 1)(Part 2)

• Top 10 DeFi Security Best Practices