Bug Hunting in Smart-Contracts:

Where to Begin

Nikita Stupin

nikita@openzeppelin.com

Our mission is to protect �the open economy

�OpenZeppelin is a software company that provides security audits and products for decentralized systems.

Projects from any size - from new startups to established organizations - trust OpenZeppelin to build, inspect and connect to the open economy.

How I got into

smart-contract bug hunting

Where to begin (theory)

• Mastering Ethereum
• https://github.com/ethereumbook/ethereumbook
• Decentralized Finance MOOC
• https://defi-learning.org
• Finematics (*)
• https://www.youtube.com/c/Finematics
• Foundations of Blockchains (*)
• https://youtube.com/playlist?list=PLEGCF-WLh2RLOHv_xUGLqRts_9JxrckiA

Where to begin (practice)

• Ethernaut
• https://ethernaut.openzeppelin.com
• Damn Vulnerable DeFi
• https://www.damnvulnerabledefi.xyz
• Capture the Ether (*)
• https://capturetheether.com

Decentralized Application stack

• JavaScript front-end or mobile application
• A “wallet” software
• MetaMask
• A blockchain node (cloud or local)
• Smart-contracts
• Execution layer of a blockchain
• EVM
• Consensus layer of a blockchain

​

https://www.notonlyowner.com/learn/what-happens-when-you-send-one-dai

The vulnerability landscape

What are the main focus areas

DASP Top 10 (2018)

1. Reentrancy
2. Access Control
3. Arithmetic
4. Unchecked Low Level Calls
5. Denial of Services
6. Bad Randomness
7. Front Running
8. Time Manipulation
9. Short Addresses
10. Unknown Unknowns

​

https://dasp.co

DASP Top 10 (2022)

• Reentrancy
• Access Control
• Arithmetic
• Unchecked Low Level Calls
• Denial of Services
• Bad Randomness
• Front Running
• Time Manipulation
• Short Addresses
• Unknown Unknowns

How I personally see DASP Top 10 now

• Reentrancy
• Access Control
• Oracle manipulation
• Math issues
1. rounding
2. scaling
3. incorrect math
• Unsafe usage of low-level code
• delegatecall
• call return values
• assembly
• Business logic bugs

Dynamically adapting to a changing landscape

• Rekt
• https://rekt.news/
• Blockchain Threat Intelligence
• https://blockthreat.io
• In trend
• bridges
• Might be the next trend
• L1 <-> L2 smart-contract interactions
• configuration mistakes

How to increase chances of finding a bug?

• Audits in the blockchain space are thorough and solid
• There is an implicit assumption that an audit must find all vulnerabilities
• Usually a project is audited multiple times by different companies
• However, audits do not cover certain things
• Runtime configuration
• https://medium.com/immunefi/wormhole-uninitialized-proxy-bugfix-review-90250c41a43a
• Project upgrades
• https://rekt.news/compound-rekt/
• Some projects skip audits

The bug hunting process

Recon

• GitHub repository
• Address
• https://etherscan.io/address/0x6b175474e89094c44da98b954eedeac495271d0f
• https://etherscan.deth.net/address/0x6b175474e89094c44da98b954eedeac495271d0f
• Usually both git and address(es) are provided

Manual analysis

• Source code review
• VSCode
• https://github.com/christianparpart/solidity-language-client-vscode
• Manual interaction for more complex code bases
• https://github.com/foundry-rs/foundry
• https://github.com/NomicFoundation/hardhat

​

Automated analysis

• Smart Contract Sanctuary
• https://github.com/tintinweb/smart-contract-sanctuary
• Semgrep rules for smart contracts
• https://github.com/Decurity/semgrep-smart-contracts
• Static analysis tools
• https://github.com/solidity-parser/parser
• https://github.com/crytic/slither
• State of the Art of Ethereum Smart Contract Fuzzing in 2022 [EthCC5]
• https://youtu.be/RrdrfdtWnSo

Crafting a proof of concept

• Usually
• the mainnet is forked
• the proof of concept is developed and run locally
• and the script is shared with the bug bounty program
• How To Use Foundry To PoC Bug Leads
• https://medium.com/immunefi/how-to-use-foundry-to-poc-bug-leads-part-1-214c9c02ff30
• https://medium.com/immunefi/how-to-use-foundry-to-poc-bug-leads-part-2-b7b3807400df
• Foundry
• https://github.com/foundry-rs/foundry
• HardHat
• https://github.com/NomicFoundation/hardhat

Where to apply this knowledge?

Bug bounty platforms

​

​

The bounty amounts are dynamic

​

The process is built on top of smart-contracts

​

https://hats.finance/

​

​

Traditional bug bounties for smart-contracts and blockchain systems

​

​

​

https://immunefi.com/

​

​

Time-framed contests

​

If you have reported a valid vulnerability, you will be paid

​

https://code4rena.com/

CTFs

• Paradigm CTF
• https://github.com/paradigmxyz
• https://ctf.paradigm.xyz

Other blockchains and layer 2s

• StarkNet
• Cairo
• Solana
• Rust
• Avalanche
• EVM-compatible but not equivalent
• Avalanche Cauldrons Vulnerability and Post Mortem
• Optimism
• …

Conclusion

• The overall bug hunting process is very similar
• The source code is usually available
• more techniques can be applied
• There are familiar vulnerability types
• Even if you are not willing to learn smart-contract security you can still apply your web, application security, and cryptography knowledge and skills to hunt for bugs
• Now you several ways to enter the blockchain security space

OpenZeppelin.com

forum.openzeppelin.com

docs.openzeppelin.com

Thank you!