Raz0r (2)

Arseniy Reutov, CTO Decurity

All your staking rewards are belong to us

This is a write-up of a critical vulnerability found by Decurity during the audit of Giveth smart contracts conducted together with PowerInside Security Lab. The bug allowed an attacker to claim rewards out of thin air from the staking contract deployed in production. This contract incentivized GIV token holders to stake their tokens and receive governance tokens (gGIV) in return, which could be used in the voting procedures of the Giveth DAO. As we discovered, the complex logic of Aragon OS left a subtle backdoor into a crucial part of this contract. In case of a successful attack, the profit for a malicious actor could be 150,000-450,000 GIV tokens per reward period. The vulnerability existed only in the staking contract on Gnosis chain; client donations were never at risk due to this issue.

Scanning for vulnerable ERC721 implementations

An ERC (Ethereum Request for Comments) standard is a de facto guide that describes interfaces, formats, and procedures for smart contracts in the Ethereum ecosystem. Although the specifications are mostly precise and accurate, there is still room for ambiguities and misinterpretations. Moreover, some tokens do not follow these specs completely, as ERCs only describe behaviors but do not enforce them. Anyone can create a smart contract that is ERC compliant on the surface: it has correct return types, emits appropriate events, and so on, but will it behave as expected? That is up to the contract developer, and as such any interaction with a contract should be double-checked.

