From 7949baf215e145da6ff59f8370ca56adafec8a94 Mon Sep 17 00:00:00 2001 From: 0xphaze <0xphaze@gmail.com> Date: Wed, 12 Apr 2023 14:18:50 +0100 Subject: [PATCH 1/7] GPT Review --- CONTRIBUTING.md | 50 ++++++++-------- README.md | 52 ++++++++--------- SUMMARY.md | 104 ++++++++++++++++----------------- resources/tob_blogposts.md | 117 +++++-------------------------------- 4 files changed, 118 insertions(+), 205 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d7960378..8bf7e5d8 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,43 +1,43 @@ -# Contributing to Building-secure-contracts +# Contributing to Building-Secure-Contracts -First, thanks for your interest in contributing to Building-secure-contracts! We welcome and appreciate all contributions, including bug reports, feature suggestions, tutorials/blog posts, and code improvements. +First, thank you for your interest in contributing to Building-Secure-Contracts! We appreciate and warmly welcome all contributions, which include bug reports, feature suggestions, tutorials/blog posts, and code improvements. -If you're unsure where to start, we recommend our [`good first issue`](https://github.com/crytic/building-secure-contracts/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) and [`help wanted`](https://github.com/crytic/building-secure-contracts/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22) issue labels. +If you're not sure where to begin, we recommend checking out our [`good first issue`](https://github.com/crytic/building-secure-contracts/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) and [`help wanted`](https://github.com/crytic/building-secure-contracts/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22) issue labels. -## Bug reports and feature suggestions +## Bug Reports and Feature Suggestions -Bug reports and feature suggestions can be submitted to our issue tracker. For bug reports, attaching the contract that caused the bug will help us in debugging and resolving the issue quickly. If you find a security vulnerability, do not open an issue; email opensource@trailofbits.com instead. +Please submit bug reports and feature suggestions to our issue tracker. When reporting a bug, attaching the contract causing the issue is helpful for efficient debugging and resolution. If you discover a security vulnerability, do not open an issue; instead, email opensource@trailofbits.com. ## Questions -Questions can be submitted to the issue tracker, but you may get a faster response if you ask in our [chat room](https://empireslacking.herokuapp.com/) (in the #ethereum channel). +You can submit questions to the issue tracker, but you might receive a quicker response if you ask in our [chat room](https://empireslacking.herokuapp.com/) (in the #ethereum channel). -## Code +## Code Contributions -building-secure-contracts uses the pull request contribution model. Please make an account on Github, fork this repo, and submit code contributions via pull request. For more documentation, look [here](https://guides.github.com/activities/forking/). +Building-Secure-Contracts follows the pull request contribution model. Create an account on Github, fork this repo, and submit code contributions through pull requests. For additional documentation, refer [here](https://guides.github.com/activities/forking/). Some pull request guidelines: -- Minimize irrelevant changes (formatting, whitespace, etc) to code that would otherwise not be touched by this patch. Save formatting or style corrections for a separate pull request that does not make any semantic changes. -- When possible, large changes should be split up into smaller focused pull requests. -- Fill out the pull request description with a summary of what your patch does, key changes that have been made, and any further points of discussion, if applicable. -- Title your pull request with a brief description of what it's changing. "Fixes #123" is a good comment to add to the description, but makes for an unclear title on its own. +- Limit unnecessary changes (formatting, whitespace, etc.) to code unrelated to the patch. Save formatting or style corrections for a separate pull request, which doesn't include any semantic changes. +- When possible, break down large changes into smaller, focused pull requests. +- Complete the pull request description with an overview of your patch, including key modifications, and any further discussion points if relevant. +- Use a concise title to describe your pull request's changes. "Fixes #123" is suitable for adding to the description, but not as a standalone title. ## Directory Structure -Below is a rough outline of building-secure-contracts's structure: +Here's a basic overview of Building-Secure-Contracts' structure: ```text . -├── development-guidelnes # High-level best-practices for all smart contracts +├── development-guidelnes # High-level best practices for all smart contracts ├── learn_evm # EVM technical knowledge -├── not-so-smart-contracts # Examples of smart contract common issues. Each issue contains a description, an example and recommendations -├── program-analysis # How to use automated tools to secure contracts -├── ressources # Various online resources +├── not-so-smart-contracts # Examples of common smart contract issues, including descriptions, examples, and recommendations +├── program-analysis # How to utilize automated tools for securing contracts +├── resources # Various online resources └── ... ``` -## Linting and formatting +## Linting and Formatting To install the formatters and linters, run: @@ -45,26 +45,26 @@ To install the formatters and linters, run: npm install ``` -To run the formatter, use: +To use the formatter, run: ```bash npm run format ``` -To run the linters, use: +To use the linters, run: ```bash npm run lint ``` -To run the individual linters, use: +To use individual linters, run: - `npm run lint:format` to check the formatting -- `npm run lint:links` to check for invalid links in markdown files +- `npm run lint:links` to verify the validity of links in markdown files -## Create the book +## Creating the Book -We use `mdbook` to generate [secure-contracts.com](https://secure-contracts.com/). +We utilize `mdbook` to generate [secure-contracts.com](https://secure-contracts.com/). To run it locally: @@ -73,4 +73,4 @@ cargo install --git https://github.com/montyly/mdBook.git mdbook mdbook build ``` -Note: we use https://github.com/montyly/mdBook.git, which contains https://github.com/rust-lang/mdBook/pull/1584. +Note: We use https://github.com/montyly/mdBook.git, which contains https://github.com/rust-lang/mdBook/pull/1584. diff --git a/README.md b/README.md index 4fcabb8d..da3238df 100644 --- a/README.md +++ b/README.md @@ -2,41 +2,39 @@ ![](https://github.com/crytic/building-secure-contracts/workflows/CI/badge.svg) ![](https://github.com/crytic/building-secure-contracts/workflows/Echidna/badge.svg) -This repository, brought to you by [Trail of Bits](https://www.trailofbits.com/), outlines guidelines and best practices to write secure smart contracts. +Brought to you by [Trail of Bits](https://www.trailofbits.com/), this repository offers guidelines and best practices for developing secure smart contracts. Contributions are welcome, so please participate by adhering to our [contributing guidelines](https://github.com/crytic/building-secure-contracts/blob/master/CONTRIBUTING.md). -We welcome contributions, and you can contribute by following our [contributing guidelines](https://github.com/crytic/building-secure-contracts/blob/master/CONTRIBUTING.md). +**Table of Contents:** -**Table of contents:** - -- [Development guidelines](./development-guidelines) - - [High-level best practices](./development-guidelines/guidelines.md): High-level best-practices for all smart contracts - - [Incident Response Recommendations](./development-guidelines/incident_response.md): Guidelines on how to formulate an incident response plan - - [Secure development workflow](./development-guidelines/workflow.md): A rough, high-level process to follow while you write code - - [Token integration checklist](./development-guidelines/token_integration.md): What to check when interacting with arbitrary token -- [Learn EVM](./learn_evm): EVM technical knowledge - - [EVM Opcodes](./learn_evm/evm_opcodes.md): Details on all EVM opcodes +- [Development Guidelines](./development-guidelines) + - [High-Level Best Practices](./development-guidelines/guidelines.md): Essential practices for all smart contracts + - [Incident Response Recommendations](./development-guidelines/incident_response.md): Advice for creating an incident response plan + - [Secure Development Workflow](./development-guidelines/workflow.md): A high-level process to follow during code development + - [Token Integration Checklist](./development-guidelines/token_integration.md): What to check when interacting with arbitrary tokens +- [Learn EVM](./learn_evm): Technical knowledge about EVM + - [EVM Opcodes](./learn_evm/evm_opcodes.md): Information on all EVM opcodes - [Transaction Tracing](./learn_evm/tracing.md): Helper scripts and guidance for generating and navigating transaction traces - - [Yellow Paper Guidance](./learn_evm/yellow-paper.md): Symbol reference for more easily reading the Ethereum yellow paper - - [Forks <> EIPs](./learn_evm/eips_forks.md): Summarize the EIPs included in each Ethereum fork - - [Forks <> CIPs](./learn_evm/cips_forks.md): Summarize the CIPs and EIPs included in each Celo fork _(EVM-compatible chain)_ - - [Upgrades <> TIPs](./learn_evm/tips_upgrades.md): Summarize the TIPs included in each TRON upgrade _(EVM-compatible chain)_ - - [Forks <> BEPs](./learn_evm/beps_forks.md): Summarize the BEPs included in each BSC fork _(EVM-compatible chain)_ -- [Not so smart contracts](./not-so-smart-contracts): Examples of smart contract common issues. Each issue contains a description, an example and recommendations + - [Yellow Paper Guidance](./learn_evm/yellow-paper.md): Symbol reference for easier reading of the Ethereum yellow paper + - [Forks <> EIPs](./learn_evm/eips_forks.md): Summaries of the EIPs included in each Ethereum fork + - [Forks <> CIPs](./learn_evm/cips_forks.md): Summaries of the CIPs and EIPs included in each Celo fork _(EVM-compatible chain)_ + - [Upgrades <> TIPs](./learn_evm/tips_upgrades.md): Summaries of the TIPs included in each TRON upgrade _(EVM-compatible chain)_ + - [Forks <> BEPs](./learn_evm/beps_forks.md): Summaries of the BEPs included in each BSC fork _(EVM-compatible chain)_ +- [Not So Smart Contracts](./not-so-smart-contracts): Examples of common smart contract issues, complete with descriptions, examples, and recommendations - [Algorand](./not-so-smart-contracts/algorand) - [Cairo](./not-so-smart-contracts/cairo) - [Cosmos](./not-so-smart-contracts/cosmos) - [Substrate](./not-so-smart-contracts/substrate) - [Solana](./not-so-smart-contracts/solana) -- [Program analysis](./program-analysis): How to use automated tools to secure contracts - - [Echidna](./program-analysis/echidna): a fuzzer that will check your contract's properties. - - [Slither](./program-analysis/slither): a static analyzer available through a CLI and scriptable interface. - - [Manticore](./program-analysis/manticore): a symbolic execution engine that can prove the correctness properties. - - For each tool, this training material will provide: - - a theoretical introduction, a walkthrough of its API, and a set of exercises. - - exercises expected to require ~two hours to practically learn its operation. -- [Resources](./resources): Various online resources - - [Trail of Bits blogposts](./resources/tob_blogposts.md): List of blockchain related blogposts made by Trail of Bits +- [Program Analysis](./program-analysis): Using automated tools to secure contracts + - [Echidna](./program-analysis/echidna): A fuzzer that checks your contract's properties + - [Slither](./program-analysis/slither): A static analyzer with both CLI and scriptable interfaces + - [Manticore](./program-analysis/manticore): A symbolic execution engine that proves correctness properties + - Each tool comes with: + - A theoretical introduction, an API walkthrough, and a set of exercises + - Exercises that take approximately two hours to gain practical understanding +- [Resources](./resources): Assorted online resources + - [Trail of Bits Blog Posts](./resources/tob_blogposts.md): A list of blockchain-related blog posts created by Trail of Bits # License -secure-contracts and building-secure-contracts are licensed and distributed under the [AGPLv3 license](https://github.com/crytic/building-secure-contracts/blob/master/LICENSE). Contact us if you're looking for an exception to the terms. +Secure-contracts and building-secure-contracts are licensed and distributed under the [AGPLv3 license](https://github.com/crytic/building-secure-contracts/blob/master/LICENSE). Please contact us if you require an exception to the terms. diff --git a/SUMMARY.md b/SUMMARY.md index 3e0d5784..94e697ce 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -2,50 +2,50 @@ [Introduction](./README.md) -- [Development-guidelines](./development-guidelines/README.md) - - [High-level best practices](./development-guidelines/guidelines.md) - - [Token integration checklist](./development-guidelines/token_integration.md) +- [Development Guidelines](./development-guidelines/README.md) + - [High-Level Best Practices](./development-guidelines/guidelines.md) + - [Token Integration Checklist](./development-guidelines/token_integration.md) - [Incident Response Recommendations](./development-guidelines/incident_response.md) - - [Secure development workflow](./development-guidelines/workflow.md) + - [Secure Development Workflow](./development-guidelines/workflow.md) - [Learn EVM](./learn_evm/README.md) - [EVM Opcode Reference](./learn_evm/evm_opcodes.md) - [Transaction Tracing](./learn_evm/tracing.md) - [Yellow Paper Guidance](./learn_evm/yellow-paper.md): - - [Forks <> EIPs](./learn_evm/eips_forks.md) - - [Forks <> CIPs](./learn_evm/cips_forks.md) - - [Upgrades <> TIPs](./learn_evm/tips_upgrades.md) - - [Forks <> BEPs](./learn_evm/beps_forks.md) -- [Not so smart contracts](./not-so-smart-contracts/README.md) + - [Forks and EIPs](./learn_evm/eips_forks.md) + - [Forks and CIPs](./learn_evm/cips_forks.md) + - [Upgrades and TIPs](./learn_evm/tips_upgrades.md) + - [Forks and BEPs](./learn_evm/beps_forks.md) +- [Not So Smart Contracts](./not-so-smart-contracts/README.md) - [Algorand](./not-so-smart-contracts/algorand/README.md) - [Rekeying](./not-so-smart-contracts/algorand/rekeying/README.md) - [Unchecked Transaction Fees](./not-so-smart-contracts/algorand/unchecked_transaction_fee/README.md) - [Closing Account](./not-so-smart-contracts/algorand/closing_account/README.md) - [Closing Asset](./not-so-smart-contracts/algorand/closing_asset/README.md) - [Group Size Check](./not-so-smart-contracts/algorand/group_size_check/README.md) - - [Time-based Replay Attack](./not-so-smart-contracts/algorand/time_based_replay_attack/README.md) + - [Time-Based Replay Attack](./not-so-smart-contracts/algorand/time_based_replay_attack/README.md) - [Access Controls](./not-so-smart-contracts/algorand/access_controls/README.md) - - [Asset Id Check](./not-so-smart-contracts/algorand/asset_id_check/README.md) + - [Asset ID Check](./not-so-smart-contracts/algorand/asset_id_check/README.md) - [Denial of Service](./not-so-smart-contracts/algorand/denial_of_service/README.md) - [Cairo](./not-so-smart-contracts/cairo/README.md) - - [Improper access controls](./not-so-smart-contracts/cairo/access_controls/README.md) - - [Integer division errors](./not-so-smart-contracts/cairo/integer_division/README.md) - - [View state modifications](./not-so-smart-contracts/cairo/view_state/README.md) - - [Arithmetic overflow](./not-so-smart-contracts/cairo/arithmetic_overflow/README.md) - - [Signature replays](./not-so-smart-contracts/cairo/replay_protection/README.md) + - [Improper Access Controls](./not-so-smart-contracts/cairo/access_controls/README.md) + - [Integer Division Errors](./not-so-smart-contracts/cairo/integer_division/README.md) + - [View State Modifications](./not-so-smart-contracts/cairo/view_state/README.md) + - [Arithmetic Overflow](./not-so-smart-contracts/cairo/arithmetic_overflow/README.md) + - [Signature Replays](./not-so-smart-contracts/cairo/replay_protection/README.md) - [L1 to L2 Address Conversion](./not-so-smart-contracts/cairo/L1_to_L2_address_conversion/README.md) - [Incorrect Felt Comparison](./not-so-smart-contracts/cairo/incorrect_felt_comparison/README.md) - [Namespace Storage Var Collision](./not-so-smart-contracts/cairo/namespace_storage_var_collision/README.md) - [Dangerous Public Imports in Libraries](./not-so-smart-contracts/cairo/dangerous_public_imports_in_libraries/README.md) - [Cosmos](./not-so-smart-contracts/cosmos/README.md) - - [Incorrect signers](./not-so-smart-contracts/cosmos/incorrect_getsigners/README.md) - - [Non-determinism](./not-so-smart-contracts/cosmos/non_determinism/README.md) - - [Not prioritized messages](./not-so-smart-contracts/cosmos/messages_priority/README.md) - - [Slow ABCI methods](./not-so-smart-contracts/cosmos/abci_fast/README.md) - - [ABCI methods panic](./not-so-smart-contracts/cosmos/abci_panic/README.md) - - [Broken bookkeeping](./not-so-smart-contracts/cosmos/broken_bookkeeping/README.md) - - [Rounding errors](./not-so-smart-contracts/cosmos/rounding_errors/README.md) - - [Unregistered message handler](./not-so-smart-contracts/cosmos/unregistered_msg_handler/README.md) - - [Missing error handler](./not-so-smart-contracts/cosmos/missing_error_handler/README.md) + - [Incorrect Signers](./not-so-smart-contracts/cosmos/incorrect_getsigners/README.md) + - [Non-Determinism](./not-so-smart-contracts/cosmos/non_determinism/README.md) + - [Not Prioritized Messages](./not-so-smart-contracts/cosmos/messages_priority/README.md) + - [Slow ABCI Methods](./not-so-smart-contracts/cosmos/abci_fast/README.md) + - [ABCI Methods Panic](./not-so-smart-contracts/cosmos/abci_panic/README.md) + - [Broken Bookkeeping](./not-so-smart-contracts/cosmos/broken_bookkeeping/README.md) + - [Rounding Errors](./not-so-smart-contracts/cosmos/rounding_errors/README.md) + - [Unregistered Message Handler](./not-so-smart-contracts/cosmos/unregistered_msg_handler/README.md) + - [Missing Error Handler](./not-so-smart-contracts/cosmos/missing_error_handler/README.md) - [Solana](./not-so-smart-contracts/solana/README.md) - [Arbitrary CPI](./not-so-smart-contracts/solana/arbitrary_cpi/README.md) - [Improper PDA Validation](./not-so-smart-contracts/solana/improper_pda_validation/README.md) @@ -53,34 +53,34 @@ - [Signer Check](./not-so-smart-contracts/solana/signer_check/README.md) - [Sysvar Account Check](./not-so-smart-contracts/solana/sysvar_account_check/README.md) - [Substrate](./not-so-smart-contracts/substrate/README.md) - - [Arithmetic overflow](./not-so-smart-contracts/substrate/arithmetic_overflow/README.md) - - [Don't panic!](./not-so-smart-contracts/substrate/dont_panic/README.md) - - [Weights and fees](./not-so-smart-contracts/substrate/weights_and_fees/README.md) - - [Verify first](./not-so-smart-contracts/substrate/verify_first/README.md) - - [Unsigned transaction validation](./not-so-smart-contracts/substrate/validate_unsigned/README.md) - - [Bad randomness](./not-so-smart-contracts/substrate/randomness/README.md) - - [Bad origin](./not-so-smart-contracts/substrate/origins/README.md) + - [Arithmetic Overflow](./not-so-smart-contracts/substrate/arithmetic_overflow/README.md) + - [Don't Panic!](./not-so-smart-contracts/substrate/dont_panic/README.md) + - [Weights and Fees](./not-so-smart-contracts/substrate/weights_and_fees/README.md) + - [Verify First](./not-so-smart-contracts/substrate/verify_first/README.md) + - [Unsigned Transaction Validation](./not-so-smart-contracts/substrate/validate_unsigned/README.md) + - [Bad Randomness](./not-so-smart-contracts/substrate/randomness/README.md) + - [Bad Origin](./not-so-smart-contracts/substrate/origins/README.md) - [Program Analysis](./program-analysis/README.md) - [Echidna](./program-analysis/echidna/README.md) - [Introduction](./program-analysis/echidna/introduction/README.md) - - [Introduction to fuzzing](./program-analysis/echidna/introduction/fuzzing-introduction.md) - - [How to test a property](./program-analysis/echidna/introduction/how-to-test-a-property.md) + - [Introduction to Fuzzing](./program-analysis/echidna/introduction/fuzzing-introduction.md) + - [How to Test a Property](./program-analysis/echidna/introduction/how-to-test-a-property.md) - [Basic](./program-analysis/echidna/basic/README.md) - - [How to select the most suitable testing mode](./program-analysis/echidna/basic/testing-modes.md) - - [How to select the best testing approach](./program-analysis/echidna/basic/common-testing-approaches.md) - - [How to filter functions](./program-analysis/echidna/basic/filtering-functions.md) - - [How to test assertions](./program-analysis/echidna/basic/assertion-checking.md) - - [How to write good properties step by step](./program-analysis/echidna/basic/property-creation.md) + - [Selecting the Most Suitable Testing Mode](./program-analysis/echidna/basic/testing-modes.md) + - [Selecting the Best Testing Approach](./program-analysis/echidna/basic/common-testing-approaches.md) + - [Filtering Functions](./program-analysis/echidna/basic/filtering-functions.md) + - [Testing Assertions](./program-analysis/echidna/basic/assertion-checking.md) + - [Writing Good Properties Step by Step](./program-analysis/echidna/basic/property-creation.md) - [Advanced](./program-analysis/echidna/advanced/README.md) - - [How to collect a corpus](./program-analysis/echidna/advanced/collecting-a-corpus.md) - - [How to use optimization mode](./program-analysis/echidna/advanced/optimization_mode.md) - - [How to detect high gas consumption](./program-analysis/echidna/advanced/finding-transactions-with-high-gas-consumption.md) - - [How to perform smart contract fuzzing at a large scale](./program-analysis/echidna/advanced/smart-contract-fuzzing-at-scale.md) - - [How to test bytecode-only contracts](./program-analysis/echidna/advanced/testing-bytecode.md) - - [How to use hevm cheats to test permit](./program-analysis/echidna/advanced/hevm-cheats-to-test-permit.md) - - [How to seed Echidna with unit tests](./program-analysis/echidna/advanced/end-to-end-testing.md) - - [Understanding and using `multi-abi`](./program-analysis/echidna/advanced/using-multi-abi.md) - - [Fuzzing tips](./program-analysis/echidna/fuzzing_tips.md) + - [Collecting a Corpus](./program-analysis/echidna/advanced/collecting-a-corpus.md) + - [Using Optimization Mode](./program-analysis/echidna/advanced/optimization_mode.md) + - [Detecting High Gas Consumption](./program-analysis/echidna/advanced/finding-transactions-with-high-gas-consumption.md) + - [Smart Contract Fuzzing at Large Scale](./program-analysis/echidna/advanced/smart-contract-fuzzing-at-scale.md) + - [Testing Bytecode-Only Contracts](./program-analysis/echidna/advanced/testing-bytecode.md) + - [Using Hevm Cheats to Test Permit](./program-analysis/echidna/advanced/hevm-cheats-to-test-permit.md) + - [Seeding Echidna with Unit Tests](./program-analysis/echidna/advanced/end-to-end-testing.md) + - [Understanding and Using `multi-abi`](./program-analysis/echidna/advanced/using-multi-abi.md) + - [Fuzzing Tips](./program-analysis/echidna/fuzzing_tips.md) - [Frequently Asked Questions](./program-analysis/echidna/frequently_asked_questions.md) - [Exercises](./program-analysis/echidna/exercises/README.md) - [Exercise 1](./program-analysis/echidna/exercises/Exercise-1.md) @@ -92,10 +92,10 @@ - [Exercise 7](./program-analysis/echidna/exercises/Exercise-7.md) - [Exercise 8](./program-analysis/echidna/exercises/Exercise-8.md) - [Manticore](./program-analysis/manticore/README.md) - - [Introduction to symbolic execution](./program-analysis/manticore/symbolic-execution-introduction.md): - - [Running under Manticore](./program-analysis/manticore/running-under-manticore.md) - - [Getting throwing paths](./program-analysis/manticore/getting-throwing-paths.md) - - [Adding constraints](./program-analysis/manticore/adding-constraints.md) + - [Introduction to Symbolic Execution](./program-analysis/manticore/symbolic-execution-introduction.md): + - [Running with Manticore](./program-analysis/manticore/running_under_manticore.md) + - [Finding Throwing Paths](./program-analysis/manticore/getting_throwing_paths.md) + - [Adding Constraints](./program-analysis/manticore/adding_constraints.md) - [Exercises](./program-analysis/manticore/exercises/README.md) - [Example](./program-analysis/manticore/exercises/example.md) - [Exercise 1](./program-analysis/manticore/exercises/exercise1.md) diff --git a/resources/tob_blogposts.md b/resources/tob_blogposts.md index 7a817bd9..e7eb36a3 100644 --- a/resources/tob_blogposts.md +++ b/resources/tob_blogposts.md @@ -1,20 +1,20 @@ -# Trail of Bits blogposts +# Trail of Bits Blog Posts -The following contains the blockchain related blogposts made by Trail of Bits. +The following contains blockchain-related blog posts made by Trail of Bits. -- [Trail of Bits blogposts](#trail-of-bits-blogposts) - - [Consensus algorithms](#consensus-algorithms) - - [Fuzzing compilers](#fuzzing-compilers) +- [Trail of Bits Blog Posts](#trail-of-bits-blog-posts) + - [Consensus Algorithms](#consensus-algorithms) + - [Fuzzing Compilers](#fuzzing-compilers) - [General](#general) - [Guidance](#guidance) - [Presentations](#presentations) - [Tooling](#tooling) - [Upgradeability](#upgradeability) - - [Zero-knowledge](#zero-knowledge) + - [Zero-Knowledge](#zero-knowledge) -## Consensus algorithms +## Consensus Algorithms -Research in the distributes systems area +Research in the distributed systems area | Date | Title | Description | | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | @@ -22,108 +22,23 @@ Research in the distributes systems area | 2019/10/25 | [Formal Analysis of the CBC Casper Consensus Algorithm with TLA+](https://blog.trailofbits.com/2019/10/25/formal-analysis-of-the-cbc-casper-consensus-algorithm-with-tla/) | Verification of finality of the Correct By Construction (CBC) PoS consensus protocol | | 2019/07/12 | [On LibraBFT’s use of broadcasts](https://blog.trailofbits.com/2019/07/12/librabft/) | Liveness of LibraBFT and HotStuff algorithms | | 2019/07/02 | [State of the Art Proof-of-Work: RandomX](https://blog.trailofbits.com/2019/07/02/state/) | Summary of our audit of ASIC and GPU-resistant PoW algorithm | -| 2018/10/12 | [Introduction to Verifiable Delay Functions (VDFs)](https://blog.trailofbits.com/2018/10/12/introduction-to-verifiable-delay-functions-vdfs/) | Basics of VDFs - a class of hard to compute, not paralelizable, but easily verifiable functions | +| 2018/10/12 | [Introduction to Verifiable Delay Functions (VDFs)](https://blog.trailofbits.com/2018/10/12/introduction-to-verifiable-delay-functions-vdfs/) | Basics of VDFs - a class of hard to compute, not parallelizable, but easily verifiable functions | -## Fuzzing compilers +## Fuzzing Compilers -Our work in the topic of fuzzing the `solc` compiler +Our work on the topic of fuzzing the `solc` compiler | Date | Title | Description | | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| 2021/03/23 | [A Year in the Life of a Compiler Fuzzing Campaign](https://blog.trailofbits.com/2021/03/23/a-year-in-the-life-of-a-compiler-fuzzing-campaign/) | Results and feature of fuzzing solc | +| 2021/03/23 | [A Year in the Life of a Compiler Fuzzing Campaign](https://blog.trailofbits.com/2021/03/23/a-year-in-the-life-of-a-compiler-fuzzing-campaign/) | Results and features of fuzzing solc | | 2020/06/05 | [Breaking the Solidity Compiler with a Fuzzer](https://blog.trailofbits.com/2020/06/05/breaking-the-solidity-compiler-with-a-fuzzer/) | Our approach to fuzzing solc | ## General -Security research, analyses, announcements, and writeups +Security research, analyses, announcements, and write-ups | Date | Title | Description | | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| 2022/10/12 | [Porting the Solana eBPF JIT compiler to ARM64](https://blog.trailofbits.com/2022/10/12/solana-jit-compiler-ebpf-arm64/) | Low-level writeup of the work done to make Solana compiler work on ARM64 | -| 2022/06/24 | [Managing risk in blockchain deployments](https://blog.trailofbits.com/2022/06/24/managing-risk-in-blockchain-deployments/) | Summary of "Do You Really Need a Blockchain? An Operational Risk Assessment" report | -| 2022/06/21 | [Are blockchains decentralized?](https://blog.trailofbits.com/2022/06/21/are-blockchains-decentralized/) | Summary of "Are Blockchains Decentralize? Unintended Centralities in Distributed Ledgers" report | -| 2020/08/05 | [Accidentally stepping on a DeFi lego](https://blog.trailofbits.com/2020/08/05/accidentally-stepping-on-a-defi-lego/) | Writeup of a vulnerability in yVault project | -| 2020/05/15 | [Bug Hunting with Crytic](https://blog.trailofbits.com/2020/05/15/bug-hunting-with-crytic/) | Description of 9 bugs found by Trail of Bits tools in public projects | -| 2019/11/13 | [Announcing the Crytic $10k Research Prize](https://blog.trailofbits.com/2019/11/13/announcing-the-crytic-10k-research-prize/) | Academic research prize promoting open source work | -| 2019/10/24 | [Watch Your Language: Our First Vyper Audit](https://blog.trailofbits.com/2019/10/24/watch-your-language-our-first-vyper-audit/) | Pros and cons of Vyper language and disclosure of vulnerability in the Vyper's compiler | -| 2019/08/08 | [246 Findings From our Smart Contract Audits: An Executive Summary](https://blog.trailofbits.com/2019/08/08/246-findings-from-our-smart-contract-audits-an-executive-summary/) | Publication of data aggregated from our audits. Discussion about possibility of automatic and manual detection of vulnerabilities, and usefulness of unit tests | -| 2018/11/19 | [Return of the Blockchain Security Empire Hacking](https://blog.trailofbits.com/2018/11/19/return-of-the-blockchain-security-empire-hacking/) | -| 2018/02/09 | [Parity Technologies engages Trail of Bits](https://blog.trailofbits.com/2018/02/09/parity-technologies-engages-trail-of-bits/) | | -| 2017/11/06 | [Hands on the Ethernaut CTF](https://blog.trailofbits.com/2017/11/06/hands-on-the-ethernaut-ctf/) | First write-up on Ethernaut | - -## Guidance - -General guidance - -| Date | Title | Description | -| ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | -| 2021/02/05 | [Confessions of a smart contract paper reviewer](https://blog.trailofbits.com/2021/02/05/confessions-of-a-smart-contract-paper-reviewer/) | Six requirements for a good research paper | -| 2018/11/27 | [10 Rules for the Secure Use of Cryptocurrency Hardware Wallets](https://blog.trailofbits.com/2018/11/27/10-rules-for-the-secure-use-of-cryptocurrency-hardware-wallets/) | Recommendations for the secure use of hardware wallets. | -| 2018/10/04 | [Ethereum security guidance for all](https://blog.trailofbits.com/2018/10/04/ethereum-security-guidance-for-all/) | Announcement of office hours, Blockchain Security Contacts, and Awesome Ethereum Security | -| 2018/04/06 | [How to prepare for a security review](https://blog.trailofbits.com/2018/04/06/how-to-prepare-for-a-security-audit/) | Checklist for before having a security audit | - -## Presentations - -Talks, videos, and slides - -| Date | Title | Description | -| ---------- | ----------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| 2019/01/18 | [Empire Hacking: Ethereum Edition 2](https://blog.trailofbits.com/2019/01/18/empire-hacking-ethereum-edition-2/) | Talks include: `Anatomy of an unsafe smart contract programming language`, `Evaluating digital asset security fundamentals`, `Contract upgrade risks and recommendations`, `How to buidl an enterprise-grade mainnet Ethereum client`, `Failures in on-chain privacy`, `Secure micropayment protocols`, `Designing the Gemini dollar: a regulated, upgradeable, transparent stablecoin`, `Property testing with Echidna and Manticore for secure smart contracts`, `Simple is hard: Making your awesome security thing usable` | -| 2018/11/16 | [Trail of Bits @ Devcon IV Recap](https://blog.trailofbits.com/2018/11/16/trail-of-bits-devcon-iv-recap/) | Talks include: `Using Manticore and Symbolic Execution to Find Smart Contract Bugs`, `Blockchain Autopsies`, `Current State of Security` | -| 2017/12/22 | [Videos from Ethereum-focused Empire Hacking](https://blog.trailofbits.com/2017/12/22/videos-from-ethereum-focused-empire-hacking/) | Talks include: `A brief history of smart contract security`, `A CTF Field Guide for smart contracts`, `Automatic bug finding for the blockchain`, `Addressing infosec needs with blockchain technology` | - -## Tooling - -Description of our tools and their use cases - -| Date | Tool | Title | Description | -| ---------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------ | -| 2022/08/17 | slither | [Using mutants to improve Slither](https://blog.trailofbits.com/2022/08/17/using-mutants-to-improve-slither/) | Inserting random bugs into smart contracts and detecting them with various static analysis tools - to improve Slither's detectors | -| 2022/07/28 | slither | [Shedding smart contract storage with Slither](https://blog.trailofbits.com/2022/07/28/shedding-smart-contract-storage-with-slither/) | Announcement of the slither-read-storage tool | -| 2022/04/20 | | [Amarna: Static analysis for Cairo programs](https://blog.trailofbits.com/2022/04/20/amarna-static-analysis-for-cairo-programs/) | Overview of Cairo footguns and announcement of the new static analysis tool | -| 2022/03/02 | echidna | [Optimizing a smart contract fuzzer](https://blog.trailofbits.com/2022/03/02/optimizing-a-smart-contract-fuzzer/) | Measuring and improving performance of Echidna (Haskell code) | -| 2021/12/16 | slither | [Detecting MISO and Opyn’s msg.value reuse vulnerability with Slither](https://blog.trailofbits.com/2021/12/16/detecting-miso-and-opyns-msg-value-reuse-vulnerability-with-slither/) | Description of Slither's new detectors: delegatecall-loop and msg-value-loop | -| 2021/04/02 | | [Solar: Context-free, interactive analysis for Solidity](https://blog.trailofbits.com/2021/04/02/solar-context-free-interactive-analysis-for-solidity/) | Proof-of-concept static analysis framework | -| 2020/10/23 | slither | [Efficient audits with machine learning and Slither-simil](https://blog.trailofbits.com/2020/10/23/efficient-audits-with-machine-learning-and-slither-simil/) | Detect similar Solidity functions with Slither and ML | -| 2020/08/17 | echidna | [Using Echidna to test a smart contract library](https://blog.trailofbits.com/2020/08/17/using-echidna-to-test-a-smart-contract-library/) | Designing and testing properties with differential fuzzing | -| 2020/07/12 | manticore | [Contract verification made easier](https://blog.trailofbits.com/2020/07/12/new-manticore-verifier-for-smart-contracts/) | Re-use Echidna properties with Manticore with manticore-verifier | -| 2020/06/12 | slither | [Upgradeable contracts made safer with Crytic](https://blog.trailofbits.com/2020/06/12/upgradeable-contracts-made-safer-with-crytic/) | 17 new Slither detectors for upgradeable contracts | -| 2020/03/30 | echidna | [An Echidna for all Seasons](https://blog.trailofbits.com/2020/03/30/an-echidna-for-all-seasons/) | Announcement of new features in Echidna | -| 2020/03/03 | manticore | [Manticore discovers the ENS bug](https://blog.trailofbits.com/2020/03/03/manticore-discovers-the-ens-bug/) | Using symbolic analysis to find vulnerability in Ethereum Name Service contract | -| 2020/01/31 | manticore | [Symbolically Executing WebAssembly in Manticore](https://blog.trailofbits.com/2020/01/31/symbolically-executing-webassembly-in-manticore/) | Using symbolic analysis on an artificial WASM binary | -| 2019/08/02 | | [Crytic: Continuous Assurance for Smart Contracts](https://blog.trailofbits.com/2019/08/02/crytic-continuous-assurance-for-smart-contracts/) | New product that integrates static analysis with GitHub pipeline | -| 2019/07/03 | slither | [Avoiding Smart Contract \"Gridlock\" with Slither](https://blog.trailofbits.com/2019/07/03/avoiding-smart-contract-gridlock-with-slither/) | Description of a DoS vulnerability resulting from a strict equality check, and Slither's dangerous-strict-equality detector | -| 2019/05/27 | slither | [Slither: The Leading Static Analyzer for Smart Contracts](https://blog.trailofbits.com/2019/05/27/slither-the-leading-static-analyzer-for-smart-contracts/) | Slither design and comparison with other static analysis tools | -| 2018/10/19 | slither | [Slither – a Solidity static analysis framework](https://blog.trailofbits.com/2018/10/19/slither-a-solidity-static-analysis-framework/) | Introduction to Slither's API and printers | -| 2018/09/06 | rattle | [Rattle – an Ethereum EVM binary analysis framework](https://blog.trailofbits.com/2018/09/06/rattle-an-ethereum-evm-binary-analysis-framework/) | Turn EVM bytecode to infinite-register SSA form | -| 2018/05/03 | echidna | [State Machine Testing with Echidna](https://blog.trailofbits.com/2018/05/03/state-machine-testing-with-echidna/) | Example use case of Echidna's Haskell API | -| 2018/03/23 | | [Use our suite of Ethereum security tools](https://blog.trailofbits.com/2018/03/23/use-our-suite-of-ethereum-security-tools/) | Overview of our tools and documents: Not So Smart Contracts, Slither, Echidna, Manticore, EVM Opcode Database, Ethersplay, IDA-EVM, Rattle | -| 2018/03/09 | echidna | [Echidna, a smart fuzzer for Ethereum](https://blog.trailofbits.com/2018/03/09/echidna-a-smart-fuzzer-for-ethereum/) | First release and introduction to Echidna | -| 2017/04/27 | manticore | [Manticore: Symbolic execution for humans](https://blog.trailofbits.com/2017/04/27/manticore-symbolic-execution-for-humans/) | First release and introduction to Manticore (not adopted for EVM yet) | - -## Upgradeability - -Our work related to contracts upgradeability - -| Date | Title | Description | -| ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | -| 2020/12/16 | [Breaking Aave Upgradeability](https://blog.trailofbits.com/2020/12/16/breaking-aave-upgradeability/) | Description of Delegatecall Proxy vulnerability in formally-verified Aave contracts | -| 2020/10/30 | [Good idea, bad design: How the Diamond standard falls short](https://blog.trailofbits.com/2020/10/30/good-idea-bad-design-how-the-diamond-standard-falls-short/) | Audit of Diamond standard's implementation | -| 2018/10/29 | [How contract migration works](https://blog.trailofbits.com/2018/10/29/how-contract-migration-works/) | Alternative to upgradability mechanism - moving data to a new contract | -| 2018/09/05 | [Contract upgrade anti-patterns](https://blog.trailofbits.com/2018/09/05/contract-upgrade-anti-patterns/) | Discussion of risks and recommendations for Data Separation and Delegatecall Proxy patterns. Disclosure of vulnerability in Zeppelin Proxy contract. | - -## Zero-knowledge - -Our work in Zero-Knowledge Proofs space - -| Date | Title | Description | -| ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | -| 2022/04/18 | [The Frozen Heart vulnerability in PlonK](https://blog.trailofbits.com/2022/04/18/the-frozen-heart-vulnerability-in-plonk/) | | -| 2022/04/15 | [The Frozen Heart vulnerability in Bulletproofs](https://blog.trailofbits.com/2022/04/15/the-frozen-heart-vulnerability-in-bulletproofs/) | | -| 2022/04/14 | [The Frozen Heart vulnerability in Girault’s proof of knowledge](https://blog.trailofbits.com/2022/04/14/the-frozen-heart-vulnerability-in-giraults-proof-of-knowledge/) | | -| 2022/04/13 | [Coordinated disclosure of vulnerabilities affecting Girault, Bulletproofs, and PlonK](https://blog.trailofbits.com/2022/04/13/part-1-coordinated-disclosure-of-vulnerabilities-affecting-girault-bulletproofs-and-plonk/) | Introducing new "Frozen Heart" class of vulnerabilities | -| 2021/12/21 | [Disclosing Shamir’s Secret Sharing vulnerabilities and announcing ZKDocs](https://blog.trailofbits.com/2021/12/21/disclosing-shamirs-secret-sharing-vulnerabilities-and-announcing-zkdocs/) | | -| 2021/02/19 | [Serving up zero-knowledge proofs](https://blog.trailofbits.com/2021/02/19/serving-up-zero-knowledge-proofs/) | Fiat-Shamir transformation explained | -| 2020/12/14 | [Reverie: An optimized zero-knowledge proof system](https://blog.trailofbits.com/2020/12/14/reverie-an-optimized-zero-knowledge-proof-system/) | Rust implementation of the MPC-in-the-head proof system | -| 2020/05/21 | [Reinventing Vulnerability Disclosure using Zero-knowledge Proofs](https://blog.trailofbits.com/2020/05/21/reinventing-vulnerability-disclosure-using-zero-knowledge-proofs/) | Announcement of DARPA sponsored work on ZK proofs of exploitability | -| 2019/10/04 | [Multi-Party Computation on Machine Learning](https://blog.trailofbits.com/2019/10/04/multi-party-computation-on-machine-learning/) | Implementation of 3-party computation protocol for perceptron and support vector machine (SVM) algorithms | +| 2022/10/12 | [Porting the Solana eBPF JIT compiler to ARM64](https://blog.trailofbits.com/2022/10/12/solana-jit-compiler-ebpf-arm64/) | A low-level write-up of the work done to make the Solana compiler work on ARM64 | +| 2022/06/24 | [Managing risk in blockchain deployments](https://blog.trailofbits.com/2022/06/24/managing-risk-in-blockchain-deployments/) | A summary of the "Do You Really Need a Blockchain? An Operational Risk Assessment" report | +| 2022/06/21 | [Are blockchains decentralized?](https://blog.trailofbits.com/2022/06/21/are-blockchains-decentralized/) | A summary of the "Are Blockchains Decentralized? Unintended Centralities in Distributed Ledgers" report | From f95ce33fc0cf06ba08dd4ccade0f9de3117fcd6e Mon Sep 17 00:00:00 2001 From: 0xphaze <0xphaze@gmail.com> Date: Wed, 12 Apr 2023 14:34:03 +0100 Subject: [PATCH 2/7] Run format --- resources/tob_blogposts.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/resources/tob_blogposts.md b/resources/tob_blogposts.md index e7eb36a3..9e20c146 100644 --- a/resources/tob_blogposts.md +++ b/resources/tob_blogposts.md @@ -22,23 +22,23 @@ Research in the distributed systems area | 2019/10/25 | [Formal Analysis of the CBC Casper Consensus Algorithm with TLA+](https://blog.trailofbits.com/2019/10/25/formal-analysis-of-the-cbc-casper-consensus-algorithm-with-tla/) | Verification of finality of the Correct By Construction (CBC) PoS consensus protocol | | 2019/07/12 | [On LibraBFT’s use of broadcasts](https://blog.trailofbits.com/2019/07/12/librabft/) | Liveness of LibraBFT and HotStuff algorithms | | 2019/07/02 | [State of the Art Proof-of-Work: RandomX](https://blog.trailofbits.com/2019/07/02/state/) | Summary of our audit of ASIC and GPU-resistant PoW algorithm | -| 2018/10/12 | [Introduction to Verifiable Delay Functions (VDFs)](https://blog.trailofbits.com/2018/10/12/introduction-to-verifiable-delay-functions-vdfs/) | Basics of VDFs - a class of hard to compute, not parallelizable, but easily verifiable functions | +| 2018/10/12 | [Introduction to Verifiable Delay Functions (VDFs)](https://blog.trailofbits.com/2018/10/12/introduction-to-verifiable-delay-functions-vdfs/) | Basics of VDFs - a class of hard to compute, not parallelizable, but easily verifiable functions | ## Fuzzing Compilers Our work on the topic of fuzzing the `solc` compiler -| Date | Title | Description | -| ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| Date | Title | Description | +| ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ | | 2021/03/23 | [A Year in the Life of a Compiler Fuzzing Campaign](https://blog.trailofbits.com/2021/03/23/a-year-in-the-life-of-a-compiler-fuzzing-campaign/) | Results and features of fuzzing solc | -| 2020/06/05 | [Breaking the Solidity Compiler with a Fuzzer](https://blog.trailofbits.com/2020/06/05/breaking-the-solidity-compiler-with-a-fuzzer/) | Our approach to fuzzing solc | +| 2020/06/05 | [Breaking the Solidity Compiler with a Fuzzer](https://blog.trailofbits.com/2020/06/05/breaking-the-solidity-compiler-with-a-fuzzer/) | Our approach to fuzzing solc | ## General Security research, analyses, announcements, and write-ups -| Date | Title | Description | -| ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| 2022/10/12 | [Porting the Solana eBPF JIT compiler to ARM64](https://blog.trailofbits.com/2022/10/12/solana-jit-compiler-ebpf-arm64/) | A low-level write-up of the work done to make the Solana compiler work on ARM64 | -| 2022/06/24 | [Managing risk in blockchain deployments](https://blog.trailofbits.com/2022/06/24/managing-risk-in-blockchain-deployments/) | A summary of the "Do You Really Need a Blockchain? An Operational Risk Assessment" report | -| 2022/06/21 | [Are blockchains decentralized?](https://blog.trailofbits.com/2022/06/21/are-blockchains-decentralized/) | A summary of the "Are Blockchains Decentralized? Unintended Centralities in Distributed Ledgers" report | +| Date | Title | Description | +| ---------- | --------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | +| 2022/10/12 | [Porting the Solana eBPF JIT compiler to ARM64](https://blog.trailofbits.com/2022/10/12/solana-jit-compiler-ebpf-arm64/) | A low-level write-up of the work done to make the Solana compiler work on ARM64 | +| 2022/06/24 | [Managing risk in blockchain deployments](https://blog.trailofbits.com/2022/06/24/managing-risk-in-blockchain-deployments/) | A summary of the "Do You Really Need a Blockchain? An Operational Risk Assessment" report | +| 2022/06/21 | [Are blockchains decentralized?](https://blog.trailofbits.com/2022/06/21/are-blockchains-decentralized/) | A summary of the "Are Blockchains Decentralized? Unintended Centralities in Distributed Ledgers" report | From fab880ede376c0b2071a80f57b666861a37c4b4d Mon Sep 17 00:00:00 2001 From: tuturu-tech <9058533+tuturu-tech@users.noreply.github.com> Date: Wed, 28 Jun 2023 13:00:36 +0200 Subject: [PATCH 3/7] Apply suggestions from code review Wording and grammar changes for CONTRIBUTING and README --- CONTRIBUTING.md | 4 ++-- README.md | 14 +++++++------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 8bf7e5d8..33986b6f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -29,10 +29,10 @@ Here's a basic overview of Building-Secure-Contracts' structure: ```text . -├── development-guidelnes # High-level best practices for all smart contracts +├── development-guidelines # High-level best practices for all smart contracts ├── learn_evm # EVM technical knowledge ├── not-so-smart-contracts # Examples of common smart contract issues, including descriptions, examples, and recommendations -├── program-analysis # How to utilize automated tools for securing contracts +├── program-analysis # How to utilize automated tools to secure contracts ├── resources # Various online resources └── ... ``` diff --git a/README.md b/README.md index da3238df..aa0d2d61 100644 --- a/README.md +++ b/README.md @@ -2,16 +2,16 @@ ![](https://github.com/crytic/building-secure-contracts/workflows/CI/badge.svg) ![](https://github.com/crytic/building-secure-contracts/workflows/Echidna/badge.svg) -Brought to you by [Trail of Bits](https://www.trailofbits.com/), this repository offers guidelines and best practices for developing secure smart contracts. Contributions are welcome, so please participate by adhering to our [contributing guidelines](https://github.com/crytic/building-secure-contracts/blob/master/CONTRIBUTING.md). +Brought to you by [Trail of Bits](https://www.trailofbits.com/), this repository offers guidelines and best practices for developing secure smart contracts. Contributions are welcome, you can contribute by following our [contributing guidelines](https://github.com/crytic/building-secure-contracts/blob/master/CONTRIBUTING.md). **Table of Contents:** - [Development Guidelines](./development-guidelines) - - [High-Level Best Practices](./development-guidelines/guidelines.md): Essential practices for all smart contracts - - [Incident Response Recommendations](./development-guidelines/incident_response.md): Advice for creating an incident response plan + - [High-Level Best Practices](./development-guidelines/guidelines.md): Best practices for all smart contracts + - [Incident Response Recommendations](./development-guidelines/incident_response.md): Guidelines for creating an incident response plan - [Secure Development Workflow](./development-guidelines/workflow.md): A high-level process to follow during code development - [Token Integration Checklist](./development-guidelines/token_integration.md): What to check when interacting with arbitrary tokens -- [Learn EVM](./learn_evm): Technical knowledge about EVM +- [Learn EVM](./learn_evm): Technical knowledge about the EVM - [EVM Opcodes](./learn_evm/evm_opcodes.md): Information on all EVM opcodes - [Transaction Tracing](./learn_evm/tracing.md): Helper scripts and guidance for generating and navigating transaction traces - [Yellow Paper Guidance](./learn_evm/yellow-paper.md): Symbol reference for easier reading of the Ethereum yellow paper @@ -28,8 +28,8 @@ Brought to you by [Trail of Bits](https://www.trailofbits.com/), this repository - [Program Analysis](./program-analysis): Using automated tools to secure contracts - [Echidna](./program-analysis/echidna): A fuzzer that checks your contract's properties - [Slither](./program-analysis/slither): A static analyzer with both CLI and scriptable interfaces - - [Manticore](./program-analysis/manticore): A symbolic execution engine that proves correctness properties - - Each tool comes with: + - [Manticore](./program-analysis/manticore): A symbolic execution engine that proves the correctness of properties + - For each tool, this training material provides: - A theoretical introduction, an API walkthrough, and a set of exercises - Exercises that take approximately two hours to gain practical understanding - [Resources](./resources): Assorted online resources @@ -37,4 +37,4 @@ Brought to you by [Trail of Bits](https://www.trailofbits.com/), this repository # License -Secure-contracts and building-secure-contracts are licensed and distributed under the [AGPLv3 license](https://github.com/crytic/building-secure-contracts/blob/master/LICENSE). Please contact us if you require an exception to the terms. +secure-contracts and building-secure-contracts are licensed and distributed under the [AGPLv3 license](https://github.com/crytic/building-secure-contracts/blob/master/LICENSE). Contact us if you're looking for an exception to the terms. From ac2681fc6225fd5c873b5333c8b004bef710ca18 Mon Sep 17 00:00:00 2001 From: tuturu-tech Date: Wed, 28 Jun 2023 13:14:36 +0200 Subject: [PATCH 4/7] fix wording and readd table to blog posts --- SUMMARY.md | 14 ++--- resources/tob_blogposts.md | 107 +++++++++++++++++++++++++++++++++---- 2 files changed, 103 insertions(+), 18 deletions(-) diff --git a/SUMMARY.md b/SUMMARY.md index 94e697ce..03035400 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -11,10 +11,10 @@ - [EVM Opcode Reference](./learn_evm/evm_opcodes.md) - [Transaction Tracing](./learn_evm/tracing.md) - [Yellow Paper Guidance](./learn_evm/yellow-paper.md): - - [Forks and EIPs](./learn_evm/eips_forks.md) - - [Forks and CIPs](./learn_evm/cips_forks.md) - - [Upgrades and TIPs](./learn_evm/tips_upgrades.md) - - [Forks and BEPs](./learn_evm/beps_forks.md) + - [Forks <> EIPs](./learn_evm/eips_forks.md) + - [Forks <> CIPs](./learn_evm/cips_forks.md) + - [Upgrades <> TIPs](./learn_evm/tips_upgrades.md) + - [Forks <> BEPs](./learn_evm/beps_forks.md) - [Not So Smart Contracts](./not-so-smart-contracts/README.md) - [Algorand](./not-so-smart-contracts/algorand/README.md) - [Rekeying](./not-so-smart-contracts/algorand/rekeying/README.md) @@ -93,9 +93,9 @@ - [Exercise 8](./program-analysis/echidna/exercises/Exercise-8.md) - [Manticore](./program-analysis/manticore/README.md) - [Introduction to Symbolic Execution](./program-analysis/manticore/symbolic-execution-introduction.md): - - [Running with Manticore](./program-analysis/manticore/running_under_manticore.md) - - [Finding Throwing Paths](./program-analysis/manticore/getting_throwing_paths.md) - - [Adding Constraints](./program-analysis/manticore/adding_constraints.md) + - [Running with Manticore](./program-analysis/manticore/running-under-manticore.md) + - [Finding Throwing Paths](./program-analysis/manticore/getting-throwing-paths.md) + - [Adding Constraints](./program-analysis/manticore/adding-constraints.md) - [Exercises](./program-analysis/manticore/exercises/README.md) - [Example](./program-analysis/manticore/exercises/example.md) - [Exercise 1](./program-analysis/manticore/exercises/exercise1.md) diff --git a/resources/tob_blogposts.md b/resources/tob_blogposts.md index 9e20c146..bea78fdf 100644 --- a/resources/tob_blogposts.md +++ b/resources/tob_blogposts.md @@ -10,11 +10,11 @@ The following contains blockchain-related blog posts made by Trail of Bits. - [Presentations](#presentations) - [Tooling](#tooling) - [Upgradeability](#upgradeability) - - [Zero-Knowledge](#zero-knowledge) + - [Zero-knowledge](#zero-knowledge) ## Consensus Algorithms -Research in the distributed systems area +Research in the distributes systems area | Date | Title | Description | | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | @@ -22,23 +22,108 @@ Research in the distributed systems area | 2019/10/25 | [Formal Analysis of the CBC Casper Consensus Algorithm with TLA+](https://blog.trailofbits.com/2019/10/25/formal-analysis-of-the-cbc-casper-consensus-algorithm-with-tla/) | Verification of finality of the Correct By Construction (CBC) PoS consensus protocol | | 2019/07/12 | [On LibraBFT’s use of broadcasts](https://blog.trailofbits.com/2019/07/12/librabft/) | Liveness of LibraBFT and HotStuff algorithms | | 2019/07/02 | [State of the Art Proof-of-Work: RandomX](https://blog.trailofbits.com/2019/07/02/state/) | Summary of our audit of ASIC and GPU-resistant PoW algorithm | -| 2018/10/12 | [Introduction to Verifiable Delay Functions (VDFs)](https://blog.trailofbits.com/2018/10/12/introduction-to-verifiable-delay-functions-vdfs/) | Basics of VDFs - a class of hard to compute, not parallelizable, but easily verifiable functions | +| 2018/10/12 | [Introduction to Verifiable Delay Functions (VDFs)](https://blog.trailofbits.com/2018/10/12/introduction-to-verifiable-delay-functions-vdfs/) | Basics of VDFs - a class of hard to compute, not parallelizable, but easily verifiable functions | ## Fuzzing Compilers Our work on the topic of fuzzing the `solc` compiler -| Date | Title | Description | -| ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ | +| Date | Title | Description | +| ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | | 2021/03/23 | [A Year in the Life of a Compiler Fuzzing Campaign](https://blog.trailofbits.com/2021/03/23/a-year-in-the-life-of-a-compiler-fuzzing-campaign/) | Results and features of fuzzing solc | -| 2020/06/05 | [Breaking the Solidity Compiler with a Fuzzer](https://blog.trailofbits.com/2020/06/05/breaking-the-solidity-compiler-with-a-fuzzer/) | Our approach to fuzzing solc | +| 2020/06/05 | [Breaking the Solidity Compiler with a Fuzzer](https://blog.trailofbits.com/2020/06/05/breaking-the-solidity-compiler-with-a-fuzzer/) | Our approach to fuzzing solc | ## General Security research, analyses, announcements, and write-ups -| Date | Title | Description | -| ---------- | --------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | -| 2022/10/12 | [Porting the Solana eBPF JIT compiler to ARM64](https://blog.trailofbits.com/2022/10/12/solana-jit-compiler-ebpf-arm64/) | A low-level write-up of the work done to make the Solana compiler work on ARM64 | -| 2022/06/24 | [Managing risk in blockchain deployments](https://blog.trailofbits.com/2022/06/24/managing-risk-in-blockchain-deployments/) | A summary of the "Do You Really Need a Blockchain? An Operational Risk Assessment" report | -| 2022/06/21 | [Are blockchains decentralized?](https://blog.trailofbits.com/2022/06/21/are-blockchains-decentralized/) | A summary of the "Are Blockchains Decentralized? Unintended Centralities in Distributed Ledgers" report | +| Date | Title | Description | +| ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| 2022/10/12 | [Porting the Solana eBPF JIT compiler to ARM64](https://blog.trailofbits.com/2022/10/12/solana-jit-compiler-ebpf-arm64/) | Low-level write-up of the work done to make the Solana compiler work on ARM64 | +| 2022/06/24 | [Managing risk in blockchain deployments](https://blog.trailofbits.com/2022/06/24/managing-risk-in-blockchain-deployments/) | A summary of "Do You Really Need a Blockchain? An Operational Risk Assessment" report | +| 2022/06/21 | [Are blockchains decentralized?](https://blog.trailofbits.com/2022/06/21/are-blockchains-decentralized/) | A summary of "Are Blockchains Decentralized? Unintended Centralities in Distributed Ledgers" report | +| 2020/08/05 | [Accidentally stepping on a DeFi lego](https://blog.trailofbits.com/2020/08/05/accidentally-stepping-on-a-defi-lego/) | Write-up of a vulnerability in yVault project | +| 2020/05/15 | [Bug Hunting with Crytic](https://blog.trailofbits.com/2020/05/15/bug-hunting-with-crytic/) | Description of 9 bugs found by Trail of Bits tools in public projects | +| 2019/11/13 | [Announcing the Crytic $10k Research Prize](https://blog.trailofbits.com/2019/11/13/announcing-the-crytic-10k-research-prize/) | Academic research prize promoting open source work | +| 2019/10/24 | [Watch Your Language: Our First Vyper Audit](https://blog.trailofbits.com/2019/10/24/watch-your-language-our-first-vyper-audit/) | Pros and cons of Vyper language and disclosure of vulnerability in the Vyper's compiler | +| 2019/08/08 | [246 Findings From our Smart Contract Audits: An Executive Summary](https://blog.trailofbits.com/2019/08/08/246-findings-from-our-smart-contract-audits-an-executive-summary/) | Publication of data aggregated from our audits. Discussion about possibility of automatic and manual detection of vulnerabilities, and usefulness of unit tests | +| 2018/11/19 | [Return of the Blockchain Security Empire Hacking](https://blog.trailofbits.com/2018/11/19/return-of-the-blockchain-security-empire-hacking/) | +| 2018/02/09 | [Parity Technologies engages Trail of Bits](https://blog.trailofbits.com/2018/02/09/parity-technologies-engages-trail-of-bits/) | | +| 2017/11/06 | [Hands on the Ethernaut CTF](https://blog.trailofbits.com/2017/11/06/hands-on-the-ethernaut-ctf/) | First write-up on Ethernaut | + +## Guidance + +General guidance + +| Date | Title | Description | +| ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | +| 2021/02/05 | [Confessions of a smart contract paper reviewer](https://blog.trailofbits.com/2021/02/05/confessions-of-a-smart-contract-paper-reviewer/) | Six requirements for a good research paper | +| 2018/11/27 | [10 Rules for the Secure Use of Cryptocurrency Hardware Wallets](https://blog.trailofbits.com/2018/11/27/10-rules-for-the-secure-use-of-cryptocurrency-hardware-wallets/) | Recommendations for the secure use of hardware wallets. | +| 2018/10/04 | [Ethereum security guidance for all](https://blog.trailofbits.com/2018/10/04/ethereum-security-guidance-for-all/) | Announcement of office hours, Blockchain Security Contacts, and Awesome Ethereum Security | +| 2018/04/06 | [How to prepare for a security review](https://blog.trailofbits.com/2018/04/06/how-to-prepare-for-a-security-audit/) | Checklist for before having a security audit | + +## Presentations + +Talks, videos, and slides + +| Date | Title | Description | +| ---------- | ----------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| 2019/01/18 | [Empire Hacking: Ethereum Edition 2](https://blog.trailofbits.com/2019/01/18/empire-hacking-ethereum-edition-2/) | Talks include: `Anatomy of an unsafe smart contract programming language`, `Evaluating digital asset security fundamentals`, `Contract upgrade risks and recommendations`, `How to buidl an enterprise-grade mainnet Ethereum client`, `Failures in on-chain privacy`, `Secure micropayment protocols`, `Designing the Gemini dollar: a regulated, upgradeable, transparent stablecoin`, `Property testing with Echidna and Manticore for secure smart contracts`, `Simple is hard: Making your awesome security thing usable` | +| 2018/11/16 | [Trail of Bits @ Devcon IV Recap](https://blog.trailofbits.com/2018/11/16/trail-of-bits-devcon-iv-recap/) | Talks include: `Using Manticore and Symbolic Execution to Find Smart Contract Bugs`, `Blockchain Autopsies`, `Current State of Security` | +| 2017/12/22 | [Videos from Ethereum-focused Empire Hacking](https://blog.trailofbits.com/2017/12/22/videos-from-ethereum-focused-empire-hacking/) | Talks include: `A brief history of smart contract security`, `A CTF Field Guide for smart contracts`, `Automatic bug finding for the blockchain`, `Addressing infosec needs with blockchain technology` | + +## Tooling + +Description of our tools and their use cases + +| Date | Tool | Title | Description | +| ---------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------ | +| 2022/08/17 | slither | [Using mutants to improve Slither](https://blog.trailofbits.com/2022/08/17/using-mutants-to-improve-slither/) | Inserting random bugs into smart contracts and detecting them with various static analysis tools - to improve Slither's detectors | +| 2022/07/28 | slither | [Shedding smart contract storage with Slither](https://blog.trailofbits.com/2022/07/28/shedding-smart-contract-storage-with-slither/) | Announcement of the slither-read-storage tool | +| 2022/04/20 | | [Amarna: Static analysis for Cairo programs](https://blog.trailofbits.com/2022/04/20/amarna-static-analysis-for-cairo-programs/) | Overview of Cairo footguns and announcement of the new static analysis tool | +| 2022/03/02 | echidna | [Optimizing a smart contract fuzzer](https://blog.trailofbits.com/2022/03/02/optimizing-a-smart-contract-fuzzer/) | Measuring and improving performance of Echidna (Haskell code) | +| 2021/12/16 | slither | [Detecting MISO and Opyn’s msg.value reuse vulnerability with Slither](https://blog.trailofbits.com/2021/12/16/detecting-miso-and-opyns-msg-value-reuse-vulnerability-with-slither/) | Description of Slither's new detectors: delegatecall-loop and msg-value-loop | +| 2021/04/02 | | [Solar: Context-free, interactive analysis for Solidity](https://blog.trailofbits.com/2021/04/02/solar-context-free-interactive-analysis-for-solidity/) | Proof-of-concept static analysis framework | +| 2020/10/23 | slither | [Efficient audits with machine learning and Slither-simil](https://blog.trailofbits.com/2020/10/23/efficient-audits-with-machine-learning-and-slither-simil/) | Detect similar Solidity functions with Slither and ML | +| 2020/08/17 | echidna | [Using Echidna to test a smart contract library](https://blog.trailofbits.com/2020/08/17/using-echidna-to-test-a-smart-contract-library/) | Designing and testing properties with differential fuzzing | +| 2020/07/12 | manticore | [Contract verification made easier](https://blog.trailofbits.com/2020/07/12/new-manticore-verifier-for-smart-contracts/) | Re-use Echidna properties with Manticore with manticore-verifier | +| 2020/06/12 | slither | [Upgradeable contracts made safer with Crytic](https://blog.trailofbits.com/2020/06/12/upgradeable-contracts-made-safer-with-crytic/) | 17 new Slither detectors for upgradeable contracts | +| 2020/03/30 | echidna | [An Echidna for all Seasons](https://blog.trailofbits.com/2020/03/30/an-echidna-for-all-seasons/) | Announcement of new features in Echidna | +| 2020/03/03 | manticore | [Manticore discovers the ENS bug](https://blog.trailofbits.com/2020/03/03/manticore-discovers-the-ens-bug/) | Using symbolic analysis to find vulnerability in Ethereum Name Service contract | +| 2020/01/31 | manticore | [Symbolically Executing WebAssembly in Manticore](https://blog.trailofbits.com/2020/01/31/symbolically-executing-webassembly-in-manticore/) | Using symbolic analysis on an artificial WASM binary | +| 2019/08/02 | | [Crytic: Continuous Assurance for Smart Contracts](https://blog.trailofbits.com/2019/08/02/crytic-continuous-assurance-for-smart-contracts/) | New product that integrates static analysis with GitHub pipeline | +| 2019/07/03 | slither | [Avoiding Smart Contract \"Gridlock\" with Slither](https://blog.trailofbits.com/2019/07/03/avoiding-smart-contract-gridlock-with-slither/) | Description of a DoS vulnerability resulting from a strict equality check, and Slither's dangerous-strict-equality detector | +| 2019/05/27 | slither | [Slither: The Leading Static Analyzer for Smart Contracts](https://blog.trailofbits.com/2019/05/27/slither-the-leading-static-analyzer-for-smart-contracts/) | Slither design and comparison with other static analysis tools | +| 2018/10/19 | slither | [Slither – a Solidity static analysis framework](https://blog.trailofbits.com/2018/10/19/slither-a-solidity-static-analysis-framework/) | Introduction to Slither's API and printers | +| 2018/09/06 | rattle | [Rattle – an Ethereum EVM binary analysis framework](https://blog.trailofbits.com/2018/09/06/rattle-an-ethereum-evm-binary-analysis-framework/) | Turn EVM bytecode to infinite-register SSA form | +| 2018/05/03 | echidna | [State Machine Testing with Echidna](https://blog.trailofbits.com/2018/05/03/state-machine-testing-with-echidna/) | Example use case of Echidna's Haskell API | +| 2018/03/23 | | [Use our suite of Ethereum security tools](https://blog.trailofbits.com/2018/03/23/use-our-suite-of-ethereum-security-tools/) | Overview of our tools and documents: Not So Smart Contracts, Slither, Echidna, Manticore, EVM Opcode Database, Ethersplay, IDA-EVM, Rattle | +| 2018/03/09 | echidna | [Echidna, a smart fuzzer for Ethereum](https://blog.trailofbits.com/2018/03/09/echidna-a-smart-fuzzer-for-ethereum/) | First release and introduction to Echidna | +| 2017/04/27 | manticore | [Manticore: Symbolic execution for humans](https://blog.trailofbits.com/2017/04/27/manticore-symbolic-execution-for-humans/) | First release and introduction to Manticore (not adopted for EVM yet) | + +## Upgradeability + +Our work related to contracts upgradeability + +| Date | Title | Description | +| ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | +| 2020/12/16 | [Breaking Aave Upgradeability](https://blog.trailofbits.com/2020/12/16/breaking-aave-upgradeability/) | Description of Delegatecall Proxy vulnerability in formally-verified Aave contracts | +| 2020/10/30 | [Good idea, bad design: How the Diamond standard falls short](https://blog.trailofbits.com/2020/10/30/good-idea-bad-design-how-the-diamond-standard-falls-short/) | Audit of Diamond standard's implementation | +| 2018/10/29 | [How contract migration works](https://blog.trailofbits.com/2018/10/29/how-contract-migration-works/) | Alternative to upgradability mechanism - moving data to a new contract | +| 2018/09/05 | [Contract upgrade anti-patterns](https://blog.trailofbits.com/2018/09/05/contract-upgrade-anti-patterns/) | Discussion of risks and recommendations for Data Separation and Delegatecall Proxy patterns. Disclosure of vulnerability in Zeppelin Proxy contract. | + +## Zero-knowledge + +Our work in Zero-Knowledge Proofs space + +| Date | Title | Description | +| ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | +| 2022/04/18 | [The Frozen Heart vulnerability in PlonK](https://blog.trailofbits.com/2022/04/18/the-frozen-heart-vulnerability-in-plonk/) | | +| 2022/04/15 | [The Frozen Heart vulnerability in Bulletproofs](https://blog.trailofbits.com/2022/04/15/the-frozen-heart-vulnerability-in-bulletproofs/) | | +| 2022/04/14 | [The Frozen Heart vulnerability in Girault’s proof of knowledge](https://blog.trailofbits.com/2022/04/14/the-frozen-heart-vulnerability-in-giraults-proof-of-knowledge/) | | +| 2022/04/13 | [Coordinated disclosure of vulnerabilities affecting Girault, Bulletproofs, and PlonK](https://blog.trailofbits.com/2022/04/13/part-1-coordinated-disclosure-of-vulnerabilities-affecting-girault-bulletproofs-and-plonk/) | Introducing new "Frozen Heart" class of vulnerabilities | +| 2021/12/21 | [Disclosing Shamir’s Secret Sharing vulnerabilities and announcing ZKDocs](https://blog.trailofbits.com/2021/12/21/disclosing-shamirs-secret-sharing-vulnerabilities-and-announcing-zkdocs/) | | +| 2021/02/19 | [Serving up zero-knowledge proofs](https://blog.trailofbits.com/2021/02/19/serving-up-zero-knowledge-proofs/) | Fiat-Shamir transformation explained | +| 2020/12/14 | [Reverie: An optimized zero-knowledge proof system](https://blog.trailofbits.com/2020/12/14/reverie-an-optimized-zero-knowledge-proof-system/) | Rust implementation of the MPC-in-the-head proof system | +| 2020/05/21 | [Reinventing Vulnerability Disclosure using Zero-knowledge Proofs](https://blog.trailofbits.com/2020/05/21/reinventing-vulnerability-disclosure-using-zero-knowledge-proofs/) | Announcement of DARPA sponsored work on ZK proofs of exploitability | +| 2019/10/04 | [Multi-Party Computation on Machine Learning](https://blog.trailofbits.com/2019/10/04/multi-party-computation-on-machine-learning/) | Implementation of 3-party computation protocol for perceptron and support vector machine (SVM) algorithms | \ No newline at end of file From b8adeaa600f76adb5594bb57a78547090855c211 Mon Sep 17 00:00:00 2001 From: tuturu-tech Date: Wed, 28 Jun 2023 13:15:27 +0200 Subject: [PATCH 5/7] capitalize title --- resources/tob_blogposts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/tob_blogposts.md b/resources/tob_blogposts.md index bea78fdf..deab72b0 100644 --- a/resources/tob_blogposts.md +++ b/resources/tob_blogposts.md @@ -10,7 +10,7 @@ The following contains blockchain-related blog posts made by Trail of Bits. - [Presentations](#presentations) - [Tooling](#tooling) - [Upgradeability](#upgradeability) - - [Zero-knowledge](#zero-knowledge) + - [Zero-Knowledge](#zero-knowledge) ## Consensus Algorithms From 5b5dd3dd5333bed3016da64f0c6354fd20229da3 Mon Sep 17 00:00:00 2001 From: tuturu-tech Date: Wed, 28 Jun 2023 13:18:24 +0200 Subject: [PATCH 6/7] formatting --- resources/tob_blogposts.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/resources/tob_blogposts.md b/resources/tob_blogposts.md index deab72b0..907baa2c 100644 --- a/resources/tob_blogposts.md +++ b/resources/tob_blogposts.md @@ -14,7 +14,7 @@ The following contains blockchain-related blog posts made by Trail of Bits. ## Consensus Algorithms -Research in the distributes systems area +Research in the distributed systems area | Date | Title | Description | | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | @@ -22,16 +22,16 @@ Research in the distributes systems area | 2019/10/25 | [Formal Analysis of the CBC Casper Consensus Algorithm with TLA+](https://blog.trailofbits.com/2019/10/25/formal-analysis-of-the-cbc-casper-consensus-algorithm-with-tla/) | Verification of finality of the Correct By Construction (CBC) PoS consensus protocol | | 2019/07/12 | [On LibraBFT’s use of broadcasts](https://blog.trailofbits.com/2019/07/12/librabft/) | Liveness of LibraBFT and HotStuff algorithms | | 2019/07/02 | [State of the Art Proof-of-Work: RandomX](https://blog.trailofbits.com/2019/07/02/state/) | Summary of our audit of ASIC and GPU-resistant PoW algorithm | -| 2018/10/12 | [Introduction to Verifiable Delay Functions (VDFs)](https://blog.trailofbits.com/2018/10/12/introduction-to-verifiable-delay-functions-vdfs/) | Basics of VDFs - a class of hard to compute, not parallelizable, but easily verifiable functions | +| 2018/10/12 | [Introduction to Verifiable Delay Functions (VDFs)](https://blog.trailofbits.com/2018/10/12/introduction-to-verifiable-delay-functions-vdfs/) | Basics of VDFs - a class of hard to compute, not parallelizable, but easily verifiable functions | ## Fuzzing Compilers Our work on the topic of fuzzing the `solc` compiler -| Date | Title | Description | -| ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| Date | Title | Description | +| ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ | | 2021/03/23 | [A Year in the Life of a Compiler Fuzzing Campaign](https://blog.trailofbits.com/2021/03/23/a-year-in-the-life-of-a-compiler-fuzzing-campaign/) | Results and features of fuzzing solc | -| 2020/06/05 | [Breaking the Solidity Compiler with a Fuzzer](https://blog.trailofbits.com/2020/06/05/breaking-the-solidity-compiler-with-a-fuzzer/) | Our approach to fuzzing solc | +| 2020/06/05 | [Breaking the Solidity Compiler with a Fuzzer](https://blog.trailofbits.com/2020/06/05/breaking-the-solidity-compiler-with-a-fuzzer/) | Our approach to fuzzing solc | ## General @@ -39,10 +39,10 @@ Security research, analyses, announcements, and write-ups | Date | Title | Description | | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| 2022/10/12 | [Porting the Solana eBPF JIT compiler to ARM64](https://blog.trailofbits.com/2022/10/12/solana-jit-compiler-ebpf-arm64/) | Low-level write-up of the work done to make the Solana compiler work on ARM64 | -| 2022/06/24 | [Managing risk in blockchain deployments](https://blog.trailofbits.com/2022/06/24/managing-risk-in-blockchain-deployments/) | A summary of "Do You Really Need a Blockchain? An Operational Risk Assessment" report | -| 2022/06/21 | [Are blockchains decentralized?](https://blog.trailofbits.com/2022/06/21/are-blockchains-decentralized/) | A summary of "Are Blockchains Decentralized? Unintended Centralities in Distributed Ledgers" report | -| 2020/08/05 | [Accidentally stepping on a DeFi lego](https://blog.trailofbits.com/2020/08/05/accidentally-stepping-on-a-defi-lego/) | Write-up of a vulnerability in yVault project | +| 2022/10/12 | [Porting the Solana eBPF JIT compiler to ARM64](https://blog.trailofbits.com/2022/10/12/solana-jit-compiler-ebpf-arm64/) | Low-level write-up of the work done to make the Solana compiler work on ARM64 | +| 2022/06/24 | [Managing risk in blockchain deployments](https://blog.trailofbits.com/2022/06/24/managing-risk-in-blockchain-deployments/) | A summary of "Do You Really Need a Blockchain? An Operational Risk Assessment" report | +| 2022/06/21 | [Are blockchains decentralized?](https://blog.trailofbits.com/2022/06/21/are-blockchains-decentralized/) | A summary of "Are Blockchains Decentralized? Unintended Centralities in Distributed Ledgers" report | +| 2020/08/05 | [Accidentally stepping on a DeFi lego](https://blog.trailofbits.com/2020/08/05/accidentally-stepping-on-a-defi-lego/) | Write-up of a vulnerability in yVault project | | 2020/05/15 | [Bug Hunting with Crytic](https://blog.trailofbits.com/2020/05/15/bug-hunting-with-crytic/) | Description of 9 bugs found by Trail of Bits tools in public projects | | 2019/11/13 | [Announcing the Crytic $10k Research Prize](https://blog.trailofbits.com/2019/11/13/announcing-the-crytic-10k-research-prize/) | Academic research prize promoting open source work | | 2019/10/24 | [Watch Your Language: Our First Vyper Audit](https://blog.trailofbits.com/2019/10/24/watch-your-language-our-first-vyper-audit/) | Pros and cons of Vyper language and disclosure of vulnerability in the Vyper's compiler | @@ -112,7 +112,7 @@ Our work related to contracts upgradeability | 2018/10/29 | [How contract migration works](https://blog.trailofbits.com/2018/10/29/how-contract-migration-works/) | Alternative to upgradability mechanism - moving data to a new contract | | 2018/09/05 | [Contract upgrade anti-patterns](https://blog.trailofbits.com/2018/09/05/contract-upgrade-anti-patterns/) | Discussion of risks and recommendations for Data Separation and Delegatecall Proxy patterns. Disclosure of vulnerability in Zeppelin Proxy contract. | -## Zero-knowledge +## Zero-Knowledge Our work in Zero-Knowledge Proofs space @@ -126,4 +126,4 @@ Our work in Zero-Knowledge Proofs space | 2021/02/19 | [Serving up zero-knowledge proofs](https://blog.trailofbits.com/2021/02/19/serving-up-zero-knowledge-proofs/) | Fiat-Shamir transformation explained | | 2020/12/14 | [Reverie: An optimized zero-knowledge proof system](https://blog.trailofbits.com/2020/12/14/reverie-an-optimized-zero-knowledge-proof-system/) | Rust implementation of the MPC-in-the-head proof system | | 2020/05/21 | [Reinventing Vulnerability Disclosure using Zero-knowledge Proofs](https://blog.trailofbits.com/2020/05/21/reinventing-vulnerability-disclosure-using-zero-knowledge-proofs/) | Announcement of DARPA sponsored work on ZK proofs of exploitability | -| 2019/10/04 | [Multi-Party Computation on Machine Learning](https://blog.trailofbits.com/2019/10/04/multi-party-computation-on-machine-learning/) | Implementation of 3-party computation protocol for perceptron and support vector machine (SVM) algorithms | \ No newline at end of file +| 2019/10/04 | [Multi-Party Computation on Machine Learning](https://blog.trailofbits.com/2019/10/04/multi-party-computation-on-machine-learning/) | Implementation of 3-party computation protocol for perceptron and support vector machine (SVM) algorithms | From 6337c7fc076ef5620e8da177425d1741b0490055 Mon Sep 17 00:00:00 2001 From: tuturu-tech Date: Wed, 28 Jun 2023 15:23:26 +0200 Subject: [PATCH 7/7] readd arithmetic checks link --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index aa0d2d61..f765c086 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,7 @@ Brought to you by [Trail of Bits](https://www.trailofbits.com/), this repository - [Learn EVM](./learn_evm): Technical knowledge about the EVM - [EVM Opcodes](./learn_evm/evm_opcodes.md): Information on all EVM opcodes - [Transaction Tracing](./learn_evm/tracing.md): Helper scripts and guidance for generating and navigating transaction traces + - [Arithmetic Checks](./learn_evm/arithmetic-checks.md): A guide to performing arithmetic checks in the EVM - [Yellow Paper Guidance](./learn_evm/yellow-paper.md): Symbol reference for easier reading of the Ethereum yellow paper - [Forks <> EIPs](./learn_evm/eips_forks.md): Summaries of the EIPs included in each Ethereum fork - [Forks <> CIPs](./learn_evm/cips_forks.md): Summaries of the CIPs and EIPs included in each Celo fork _(EVM-compatible chain)_