blockchains-security-toolkit

History

BT3GL /baɪtɡɝɫ/ fe7d558b85 Update README.md		2022-04-12 02:16:28 +04:00
..
hacking-address.md	organizing directories	2022-04-12 02:15:14 +04:00
README.md	Update README.md	2022-04-12 02:16:28 +04:00
research-papers.md	organizing directories	2022-04-12 02:15:14 +04:00

☠️ Security

tx.origin is used: you want to replace it by “msg.sender” because otherwise any contract you call can act on your behalf.
Avoid potential reetrancy bugs:

msg.sender.transfer(amount);
balances[msg.sender] -= amount;

Inline assembly should be used only in rare cases.
Unclear semantics: now is alias for block.timestamp not current time; use of low level call, callcode, delegatecall should be avoided whenever possible; use transfer whenever failure of ether transfer should rollnack the whole transaction.
Beware of caller contracts: selfdestruct can block calling contracts unexpectedly.
Invocation of local functions via this: never use this to call functions in the same contract, it only consumes more gas than normal call.
Transferring Ether in a for/while/do-while loop should be avoid due to the block gas limit.
ERC20 decimals should have uint8 as return type.

Uniswap Oracle Attack Simulator by Euler
- "Given current concentrated liquidity profile of the ABC/WETH pool, what would it cost the attacker to move a N-minute TWAP of the ABC price to x?"
Hacking the Blockchain by Immunifi
Thinking About Smart Contract Security by Vitalik
Spoof tokens on Ethereum