33 - Security: Introduction to Diligence


As we’ve drilled into your head many times now, smart contract development is different from traditional software development:

  • Smart contract development is new and the tooling, language and best practices are constantly changing.
  • Deployed smart contracts are immutable. Their bytecode cannot be patched in place; a fix means a new deployment (or an upgrade path such as a proxy that you designed in from the start).
  • The cost of failure is high, closer to hardware or financial-services programming than to ordinary web development: a bug can drain funds irreversibly.
  • Smart contract code and state are public, and anyone can call your public and external functions with any arguments, in any order, at any time.

We’ve gone over many of the common attack vectors, discussed smart contract best practices and shown you design patterns that increase the security of your decentralized applications. Much of this information came from the brilliant minds at Diligence, the auditing and smart contract security arm of ConsenSys.

Diligence provides audits for the largest names in the blockchain sector, including Aave, 0x, Covantis, Aragon, Omisego, Horizon and more.

Along with audits, Diligence also provides automated security analysis through two main tools: MythX and Scribble.

MythX

MythX is a smart contract security service for Ethereum built by ConsenSys Diligence. As part of the bootcamp, we have gotten a free month of the developer plan for every student from the ConsenSys Diligence team.

Promo code = ESvxp6CQ

Steps to Get Started

  1. Go to https://mythx.io/
  2. Click the “sign up” button.
  3. Complete the registration form.
  4. You will then have an option to choose a plan. Please select “Try MythX & Buy Scans”. This will allow you to set up a MythX account with no charge.
  5. Go to the dashboard Billing tab and click “Buy a pack of 3 scans today for $9.99”.
  6. Enter your promo code x9naNrvz in the box provided and proceed through checkout with no charge.

Scribble

Diligence also provides another analysis tool called Scribble, which it describes as “Fuzzing as a Service.” Scribble itself is a specification language: you write properties (postconditions, invariants) as annotations on your Solidity code, and Scribble instruments the contract so that those properties are checked at runtime. Diligence’s fuzzing service then drives the instrumented contract with generated transactions looking for a property violation.

Fuzzing is a general security testing technique: instead of hand-writing a handful of test cases, a fuzzer generates a very large number of inputs (often random or mutated from earlier ones) and runs them against your code, flagging any crash, assertion failure or violated property. There’s a bit of structure involved, but the overall concept applies well beyond smart contracts.
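The following is an added example, not code from the lesson or from Diligence, of what a Scribble-annotated contract looks like. The contract (`Vault`) and its function names are assumptions made for illustration; the annotation syntax (`#invariant`, `#if_succeeds`, `old(...)`) is Scribble’s own. Each annotation is a property the fuzzer tries to falsify: if it can find a transaction sequence after which a postcondition or the invariant is false, that is a bug.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Contract-level invariant: the vault must always hold at least as much
/// ether as it has credited to depositors. ">=" rather than "==" because
/// anyone can force ether into a contract (e.g. via selfdestruct), which
/// would otherwise make a perfectly correct contract fail the property.
/// #invariant {:msg "accounting never exceeds real balance"} address(this).balance >= totalDeposits;
contract Vault {
    mapping(address => uint256) public balances;
    uint256 public totalDeposits;

    /// Postconditions: the caller is credited exactly msg.value and the
    /// running total moves by the same amount. old(x) is x before the call.
    /// #if_succeeds {:msg "depositor credited"} balances[msg.sender] == old(balances[msg.sender]) + msg.value;
    /// #if_succeeds {:msg "total tracks deposit"} totalDeposits == old(totalDeposits) + msg.value;
    function deposit() external payable {
        balances[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    /// Postconditions: the caller is debited exactly `amount`, nobody else's
    /// balance changes, and the total moves by the same amount.
    /// #if_succeeds {:msg "caller debited"} balances[msg.sender] == old(balances[msg.sender]) - amount;
    /// #if_succeeds {:msg "total tracks withdrawal"} totalDeposits == old(totalDeposits) - amount;
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        // Effects before interaction (checks-effects-interactions): if the
        // two lines below were moved after the external call, a re-entrant
        // caller could withdraw repeatedly and the fuzzer would report the
        // invariant and the "total tracks withdrawal" property as violated.
        balances[msg.sender] -= amount;
        totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Running the Scribble tool over this file rewrites the annotations into runtime checks (assertions) in an instrumented copy of the contract; the fuzzer then executes random sequences of `deposit`/`withdraw` calls from multiple accounts against that copy. The value of the approach is that you state what must be true rather than enumerating inputs: the reentrancy variant described in the comment is exactly the kind of bug a handful of hand-written unit tests tends to miss and a property-driven fuzzer tends to find.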

In the following lesson, Joran Honig will walk you through the basic concepts behind Scribble and through three exercises to help you learn how to use Scribble!

Additional Material

Scribble

Other Security Options

Outside of the tools we’ve provided so far, there are other great security analysis tools:

Tools

  • OpenZeppelin Defender Less a security analysis tool than an operations dashboard for your smart contracts. It lets you monitor your contracts, respond to exploits or bugs by adjusting access control (for example pausing or changing roles), and send transactions through private relayers.
  • Slither A static analysis framework for Solidity built by the auditing firm Trail of Bits. It is written in Python and open-source; you can read more about it here.
  • Manticore “A symbolic execution tool for analysis of smart contracts and binaries”, as well as WASM modules. Also built by Trail of Bits. Read more here.
  • Ethersplay An EVM disassembler (a Binary Ninja plugin) which takes raw EVM bytecode (the contract you’re deploying) as input and analyzes it at the assembly level. It can produce a control-flow graph of the functions in the bytecode. Another tool from Trail of Bits, it can also highlight which paths Manticore has explored.
  • Echidna A property-based fuzzer, comparable in spirit to Diligence’s Scribble-based fuzzing. It is “a Haskell program designed for fuzzing/property-based testing of Ethereum smart contracts. It uses sophisticated grammar-based fuzzing campaigns based on a contract ABI to falsify user-defined predicates or Solidity assertions.” (source) Also from Trail of Bits.

Learning

Audits

  • Thread: Before an Audit @Tincho, a security researcher at OpenZeppelin, walks through the things you absolutely should do before submitting your code for an audit.
  • Code 423n4 “A community-driven approach to competitive smart contract audits.” A great way to get into auditing; no experience necessary.
  • Immunefi A collection of bug bounties for blockchain projects that anyone can contribute to.
  • Article: Introducing Solidify (Coinbase) We haven’t had a chance to try this one, but Coinbase is offering a new tool for smart contract analysis. This is not an endorsement, just letting you know it exists!