Skip to main content

One post tagged with "vulnerabilities"

View All Tags

Daniel Choi

Introduction

In software development (and more commonly in the blockchain ecosystem), many often interact with Open Source Software (OSS) to either draw inspiration from or simply copy-paste. The latter case described is a very common scenario for smart contract development and many developers fork another project's code and piggy back off of another person's/team's work.

IRL

During the token craze of 2021, new tokens were being minted every hour and there have been many of these tokens that have been copied - sometimes with very minor modifications. Using another person's/team's code is always risky and could potentially introduce a "zero-day" vulnerability. An example of this would be the case of Grim Finance's exploit. Grim Finance had forked Beefy Finance's smart contracts and have made changes according to their protocol's needs. Beefy Finance had uncovered a vulnerability with their smart contracts, which allowed for a reentrancy attack. The same attack vector was what caused Grim Finance to become hacked.

Another project that had introduced a "zero-day" vulnerability was Compound Finance. In the Compound Finance code, there was a rounding error which could be used by an attacker to manipulate empty markets. The same way Compound Finance was attacked, other similar protocols that forked their code were also attacked. Some of these protocols include Onyx, Hundred Finance, Midas Captial, and Lodestar Finance (NOT to be confused with the Lodestar Ethereum 2 client!!!).

A similar case is with Meter, an unaffiliated fork of Chainbridge . Meter had introduced a vulnerability that was not present in the base Chainbridge smart contracts. Improper modifications to the code had opened the smart contract to different attack vectors. More information regarding this can be found here.

Transparency, Collaboration, Pacing and Audits

As part of an on-going effort to make the blockchain ecosystem into a safer environment for users to interact with and participate in, developers must take ownership and responsibility for their shortcomings. In many cases, projects do not make known to the developers/owners of the code base that they will be using and forking their code. This may be due to a project's desire to stay stealth, or they wish to hide the fact they explicitly copied another project's code. Whichever the case, the argument could be made that if the "forkers" had made known to the "forkee", there could have been a collaborative effort to mitigate known vulnerabilities or work together to uncover new ones. Transparency (as well as humility) is an important part in building a stronger community of developers so we can help shoulder these type of burdens.

Timing is very important when it comes to go-to-market strategies. The same execution in different times could produce significantly opposing results. During bull markets, there is a pressure to release a token (or blockchain project) as fast as humanly possible. During the rush and chaos, blunders could be made and sleep-deprived developers could make a simple but critical mistake. It is imperative to note that smart contracts (as long as not upgradeable) cannot be modified. Once a smart contract is deployed, the source code remains forever, unable to change. Thus, a smart contract should be - ideally - without possibilities for a present attack nor future ones. To get closer to this goal, getting one's smart contracts audited is paramount, especially when it will deal with money and valuable assets. Especially when re-using code and introducing new logic, these things should be audited, even if the base contracts that were forked were already audited.

Here Comes ChainSafe

ChainSafe is a blockchain development company that loves to work with the community and wants to support a conducive environment for growth and collaboration. As part of that, ChainSafe offers services such as Smart Contract Auditing, Engineering Services, and R&D Consultancy, which people can utilize for their project. ChainSafe also offers OSS dev tooling that could be used and we encourage you to engage with us in our Community. Let's work together to stay [Chain]safe.