hack3r-0m

## cheatsheet.sol
// SPDX-License-Identifier: MIT
// ^ recommended, included machine readable in bytecode metadata
// Software Package Data Exchange is an open standard

pragma solidity ^0.8.7;
// ^ floating pragma, min 0.8.7 max excluding 0.9.0
// same as complex pragma: pragma solidity >=0.8.7 <0.9.0;
// major.breakingchanges.bugfixes
// only makes the compiler check for compatibility and throws error if not matching!
// should only be floating during development, fixed everywhere during testing & deployment

## sending-ether-cheat-sheet.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              27 stars
            
          
                karmacoma-eth
                / sending-ether-cheat-sheet.md
            
            
              Last active Nov 26, 2021
            
              
                Sending Ether Cheat Sheet
              
          
      View sending-ether-cheat-sheet.md
  
      
    Sending Ether Cheat Sheet
TLDR
🥇 Instead of sending Ether, use the withdrawal pattern
🥈 If you really need to send Ether, use a safe wrapper like OpenZeppelin's Address.sendValue(addr, amount)
🥉 If you really need to send Ether without dependencies, use (bool success, ) = addr.call{value: amount}("")

  
## thorchain_vulnerability_tss.md

      
              1 file
            
          
              0 forks
            
          
              1 comment
            
          
              1 star
            
          
                HildisviniOttar
                / thorchain_vulnerability_tss.md
            
            
              Last active Nov 13, 2021
            
              
                THORChain vulnerability TSS
              
          
      View thorchain_vulnerability_tss.md
  
      
    TSS Churn with 2 evil nodes
Currently TSS works by the system auto-generating a set of TSS invitees that collectively generate a new vault pubkey outside of process. Each node that participates in the signing ceremony then posts in their results into THORChain as a MsgTssPool.
Two evil nodes are able to front-run a TSS signing ceremony by posting in a fake TSS result and voting twice, which achieves consensus and creates a vault controlled by attacker, stealing funds (before the valid tx arrives).
Note: #thorsec team found a similar bug allowing spoofing ID which was patched in https://gitlab.com/thorchain/thornode/-/merge_requests/1922 - this vulnerability is similar but works even with the original ID spoof patch. After disclosure, MR 1922 also incorporated fixes to stop this attack presented below.
Difficulty

  
## .ethrc.sh
# Ethereum helper methods
# source this in your .bashrc or .zshrc file with `. ~/.ethrc`

# --- Token addresses ---
aave=0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9
comp=0xc00e94Cb662C3520282E6f5717214004A7f26888
crv=0xD533a949740bb3306d119CC777fa900bA034cd52
dai=0x6B175474E89094C44Da98b954EedeAC495271d0F
gtc=0xDe30da39c46104798bB5aA3fe8B9e0e1F348163F
mkr=0x9f8F72aA9304c8B593d555F12eF6589cC3A579A2

## parseErc20Transfer.js
const converter = require("hex2dec");
const Eth = require("ethjs");
const eth = new Eth(new Eth.HttpProvider(process.env.INFURA));

async function getERC20TransferByHash(hash) {
  const ethTxData = await eth.getTransactionByHash(hash);
  if (ethTxData === null) throw "TX NOT FOUND";
  if (
    ethTxData.input.length !== 138 ||
    ethTxData.input.slice(2, 10) !== "a9059cbb"

## catch.py
#!/usr/bin/python3

from python_graphql_client import GraphqlClient
from json import dumps
from asyncio import run
from re import compile as re_compile
from pytimeparse import parse

reg = re_compile(r'^(\d+(\.\d+)?)')
handle = None

## transparent.vim
" for transparent background
function! AdaptColorscheme()
   highlight clear CursorLine
   highlight Normal ctermbg=none
   highlight LineNr ctermbg=none
   highlight Folded ctermbg=none
   highlight NonText ctermbg=none
   highlight SpecialKey ctermbg=none
   highlight VertSplit ctermbg=none
   highlight SignColumn ctermbg=none

## dydxFlashLoanTemplate.sol
// SPDX-License-Identifier: AGPL-3.0-or-later

// The ABI encoder is necessary, but older Solidity versions should work
pragma solidity ^0.7.0;
pragma experimental ABIEncoderV2;

// These definitions are taken from across multiple dydx contracts, and are
// limited to just the bare minimum necessary to make flash loans work.
library Types {
    enum AssetDenomination { Wei, Par }

## ChildERC20.sol
// File: contracts/child/ChildToken/ChildERC20.sol

pragma solidity 0.6.6;

contract ChildERC20 is
    ERC20,
    IChildToken,
    AccessControlMixin,
    NativeMetaTransaction,
    ChainConstants,

## api.js
const axios = require('axios').default
const API_BASE_URL = 'https://api.spacexdata.com/v3'

const API = axios.create({
  baseURL: API_BASE_URL
})

/*
 * setting interceptors to be able
 * to know response time of the each request
	// SPDX-License-Identifier: MIT
	// ^ recommended, included machine readable in bytecode metadata
	// Software Package Data Exchange is an open standard

	pragma solidity ^0.8.7;
	// ^ floating pragma, min 0.8.7 max excluding 0.9.0
	// same as complex pragma: pragma solidity >=0.8.7 <0.9.0;
	// major.breakingchanges.bugfixes
	// only makes the compiler check for compatibility and throws error if not matching!
	// should only be floating during development, fixed everywhere during testing & deployment
	# Ethereum helper methods
	# source this in your .bashrc or .zshrc file with `. ~/.ethrc`

	# --- Token addresses ---
	aave=0x7Fc66500c84A76Ad7e9c93437bFc5Ac33E2DDaE9
	comp=0xc00e94Cb662C3520282E6f5717214004A7f26888
	crv=0xD533a949740bb3306d119CC777fa900bA034cd52
	dai=0x6B175474E89094C44Da98b954EedeAC495271d0F
	gtc=0xDe30da39c46104798bB5aA3fe8B9e0e1F348163F
	mkr=0x9f8F72aA9304c8B593d555F12eF6589cC3A579A2
	const converter = require("hex2dec");
	const Eth = require("ethjs");
	const eth = new Eth(new Eth.HttpProvider(process.env.INFURA));

	async function getERC20TransferByHash(hash) {
	const ethTxData = await eth.getTransactionByHash(hash);
	if (ethTxData === null) throw "TX NOT FOUND";
	if (
	ethTxData.input.length !== 138 \|\|
	ethTxData.input.slice(2, 10) !== "a9059cbb"
	#!/usr/bin/python3

	from python_graphql_client import GraphqlClient
	from json import dumps
	from asyncio import run
	from re import compile as re_compile
	from pytimeparse import parse

	reg = re_compile(r'^(\d+(\.\d+)?)')
	handle = None
	" for transparent background
	function! AdaptColorscheme()
	highlight clear CursorLine
	highlight Normal ctermbg=none
	highlight LineNr ctermbg=none
	highlight Folded ctermbg=none
	highlight NonText ctermbg=none
	highlight SpecialKey ctermbg=none
	highlight VertSplit ctermbg=none
	highlight SignColumn ctermbg=none
	// SPDX-License-Identifier: AGPL-3.0-or-later

	// The ABI encoder is necessary, but older Solidity versions should work
	pragma solidity ^0.7.0;
	pragma experimental ABIEncoderV2;

	// These definitions are taken from across multiple dydx contracts, and are
	// limited to just the bare minimum necessary to make flash loans work.
	library Types {
	enum AssetDenomination { Wei, Par }
	// File: contracts/child/ChildToken/ChildERC20.sol

	pragma solidity 0.6.6;

	contract ChildERC20 is
	ERC20,
	IChildToken,
	AccessControlMixin,
	NativeMetaTransaction,
	ChainConstants,
	const axios = require('axios').default
	const API_BASE_URL = 'https://api.spacexdata.com/v3'

	const API = axios.create({
	baseURL: API_BASE_URL
	})

	/*
	* setting interceptors to be able
	* to know response time of the each request