Maurelian maurelian
View RustSecurity.md

About Rust security and auditing

  • Review clippy warnings; most of the time they are benign or irrelevant, but they can help spot red flags.
  • Build and run all the unit tests, assess the code coverage, and keep note of the un(der)tested components.
  • Review the dependencies listed in Cargo.toml and Cargo.lock: will the latest version be used (usually preferable, but not always the right choice)? Are these established, trustworthy packages? The cargo audit subcommand checks Cargo.lock against the RustSec advisory database (thanks @dues__ for the pointer).
  • Look for unsafe blocks, and evaluate the risk (can an attacker control the input used in these blocks? etc.)
  • Look for risky uses of unwrap(), which can cause panics, as opposed to pattern-matched error
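The unwrap() item above, as an added example that is not part of the gist: a handler that parses a constructed, attacker-controlled length-prefixed frame (`"<len>:<body>"`, a format assumed for illustration). `parse_len_unwrap` is the pattern an auditor flags; `parse_frame` is the same logic with every failure turned into a `FrameError` value the caller must handle. The names `parse_frame`, `FrameError` and `unwrap_panics` are this example's own.

```rust
use std::num::ParseIntError;

/// Risky version: both unwrap() calls are panics reachable from untrusted
/// input. In a server, a panic in the request path is at least a denial of
/// service (and with panic=abort it takes the whole process down).
pub fn parse_len_unwrap(input: &str) -> usize {
    let (len_str, _body) = input.split_once(':').unwrap(); // panics if no ':'
    len_str.parse::<usize>().unwrap()                       // panics if not a number
}

/// Every way the frame can be malformed, as a value rather than a panic.
#[derive(Debug, PartialEq)]
pub enum FrameError {
    MissingSeparator,
    BadLength(ParseIntError),
    LengthMismatch { declared: usize, actual: usize },
}

/// Hardened version: pattern-match (or `?`) instead of unwrap(), so malformed
/// input becomes an Err the caller can log, reject, or rate-limit.
pub fn parse_frame(input: &str) -> Result<&str, FrameError> {
    let (len_str, body) = match input.split_once(':') {
        Some(parts) => parts,
        None => return Err(FrameError::MissingSeparator),
    };
    let declared = len_str.parse::<usize>().map_err(FrameError::BadLength)?;
    if declared != body.len() {
        return Err(FrameError::LengthMismatch { declared, actual: body.len() });
    }
    Ok(body)
}

/// True if the unwrap() version panics on `input`: the audit finding made
/// observable without crashing the caller.
pub fn unwrap_panics(input: &str) -> bool {
    std::panic::catch_unwind(|| parse_len_unwrap(input)).is_err()
}

fn main() {
    // Constructed inputs: one well-formed frame and three malformed ones.
    for input in ["5:hello", "hello", "x:hello", "9:hello"] {
        println!("{input:?} -> {:?}", parse_frame(input));
    }
}
```

When reviewing, grep for `.unwrap()` and `.expect(` and ask of each one whether the value it unwraps can be influenced by input that crosses a trust boundary; the ones that can are the findings.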
View gist:c6078a6a6e0a7bcf3fed22bc9e363330
This post links my 3Box profile to my Github account! Web3 social profiles by 3Box.
✅ did:muport:QmfDuJZ7fXN9PQCFEqpGdQuQhw5RePG6zBhmt75BZnpmh5 ✅
Create your profile today to start building social connection and trust online at https://3Box.io/
View delegatesToLib.asm
======= /Users/primary/Projects/Audits/0x-monorepo/contracts/exchange/contracts/src/delegatesToLib.sol:Math =======
EVM assembly:
/* "/Users/primary/Projects/Audits/0x-monorepo/contracts/exchange/contracts/src/delegatesToLib.sol":25:312 library Math {... */
dataSize(sub_0)
dataOffset(sub_0)
/* "--CODEGEN--":132:134 */
0x0b
/* "--CODEGEN--":166:173 */
dup3
View delegatesToLib.sol
pragma solidity ^0.5.9;
library Math {
    // A public library function is not inlined: callers reach it via DELEGATECALL.
    function add(uint a, uint b) public returns (uint) {
        return a + b;
    }
}
contract UsesMath {
    using Math for uint;
}
View audit_prep_checklist.md

Feel free to copy and paste this list into a README, issue or elsewhere in your project.

Audit prep checklist (reference)

  • Documentation (a plain-English description of what you are building and why you are building it; it should indicate the actions and states that should and should not be possible)
    • For the overall system
    • For each unique contract within the system
  • Clean code
    • Run a linter (like Ethlint)
    • Fix compiler warnings
View nsloc.md

NSLOC stands for 'Normalized Source Lines of Code', a custom measurement we use (among others) when evaluating the complexity of a codebase.

To get the NSLOC count of a file:

  1. For all functions, reduce any multiline function declaration to a single line.
  2. Remove all comments.
  3. Remove all empty lines.
  4. Count the remaining lines.

Example:

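As an added worked example (not from the gist, and not the tool the author uses), the four steps as a small counter for Solidity source written against the Rust standard library only. It strips comments before joining declarations (step 2 before step 1): a `//` comment inside a multiline declaration would otherwise be swallowed into the joined line, and the resulting count is the same. The sample contract is constructed for the example.

```rust
/// Step 2: remove `//` and `/* */` comments. String literals are respected so
/// a `//` inside one is not treated as a comment; newlines inside block
/// comments are kept so the code after them stays on its own line.
pub fn strip_comments(src: &str) -> String {
    #[derive(Clone, Copy, PartialEq)]
    enum State { Code, Str(char), Line, Block }
    let mut out = String::with_capacity(src.len());
    let mut state = State::Code;
    let mut chars = src.chars().peekable();
    while let Some(c) = chars.next() {
        match state {
            State::Code => match c {
                '/' if chars.peek() == Some(&'/') => { chars.next(); state = State::Line; }
                '/' if chars.peek() == Some(&'*') => { chars.next(); state = State::Block; }
                '"' | '\'' => { out.push(c); state = State::Str(c); }
                _ => out.push(c),
            },
            State::Str(quote) => {
                out.push(c);
                if c == '\\' {
                    if let Some(escaped) = chars.next() { out.push(escaped); }
                } else if c == quote {
                    state = State::Code;
                }
            }
            State::Line => if c == '\n' { out.push('\n'); state = State::Code; },
            State::Block => {
                if c == '\n' { out.push('\n'); }
                else if c == '*' && chars.peek() == Some(&'/') { chars.next(); state = State::Code; }
            }
        }
    }
    out
}

/// Step 1: collapse a `function` declaration spread over several lines into one
/// trimmed line. The declaration ends at the line that opens the body with `{`,
/// or at a line ending in `;` for an interface/abstract function.
pub fn join_declarations(src: &str) -> Vec<String> {
    let mut lines = Vec::new();
    let mut pending: Option<String> = None;
    for raw in src.lines() {
        let line = raw.trim();
        if let Some(mut decl) = pending.take() {
            if !line.is_empty() { decl.push(' '); decl.push_str(line); }
            if line.contains('{') || line.ends_with(';') { lines.push(decl); } else { pending = Some(decl); }
            continue;
        }
        let opens_decl = line.starts_with("function ") || line.starts_with("function(");
        if opens_decl && !line.contains('{') && !line.ends_with(';') {
            pending = Some(line.to_string());
        } else {
            lines.push(line.to_string());
        }
    }
    if let Some(decl) = pending { lines.push(decl); }
    lines
}

/// Steps 3 and 4: drop empty lines and count what is left.
pub fn nsloc(src: &str) -> usize {
    let code = strip_comments(src);
    join_declarations(&code).iter().filter(|l| !l.is_empty()).count()
}

/// Constructed sample (not a real contract) exercising each rule.
pub const SAMPLE: &str = r#"
pragma solidity ^0.5.9;

/// Doc comment that must not count.
contract Vault {
    mapping(address => uint) balances; // trailing comment

    /* block comment
       over two lines */
    function deposit()
        external
        payable
    {
        balances[msg.sender] += msg.value;
    }

    function withdraw(
        uint amount
    ) external {
        require(balances[msg.sender] >= amount, "no // comment here");
        balances[msg.sender] -= amount;
        msg.sender.transfer(amount);
    }
}
"#;

fn main() {
    println!("NSLOC = {}", nsloc(SAMPLE)); // 12 for the sample above
}
```

The sample counts 12: the pragma, the contract line, the mapping, two one-line declarations, five statements and two closing braces; the doc comment, trailing comment and block comment contribute nothing, and the `//` inside the `require` string is left alone.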
maurelian / SpankChainHack.sol
Last active Oct 12, 2018
ctrl+f for 'Hack Note' for a few annotations of red flags
View SpankChainHack.sol
// Taken from https://etherscan.io/address/0xf91546835f756da0c10cfa0cda95b15577b84aa7#code
// Story: https://medium.com/spankchain/we-got-spanked-what-we-know-so-far-d5ed3a0f38fe
// Newsletter: https://tinyletter.com/smart-contract-security/archive
pragma solidity ^0.4.23;
// produced by the Solididy File Flattener (c) David Appleton 2018
// contact : dave@akomba.com
// released under Apache 2.0 licence
contract Token {
/* This is a slight change to the ERC20 base standard.
View typechecking.sol
pragma solidity ^0.4.0;
contract ISomething {
    function fooSomething() returns(uint);
}
contract BarGuy {
    // This internal function uses the type system for additional safety guarantees on the input address:
    // the caller must pass an ISomething, not a bare address.
    function barThing(ISomething _iSomething) internal returns(uint) {
        uint x = _iSomething.fooSomething();
        return x;
    }
}
View gist:6c6ee72b2d63efc5d17db5d07cc04a85
pragma solidity ^0.4.24;
contract Delegator {
    bytes32 controllerLookupName = 0xabba;
    function() external payable {
        // Do nothing if we haven't properly set up the delegator to delegate calls
        // if (controllerLookupName == 0) {
        //     return;
        // }
    }
}
View learningToLearn1.md

Learning to learn (how a contract system works): Week 1

One of the biggest challenges in auditing is quickly ramping up on a system. The faster I can do this, the more time and capacity I have for finding real issues with it. I'm working my way through the extremely popular "Learning to Learn" course on Coursera, in order to help me improve at this.

My notes summarize the course content, and describe specific implications for how to learn and understand a smart contract system more quickly and deeply.

Focused and Diffuse modes of thinking

Learning and understanding require a combination of two modes of thought: Focused and Diffuse.
