Blog

How to integrate with EigenLayer securely?

EigenLayer Integration for developers and auditors. This article is valid for EigenLayer v0.2.5 (M2), as opposed to the first mainnet version M1. EigenLayer has been in the hype tornado for the past few months as it enables services secured with PoS like L2s, bridges, oracles, collectively known as Actively Validated Services (AVS), to easily bootstrap…

Read More

Merkle Mountain Range (MMR): the case of Herodotus

A Merkle Proof is a cryptographically authenticated data structure widely used to minimize on-chain data storage. For instance, a Merkle proof against a Merkle root can support airdrop claims from a smart contract. Similarly, a Merkle Patricia Trie proof can verify the existence of a key-value pair in Ethereum’s state Trie. In this blog, we’ll…

Read More

StarkNetID auto-renewal explainer

StarkNet ID recently launched a subscription feature for users. An auto-renewal contract has been implemented that facilitates the renewal of a user’s domain. This article explains the core functionality of this subscription feature, which we reviewed in our smart contract audit. Sections: TLDR: Are my ETH approved for the contract safe from privileged roles? Technical…

Read More

TSTORE Low Gas Reentrancy

In the upcoming Cancun hardfork, Ethereum will add a new exciting feature to its Ethereum Virtual Machine (EVM). Transient storage (EIP-1153) will be available to developers as a new data location for storing data with the lifespan of one transaction. The EIP states that transient storage “behaves identically to storage, except that transient storage is…

Read More

Circom assertions: misconceptions and deceptions

TL;DR: Assertions do not add any constraints. Recently we stumbled upon Circom’s assert() statements that were used to enforce some constraints in a project implementing a UTXO-based optimistic privacy-preserving L2. Sadly, it is not a magic tool that allows programmers to go over the complexity of expressing some non-trivial constraints. This article is not meant…

Read More

How To Read Smart Contract Audit Reports

Having smart contracts audited is necessary if they are to serve a meaningful purpose. It is also essential that all stakeholders of a project read its audit report, so that the project and its security outlook are understood at a deeper level. However, audit reports are technical documents and reading them can prove…

Read More

Denial-of-Service Attacks In DeFi: The Balancer-Synthetix Case

How can a DeFi project’s entire liquidity become inaccessible in an instant? In this article, we explore a type of Denial-of-Service attack vector, namely Denial-of-Service by affecting internal token balances. This particular vulnerability arises when a Balancer multi-token flash loan is taken out for tokens with double entry points. First, we will go over the…

Read More

Curve LP Oracle Manipulation: Post Mortem

On April 14, we informed Curve and affected projects about a read-only reentrancy vulnerability in some Curve pools. More specifically, the value of function get_virtual_price can be manipulated by reentering it during the removal of liquidity. Now, since all teams secured their projects, we are happy to share the technical details. Background: Curve is an…

Read More

Heartbreaks & Curve LP Oracles

It’s easy to get tricked by lies and deception when you’re blinded by beauty. Taking off rose-colored glasses can be heartbreaking but getting them smashed on your face will be disastrous. Oracle manipulations are quite similar. They deceive you into not seeing the true value of something. Once you realize, the world around you is…

Read More

Why is Oracle Manipulation after the Merge so cheap? Multi-Block MEV.

Proof of Stake is coming. Ethereum’s Merge is coming soon™ and will be moving the network from PoW to PoS. This is a consensus layer change and will have relatively few effects on the application layer. However, there is a consensus layer change that can affect the security model of certain smart contracts: The way…

Read More