We offer service of RIDE smart-contract security audit.
We will make sure your project is not left with security holes.
People
Ilya “buggzy” Teterin. Information security expert since 2001, mostly “white-hat”.
Artem “bodrych” Badrtdinov. Information security specialist by degree.
Case: Neutrino stablecoin
What is Neutrino stablecoin: an algorithmic stablecoin project backed by WAVES founder Sasha Ivanov
Description: An attacker can predict the stablecoin's exchange rate and extract extremely large profits from trading.
Threat: The smart contract's balance steadily drains to the attacker.
Limitation: none
Type of attack: weak architectural design
Proof in blockchain:
https://wavesexplorer.com/address/3P6bXu74Bf3dF4B19Y15i4rfB9BngzLFeu9/tx
Case: WAVESBET
What is WAVESBET: blockchain gambling software backed by John McAfee
Description: An attacker can craft a specific transaction to get a 100% chance of winning his bet.
Threat: Withdrawal of all tokens from the contract in one action.
Limitation: The attacker must own a mining node.
Type of attack: manipulation of the blockchain's random number generator.
Case: Ventuary DAO
What is Ventuary DAO: crowdfunding platform backed by the WAVES LABS incubator
Description: An attacker can arbitrarily multiply his account value, then withdraw all tokens from the contract.
Threat: Withdrawal of all tokens from the contract over several transactions.
Limitation: The attacker must have an account with a successful crowdfunding campaign.
Type of attack: double spend
Proof in blockchain (triple spend, actually unlimited):
https://wavesexplorer.com/tx/AR8sqidQLukEtM9dhBMRMMZ2MjgGPtSB3Vr7jMGUnB81
https://wavesexplorer.com/tx/FY8xyob8aDZobcLo4yGRKad3uhE28wj36DH4Q2aeeTEE
https://wavesexplorer.com/tx/4xa7ViuEouVQ5JnL7ZE6gSQyNghVatSUVQPnJVRNn68K
Case: play2win (ethereum)
What is play2win: ranked #1 by dappradar in the category “ethereum/gambling”
Description: An attacker can predict the bet result and cancel the bet if it is unlucky.
Limitation: The game's owners generally keep payouts from this contract disabled even when a bet has been won. But sometimes payouts are enabled, and the attacker can win one or two bets before payouts are disabled again.
Threat: The attacker withdraws the balance by winning all his bets.
Type of attack: bet cancellation inside the block currently being mined
Case: space dice (ethereum)
What is space dice: an indie game on the Ethereum blockchain, currently being redesigned to a commit-reveal architecture because of the breach described here
Description: An attacker can predict the bet result and cancel the bet if it is unlucky.
Limitation: none
Threat: The attacker withdraws the balance by winning all his bets.
Type of attack: bet cancellation inside the block currently being mined
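The commit-reveal design mentioned above is the standard mitigation for the last two cases: the house commits to a secret seed before any bet is accepted, a placed bet is final, and the outcome is derived from the revealed seed plus per-bet data, so nobody can learn the result while the bet is still cancellable. The following is an added, simplified model of that pattern written for this page; it is not code from space dice, play2win or the audit team, and the round ids, player names, stakes and seed are constructed sample values. A real deployment also needs a reveal deadline that forfeits the house's bond if it refuses to reveal, which this model omits.

```python
"""Simplified model of commit-reveal for an on-chain dice game.

Added example only; not code from the projects listed on the page. It models
the defensive property that matters for the "bet cancellation" cases:
a bet cannot be withdrawn once accepted, and the roll is unknowable to
everyone until the house reveals a seed it committed to beforehand.
"""
import hashlib
import secrets


def h(data: bytes) -> bytes:
    """Commitment hash; stands in for keccak256 on an EVM chain."""
    return hashlib.sha256(data).digest()


def roll_die(seed: bytes, round_id: int, player: str) -> int:
    """Roll fixed by the committed seed plus per-bet data (1..6).

    The seed is committed before the bet, so the house cannot steer the
    result; the seed is secret until reveal, so the player cannot predict it.
    """
    digest = h(seed + round_id.to_bytes(8, "big") + player.encode())
    return int.from_bytes(digest[:8], "big") % 6 + 1


class CommitRevealDice:
    def __init__(self) -> None:
        self.commitments = {}  # round_id -> house commitment H(seed)
        self.bets = {}         # round_id -> list of (player, guess, stake)
        self.settled = {}      # round_id -> {player: payout}

    def house_commit(self, round_id: int, commitment: bytes) -> None:
        # The house publishes H(seed) before any bet is taken for the round.
        if round_id in self.commitments:
            raise ValueError("round already committed")
        self.commitments[round_id] = commitment

    def place_bet(self, round_id: int, player: str, guess: int, stake: int) -> None:
        if round_id not in self.commitments or round_id in self.settled:
            raise ValueError("round not open for bets")
        if not 1 <= guess <= 6 or stake <= 0:
            raise ValueError("invalid bet")
        self.bets.setdefault(round_id, []).append((player, guess, stake))

    def cancel_bet(self, round_id: int, player: str) -> None:
        # Deliberately unsupported: a bet is final the moment it is accepted.
        # The vulnerable games let a bet be cancelled in the same block once
        # its outcome became predictable; refusing here closes that option.
        raise PermissionError("bets cannot be cancelled once placed")

    def house_reveal(self, round_id: int, seed: bytes) -> dict:
        """Verify the seed against the commitment and settle every bet."""
        commitment = self.commitments.get(round_id)
        if commitment is None or h(seed) != commitment:
            raise ValueError("seed does not match commitment")
        if round_id in self.settled:
            raise ValueError("round already settled")
        payouts = {}
        for player, guess, stake in self.bets.get(round_id, []):
            roll = roll_die(seed, round_id, player)
            payouts[player] = stake * 6 if roll == guess else 0
        self.settled[round_id] = payouts
        return payouts


def demo_round() -> dict:
    """One full round with a constructed player and a fresh random seed."""
    game = CommitRevealDice()
    seed = secrets.token_bytes(32)  # kept private by the house until reveal
    game.house_commit(7, h(seed))
    game.place_bet(7, "constructed-player", 4, 10)
    try:
        game.cancel_bet(7, "constructed-player")
    except PermissionError:
        pass  # expected: the bet stays locked
    return game.house_reveal(7, seed)


if __name__ == "__main__":
    print(demo_round())
```

The two checks that matter are in place_bet and house_reveal: no bet is accepted before a commitment exists, and no reveal is accepted unless it hashes to that commitment. Everything else is bookkeeping.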
Contacts
Telegram: @buggzy2 @bodrych