hack3r-0m

TSS Churn with 2 evil nodes

Currently TSS works by the system auto-generating a set of TSS invitees that collectively generate a new vault pubkey outside of process. Each node that participates in the signing ceremony then posts in their results into THORChain as a MsgTssPool.

Two evil nodes are able to front-run a TSS signing ceremony by posting in a fake TSS result and voting twice, which achieves consensus and creates a vault controlled by attacker, stealing funds (before the valid tx arrives).

Note: #thorsec team found a similar bug allowing spoofing ID which was patched in https://gitlab.com/thorchain/thornode/-/merge_requests/1922 - this vulnerability is similar but works even with the original ID spoof patch. After disclosure, MR 1922 also incorporated fixes to stop this attack presented below.

Difficulty

Sending Ether Cheat Sheet

TLDR

🥇 Instead of sending Ether, use the withdrawal pattern

🥈 If you really need to send Ether, use a safe wrapper like OpenZeppelin's Address.sendValue(addr, amount)

🥉 If you really need to send Ether without dependencies, use (bool success, ) = addr.call{value: amount}("")

Moved into a GitHub repository: cheatsheet.sol🔗

Upgrade to at least 0.8.4

Using newer compiler versions and the optimizer gives gas optimizations and additional safety checks for free!

The advantages of versions 0.8.* over <0.8.0 are:

Safemath by default from 0.8.0 (can be more gas efficient than some library based safemath).
Low level inliner from 0.8.2, leads to cheaper runtime gas. Especially relevant when the contract has small functions. For

log4j RCE Exploitation Detection

You can use these commands and rules to search for exploitation attempts against log4j RCE vulnerability CVE-2021-44228

Grep / Zgrep

This command searches for exploitation attempts in uncompressed files in folder /var/log and all sub folders

sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log

	pragma solidity 0.6.6;
	pragma experimental ABIEncoderV2;

	import "https://github.com/Uniswap/uniswap-v2-core/blob/master/contracts/interfaces/IUniswapV2Pair.sol";
	import "https://github.com/Uniswap/uniswap-lib/blob/master/contracts/libraries/FixedPoint.sol";
	import "https://github.com/Uniswap/uniswap-lib/blob/master/contracts/libraries/FullMath.sol";
	import "https://github.com/Uniswap/uniswap-lib/blob/master/contracts/libraries/Babylonian.sol";
	import "https://github.com/Uniswap/uniswap-lib/blob/master/contracts/libraries/BitMath.sol";

	library SafeMath {

	#!/usr/bin/python3

	from python_graphql_client import GraphqlClient
	from json import dumps
	from asyncio import run
	from re import compile as re_compile
	from pytimeparse import parse

	reg = re_compile(r'^(\d+(\.\d+)?)')
	handle = None

	const converter = require("hex2dec");
	const Eth = require("ethjs");
	const eth = new Eth(new Eth.HttpProvider(process.env.INFURA));

	async function getERC20TransferByHash(hash) {
	const ethTxData = await eth.getTransactionByHash(hash);
	if (ethTxData === null) throw "TX NOT FOUND";
	if (
	ethTxData.input.length !== 138 \|\|
	ethTxData.input.slice(2, 10) !== "a9059cbb"

	# Ethereum helper methods
	# source this in your .bashrc or .zshrc file with `. ~/.ethrc`

	# --- Solidity sandbox ---
	# https://github.com/maurelian/solidity-sandbox
	scratch() {
	dir=$(pwd)
	cd ~/Documents/projects/solidity-sandbox \|\| exit
	bash newTest.sh $1
	cd "$dir" \|\| exit

	import { BigNumber, providers, Wallet } from "https://esm.sh/ethers";
	import { FlashbotsBundleProvider, FlashbotsBundleResolution } from "https://esm.sh/@flashbots/ethers-provider-bundle";

	const FLASHBOTS_AUTH_KEY = Deno.env.get('FLASHBOTS_AUTH_KEY');
	const WALLET_PRIVATE_KEY = Deno.env.get('WALLET_PRIVATE_KEY');

	const GWEI = BigNumber.from(10).pow(9);
	const PRIORITY_FEE = GWEI.mul(3);
	const LEGACY_GAS_PRICE = GWEI.mul(12);
	const BLOCKS_IN_THE_FUTURE = 2;