Over the past few months, we have been conducting short “security reviews”, typically one or two days in duration. In some ways, these are similar to audits, but in other ways they’re quite different. In this post, I’ll share what these engagements are like and why you might want to hire us for one.
Photo by Evan Dennis on Unsplash The DeFi space has had a tumultuous couple months, with a number of attacks as well as unexploited vulnerabilities being reported. Bugs are unavoidable, but there are many things that can be done to reduce their frequency, and mitigate their negative effects. As auditors, we want to help, but in order to really get developers to truly prioritize security, users need to start asking tough questions, and putting their money into the protocols that can answer them thoughtfully.
The security risk profile for blockchain protocols and application is quite demanding. With high incentives to play foul and potentially severe consequences for all participants. No wonder we were surprised to find out that security was not yet explicitly part of Ethereum’s core change management process. Good thing, this finally changed.
This morning, I saw a link to Dharma’s IndestructibleRegistry. The idea behind this registry is that it keeps track of contracts that cannot be destroyed. It does this by verifying the contract’s bytecode on chain. In this post, I’ll show you how I managed to trick that verification and destroy an “indestructible” contract.