Really coin smart contract bug let


Pricing from 199 DAI per user. https://mythx.io/plans

  • Mythril Developed by some of the team that were behind MythX. Utilises dynamic symbolic execution. Open source and free to use.
  • Securify Online and open-source security scanner for Ethereum smart contracts that performs static analysis. Online version is free to use, but requires signing over rights to submitted source code.
  • Manticore Open source dynamic symbolic execution analysis tool. Can analyse Ethereum smart contracts and Linux ELF binaries. Appears to be actively maintained with multiple contributions to its Github repository over the last 3 months.
  • Smartcheck Online and open source static analysis tool that translates Ethereum Solidity code into an XML-based representation, which it then checks against security patterns.

  • Available at: https://www.bestpractice.ai/studies/jpmorgan_reduced_lawyers_hours_by_360_000_annually_by_automating_loan_agreement_analysis_with_machine_learning_software_coin [Accessed 14 Nov. 2018].

    [6] J. P. Morgan 2016 Annual Report. [online] Available at: https://www.jpmorganchase.com/corporate/investor-relations/document/2016-annualreport.pdf [Accessed 14 Nov. 2018].

    [7] J. P. Morgan (@jpmorgan) “Showcasing Innovation: A quick look at how $JPM is using machine learning.” Feb 28, 2017, 1:41pm. Tweet. Available at: https://twitter.com/jpmorgan/status/836692784652435460

    [8] J. P. Morgan 2016 Annual Report. [online] Available at: https://www.jpmorganchase.com/corporate/investor-relations/document/2016-annualreport.pdf [Accessed 14 Nov. 2018].

    [9] Sennaar, Kumba. “AI in Banking – An Analysis of America’s 7 Top Banks.” TechEmergence, 29 Oct.

    Unit testing a smart contract to find errors is one of the most common methods of dynamic analysis.

    Automated dynamic analysis techniques are split into two main categories: concrete and symbolic execution.

    • Concrete execution involves running the smart contract as normal against carefully crafted test cases provided by the user. A common dynamic concrete execution technique is fuzzing, where malformed input is provided to a smart contract in an attempt to discover a vulnerability.
    • Symbolic execution executes the smart contract in an emulated environment using symbolic variables and tracking the state of the smart contract throughout program execution.
      At each conditional branch the analyser follows every path and saves the path condition.

    The bank processes over 12,000 credit agreements per year, which are far less complex than contracts that might better suit human review, such as custom M&A agreements. [7]

    And the bank appears well suited to expand its use of machine learning in legal work. JPMorgan is already exploring other opportunities to tackle attorney costs. [8] In the short term, it intends to deploy COIN for more complex filings, such as credit-default swaps and custody agreements. [9] In the medium and long term, the bank also hopes to use machine learning to interpret altogether new regulations (questions of “first impression,” as lawyers often call them). [10] The idea is to move beyond data classification to data interpretation.

    JPMorgan is solving an important problem for its own business while encouraging a more efficient legal industry.

    The bank reports that the algorithm classifies clauses into one of about one hundred and fifty different “attributes” of credit contracts. [5] For example, it may note certain patterns based on clause wording or location in the agreement.

    The software reviews in seconds the number of contracts that previously took lawyers over 360,000 man-hours. JPMorgan’s economic incentive to develop the product is thus self-evident.

    But what’s more: the algorithm is more accurate than human lawyers. [6] So the bank’s investment in the technology is not just about costs, but also about quality since COIN improves the accuracy of the contract review process.

    While automated “technology-assisted legal review” solutions are not new, JPMorgan benefits from the large scale and low variability it has in credit contracts.


  • Octopus Octopus supports basic analysis of smart contracts, allowing contract disassembly, control flow analysis and conversion of byte code into an Intermediate Representation. Although it is one of the few tools we found that supports both Ethereum’s EVM and EOS’ WASM byte code formats, it currently cannot run a vulnerability analysis. That is planned in the future through dynamic symbolic execution. Its Github repository does not show much sign of recent activity.

    Conclusion

    Automated vulnerability analysis is a burgeoning field that will help secure smart contracts.

    There are a variety of tools available, but these primarily target the Ethereum ecosystem.

    The haul totaled $31 million in tokens on the Ethereum or Polygon blockchains, both of which the MonoX protocol supports.

    The hack specifically used the same token for both the tokenIn and tokenOut functions, which are used to exchange the value of one token for another. After each trade, MonoX calculates new prices for both tokens and updates the pricing.

    The price of tokenIn—the token provided by the user—decreases when the swap is completed, while the price of tokenOut—the token received by the user—increases. The hacker dramatically inflated the price of the MONO token by using the same token for both tokenIn and tokenOut because the tokenOut price change overwrote the tokenIn price update.
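The price-update ordering described above can be modelled in a few lines. The following is an added example written for this page, not MonoX's code: a toy single-sided pool whose per-trade price impact (the fixed fraction `k`) and starting prices are constructed, invented values. It shows why the second write wins when tokenIn and tokenOut are the same key, and what the hardened pool does differently.

```python
"""Toy model of a single-sided pool's price bookkeeping (constructed example,
not MonoX's code). Each token is priced against vCASH; a swap lowers the
price of tokenIn and raises the price of tokenOut. When tokenIn == tokenOut
the tokenOut write overwrites the tokenIn write, so the price only ever
ratchets upward. The hardened variant rejects such a swap up front."""

from dataclasses import dataclass, field
import math


@dataclass
class Pool:
    prices: dict = field(default_factory=dict)  # symbol -> price in vCASH (assumed units)
    reject_same_token: bool = False              # the hardening switch

    def swap(self, token_in, token_out, k=0.05):
        """Apply one trade's price impact. k is a hypothetical fixed impact fraction."""
        if self.reject_same_token and token_in == token_out:
            raise ValueError("tokenIn and tokenOut must differ")
        new_in = self.prices[token_in] * (1 - k)    # computed from pre-trade state
        new_out = self.prices[token_out] * (1 + k)  # computed from pre-trade state
        self.prices[token_in] = new_in               # tokenIn update
        self.prices[token_out] = new_out             # tokenOut update; overwrites the
        return self.prices[token_out]                # line above when the keys are equal


def price_after_same_token_swaps(n, reject=False):
    """Price of MONO after n swaps of MONO for MONO. Returns None if rejected."""
    pool = Pool(prices={"MONO": 1.0, "USDC": 1.0}, reject_same_token=reject)
    try:
        for _ in range(n):
            pool.swap("MONO", "MONO")
    except ValueError:
        return None
    return pool.prices["MONO"]


def distinct_swap_moves_opposite_ways():
    """Sanity check for the normal path: tokenIn falls, tokenOut rises."""
    pool = Pool(prices={"MONO": 1.0, "USDC": 1.0})
    pool.swap("MONO", "USDC")
    return pool.prices["MONO"] < 1.0 < pool.prices["USDC"]


def ratchet_detected(n):
    """Invariant a monitor could apply: a swap that names one token on both
    sides must not change that token's price. The vulnerable pool breaks it."""
    before = 1.0
    after = price_after_same_token_swaps(n)
    return after is not None and not math.isclose(before, after)


if __name__ == "__main__":
    print("vulnerable, 3 swaps:", price_after_same_token_swaps(3))
    print("hardened, 3 swaps:", price_after_same_token_swaps(3, reject=True))
    print("ratchet detected:", ratchet_detected(3))
```

The fix in the toy is the single `reject_same_token` check; the invariant in `ratchet_detected` is the kind of post-condition a test suite or on-chain monitor can assert independently of how the price formula is written.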

    On the Ethereum and Polygon blockchains, the hacker then swapped the token for $31 million worth of tokens.

    Blockchain startup MonoX Finance said on Wednesday that a hacker stole $31 million by exploiting a bug in software the service uses to draft smart contracts.

    The company uses a decentralized finance protocol known as MonoX that lets users trade digital currency tokens without some of the requirements of traditional exchanges. “Project owners can list their tokens without the burden of capital requirements and focus on using funds for building the project instead of providing liquidity,” MonoX company representatives say here. “It works by grouping deposited tokens into a virtual pair with vCASH, to offer a single token pool design.”

    An accounting error built into the company’s software let an attacker inflate the price of the MONO token and then use it to cash out all the other deposited tokens, MonoX Finance revealed in a post.

    After coming up with an adequate compensation plan we will work on unpausing after our security partners have given the OK.

  • Contacted large exchanges to monitor and possibly stop any wallet address linked to the attack
  • Collaborated with our security advisers to make progress in identifying the hacker and how to mitigate future risk
  • Cross-referenced Tornado Cash wallet interactions with wallets that also used our platform
  • Searched for any metadata left by front end interactions with our Dapp
  • Detailed and mapped wallet addresses that could be considered ‘suspicious’ based on their interaction with our product.
    • The analyser can then use the accumulated path conditions to reason on how to exactly trigger an identified vulnerability.
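The two steps described for symbolic execution (fork at every conditional and record the path condition; then use the saved conditions to derive a concrete input) are shown below as an added example, not code from any of the tools listed on this page. The program under analysis is a constructed three-branch decision tree over one symbolic input `x`, and the bounded brute-force search in `solve` stands in for the SMT solver a real engine would call.

```python
"""Toy symbolic executor over a tiny branching program (constructed example).
A node is either an If whose condition is a predicate over the symbolic
input x, or a leaf label. explore() walks every path and records the path
condition; solve() turns a path condition into a concrete input. The solver
is a bounded brute-force search, a stand-in for a real SMT solver."""

from dataclasses import dataclass
from typing import Callable, List, Tuple, Union

Cond = Tuple[str, Callable[[int], bool]]  # (readable text, predicate on x)


@dataclass
class If:
    cond: Cond
    then: "Node"
    else_: "Node"


Node = Union[If, str]


def explore(node: Node, path: Tuple[Cond, ...] = ()) -> List[Tuple[str, List[Cond]]]:
    """Return (leaf label, path conditions) for every path through the program."""
    if isinstance(node, str):
        return [(node, list(path))]
    text, pred = node.cond
    negated: Cond = ("not (" + text + ")", lambda v, p=pred: not p(v))
    return (explore(node.then, path + (node.cond,))
            + explore(node.else_, path + (negated,)))


def solve(conds: List[Cond], lo: int = -1000, hi: int = 1000):
    """Find one concrete x in [lo, hi] satisfying every condition, else None."""
    for v in range(lo, hi + 1):
        if all(p(v) for _, p in conds):
            return v
    return None


# Constructed program: a guard, a modular check, then a size check that
# reaches the labelled bug only on one specific path.
PROGRAM: Node = If(
    ("x > 0", lambda v: v > 0),
    If(("x % 7 == 3", lambda v: v % 7 == 3),
       If(("x > 500", lambda v: v > 500), "BUG", "ok"),
       "ok"),
    "revert",
)


def path_count(program: Node = PROGRAM) -> int:
    return len(explore(program))


def find_bug_inputs(program: Node = PROGRAM):
    """For each path ending in BUG, return its path condition and a witness x."""
    return [(" and ".join(t for t, _ in conds), solve(conds))
            for leaf, conds in explore(program) if leaf == "BUG"]


if __name__ == "__main__":
    for leaf, conds in explore(PROGRAM):
        print(leaf, "<-", " and ".join(t for t, _ in conds))
    print("bug witnesses:", find_bug_inputs())
```

The returned witness is exactly the reproducibility advantage mentioned below: the path condition is the test case, so the finding can be replayed without re-running the analysis.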

    But how does dynamic analysis fare against static analysis?

    Advantages of dynamic analysis:

    • Vulnerabilities identified are highly reproducible, as you have the inputs or path conditions required to trigger the vulnerability.
    • It allows for analysis of smart contracts to which you do not have access to the actual source code.

    Drawbacks of dynamic analysis:

    • Fuzzers typically require carefully crafted test cases to avoid identifying only shallow vulnerabilities.
    • Similar to static analysis, fuzzers have limited semantic insight into what parts of the input caused a vulnerability to be triggered. This makes it more difficult to trace a vulnerability back to the exact location in the code.
