Author: GIORGIO BONUCCELLI

  • Ethdenver 2024 | Dedaub Showcases Its Web3 Security Technology

    Dedaub is excited to participate in ETHDenver 2024. During the conference, Dedaub will showcase its advanced security technology solutions. Its team members will discuss the safety of Web3 applications, build partnerships, and share insights to enhance security standards within the Web3 ecosystem.

    Visit Dedaub at Booth #251 in Devtopia at ETHDenver 2024!

    Dedaub’s booth, #251, is in the vibrant Devtopia space. We invite technology enthusiasts to visit and attend one of the Suite demos, where we’ll explore the cutting-edge capabilities of static analysis, formal verification, and the Monitoring and Alerting service.

    In the demo, you will have the opportunity to learn about our tools that utilize formal analysis and statistical learning to examine possible states and paths of Smart Contracts, efficiently identifying vulnerabilities. Additionally, you will see how our customizable agents can provide essential insights into on-chain activities. Check out the Demo calendar on our Dedaub booth playbook.

    Moreover, it is an excellent opportunity to interact with our team and discover how we can safeguard your Web3 projects.

    Spotlight | Dedaub Talk

    One of the main events during Dedaub’s participation at ETHDenver 2024 will be a talk by co-founder Yannis Smaragdakis, a respected authority on blockchain security. The presentation is scheduled for February 29, 2024, at 4:25 PM: “All Your Contract Are Belong to Us: Analyzing All Deployed SCs”

    Every time there is a need to analyze a large number of Smart Contracts, Dedaub is the default partner–in war rooms, Ethereum Foundation impact studies, and widespread bugs.

    Dedaub has built on its leading EVM decompiler to produce technology for querying all EVM smart contracts ever deployed. The talk will go over cool recent cases:

    • Solidity compiler bug: “most deployed contract addresses contain mostly junk code!”
    • Helping the Ethereum Foundation study EVM changes
    • Ecosystem-level threats: use in major “war rooms,” e.g., ThirdWeb vulnerability.

    About @EthereumDenver 2024

    ETHDenver 2024, known as the Year of the SporkWhale, will occur in Denver from February 23 to March 3, 2024. It aims to turn the city into a hub for blockchain innovation. ETHDenver is a community-owned innovation festival powered by SporkDAO that offers a variety of activities, including workshops, technical presentations, bootcamps, and networking parties.

  • Dedaub Celebrates Seal’s Public Debut and the Launch of the Safe Harbor Initiative

    As a founding collaborator of the Security Alliance (SEAL), Dedaub celebrates SEAL’s public debut, a significant milestone in crypto security. The alliance consists of more than 50 Web3 and cybersecurity organizations. Its goal is to strengthen the security of the cryptocurrency ecosystem. Before its public debut, SEAL connected users, developers, and experts and offered free Web3 simulation exercises.

    SEAL’s dedication to setting high-security benchmarks within the crypto ecosystem aligns with our core capabilities. Dedaub is bringing to the table world-leading technologies and expertise in static and dynamic program analysis, reverse engineering, and ethical hacking. In the context of SEAL, we can contribute to developing more robust defense mechanisms against threats and ensure the blockchain ecosystem’s safety.

    Dedaub supports the Whitehat Safe Harbor initiative and SEAL proactivity. This empowers ethical hackers to use cutting-edge tools like MEV bots to monitor and safeguard projects easily. The goal is to respond to challenges and incidents like the Nomad bridge hack.

    Dedaub is proud to be part of SEAL, driving towards a more secure decentralized future.

    Seal’s Public Debut | The security culture

    By its very nature, the crypto market fosters a rigorous security culture. Its foundation on blockchain technology—a bastion of decentralized security—demands constant vigilance and innovation from its participants. It encourages the development of sophisticated security measures designed to protect against a wide range of threats.

    Crypto security constantly changes and adapts to meet the challenges of advanced threats. Its strength relies on its community’s knowledge and expertise, including developers, researchers, and users, who work together to protect the infrastructure. Their collective efforts safeguard the system, embodying the core values that make Web3 a unique, resilient, and ever-growing reality.

    Seal’s Public Debut | The security researchers’ playground

    Crypto offers an exciting platform for security researchers, including those from web2 backgrounds, due to its complex challenges, high stakes, and the immediate impact of their work. This field merges theoretical knowledge with practical application, creating a rich environment for problem-solving.

    Collaborating with SEAL through initiatives like SEAL Drills allows researchers to contribute while expanding their skill set significantly. These drills offer hands-on experience in real-world scenarios, enhancing their technical skills and understanding of blockchain intricacies. SEAL Drills prepare them to face formidable challenges and foster a collaborative learning atmosphere with seasoned experts, making an ideal space for deploying and honing their security skills.

    The collective and hands-on approach is crucial, especially when considering the advanced tools at our disposal, such as MEV bots, and the legal complexities surrounding their use.

    Seal’s Public Debut | The Impact of MEV Bots under the Safe Harbor Agreement

    The Whitehat Safe Harbor Agreement that SEAL promotes provides a legal framework for ethical hackers to conduct emergency rescues, primarily using MEV bots. This allows the community to monitor suspicious activities and take protective actions (when a protocol is under attack) without facing legal consequences.

    The open and decentralized nature of cryptocurrency, which includes public code and lack of gatekeepers, makes it susceptible to hacking attempts. Therefore, it is important that security researchers are incentivized to protect it as much as attackers are motivated to steal funds.

    In the past, many developers and security researchers were discouraged from assisting due to legal ambiguity with their employers. SEAL is promoting this initiative in response to community members who lamented that more people would help if a legal framework existed.

    Dedaub is committed to SEAL’s mission to protect decentralization and urges the community to join the cause.

    About Security Alliance (SEAL)

    Security Alliance (SEAL), established with the support of blockchain innovators, has quickly become a cornerstone in the advancement of Web3 security. This alliance represents a collaborative effort among premier experts, from audit firms to ethical hackers. It is dedicated to pushing the security boundaries in the Web3 space. As one of its founding members, Dedaub has been at the forefront of this initiative, driven by a mutual commitment to bolster Web3 security.

    SEAL operates as a US 501(c)(3) nonprofit organization with the mission to protect the decentralized internet. Bringing together a diverse group of security experts—including auditors, bug bounty hunters, foundation security leaders, security researchers, and ethical hackers—marks a significant step in social coordination across different web3/crypto ecosystem sectors.

    The alliance innovates with several key initiatives in the crypto ecosystem’s security framework. SEAL911 and SEAL Drills, for instance, are designed to provide immediate assistance and training against security threats, showcasing SEAL’s proactive approach to community support.

    Additionally, the Safe Harbor Agreement for Whitehats, spearheaded by SEAL, emphasizes the alliance’s forward-thinking strategy to prepare for and mitigate future security threats. This agreement lays down a legal framework enabling ethical hackers to contribute to the crypto ecosystem’s security without fearing legal repercussions.

    We invite the community to engage and provide feedback on the Whitehat Safe Harbor Agreement proposal hosted on Github. We welcome your insights until Pi Day, March 14, 2024.

  • Introducing Dedaub Tx Simulator Snap for Metamask

    At Dedaub, we have solid expertise in Smart Contract security, which allows us to contribute significantly to protecting the Web3 ecosystem, and we have recently achieved another milestone in our mission to establish trust and improve safety in the blockchain industry.

    We are thrilled to announce the launch of the Dedaub TX Simulator Snap, a tool to transform how users engage with blockchain transactions.

    What is the Dedaub TX Simulator Snap?

    The Dedaub TX Simulator Snap is a cutting-edge tool that enables users to simulate transactions, evaluate the reliability and credibility of the accounts involved, and determine the financial consequences of their actions. Leveraging the extensive Smart Contract Database of Dedaub in real time, it provides users with up-to-date and comprehensive insights to make informed decisions.

    How to Install Dedaub TX Simulator Snap

    1. Add to MetaMask: Click the ‘Add to MetaMask’ button.
    2. Grant Permissions: The Snap will request the necessary access permissions during installation.

    Frequently Asked Questions (FAQs)

    HOW DOES THE DEDAUB TRANSACTION SIMULATOR WORK?

    The Dedaub Transaction Simulator interfaces with Dedaub’s Smart Contract database, conducting real-time simulations of transactions that mirror the conditions of the specified network.

    WHAT ARE THE KEY BENEFITS OF USING THE DEDAUB TX SIMULATOR?

    • Cost Efficiency: Save on gas fees by avoiding reverted transactions.
    • Informed Decision-making: Understand the financial implications of transactions before sending them on-chain.
    • Detailed Analysis: Get a comprehensive overview of asset transfers, state changes, gas consumption, and more.

    HOW DO YOU INSTALL AND USE THE DEDAUB TX SIMULATOR?

    You can find the Dedaub snap at the official Metamask snap store.

    WHAT DOES THE SIMULATOR NOT DO?

    The Dedaub Transaction Simulator does not execute transactions on-chain. Instead, it simulates them based on the network’s current state. During the testing phase, it does not carry out any actual transactions.

    WHAT NETWORKS DOES THE SIMULATOR SUPPORT?

    The currently supported networks are Ethereum Mainnet, Arbitrum, Optimism, Fantom, Avalanche, and Base.

    HOW DO I REACH OUT FOR SUPPORT?

    For any support inquiries related to the Dedaub Transaction Simulator, please contact our support team at contact@dedaub.com or through our Discord Support Channel.

    About Dedaub

    Dedaub has a history of over 200 audits for leading Web3 protocols and successful white-hat hacking endeavors that have safeguarded billions in Total Value Locked (TVL). The Ethereum Foundation trusts our team. We integrate academic research with practical hacker experience to offer unparalleled security services. To learn more about our journey and services, please visit https://dedaub.com.

  • Thestandard.io Exploit | A Thorough Analysis by Dedaub

    Hello everyone, this is Yannis Bollanos, Security Researcher at Dedaub. A few days ago, we published a tweet about the thestandard.io exploit that took place on November 6th, 2023, which you can find here: https://twitter.com/dedaub/status/1734598398055981471.

    The positive response from the X audience indicates a strong interest in the topic. As a result, I have decided to expand it into a blog post that can be used as a reference in the future.

    Thestandard.io exploit occurred on November 6th, 2023, and according to Crypto.news, approximately 280K EUROs were at risk. Fortunately, most of the funds have been recovered, so this is a hack story with a happy ending.

    After the excitement and tension of the moment subside, it is important to reflect on what happened and how we can prevent similar attacks in the future. It’s a great opportunity to re-emphasize that protocols should use defensive checks/assertions at every point their code interacts with a decentralized exchange (DEX).

    The @thestandard.io protocol issues coins to users who open over-collateralized positions, helping the protocol’s assets maintain a stable value by adjusting liquidity provision in line with actual market rates.

    In the @thestandard.io attack scenario, a SmartVault contract oversees the management of each user’s position, taking responsibility for adequately verifying the position’s liquidity. Users can issue coins by calling `mint`:

    [Screenshot: the SmartVault `mint` function]

    The SmartVault allows the exchanging of deposited collateral tokens through Uniswap’s V3 router (0xe592427a0aece92de3edee1f18e0157c05861564 on Arbitrum). Here is where things get interesting:

    SmartVaultV2 source code (0x2E9f9Cc46679DBb5D94a1397Bd922cA5F6dA99Cd), a smart contract deployed on Arbitrum.

    One may inspect the source code in the (Dedaub) Contract Library for SmartVaultV2 – 0x2E9f9Cc46679DBb5D94a1397Bd922cA5F6dA99Cd. Below is the screenshot.

    [Screenshot: SmartVaultV2 source code in the Dedaub Contract Library]

    The things to note are:

    • With amountOutMinimum set to 0, the swap operation would succeed no matter the extent of the slippage incurred.
    • There were no other safeguards in place to ensure a fair exchange for the value provided in the contract.

    This enabled the owner of the vault contract to initiate a swap on a pool that might have been maliciously ‘tilted,’ allowing for an exchange at an arbitrarily different price from the market price.

    There are two ways to profit from this:

    • (1) Utilize a flash loan and purposely sandwich the swap operation between a tilting and an un-tilting swap on the pool. This is a fairly typical attack pattern commonly used in exploits.

    OR

    • (2) Have the swap operation occur on a pool, the liquidity of which (as well as the execution price) is entirely controlled by the attacker. This can be done only on freshly created pools or in pools with near-0 liquidity.

    The attacker chose option (2) since a Uniswap V3 pool for PAXG-WBTC didn’t exist then. Here’s how everything is put together to form the attack:

    Attack Transaction:

    1. The attacker creates the Uniswap v3 PAXG-WBTC pool
    2. The attacker flash borrows 10 WBTC (and a tiny extra amount to provide as initial liquidity)
    3. The attacker provides 10 WBTC as collateral and mints as many EUROs as possible

    One may inspect the relevant transaction in the (Dedaub) Contract Library for 0x51293c1155a1d33d8fc9389721362044c3a67e0ac732b3a6ec7661d47b03df9f – Arbitrum. Below is the screenshot.

    [Screenshot: the attack transaction in the Dedaub Contract Library]

    The attacker provides liquidity to the PAXG/WBTC pool. WBTC and PAXG are at a 1:1 ratio within the tick range in which liquidity is minted. This is over-valuing PAXG by a lot.

    The attacker swaps the deposited WBTC for PAXG, and the swap operation goes through the attacker-controlled pool. The vault is now under-collateralized, in terms of real value: the PAXG it obtained has much less value than the EUROs issued.

    The attacker then burns all of his liquidity on Uniswap, and he notably receives ~9.9 WBTC. At this point, the attacker still holds the originally minted EUROs.

    The attacker swaps 10k of his EUROs for USDCs. Some USDCs are then employed to obtain the few remaining WBTCs needed to repay the flash loan.

    In the end, the attacker walks away with 280k EUROs and ~8.5k USDC.

    Fortunately, the attacker has returned ~240k EUROs back to the protocol:

    One may inspect the relevant transaction in the (Dedaub) Contract Library for 0xb08633c44d5f7c6fc10ad5685642c54e97900165bd1d64a1d003c99d1eec9a4b – Arbitrum. Below is the screenshot.

    [Screenshot: the return transaction in the Dedaub Contract Library]

    Thestandard.io Exploit | Key Learning

    Smart Contract developers should not solely rely on assumptions about on-chain liquidity/asset prices. The code should consistently enforce these assumptions (within a reasonable deviation).
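    The missing safeguard, modelled off-chain as an added example (not the protocol's or Dedaub's code): a vault swap with `amountOutMinimum` set to 0 beside one that derives the floor from oracle prices and re-checks the position afterwards. The oracle prices, the 110% collateral ratio, the minted amount, the fixed-price pool model and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction

BPS = 10_000  # basis-point denominator

# Constructed oracle prices in EUR (illustrative, not taken from the incident).
ORACLE_EUR = {"WBTC": Fraction(35_000), "PAXG": Fraction(1_850)}


class SwapReverted(Exception):
    """Stands in for an on-chain revert."""


@dataclass
class Pool:
    """Simplified pool quoting a fixed price (token_out per token_in).

    Models liquidity concentrated in a single range, where whoever supplied
    the liquidity also chose the execution price.
    """
    token_in: str
    token_out: str
    price: Fraction

    def swap(self, amount_in, amount_out_minimum):
        amount_out = amount_in * self.price
        if amount_out < amount_out_minimum:
            raise SwapReverted("too little received")
        return amount_out


def min_amount_out(token_in, token_out, amount_in, max_slippage_bps):
    """Oracle-implied output, reduced by the tolerated deviation."""
    fair_out = amount_in * ORACLE_EUR[token_in] / ORACLE_EUR[token_out]
    return fair_out * (BPS - max_slippage_bps) / BPS


@dataclass
class Vault:
    collateral: dict
    minted_euros: Fraction
    min_ratio_bps: int = 11_000  # constructed: 110% collateral requirement

    def collateral_value(self):
        return sum((amount * ORACLE_EUR[token]
                    for token, amount in self.collateral.items()), Fraction(0))

    def is_healthy(self):
        return self.collateral_value() * BPS >= self.minted_euros * self.min_ratio_bps

    def _settle(self, pool, amount_in, floor):
        if self.collateral.get(pool.token_in, 0) < amount_in:
            raise SwapReverted("insufficient collateral")
        amount_out = pool.swap(amount_in, floor)  # raises before any state change
        self.collateral[pool.token_in] -= amount_in
        self.collateral[pool.token_out] = (
            self.collateral.get(pool.token_out, Fraction(0)) + amount_out)
        return amount_out

    def swap_unguarded(self, pool, amount_in):
        """Behaviour described above: amountOutMinimum = 0, no other check."""
        return self._settle(pool, amount_in, Fraction(0))

    def swap_guarded(self, pool, amount_in, max_slippage_bps=100):
        """Enforce the price assumption, then re-check the position."""
        floor = min_amount_out(pool.token_in, pool.token_out,
                               amount_in, max_slippage_bps)
        snapshot = dict(self.collateral)
        amount_out = self._settle(pool, amount_in, floor)
        if not self.is_healthy():
            self.collateral = snapshot  # a revert undoes every state change
            raise SwapReverted("position under-collateralized after swap")
        return amount_out


def new_vault():
    # 10 WBTC of collateral as in the write-up; minted amount is constructed.
    return Vault({"WBTC": Fraction(10)}, Fraction(280_000))


if __name__ == "__main__":
    tilted = Pool("WBTC", "PAXG", Fraction(1))        # 1:1, over-valuing PAXG
    market = Pool("WBTC", "PAXG", Fraction(189, 10))  # close to the oracle ratio

    vault = new_vault()
    vault.swap_unguarded(tilted, Fraction(10))
    print("unguarded, tilted pool:", float(vault.collateral_value()),
          "EUR backing", float(vault.minted_euros), "EUROs")

    vault = new_vault()
    try:
        vault.swap_guarded(tilted, Fraction(10))
    except SwapReverted as exc:
        print("guarded, tilted pool: reverted:", exc)

    vault = new_vault()
    print("guarded, market pool:", float(vault.swap_guarded(market, Fraction(10))),
          "PAXG received")
```
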

  • Transaction Simulation Solutions | An In-depth Guide

    Introduction to Transaction Simulation Solutions

    Transaction simulation tools improve developer and user experience when operating decentralized Web3 applications (Smart Contracts running on programmable blockchains).

    These tools can lower the risk and guesswork during development, deployment, and subsequent operation of Web3 applications. And they’re particularly useful in hostile security environments such as public blockchains.

    Transaction simulation tools allow developers and users to “dry-run” the execution of transactions on the blockchain without committing the state changes of this transaction to the ledger.

    For example, an end user can deposit funds in a yield farming vault and understand what proportion of the vault the deposit would be entitled to.

    Another example is the simulation of a decentralized autonomous organization (DAO) proposal to evaluate its integrity and functionality, ensuring it’s not malicious before implementation.

    In this article, we will explore the user experience and security issues that users and developers face when interacting with Web3 applications and how transaction simulation tools can help mitigate them.

    By the end of this article, you’ll better understand what transaction simulation tools do, how they work, and how they can improve both user and developer experience.

    The Need for Transaction Simulation Solutions in Blockchain

    Web3 applications, such as DeFi applications, enable novel financial primitives with many more possibilities for end users. However, the complexity and irreversibility of blockchain transactions have led to unexpected fund losses for many users, often due to poorly designed interfaces in these applications.

    Loss of funds is not the only issue for Web3 applications. We often face reverted or out-of-gas transactions, wasting funds, which is especially detrimental to our experience when interacting with Web3 applications.

    The impact of these challenges is not limited to regular end-users. Developers and Web3 teams face the complex task of ensuring their contracts perform as intended.

    Interacting with a blockchain protocol in a complex manner, for instance, through a multisig account, is a highly daunting task. Typically, it can be accomplished by forking the blockchain, but this is time-consuming.

    Real-world scenarios underscore how critical transaction simulation solutions are. For instance, on platforms such as Yearn Finance or Uniswap Labs, where complex financial transactions are constant, the ability to simulate transactions is invaluable.

    In these cases, simulations allow users to review the outcomes of Smart Contract transactions in a controlled environment, giving teams time to identify and address potential issues before running them on-chain.

    Types of Transaction Simulation Solutions Available

    The market offers a variety of transaction simulation solutions, each catering to different needs and preferences.

    Browser Extensions are popular for their ease of use, integrating with web browsers to offer simulation capabilities alongside wallet interactions.

    In-Wallet Simulations integrate with the wallet software, providing a seamless experience for users to simulate transactions within the wallet interface.

    Standalone Tools are comprehensive software solutions. These offer advanced features and greater flexibility for complex simulations. Developers and organizations needing detailed analyses and custom simulation scenarios prefer standalone tools.

    Advantages of Using Transaction Simulation Tools

    ERROR PREVENTION

    Error prevention is a crucial advantage of transaction simulation tools, as they enable developers to simulate transactions in a controlled environment.

    This process helps identify and correct errors before executing them on the blockchain, significantly reducing the likelihood of costly mistakes such as failed transactions that consume resources without achieving their intended outcomes.

    Consequently, these tools greatly enhance blockchain applications’ overall reliability and efficiency.

    EDUCATIONAL VALUE

    For newcomers to blockchain development, transaction simulation solutions are invaluable educational resources. They provide a hands-on, risk-free platform for understanding the intricacies of blockchain transactions.

    They allow developers to experiment with different scenarios, gaining practical insights into the operation of Smart Contracts. This experiential learning accelerates any developer’s expertise in blockchain technology, empowering them to build more sophisticated and secure dApps.

    Choosing the Right Transaction Simulation Solution

    Selecting an appropriate transaction simulation solution is crucial for blockchain developers. These tools come in various forms, each suited to different needs and environments.

    Factors to Consider:

    • Network Support: Ensure the tool supports all relevant blockchain networks your project interacts with. For instance, if your Smart Contract runs on Ethereum and Polygon, the chosen transaction simulation solution must accommodate both.
    • Ease of Integration: Assess how seamlessly the tool integrates into your existing development. A smooth integration minimizes disruptions and maintains development flow.
    • User Experience: Assess the tool’s user interface and usability. A good simulator should offer clear insights into the transaction process, aiding decision-making and error identification.
    • Type of Tool: Decide between browser extensions and wallet-based simulators. Browser extensions are generally more flexible and accessible to test across various wallets, whereas wallet-based solutions offer a more integrated experience.

    EVALUATION CRITERIA:

    • Reliability and Support: Investigate the tool’s performance history and the provider’s responsiveness to support queries and updates.
    • Track Record: Consider the provider’s reputation within the blockchain community. Long-standing, positively reviewed tools often indicate reliability and efficacy.

    RECOMMENDATIONS:

    • Opt for solutions that prioritize security and accuracy in transaction simulation.
    • Avoid tools that are overly complex or do not offer transparent processes, as these can hinder rather than help your development efforts.
    • Stay informed about the latest developments in transaction simulation technologies to ensure your choice remains relevant and effective.

    Selecting the right tool is crucial. It must meet technical requirements and adhere to the highest security and efficiency standards in the blockchain space.

    Dedaub Watchdog Transaction Simulator

    The Dedaub Watchdog Transaction Simulator allows users to simulate transactions when interacting with complex Smart Contracts before committing to the main chain.

    It allows an understanding of all the various actions that would happen without the risk of losing funds. The Dedaub Watchdog transaction simulation provides three approaches, depending on specific use cases:

    • Through the Dedaub Simulation API, developers can integrate simulation directly into their applications.
    • Through the read/write/simulate feature on any Smart Contract page in Watchdog.
    • By installing the Dedaub TX Simulator Snap in Metamask.

    When used by an end-user, such as in the latter two approaches, the transaction simulation presents relevant information in convenient formats through the Watchdog UI.

    One such format is the (i) trace format, which contains all intermediate Smart Contract functions called, new Smart Contracts created, and events fired.

    The other is the (ii) fund transfer format, which includes the amount of funds transferred, both for the user and other participants in the transaction.

    (Trace format above)

    (funds transferred above)

    When used by Web3 users, an important use case is checking the legitimacy and reliability of the accounts and Smart Contracts involved in the transaction. By simulating transactions, users can also gain insight into potential outcomes, allowing them to identify risks proactively.

    The Dedaub Watchdog Transaction Simulator leverages the Dedaub Smart Contract database. The database offers detailed, real-time information on all deployed Smart Contracts on-chain, providing deep insights into the workings of Smart Contracts.

    Conclusion

    In conclusion, transaction simulation tools, particularly those exemplified by the Dedaub Watchdog Transaction Simulator, represent an advancement in Web3 application development and user interaction. They provide an extra layer of security and insight, allowing developers and end-users to identify and rectify potential issues in Smart Contract transactions promptly. These tools prevent costly errors and fund losses and serve as educational resources for those new to blockchain technology. With their ability to simulate complex financial transactions in a controlled environment, transaction simulation solutions enhance the efficiency, reliability, and overall user experience of interacting with Web3 applications.

  • Web3 Monitoring

    WEB3 Monitoring

    Web3 Monitoring continuously tracks blockchain activities, such as transactions and smart contract interactions, to identify anomalies, ensure security, and maintain operational transparency across decentralized networks. Web3 Monitoring empowers developers and organizations with real-time insights to safeguard their projects.

    Why Blockchain Monitoring is Important

    The need for security on the blockchain is ever-increasing, and the demand for innovative security solutions has also surged in recent years. The complexity of hacks and security breaches leaves no room for error, as the blockchain has shown itself to be unforgiving by design in punishing any lapse. In the last few years, attacks from private transaction pools have increased because attackers can bypass traditional defenses and exploit vulnerabilities without detection, limiting current security approaches and highlighting the need for more proactive measures. As codebases strengthen to counter these security risks, social engineering presents malicious actors with new ways to defraud people, hence the increased need for monitoring activity on the blockchain.

    Web3 monitoring involves:

    • Analyzing activities over a specific timeframe to deliver security insights regarding potential malicious actors.
    • Establishing baselines of behavior and identifying anomalies based on user preferences and previous interactions.
    • Real-time wallet and token activity notifications to identify significant transfers and other risk indicators.

    The customizable blockchain monitoring solution provided by Dedaub detects on-chain activities, establishes periodic executions, and creates custom alerts, using an enhanced PostgreSQL database to give a consistent view of blockchain data and maintain high efficiency in real-time on-chain monitoring. It embodies all the qualities of a sound Web3 monitoring system.

    Web3 Monitoring as a Post-Audit Best Practice

    Relying solely on smart contract audits to protect against hacks and security breaches is now considered outdated. While audits reduce the likelihood of attacks, they do not guarantee a secure system in the long run. 

    One important reason for this is that audits focus more on the codebase itself, and may only partially cover security issues arising from dependencies or the underlying blockchain architecture. In the blockchain environment, where threats are dynamic and evolving, new sophisticated attack vectors and vulnerabilities that evade standard checks can emerge, making a contract previously considered secure vulnerable.

    Contrary to the public opinion that hacks occur suddenly, most attacks come with indicative signals that are usually present before the attack. Real-time monitoring of these potential attack flags and signs gives us a system to cover security gaps and bolster the results of adequately audited smart contracts. Real-time monitoring of on-chain activity such as transactions, multi-sig wallet operations, governance proposals, staking, node infrastructure, and financial risks due to market manipulation, which finds malicious incidents before they happen and prevents breaches in real time, can prove to solve about 98% of all security breaches. Monitoring provides risk insights and real-time detection of risks based on blockchain and mempool data, allowing for recovery actions before any compromise.

    How Dedaub Enhances Real-time Blockchain Monitoring

    Dedaub’s real-time smart contract monitoring reinforces post-audit safeguards by identifying suspicious activities and offering fully customizable multichain protection against threats and unforeseen behaviors across Ethereum and other EVM-compatible chains. 

    The Dedaub Security Suite allows users to set up monitoring bots and queries to track on-chain activities and trigger custom actions through webhooks for free. It also flags unusual transactions and lets users stay alert to specific on-chain events with seamless cross-chain queries to ensure efficient monitoring. 

    With the monitoring star rating system, query ratings are now possible, allowing users to share their experiences and contribute to an expanding library of insights to help new and existing users find the best tools to achieve their goals faster and enhance functionality. The enhanced monitoring editor makes the query writing process quicker and easier to understand. It also gives suggestions in queries, together with an advanced error reporting system, to identify any issues arising from variables. The ability to join on-chain data with off-chain metadata also gives an essential edge in real-time monitoring. 

    Using multichain monitoring agents offers a network-agnostic solution that simplifies the process of tracking activity across multiple blockchains simultaneously. With the new cross-chain contract lists, managing data from various blockchain networks can be achieved through a single unified list. 

    Moreover, the advanced RPC fetch functions allow users to incorporate data directly from external REST APIs into their monitoring queries framework, increasing the capability and accuracy of real-time monitoring. 

    The latest version of Dedaub’s Security Suite introduces cutting-edge blockchain transaction monitoring features, including cross-chain capabilities, public function-based similarity, and an enhanced monitoring editor. These tools empower developers and organizations to maintain robust oversight with advanced security and efficiency.

  • Smart Contract Audits Guide

    Smart Contract Audit Essentials: Navigating the Web 3 Landscape with Expertise and Security

    With blockchain platforms, Smart Contract Audits play a critical role in ensuring the security and reliability of decentralized applications. These audits are routine checks and an indispensable part of the development process, safeguarding all transactions and agreements that define the blockchain ecosystem.

    Smart Contracts, with their immutable and autonomous nature, demand absolute precision in their code. Any oversight or vulnerability can lead to significant financial losses or erode trust in the technology.

    At Dedaub, we blend academic thoroughness with a hacker’s practical acumen to delve deep into Smart Contract code. The main goal of a Smart Contract Audit is to eliminate faults. Our approach is to understand the intricacies of each contract and its potential pitfalls, to provide solutions that fortify its foundation.

    To date, we have conducted over 200 rigorous audits for leading blockchain protocols and safeguarded billions in Total Value Locked (TVL).

    Leading blockchain clients such as the Ethereum Foundation, Chainlink, and Coinbase have placed their trust in us, not just for our ability to spot vulnerabilities but for our commitment to elevating the standards of blockchain security.

    The Critical Role of Audits in Blockchain Security

    At its core, a Smart Contract Audit is a meticulous process where experts scrutinize the code of a blockchain Smart Contract (SC) to identify vulnerabilities, inefficiencies, and potential exploits.

    This systematic examination is crucial in the blockchain domain, where SCs play a pivotal role in automating, verifying, and enforcing the terms of a digital contract. Because blockchain transactions are irreversible, the accuracy and security of SCs are essential.

    Smart Contract Audits combine automated tools with expert reviews. The process starts with thoroughly analyzing the contract’s design and architecture. It continues with a detailed line-by-line code examination to uncover hidden issues.

    Auditors look for common vulnerabilities like reentrancy attacks, overflow/underflow issues, gas limit problems, and more nuanced logic errors that could compromise the contract’s functionality.

    Dedaub is a reliable partner with expertise and dedication to excellence. We specialize in ensuring that Smart Contracts adhere to the highest security and reliability standards, regardless of the protocol used.

    The Dedaub Audit Methodology

    At Dedaub, each of our Smart Contract Audits is a meticulously crafted process. Each one uniquely combines academic precision with practical hacking insights. This comprehensive approach is structured into five stages, ensuring a thorough and effective audit tailored to each project’s needs.

    Stage 1: Cost and Schedule Proposal

    Our process begins with carefully assessing the Smart Contract’s codebase, considering its scope and complexity. We formulate a cost-effective proposal and a realistic timeline that aligns with your project’s deadlines and budget constraints. This initial stage sets the groundwork for a well-organized audit process.

    Stage 2: Audit Commencement

    In the second stage, our experts dedicate the agreed time to analyze your Smart Contract thoroughly. This phase includes ongoing interaction with your development team. This fosters a collaborative and efficient audit, where we examine every aspect of the Smart Contracts to identify potential vulnerabilities.

    Stage 3: Preliminary Findings Delivery

    We then categorize and detail the findings in a preliminary report, classifying them by risk level: Critical, High, Medium, Low, or Advisory. A discussion session with your team is held at this stage to clarify any issues and set the groundwork for the next improvement steps.

    Stage 4: Issue Resolution Process

    At this stage, your developers work to address the identified issues, guided by our tailored advice provided in the initial report. This collaborative approach ensures the effective implementation of solutions to enhance the contract’s security and functionality.

    Stage 5: Final Review and Report

    In the final stage, we conduct a comprehensive post-mitigation review to confirm the resolution of all issues. The process culminates with a detailed final report documenting the entire audit process and its outcomes. This results in a clear roadmap for ongoing Smart Contract security.

    Dedaub’s audit methodology is designed to ensure precise and practical auditing of Smart Contracts. Our approach helps to enhance the security of blockchain projects by effectively identifying and addressing potential vulnerabilities.

    Case Studies

    We work for the Ethereum Foundation on complex studies of Ethereum Improvement Proposals (EIPs) such as EIP-4878, EIP 6404, EIP 6466, EIP 4758 and EIP 6780.

    In a project commissioned by the Ethereum Foundation, Dedaub undertook an extensive study to assess the potential impact of Ethereum Improvement Proposals (EIPs) 6404 and 6466.

    These EIPs proposed significant modifications to the Ethereum network, particularly in the serialization algorithm for transactions and receipts. This shift involved moving from the Recursive Length Prefix (RLP) format to the Simple Serialize (SSZ) format.

    This change directly impacted the Receipts Root and Transactions Root fields in the execution layer headers, presenting a complex challenge for existing Smart Contracts on the Ethereum mainnet.

    The Challenge

    The primary concern was the potential disruption to contracts relying on RLP for proofs, especially those critical to decentralized bridges. These bridges play a crucial role in creating proofs about historical transaction logs.

    Our objective was to quantify and qualify the extent of potential disruption and identify specific on-chain patterns verifying commitments in this new manner. This required a detailed, semi-automated examination of all Smart Contracts on the Ethereum network, analyzing their recent behavior to gauge the impact of these changes.

    Our Approach

    We analyzed various Smart Contracts, identifying those critical to projects and assessing possible mitigating actions. Our team concentrated on evaluating the impact of these changes, especially on projects involving cross-chain bridges, and considered both on-chain solutions like upgrades and off-chain strategies like modifying oracles.

    Findings and Impact

    Our study revealed that the changes proposed in the EIPs notably affected a handful of projects, predominantly cross-chain bridges. Some of the key projects impacted included:

    Interestingly, our findings showed that out of the two proposed EIPs, only EIP-6466 (Receipts Root EIP) significantly impacted the inspected protocols. This was due to its effect on log-inclusion proofs, a common method for conducting cross-chain message passing.
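
    The dependency described above, as an added example (not code from Dedaub's study or from any bridge): a hypothetical verifier step, `find_log`, RLP-decodes a legacy receipt leaf to locate a bridge event, and finds nothing when the same fields arrive in a different serialization. The address, topic, payload and the fixed-width stand-in layout are constructed; the stand-in is not the SSZ layout from EIP-6466, and the Merkle proof that ties the leaf to the Receipts Root is left out.

```python
class RLPError(ValueError):
    """Raised when bytes are not a single well-formed RLP item."""

def int_to_bytes(n: int) -> bytes:
    # RLP integers are big-endian with no leading zeros; zero is the empty string.
    return b"" if n == 0 else n.to_bytes((n.bit_length() + 7) // 8, "big")

def length_prefix(length: int, offset: int) -> bytes:
    if length < 56:
        return bytes([offset + length])
    size = int_to_bytes(length)
    return bytes([offset + 55 + len(size)]) + size

def rlp_encode(item) -> bytes:
    if isinstance(item, int):
        item = int_to_bytes(item)
    if isinstance(item, bytes):
        if len(item) == 1 and item[0] < 0x80:
            return item  # a single low byte is its own encoding
        return length_prefix(len(item), 0x80) + item
    payload = b"".join(rlp_encode(x) for x in item)
    return length_prefix(len(payload), 0xC0) + payload

def decode_at(data: bytes, pos: int):
    """Decode one item starting at pos; return (item, next_pos).

    Structural checks only: canonical-encoding rules are not enforced here.
    """
    if pos >= len(data):
        raise RLPError("truncated input")
    b0 = data[pos]
    if b0 < 0x80:
        return bytes([b0]), pos + 1
    is_list = b0 >= 0xC0
    base = 0xC0 if is_list else 0x80
    if b0 - base < 56:  # short form: length is in the prefix byte
        length, start = b0 - base, pos + 1
    else:  # long form: prefix byte gives the size of the length field
        size = b0 - base - 55
        if pos + 1 + size > len(data):
            raise RLPError("truncated length")
        length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
        start = pos + 1 + size
    end = start + length
    if end > len(data):
        raise RLPError("declared length exceeds input")
    if not is_list:
        return data[start:end], end
    items, p = [], start
    while p < end:
        item, p = decode_at(data, p)
        items.append(item)
    if p != end:
        raise RLPError("list item overruns list")
    return items, end

def rlp_decode(data: bytes):
    item, end = decode_at(data, 0)
    if end != len(data):
        raise RLPError("trailing bytes after item")
    return item

# Constructed sample values, not taken from any real bridge or transaction.
BRIDGE = bytes.fromhex("11" * 20)
TOPIC0 = bytes.fromhex("aa" * 32)
MESSAGE = b"unlock 5 tokens for 0xabc"

def legacy_receipt(logs) -> bytes:
    # Legacy receipt fields: [status, cumulativeGasUsed, logsBloom, logs].
    # The bloom is left all-zero because this check never reads it.
    return rlp_encode([1, 21000, bytes(256), logs])

def fixed_layout_receipt(address: bytes, topic0: bytes, data: bytes) -> bytes:
    # Constructed stand-in for "a different serialization". NOT the EIP-6466 SSZ layout.
    return (bytes([1]) + (21000).to_bytes(8, "little") + address + topic0
            + len(data).to_bytes(4, "little") + data)

def find_log(receipt: bytes, address: bytes, topic0: bytes):
    """Hypothetical verifier step: data of the first matching log, else None."""
    try:
        fields = rlp_decode(receipt)
    except RLPError:
        return None  # leaf is not RLP: the proof cannot be checked at all
    if not isinstance(fields, list) or len(fields) != 4 or not isinstance(fields[3], list):
        return None
    for log in fields[3]:
        if not isinstance(log, list) or len(log) != 3:
            continue
        addr, topics, data = log
        if addr == address and isinstance(topics, list) and topics[:1] == [topic0]:
            return data
    return None

if __name__ == "__main__":
    logs = [[BRIDGE, [TOPIC0], MESSAGE]]
    print("RLP receipt   :", find_log(legacy_receipt(logs), BRIDGE, TOPIC0))
    print("other encoding:", find_log(fixed_layout_receipt(BRIDGE, TOPIC0, MESSAGE), BRIDGE, TOPIC0))
```

    A deployed contract with this parsing logic cannot be pointed at a new format without an upgrade or an off-chain change, which is why the study weighed both kinds of mitigation.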

    Why Choose Dedaub for Smart Contract Audits?

    If you’re looking to get a Smart Contract audit for your blockchain project, choosing the right partner is important. Dedaub is a reliable and trustworthy choice in this regard, not just because of our technical expertise but also because of the values we stand for – integrity, innovation, and the empowerment of blockchain talent. Our approach is rooted in these core values, directly translating into our high-quality audits.

    Integrity in Every Audit

    At Dedaub, integrity is at the forefront of everything we do. This means conducting audits with the utmost honesty, thoroughness, and transparency. Our clients’ trust in us is integral to their success.

    Our commitment to integrity ensures that every audit is conducted with meticulous attention to detail, offering our clients a true and complete assessment of their Smart Contract’s security.

    Pioneering Innovation

    Innovation is key in the rapidly evolving blockchain landscape. Our team constantly explores the latest advancements in blockchain technology and Smart Contract development. This pursuit of innovation enables us to provide cutting-edge solutions to our clients, ensuring their Smart Contracts are resilient against current and future security threats.

    Empowering Blockchain Talent

    We believe in empowering the next generation of blockchain professionals. Through our Smart Contract Audits, we secure our clients’ projects and share knowledge and insights that contribute to the overall growth of the blockchain community.

    By educating and nurturing talent, we’re helping to build a more secure and robust blockchain ecosystem.

    These core values of Dedaub translate into a thorough and forward-thinking audit service that contributes positively to the broader blockchain community. Choosing Dedaub means partnering with a team that is deeply invested in the success and security of your project, as well as the advancement of the entire blockchain industry.

    The Future of Smart Contract Audits, Embracing ZK Audits and Beyond

    The landscape of Smart Contract Auditing is constantly evolving and is being influenced by groundbreaking trends and innovations. One of these trends is the emergence of Zero-Knowledge (ZK) proofs, a pivotal technology that is reshaping how audits are conducted. At Dedaub, we are always at the forefront of these advancements and are integrating them to offer more robust and sophisticated audit services.

    Our team has a combination of cryptography expertise and hands-on knowledge of ZK-proof systems and technologies. Our auditors invest significant time in continuous education on foundational knowledge and applied knowledge, with a recent emphasis on the domain of zero-knowledge proofs.

    Conclusion

    The significance of Smart Contract Audits in fortifying the Web3 ecosystem cannot be overstated. As the digital landscape evolves, these audits form the backbone of trust and security, ensuring blockchain technologies function as intended and uphold the highest standards of reliability and integrity.

    Dedaub, with our unique blend of academic rigor and practical expertise, stands as a vanguard in this field. We offer comprehensive audits that safeguard against vulnerabilities and fortify the foundations of decentralized applications.

    We invite you to leverage our extensive experience and expertise. Contact us at Dedaub to discuss how we can elevate the security and performance of your Smart Contracts, paving the way for a safer, more robust Web3 future.

  • Smart Contract Security Tools | A Guide to Dedaub Security Suite, Step-by-step Tutorial

    Dedaub Security Suite (formerly Watchdog) is a comprehensive security system designed for Smart Contract analysis and transaction monitoring. To help you make the most of what Dedaub Security Suite offers, we’ve released a detailed step-by-step tutorial to guide you through its various capabilities.

    Let’s delve into how this tutorial empowers you to harness the full potential of Watchdog.

    Smart Contract Security Tools | Static Analysis

    Smart Contract security is always evolving, and staying ahead of threats is crucial. Dedaub Security Suite’s Static Analysis serves as your first line of defense, rigorously examining contract bytecode to flag potential vulnerabilities before they manifest into real threats. Our tutorial shows you how to navigate this preemptive feature for a stronger, more resilient codebase.

    • Deep-dive into contract bytecode to identify looming vulnerabilities with Watchdog’s state-of-the-art static analysis engine.
    • Benefit from various warning types, alerting you to diverse potential issues.
    • Harness the power of extensive warning categorization and tagging, including tens of warning categories, such as reentrancy, signature malleability, and untrusted transfers.
    • Craft your own code queries to scrutinize specific vulnerabilities, behaviors, or attributes in contracts (such as balances, allowances, or recent transactions).

    Smart Contract Security Tools | Transaction Monitoring

    Blockchain is a fast-paced world, and reactive strategies don’t work too well. Dedaub Security Suite’s Transaction Monitoring empowers you to respond, anticipate, and preempt security threats with real-time blockchain surveillance. Learn to set up intricate filters and monitoring systems via our in-depth tutorial.

    • Conduct deep transaction analysis for nuanced insights into contract interactions, down to minor details.
    • Use advanced filters to focus on the events most critical to your project’s security.
    • Leverage macros to calculate and extract specific data values for even deeper transaction scrutiny.
    • Access detailed transaction logs, replete with decoded function calls, emitted events, and vital status information.
    • Tailor your monitoring scope by setting transaction amount or frequency conditions, sharpening your project’s risk management.

    Smart Contract Security Tools | Reports

    Regular updates on your project’s security posture are not a luxury but a necessity. Dedaub Security Suite’s Reports feature goes beyond mere data compilation, offering actionable insights to inform your strategic decision-making. Master the generation and interpretation of these comprehensive reports through our tutorial.

    • Receive meticulous, in-depth reports to dissect and understand contract vulnerabilities in detail.
    • Expect rigorously compiled quarterly reviews to gauge your project’s security landscape consistently.
    • Benefit from an added layer of human scrutiny, focusing on high-severity vulnerabilities that automated systems might overlook.

    Development Support: Safety Before Deployment

    Deploying a Smart Contract is irreversible and any vulnerabilities can become permanent liabilities. Our tutorial allows you to utilize Watchdog’s Development Support feature for critical pre-deployment assessments. Learn how to upload project snapshots and scrutinize them against potential security flaws.

    • Seamlessly upload snapshots of your projects that are still in the development phase.
    • Utilize support for popular development frameworks such as Foundry and Hardhat.
    • Engage pre-deployment checks to catch vulnerabilities before they become part of the blockchain.
    • Use the project snapshot feature for an additional layer of pre-deployment scrutiny.

    Stay Ahead with Dedaub Security Suite

    Unleash Dedaub Security Suite’s full capabilities by gaining the right expertise. Learn the nitty-gritty details to take full control of your Smart Contract security. Watch our comprehensive step-by-step tutorial now!

  • Senior Business Development Manager – Enterprise Web3 Security

    Location: Remote‑first (United States preferred) · Full‑time

    About the role

    As a Senior Business Development Manager at Dedaub, you will expand our footprint across enterprises, financial institutions, and Web3 foundations. Your mission is to drive new revenue from smart contract audits, white-glove SaaS, and R&D collaborations. 

    This is a strategic, hybrid role that combines hunter and farmer approaches. You must break into new accounts and strengthen ties across Dedaub’s client base. You’ll bridge market demand and product innovation, shaping our offerings based on client needs.

    This remote-first role suits a self-managing, technically fluent, and enterprise-savvy professional who thrives on autonomy and has a strong understanding of security and compliance.

    The Mission

    Own net‑new revenue for Dedaub’s enterprise security offerings (smart‑contract audits, SaaS offerings, and research grants). You will open, negotiate and close six and seven‑figure, multi‑year deals with Fortune 1000, Web‑scale fintech and top‑tier Web3 foundations, while feeding market insights straight back to product and research.

    Key Responsibilities

    • Research and identify new partnership opportunities and projects that are an excellent fit for Dedaub’s services
    • Hunting and Farming: Dedaub already serves an extensive and diverse customer base. Apart from acquiring new customers, we want to deepen existing relationships by driving cross-sell and upsell opportunities across our full range of security services and solutions.
    • Enterprise account strategy: Map buying centers (security, compliance, protocol engineering, legal) and build multi‑threaded relationships up to C‑level.
    • Craft the value story: Translate low‑level security findings into executive‑ready business cases (risk reduction, regulatory readiness, cost of breach).
    • Influence Dedaub’s offerings: Funnel client pain points to engineering; partner with research leads to scope bespoke engineering work.
    • Conference & community presence: Represent Dedaub on stage and in closed‑door round‑tables at Consensus, Devcon, Token 2049, Solana Breakpoint etc. and arrange targeted side events.
    • Collaborate to win: Work with marketing on ABM campaigns, with solutions architects on POCs, and with executive leadership on strategic partnerships.
    • Sales Forecasting: Proven ability to assess deal status with up to 80% accuracy, distinguishing between committed, upside, and pipeline opportunities.

    Required Experience & Skills

    • Experience with quota‑carrying sales or BD in cybersecurity, DevOps, fintech or enterprise software.
    • Proven record of closing complex deals with lengthy procurement review cycles.
    • Fluent in technical risk language: can hold your own on smart‑contract architecture, threat modeling, and compliance.
    • Executive‑level written & verbal communication; comfortable building decks, commercials and SOWs from scratch.
    • Startup athlete: self‑managing, problem-solver, data‑driven. Thrives with high autonomy and ambiguous problems.

    Nice‑to‑haves

    • Direct exposure to Ethereum, Solana, SUI/Aptos or other blockchain runtimes.
    • Existing network in Tier‑1 exchanges, custodians, banks or Web3 foundations.
    • Experience selling both professional service + SaaS offerings.
    • Mastery of discovery and MEDDIC/BANT (or similar) qualification frameworks.

    About Dedaub

    Dedaub safeguards blockchain applications through a unique blend of advanced program analysis technology coupled with a globally recognized team of security researchers. Our researchers have top academic qualifications and high-stakes white‑hat hacking expertise, and have discovered vulnerabilities in Ethereum, Uniswap, Chainlink and dozens of DeFi protocols. We work hand‑in‑hand with ecosystems such as the Ethereum Foundation, EigenLayer and ZKsync. Our next stage of growth is to bring these capabilities to large enterprises, Web3 foundations, and regulated financial institutions that are moving onchain.

  • A Guide to Smart Contracts Security and Audits 

    Auditing Smart Contracts Code | Mitigating Security Issues in Blockchain

    Introduction

    Have you ever wondered how secure your smart contracts are? In the Wild West of blockchain technology, ensuring their safety and reliability is paramount. Let’s take a dive into the world of smart contract code audits and discover why it’s a game-changer for blockchain applications.

    What Are Smart Contract Security Audits?

    Definition and Basic Concepts

    So, what’s a smart contract, anyway? Think of it as a self-executing contract in which the terms between buyer and seller are directly written into lines of code. They reside on a blockchain, ensuring transparency and immutability.

    Importance in Blockchain Technology

    Smart contracts are the lifeblood of decentralized applications (dApps). They automate agreements, reduce the need for intermediaries, and make transactions more efficient. But with great power comes great responsibility, and security is a must. If they’re not adequately secured, they can be a hacker’s playground.

    The Need for Smart Contracts Audit Services

    Common Vulnerabilities in Smart Contracts

    You might be surprised how many smart contracts have vulnerabilities lurking beneath the surface. From reentrancy attacks to integer overflows, the list of potential pitfalls is long and winding.

    Consequences of Unsecured Smart Contracts

    An unsecured smart contract is like leaving your wallet open on a public bus. Hackers can exploit vulnerabilities to steal funds, manipulate data, or even shut down entire platforms. Remember the Curve Finance incident of 2023? It resulted in a loss of $70 million!

    Smart Contract Audit | Process

    Cost and Schedule Proposal

    The audit process starts with estimating the cost and timeline based on the smart contract’s complexity and scope. The assessment is aligned with the project’s deadlines and budget for a smooth process from start to finish.

    Audit Commencement

    After the terms are agreed upon, auditors analyze the contract thoroughly and communicate regularly with the development team for continuous feedback and adjustments to ensure optimal outcomes.

    Preliminary Findings Delivery

    During the audit, a preliminary report categorizes identified vulnerabilities by risk level: Critical, High, Medium, Low, or Advisory. The development team is engaged in a discussion to clarify the issues and understand the required steps for resolution.

    Issue Resolution Process

    After the preliminary findings are delivered, the development team fixes the identified vulnerabilities. Auditors provide guidance to ensure that the issues are correctly addressed according to the security recommendations offered.

    Final Review and Report

    Once the issues are resolved, auditors conduct a final review to verify that all vulnerabilities have been adequately mitigated. They then issue a comprehensive final audit report documenting the process, the findings, and the remediation efforts.

    Smart Contract Audit | Methodology

    A thorough smart contract audit involves a blend of technical expertise and collaborative review. The process typically involves multiple senior security researchers, alongside cryptography or financial modeling specialists, to address each project’s unique complexity. Their hands-on, multi-phase approach, paired with advanced automated tools, ensures code security and optimization while considering integrations with external protocols like oracles and AMMs.

    Team Composition

    A successful smart contract audit is conducted by at least two senior security researchers alongside cryptography or financial modeling specialists, carefully selected to match the complexity and nature of the smart contracts being analyzed.

    Meticulous Code Review

    The audit process involves a thorough, line-by-line review of the entire codebase. Both auditors thoroughly examine every contract within the audit scope, ensuring a deep understanding of the code and forming a mental model of its interactions and assumptions. This hands-on approach is critical to identifying potential vulnerabilities.

    Critical Strategies in Smart Contract Auditing

    Two-Phase Review Auditing:

    1. Phase A: The auditors focus on the contract’s intended functionality and legitimate use cases, gaining a complete understanding of the contract’s expected behavior.
    2. Phase B: The auditors adopt an adversarial mindset, actively attempting to exploit weaknesses by abusing the system’s flexibility to subvert its security assumptions.

    Collaborative Challenges

    The two senior auditors continuously challenge each other’s findings throughout the audit. This back-and-forth ensures no stone is left unturned. By explaining complex code elements, they push each other to uncover potential blind spots or overlooked vulnerabilities.

    Multi-Level Thinking

    Auditors analyze the code at the level of individual functions and consider how different parts of the system interact. This approach helps identify complex attack vectors that could arise from unexpected combinations of contract components.

    Use of Advanced Tools

    Automated tools also play a critical role. Projects are uploaded to automated analysis systems, including static analysis, AI-driven testing, property-based testing, and fuzzing tools. Auditors manually review the output from over 70 algorithms, supplemented by custom tests they create to explore possible issues further.

    Gas Efficiency and Integrations

    Beyond security, auditors also identify inefficiencies in gas usage and provide optimization recommendations. Additionally, we thoroughly examine external integrations with protocols like AMMs, lending platforms, and oracles to ensure they function as expected and align with their specifications.

    Choosing a Smart Contract Auditor

    Qualifications to Look For

    Auditors possess varying levels of expertise. Look for professionals with a strong blockchain security and cryptography background and a track record of successful audits.

    Questions to Ask Potential Auditors

    Don’t hesitate to ask direct questions when choosing an auditor. Understanding their process and tools is essential, as is ensuring they stay updated on the latest security trends. Key questions include:

    • What specific projects have they audited before?
    • Are those projects similar in complexity or structure to yours?

    For example, if your project involves a liquidity pool, selecting an auditor with extensive experience in similar environments can provide deeper insights into potential vulnerabilities. Familiarity with the same functions or libraries your contract uses allows the auditor to identify issues faster and offer more targeted recommendations for improvement.

    Check References and Post-Audit Security

    When selecting an auditor, it’s crucial to assess their experience and check for references and testimonials from past clients. Positive feedback from reputable projects can be a strong indicator of their reliability.

    Additionally, it’s wise to research whether their audited projects have maintained security post-audit. Websites like Rekt News Leaderboard provide valuable insights into projects that have been hacked after their audits.

    If a project repeatedly appears on these lists after an audit, it could signal issues with the thoroughness of the auditor’s work or missed vulnerabilities. Always cross-check testimonials with such resources to ensure the auditors can deliver long-term security, not just pass initial checks.

    Best Practices

    Provide Clear Documentation

    Ensure you supply the auditors with concise but comprehensive documentation. This should include both high-level project overviews and detailed code explanations. The goal is to align the auditors’ understanding of the project’s intent with its technical implementation.

    Consistent Naming and Comments

    Use consistent naming conventions and comments throughout your code. Well-documented code can significantly reduce auditors’ time interpreting complex logic and help them focus on identifying vulnerabilities.

    Establish a Communication Channel

    Maintain an open line of communication between your team and the auditors. Whether it’s a walkthrough of your code or real-time questions during the audit, responsiveness is key to keeping the process efficient and focused.

    Ensure Your Project Is Ready

    Before the audit begins, compile your project without errors and thoroughly test it. This allows auditors to concentrate on complex security issues and concerns rather than debugging fundamental functionality issues. Deploying your code on a testnet and testing it against edge cases can save valuable time.

    Recognize the Scope of an Audit

    Do not treat an audit as a substitute for thorough testing, and do not assume it will find all bugs. Use audits to identify security vulnerabilities, especially in adversarial environments. Functional correctness issues may not be within the auditor’s purview unless clearly communicated.

    The Future of Smart Contract Auditing

    Emerging Technologies

    Artificial intelligence (AI) and machine learning (ML) will transform smart contract auditing by automating vulnerability detection and improving accuracy. These technologies enable advanced static analysis, pattern recognition, and anomaly detection, and allow auditors to identify potential risks more efficiently and precisely.

    Regulatory Considerations

    Regulatory compliance is becoming increasingly crucial in smart contract auditing as governments establish more explicit frameworks for blockchain technology.

    In the European Union, the Markets in Crypto-Assets Regulation (MiCA), introduced by the European Securities and Markets Authority (ESMA), is a significant step toward regulating digital assets. MiCA aims to ensure transparency, consumer protection, and market integrity across the EU.

    As this regulation takes effect, auditors will need to ensure that smart contracts comply with security standards and regulatory requirements like those outlined in MiCA. This includes ensuring that smart contracts meet criteria for transparency, risk management, and governance, making compliance a critical part of the auditing process.

    Conclusion

    A Web3 project Audit is absolutely essential. As blockchain technology continues to reshape industries, ensuring the security and reliability of smart contracts will be more critical than ever. So, are your smart contracts up to the task?

    FAQs

    Q1: How often should you audit smart contracts?

    A: Ideally, before any major release or after significant code changes. Regular audits help maintain security over time.

    Q2: Can automated tools replace human auditors?

    A: Not entirely. While they can catch many issues, a human auditor’s nuanced understanding is irreplaceable.

    Q3: How much does a smart contract audit cost?

    A: Costs vary based on the complexity of the contract and the auditor’s expertise. It’s an investment in security.

    Q4: What is a reentrancy attack?

    A: A reentrancy attack is a common vulnerability where an attacker repeatedly calls a function before the previous execution is completed, potentially draining funds.

    Q5: Should you audit all smart contracts?

    A: Even though auditing is not mandatory, you should strongly consider it to prevent security breaches and build user trust.