Bias via Abort

In the commit-then-reveal protocol each user chooses a secret and shares their commitment to the secret with other users. Later, users reveal their secrets and a random value is calculated by combining the secrets. This approach is susceptible to attacks where a user can choose not to reveal their secret to bias the randomness generation to their advantage "bias-via-abort"

Citation: E. Syta, P. Jovanovic, E. Kokoris-Kogias, N. Gailly, L. Gasser, I. Khoffi,
M. J. Fischer, and B. Ford. Scalable Bias-Resistant Distributed Randomness. In 38th IEEE Symposium on Security and Privacy, May 2017.

see

1. https://www.nrel.gov/docs/fy21osti/77521.pdf
2. https://github.com/livnev/auction-grinding/blob/master/grinding.pdf

https://twitter.com/gauntletnetwork/status/1549834606781808641

Describe the bug
Execution environment aware contracts

Minimal Reproduction Repo / Steps to Reproduce

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Environment:

You can also provide output through the command like such as running printenv

Additional context
Add any other context about the problem here.

See https://twitter.com/jakeandbakenft/status/1553805625666174976

Source context:

Opensea implemented a new feature and it's being exploited.

You can buy an item on behalf of a different wallet address.

People are buying on behalf of @GaryVee, @Pranksy, and other influencers. Wallet trackers show it as them buying the NFT themselves. Then people fomo in.

See this twitter thread

https://twitter.com/jacklongarzo/status/1513587622282772487?s=21

Attackers can profit by sandwiching calls that result in bad debt being distributed
among depositors, such as liquidate and handleBadDebt. As a consequence,
protocols floating assets depositors decrease their assets in a higher than fair
proportion.

By redeeming their deposits before, and depositing again right after spreadBadDebt
takes place, attackers avoid being distributed bad debt, and also profit by obtaining
cheaper market shares. The amount of profit depends on how much debt is being
distributed. Also, if the network transaction fees are low enough the malicious holder
can trigger this sandwich attack to every single liquidate call and take profits in the
event of debt being distributed. The ratio between the shares used by the malicious
holder to perform this attack and the current pool liquidity determines how much do
bystanders lose.

The malicious holder (Alice) simply needs to redeem the shares just before a
liquidate call and deposit again in order to repurchase them at a discounted price. It
can be seen how the value of the shares held by Annie (bystander) changes depending
on the case (usual liquidation and sandwich liquidation).

1.Before Liquidation (NO SANDWICH)
Assets that Alice gets if withdraws = 30000000000000000000000
Alice Shares = 30000000000000000000000
Alice DAI Balance = 20000000000000000000000
Assets that ANNIE (Bystander) gets if withdraws = 100000000000000000000
Floating Assets = 64100000000000000000000

After Liquidation (NO SANDWICH)
Assets that Alice gets if withdraws = 29610480782867678343497
Alice Shares = 30000000000000000000000
Alice DAI Balance = 20000000000000000000000
Assets that ANNIE (Bystander) gets if withdraws = 98701602609558927811
Floating Assets = 63267727272727272727273

2.Before Liquidate (WITH SANDWICH)
Assets that Alice gets if withdraws = 30000000000000000000000
Alice Shares = 30000000000000000000000
Alice DAI Balance = 20000000000000000000000
Assets that ANNIE (Bystander) gets if withdraws = 100000000000000000000
Floating Assets = 64100000000000000000000

After Liquidation (WITH SANDWICH)
Assets that Alice gets if withdraws = 29999999999999999999999
Alice Shares = 30750522619519326674773
Alice DAI Balance = 20000000000000000000000
Assets that ANNIE (Bystander) gets if withdraws = 97559317515329245534
Floating Assets = 63267727272727272727273

Recommendation

Fixed by clearing the bad debt by subtracting from the earningsAccumulator instead
of distributing the bad debt over the users. The clearBadDebt function allows partial
debt clearing. When the earningsAccumulator does not suffice to clear all the debt,
the call will not revert and the bad debt can be cleared when more earnings are
available. This effectively addresses the sandwich attack reported in this issue.

Offchain oracle response liveliness not checked.

No liveness checks are performed while retrieving oracle data. As a result, prices could
be outdated yet used anyways affecting deposits, borrows, repayments, and any other
source that relies on Chainlink’s prices.

The data retrieval from the rate conversion wrapper does not check the retrieved price
and the success condition. As a result, the PriceFeedWrapper.latestAnswer() could
return negative or invalid data yet used anyways across the market.
The mentioned function has the following implementation:

function latestAnswer() external view returns (int256) {
int256 mainPrice = mainPriceFeed.latestAnswer();
(, bytes memory data) =
address(wrapper).staticcall(abi.encodeWithSelector(conversionSelector, baseUnit));
uint256 rate = abi.decode(data, (uint256));
return int256(rate.mulDivDown(uint256(mainPrice), baseUnit));
}

On the other hand, Auditor.assetPrice() is implemented as follows:

function assetPrice(IPriceFeed priceFeed) public view returns (uint256) {
if (address(priceFeed) == BASE_FEED) return basePrice;
int256 price = priceFeed.latestAnswer();
if (price <= 0) revert InvalidPrice();
return uint256(price) * baseFactor;
}

The low level staticcall function has two returns, a boolean success and bytes
data. Currently, the decoded rate has no rules as the price has in assetPrice(). Also,
there are no checks that ensure that the boolean return is true.

Recommendation

Check both the boolean return and the retrieved rate if possible.

https://snapshot.org/#/cow.eth/proposal/0x812273c78abe1cea303d8381e1fb901a4cb701715fd24f4b769d0a0b3779b3e2

Describe the bug
we dont document any of this actually

Minimal Reproduction Repo / Steps to Reproduce

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Environment:

You can also provide output through the command like such as running printenv

Additional context
Add any other context about the problem here.

Is your feature request related to a problem? Please describe.
Backend servers are often used for things like compounders, apis, oracles, etc.. This requires remote access, usually through SSH. Default SSH configurations are dogshit, often permitting root access with password enable ssh.

Describe the solution you'd like

• Add SSH as an off-chain attack

Describe alternatives you've considered
Telnet? /s

https://gist.github.com/rossgalloway/e7d28830b66ea0fcf9bbd4bb9cd6f46b

https://github.com/runtimeverification/verified-smart-contracts/wiki/List-of-Security-Vulnerabilities

Withdrawal credentials protection

A known security vulnerability for delegated staking applications is the possibility of users
front-running the initial deposit and registering their own withdrawal credentials

see https://research.lido.fi/t/mitigations-for-deposit-front-running-vulnerability/1239

Price Manipulation via Donation Attacks

example from CREAM Finance attack

Here is the exploit: donate double existing amount yUSD to yUSD Vault. This doubles the value of yUSD so crYUSD collateral have doubled in value

https://github.com/Crypto-Virus/cream-finance-exploit-example/blob/master/contracts/Attack.sol

See
https://ethereum-magicians.org/t/address-eip-4626-inflation-attacks-with-virtual-shares-and-assets/12677

https://github.com/freight-trust/defi-threat/blob/969df30f5e8208cf261f78784c8881565975efa4/src/v2/types.ts#L17

Add a alphanumeric modifier (e.g. ...+A or ...+R) for unambiguous threat status

When do dynamic DeFi rate curves reduce capital efficiency?

From the unpublished paper:
https://gauntlet.network/reports/pid

The two major designs proposed for PID controlled interest rate curves are Euler Finance's reactive rates [2, 3] and Mars Protocol. Currently, only Mars Protocol has implemented $[13,14]$ and deployed a proportional interest rate controller to production. Euler Finance has signalled that they would introduce reactive rates pending further research. However, it appears that neither of these teams has formally analyzed their PID interest protocols.

We note that most PID designs in DeFi are either proportional (P) or proportional integral (PI) controllers. The PI controllers correspond to the utilization of time-weighted average quantities (akin to the Uniswap V3 TWAP oracle [9]). There are two reasons derivatives of rate changes are less useful in practice. First, the rate of change of an interest rate is more easily manipulable given the constraints of blockchains, such as large confirmation times. Moreover, the only reason to adjust a rate based on its gradient is to provide fixed-interest rate protocols. However, most fixed-interest rate protocols such as Yield and Notional, use more transaction cost efficient mechanisms than a PID controller [11]. As such, whenever DeFi enthusiasts talk about PID controlled interest rates, they usually only mean a P or PI controller.

profitability in the worst case for lenders: when there is no supply or demand elasticity. The supply and/or demand elasticity of a protocol refers to the expected rate of change of supply or demand in the protocol as a function of a rate change. We usually have the supply elasticity be positive when rates increase whereas the demand elasticity is negative. However, in many DeFi protocols there are a large swath of users who are completely inelastic to rate changes [5]. This means that the worst case condition of the attack is often true.

We also analyze how this attack is related to capital efficiency in the protocol. We demonstrate that the attack has low profitability if there is excess capital within the pool (e.g. the utilization rate and the target utilization rate are low and the supplied assets dwarf the demand). Similarly, if the protocol can time-lock assets (e.g. force a user who to supply or borrow for a minimum time period), the protocol can make such an attack significantly more expensive However, both of these options are very capital inefficient states for a lending protocol.
Our solution for mitigating this attack involves three components:

1. Using a PI controller which is more expensive to attack (see Appendix A)
2. Separating supply and demand curves (akin to what Compound V3 does [7])
3. Having the controller depend not only on utilization but also supply and demand elasticities

We also note that any off-chain optimization of interest rate curves should take attack profitability into account (which is what Gauntlet has focused on making sure we have battle tested before we roll out interest rate optimization recommendations).

Problem

The off-chain attacks section is pretty cool, and not something a lot of people consider. However the google sheets does not really mention any resources, guides, etc.. to combat against this. So I've provided some below:

Container Security

Docker has a number of features which can be used to help mitigate, and contain the damage from container escapes. This includes things like apparmor, seccomp, etc.. For example a really good thing to add to all your docker compose files is the following:

    read_only: true
    restart: always
    security_opt:
      - apparmor:docker-default
      - seccomp=/home/foobar/seccomp_default.json
      - no-new-privileges
    tmpfs:
       - /tmp

There more you can do, so i've listed some resources below:

• https://docs.docker.com/engine/security/rootless/
• https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#introduction
• https://github.com/moby/moby/blob/master/profiles/seccomp/default.json
• https://docs.docker.com/engine/security/userns-remap/#enable-userns-remap-on-the-daemon

SSH Security

Somewhat a followup to #11, so some simple recommendations:

• disable root ssh access
• disable password ssh access
• enable public key ssh access
• enable 2fa based ssh

I use the following script to bootstrap 2FA ssh on all new servers, etc..

#!/bin/bash

# references
# https://www.digitalocean.com/community/tutorials/how-to-configure-multi-factor-authentication-on-ubuntu-18-04
# https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04

# we use nullok so that we dont brick ourselves if we havent configured 2fa before running this


sudo apt install libpam-google-authenticator

# enables 2fa for ssh
echo "auth required pam_google_authenticator.so nullok" | sudo tee --append /etc/pam.d/sshd
# enables 2fa for login and sudo requests
echo "auth required pam_google_authenticator.so nullok" | sudo tee --append /etc/pam.d/common-auth
echo "[WARN] if you want to enable 2fa for desktop environments make sure to edit '/etc/pam.d/gdm' or similar"
# this makes ssh aware of ssh
echo "AuthenticationMethods publickey,password publickey,keyboard-interactive" | sudo tee --append /etc/ssh/sshd_config
# enable challenge response
sudo sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config
sudo systemctl restart sshd

echo "please comment out '@include common-auth' in /etc/pam.d/sshd to disable password prompts"
echo "[INFO] please run the google-authenticator command"

Beyond the above here are some resources

• https://www.ssh.com/academy/ssh/config
• https://linux-audit.com/audit-and-harden-your-ssh-configuration/
• https://man.openbsd.org/sshd_config

Developer Workstation Security

Developer workstation security is super important, if your workstation is compromised the ability to pivot to other attacks will be greatly increased.

Windows

💀

Mac OSX

🤷

Linux

• https://madaidans-insecurities.github.io/guides/linux-hardening.html