💬"Hmm, those guys are using .codehash to check if a contract was already deployed. Did they research the opcode? Why are they assuming it is always 0?"
- See how developer assumptions are questioned from the very beginning
💬"Ok, let's research the EIP for this opcode and check…
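What that research turns up, shown as an added illustration that is not code from the contest, from the protocol, or from the original thread: EIP-1052 defines EXTCODEHASH (Solidity's `.codehash`) as 0 only for an account that does not exist at all. An account that exists but has no code (an EOA, or any address that has ever received value) returns keccak256(""), and a deployed contract returns the hash of its runtime code. So "codehash is 0 until we deploy" is only true while nobody has touched the address. The `Escrow`, `EscrowFactory`, `hasCode` and `getOrCreateEscrow*` names below are hypothetical, and the CREATE2-based deployment is an assumption chosen because it makes the escrow address computable in advance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical minimal escrow, used only for this illustration.
contract Escrow {
    address public immutable account;

    constructor(address _account) {
        account = _account;
    }
}

/// Hypothetical factory that deploys one escrow per account via CREATE2,
/// so the escrow address is known before the escrow exists.
contract EscrowFactory {
    /// EIP-1052: EXTCODEHASH of an existing account with empty code.
    bytes32 internal constant EMPTY_CODEHASH = keccak256("");

    /// Deterministic CREATE2 address for the escrow of `account`.
    function computeEscrowAddress(address account) public view returns (address) {
        bytes32 salt = keccak256(abi.encode(account));
        bytes32 initCodeHash = keccak256(
            abi.encodePacked(type(Escrow).creationCode, abi.encode(account))
        );
        return address(uint160(uint256(
            keccak256(abi.encodePacked(bytes1(0xff), address(this), salt, initCodeHash))
        )));
    }

    /// True only when `a` currently has non-empty bytecode. Both 0 (account
    /// does not exist) and keccak256("") (account exists, no code) mean "no code".
    function hasCode(address a) public view returns (bool) {
        bytes32 h = a.codehash;
        return h != bytes32(0) && h != EMPTY_CODEHASH;
    }

    /// VULNERABLE (hypothetical): assumes codehash stays 0 until the escrow
    /// is deployed. If anyone sends even 1 wei to the precomputed address
    /// first, the account exists with empty code, codehash becomes
    /// keccak256("") (non-zero), and this returns an address with no
    /// contract behind it, never deploying the escrow.
    function getOrCreateEscrowVulnerable(address account) external returns (address escrow) {
        escrow = computeEscrowAddress(account);
        if (escrow.codehash != bytes32(0)) return escrow;
        escrow = address(new Escrow{salt: keccak256(abi.encode(account))}(account));
    }

    /// HARDENED: only a non-empty codehash counts as "already deployed".
    /// CREATE2 still succeeds at an address that merely holds a balance,
    /// so the pre-funding trick no longer blocks deployment.
    function getOrCreateEscrow(address account) external returns (address escrow) {
        escrow = computeEscrowAddress(account);
        if (hasCode(escrow)) return escrow;
        escrow = address(new Escrow{salt: keccak256(abi.encode(account))}(account));
    }
}
```

`a.code.length > 0` (EXTCODESIZE) gives the same answer as `hasCode` and is the more common idiom. Both are "no code" while the target's constructor is still running, so neither proves the address is *your* escrow; when the factory controls deployment, a storage mapping from account to deployed escrow is the unambiguous record and removes the dependence on opcode semantics altogether.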
I analyzed the report of a contest I participated in on @code4rena.
One specific finding by @milotruck taught me a LOT. It was so simple, yet only 3 out of 125 auditors found it.
WHY? They asked the right questions!!
I'm doing a breakdown of the mental model that empowered…
A short summary of the exploit:
📌 It's a p2p lending protocol that has the functionality to sanction lenders/borrowers
📌 When sanctioned, an escrow vault is deployed for that account to hold its funds. If the sanction is lifted, the funds get returned to the account
📌…
My main goal here is to explain why I missed the bug and analyze the proper approach of those awesome auditors.
📌 Make sure you've read the finding first
This is what I was thinking when going through the above code logic:
💬"Hmm, this contract uses .codehash to check if an escrow vault was already deployed for this account.
Wait what is .codehash ?"
Then I googled it and read the first definition I stumbled upon:
- & I thought:…
As you can see, there is nothing complex about the exploit, it's dead simple actually. Yet ONLY 2% found it.
Let that sink in - 2% PERCENT!
WHY?
Because they asked the right questions and questioned everything, all the time!
What's the moral of the story?
✅ ALWAYS DOUBT EVERY ASSUMPTION made in the code you audit
✅ KEEP ASKING QUESTIONS, until you find one that sparks your creativity
✅ BE CRITICAL and take nothing for granted, research it