Gnosis Chain's native token xDAI contains the non-standard hook callAfterTransfer. This surprised many protocols, leading to security issues down the road.
Hundred Finance is a fork of Compound. It does not implement the checks-effects-interactions pattern that is recommended to prevent reentrancy, even though it mentions it. Because of this and the hook, a reentrancy attack is possible.
First, an attacker deposited 2 million as collateral of one asset. Then, they borrowed assets based upon their collateral: 1.5 million. However, the variable tracking the user's borrow amount is updated only after the transfer.
Since the transfer contains the hook, an attacker can reenter the smart contract before the user's borrowed amount has been updated. As a result, an attacker can enter the contract and borrow funds from a different asset. If this is repeated, they can borrow more funds than their collateral.
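The ordering problem described above, as an added Python model; it is not code from Hundred Finance or from the original write-up. The class names, the 75% collateral factor and the size of the second borrow are assumptions chosen to match the 2 million / 1.5 million figures. It runs the same nested borrow against the vulnerable order (transfer, then record debt) and the checks-effects-interactions order (record debt, then transfer).

```python
# Constructed model; names, amounts and the 75% collateral factor are assumptions.
class HookToken:
    """Token whose transfer() calls back into the recipient, like callAfterTransfer."""
    def transfer(self, to, amount):
        to.balance += amount
        to.on_token_transfer()  # external call: control passes to the recipient

class Comptroller:
    """Liquidity check shared by every market."""
    def __init__(self, collateral, factor_pct=75):
        self.collateral, self.factor_pct, self.markets = collateral, factor_pct, []
    def liquidity(self, user):
        debt = sum(m.borrows.get(user, 0) for m in self.markets)
        return self.collateral * self.factor_pct // 100 - debt

class Market:
    def __init__(self, comptroller, safe):
        self.c, self.token, self.safe, self.borrows = comptroller, HookToken(), safe, {}
        comptroller.markets.append(self)
    def borrow(self, user, amount):
        if amount > self.c.liquidity(user):  # check
            raise ValueError("insufficient collateral")
        if self.safe:  # checks-effects-interactions: record the debt, then transfer
            self.borrows[user] = self.borrows.get(user, 0) + amount
            self.token.transfer(user, amount)
        else:  # vulnerable order: transfer first, debt recorded too late
            self.token.transfer(user, amount)
            self.borrows[user] = self.borrows.get(user, 0) + amount

class Borrower:
    """Recipient whose transfer callback asks a second market for a loan."""
    def __init__(self, other):
        self.balance, self.other, self.reentered = 0, other, False
    def on_token_transfer(self):
        if not self.reentered:
            self.reentered = True
            try:
                self.other.borrow(self, 1_500_000)
            except ValueError:
                pass  # nested borrow rejected: the first debt was already recorded

def run(safe):
    c = Comptroller(collateral=2_000_000)
    a, b = Market(c, safe), Market(c, safe)
    user = Borrower(other=b)
    a.borrow(user, 1_500_000)
    return user.balance, c.liquidity(user)  # (tokens received, remaining liquidity)

if __name__ == "__main__":
    print(run(safe=False), run(safe=True))
```

With the vulnerable order the account ends with negative liquidity, meaning its debt exceeds what the collateral supports; with the corrected order the nested borrow fails the liquidity check.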
Agave is a fork of Aave. Although Aave tries to follow the checks-effects-interactions pattern, one path was not secure against this. Why isn't Aave vulnerable to this, then? Aave governance actively checks for reentrancy bugs prior to listing tokens on the mainnet.
Overall, a silly issue in a standard token. Defense in depth matters!