Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Seneca Protocol - REKT - 1360

Rekt.news - Posted 2 Years Ago
  • Seneca did virtually everything wrong and then got hacked. So, sort of a funny setup.
  • Seneca was supposed to do an audit with Sherlock, but it was suddenly closed for code licensing issues. They decided to launch with only an audit from Halborn (which reported a similar bug but not the terrible one that was used).
  • In the post mortem, Seneca details the vulnerability. The function PerformOperations contained a mechanism for making an arbitrary call to an arbitrary contract from the context of their contract. There is a denylist, but probably not a great one.
  • With an arbitrary call from the context of the Seneca smart contract, there are many paths to take. However, the easiest one is abusing allowances from other users. By making calls to tokens that had approvals from other users, a malicious actor can trick the contract into sending them funds.
  • To me, this is a pretty clear sink within the smart contract. Arbitrary calls are catastrophic like this. This would have been quickly found by lots of people on Sherlock; it's weird that this wasn't found by Halborn tbh.
  • Overall, the takeaway is to take security seriously! If you don't, you'll get hit hard. As security folks, it's okay to call things out as insecure in order to protect users.
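
To make the allowance problem concrete, here is an added toy model in Python (not Seneca's code and not from the post mortem). It shows why a target denylist does not contain a forwarded call made in the contract's own context, and how an allowlist of (target, method) pairs does. All names (`Token`, `Vault`, `perform_operations`, "alice", "mallory") are hypothetical and the balances are constructed.

```python
# Toy model (constructed): every name below is hypothetical, not Seneca's code.
class Token:
    """Minimal ERC-20-style ledger: balances plus owner -> spender allowances."""
    def __init__(self):
        self.balances, self.allowances = {}, {}

    def approve(self, sender, spender, amount):
        self.allowances[(sender, spender)] = amount

    def transfer_from(self, sender, owner, to, amount):
        # `sender` plays the role of msg.sender: the token trusts whoever calls it.
        if self.allowances.get((owner, sender), 0) < amount:
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        self.allowances[(owner, sender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class Vault:
    """Contract that users approve, and that forwards caller-chosen calls."""
    def __init__(self, name, denylist=(), allowlist=None):
        self.name, self.denylist, self.allowlist = name, set(denylist), allowlist

    def perform_operations(self, caller, target, method, *args):
        if target in self.denylist:
            raise PermissionError("target denylisted")
        # Hardened mode: only pre-approved (target, method) pairs may be called.
        if self.allowlist is not None and (target, method) not in self.allowlist:
            raise PermissionError("call not allowlisted")
        # `caller` is not forwarded: the target sees the vault as the sender.
        return getattr(target, method)(self.name, *args)

def run(vault_factory):
    """Return (alice balance, mallory balance) after one forwarded call."""
    token = Token()
    token.balances["alice"] = 100
    vault = vault_factory()
    token.approve("alice", vault.name, 100)  # ordinary deposit-style approval
    try:
        # "mallory" never received an approval from alice.
        vault.perform_operations("mallory", token, "transfer_from",
                                 "alice", "mallory", 100)
    except PermissionError:
        pass
    return token.balances["alice"], token.balances.get("mallory", 0)

def weak(): return Vault("vault", denylist={"some_other_contract"})
def hardened(): return Vault("vault", allowlist=set())  # no forwardable calls
```
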