Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Substrate is a framework for building application specific blockchains within the Polkadot ecosystem written in Rust. Each new chain inherits the security of the main chain, which is why it's a good choice. It's used by Manta, Band protocol and many others.

Since the substrate layer requires a lot of code to be written, there are common security issues that occur. Some of these are covered in this article. Some of these, such as insecure randomness, are the same on other chains so I won't cover these in my notes.

Substrate requires a model for charging for the usage of storage. If the rental rate for the space isn't expensive enough then it's possible to make the system sluggish. In particular, hackers should check that the gas costs are corresponding to the storage that was used. There is a similar issue for Insufficient Benchmarking on external calls as well.

The second interesting issue is an arbitrary decoding vulnerability. When passing in data, if it can decode to anything, then a highly nested structure can cause performance issues.

Cross Consensus Messaging (XCM) is a mechanism for communicating with different substrate systems, similar to IBC in Cosmos. If the actions being used in this sink are not carefully sanitized and considered then arbitrary Transact instructions could be executed. In theory, this would lead to unauthorized actions or system disruptions.

The other issues that are mentioned are integer related issues, replay attacks from not checking nonces and various other things. My biggest takeaway is that this is functionality very similar to Cosmos but in a different ecosystem. I wish actual findings from substrate blockchain audits were referenced here though.