People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
tx.origin as tx-sender and msg.sender as contract-caller. Many contracts, including SIP-010 tokens, use tx-sender for authentication. This creates a phishing issue: when a user calls into a malicious contract, that contract can abuse the permissions to act as that user. The article dissects the implications of this design. 1uSTX trick. Since the normal contract interactions are not expecting a function to be called, you can set the post-condition to be 0 STX. When this happens, the TX will fail. 1 STX is such a small amount of funds that it's alright, but it prevents the attack. Neat!