Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CosmWasm Lack of Address Checking - 853

Rob Behnke - Halborn, posted 3 years ago
  • CosmWasm is supposed to be a safe way to build smart contracts. In particular, it's a smart contract platform for the Cosmos ecosystem that is not vulnerable to re-entrancy and other attacks common to blockchain applications.
  • Bech32 is a format for Segregated Witness (SegWit) addresses. Addresses are built from a 32-character alphabet of letters and digits, and the letters must be either all uppercase or all lowercase. The issue is that the address carries an inherent assumption about how it is used: developers believe that either the addr_validate function will normalize it or that addresses MUST already be all lowercase.
  • Why is this bad? Validity checks and many other things can be bypassed. For instance, an address on a blocklist could use this trick to keep using the contract. Additionally, a single user can create multiple instances of a resource, which would give them an unfair advantage in the group. Finally, tokens can be locked: in the case of CW20 tokens, an uppercase address can be used for sending, but transferring only allows lowercase.
  • Overall, the difference between case-sensitive and case-insensitive handling has been plaguing developers for years. This is just another case of that occurring.
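The pattern behind those notes, as an added example that is not from the Halborn article or from CosmWasm itself: a contract that compares address strings byte-for-byte treats `cosmos1...` and `COSMOS1...` as two different accounts, so a listed address evades a blocklist and a balance credited under one spelling is invisible under the other. The fix is to canonicalize before every comparison or storage key, and to reject mixed case outright (which the bech32 spec already forbids). The address below is a constructed sample with a made-up checksum, the bech32 checksum is not verified, and `cosmwasm_std` is deliberately not used so the code compiles with plain `rustc`.

```rust
use std::collections::HashMap;

// The 32-character bech32 data alphabet (excludes 1, b, i and o).
const BECH32_CHARSET: &str = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";

// Constructed sample address: valid shape, checksum NOT computed.
pub const SAMPLE_ADDR: &str = "cosmos1qpzry9x8gf2tvdw0s3jn54khce6mua7lqqqqqq";

#[derive(Debug, PartialEq)]
pub enum AddrError {
    MixedCase,   // spec forbids mixing cases within one address
    NoSeparator, // no '1' separating the human-readable part from the data
    BadChar,     // data part uses a character outside the bech32 alphabet
}

/// Canonical (lowercase) form of a bech32 address. Stands in for the
/// normalization step the notes say developers assume addr_validate does;
/// this is an added helper, not the CosmWasm API.
pub fn normalize_addr(raw: &str) -> Result<String, AddrError> {
    let has_upper = raw.chars().any(|c| c.is_ascii_uppercase());
    let has_lower = raw.chars().any(|c| c.is_ascii_lowercase());
    if has_upper && has_lower {
        return Err(AddrError::MixedCase);
    }
    let lower = raw.to_ascii_lowercase();
    // '1' never appears in the data part, so the last '1' is the separator.
    let sep = lower.rfind('1').ok_or(AddrError::NoSeparator)?;
    let data = &lower[sep + 1..];
    if data.is_empty() || !data.chars().all(|c| BECH32_CHARSET.contains(c)) {
        return Err(AddrError::BadChar);
    }
    Ok(lower)
}

/// Naive blocklist check: exact string comparison, so an uppercase
/// spelling of a listed address is not recognised.
pub fn is_blocked_naive(blocklist: &[&str], addr: &str) -> bool {
    blocklist.iter().any(|b| *b == addr)
}

/// Hardened blocklist check: both sides canonicalized first, and a
/// malformed or mixed-case input is an error rather than a silent miss.
pub fn is_blocked_normalized(blocklist: &[&str], addr: &str) -> Result<bool, AddrError> {
    let addr = normalize_addr(addr)?;
    for b in blocklist {
        if normalize_addr(b)? == addr {
            return Ok(true);
        }
    }
    Ok(false)
}

/// Models the locked-token case: credit `amount` under the recipient string
/// exactly as received, then look it up under the canonical spelling.
/// Returns (balance under the raw key, balance under the canonical key).
pub fn credit_and_lookup(raw_recipient: &str, amount: u128) -> (u128, u128) {
    let mut balances: HashMap<String, u128> = HashMap::new();
    *balances.entry(raw_recipient.to_string()).or_insert(0) += amount;
    let canonical = raw_recipient.to_ascii_lowercase();
    let raw_bal = balances.get(raw_recipient).copied().unwrap_or(0);
    let canon_bal = balances.get(&canonical).copied().unwrap_or(0);
    (raw_bal, canon_bal)
}

fn main() {
    let upper = SAMPLE_ADDR.to_ascii_uppercase();
    let blocklist = [SAMPLE_ADDR];
    println!("naive blocklist catches uppercase: {}", is_blocked_naive(&blocklist, &upper));
    println!("normalized blocklist catches uppercase: {:?}", is_blocked_normalized(&blocklist, &upper));
    println!("mixed case rejected: {:?}", normalize_addr("Cosmos1qpzry9x8gf2tvdw0s3jn54khce6mua7lqqqqqq"));
    println!("credited under uppercase, visible under lowercase: {:?}", credit_and_lookup(&upper, 5));
}
```

The normalized check is the one to apply at every entry point that takes an address string, including storage keys, since a `Map<&str, ...>` keyed on the raw input is exactly how the CW20 balance ends up stored under a spelling that `transfer` will never look up.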