Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Astroport is a decentralized trading platform. Prior to being released fully, it went under two security audits on multiple features. A few of these bugs are interesting and worth calling out!

In the AMM (Automated Market Maker), there is a function to set configuration parameters, such as other deployed contracts to use. However, these functions are not backed by access control! This means that anybody cab trivially change these parameters and potentially steal funds. This same issue was found by both Oak and Halborn.

When creating a pool, there is no check that the same assets are being used to create this. As a result, we have a classic double spending problem. A user could take out more money from the pool than there fair share. This can be triggered again because of a case sensitive check for an address.

In the Oak audit, there are a few more severe issues. The first issue is a rounding problem when taking out assets with division. When taking out funds in the pool compared to one another, the division gets rounded up instead of rounded down. This resulted in money being easy to siphon from the contract.

The second major vulnerability is a gas exhaustion attack. There is an iteration through a map with an attacker controlled size. By putting in many small amounts into this, it would make the funds forever locked.

A lot of the other findings are simply "X doesn't work and user could lose funds". It is shocking how some things do not work as expected with this much money on the line. Overall, fairly good audits with good bugs!