Blog Posts Tagged: Smart Contract

Comparison and Evaluation of Static Application Security Testing (SAST) Tools for Java

We evaluate and compare seven free or open-source Static Application Security Testing (SAST) tools for Java. The post highlights the importance of SAST tools in detecting security vulnerabilities in software development and provides insights into improving the detection capabilities of these tools.

MetaTrust Labs
over 1 year ago
Educational

Understanding Vulnerability Propagation in the Cargo Ecosystem

The study analyzed 20,000 Rust packages and their dependencies to understand vulnerability propagation in the Cargo package ecosystem. Accurately calculating affected versions reduces false positives, and version ranges are not always reliable indicators. Challenges faced include a lack of security awareness and incentives for package maintainers. The study recommends improving package review mechanisms, providing incentives for security, and implementing security governance strategies to reduce the risk of software supply chain attacks.

MetaTrust Labs
over 1 year ago
Educational

Lesson Learned from ChatGPT Incident: Managing Open Source Vulnerabilities with MetaScan

OpenAI announced on March 24th that a weakness in the Redis client open-source library, redis-py, was responsible for the data breach. In addition to performing a thorough security assessment of smart contract code, MetaScan's Open Source Analyzer is specifically designed to pinpoint vulnerabilities in the open source software components utilized in the project.

Xue Bing
over 1 year ago
Educational

Deep Security Analysis of the ASKACR attack

On March 21, 2023, at 01:39:47 PM UTC, the attacker (0xb189943) created and manipulated many new contracts, which gained ASKACR tokens from the ASKACR contract itself. Finally, the attacker gained 28,633 BSC-USD from the attack.

Daniel Tan
over 1 year ago
Analysis

How the 120k ETH was recovered from the Wormhole attacker

On February 2, 2022, at 18:24:13 UTC, a mysterious attacker launched an attack on the Wormhole cross-chain bridge on the Solana blockchain. Ultimately, the attacker successfully obtained 120,000 WETH from the Solana chain and transferred it to Ethereum through the cross-chain bridge. Without going into the specifics, we know that the attacker has successfully transferred the acquired WETH to their address on Ethereum. Afterward, the attacker disappeared and left behind this shocking event…

BradMoon
almost 2 years ago
Analysis

A Powerful Formal Verification Engine for Solidity Smart Contracts

Smart Contracts are computer programs that enable decentralized applications on the blockchain. They are usually written in Turing-complete programming languages like Solidity, which is similar to JavaScript. In Solidity, a contract is a first-class object that can extend its capabilities by inheriting other contracts or delegating tasks to them. However, the complexity of this composability also makes smart contracts vulnerable to many security threats.

MetaTrust Labs
almost 2 years ago
Educational

Security Analysis of BRA Flash loan attack

This blog post analyzes the BRA flash loan attack, which involved a series of transactions on the Binance Smart Chain. The attacker used a flash loan to borrow 1000 WBNB, which was then used to purchase and sell BRA tokens, resulting in an increase in circulation and a profit of approximately $310,000. The post also suggests using MetaTrust's Prover engine to troubleshoot ERC20 tokens for vulnerabilities and provides tips for preventing similar attacks.

BradMoon
almost 2 years ago
Analysis

Defrost Finance Event Analysis

An analysis of the Defrost Finance project hack that occurred on December 23, 2022. The hack involved a re-entrancy attack and a rug pull, resulting in the loss of over $12 million. This post provides transaction information, attack processes, and an analysis of the vulnerabilities that led to the hack. MetaScan has the ability to scan for these types of risks.

BradMoon
almost 2 years ago
Analysis

From the Source: Analysis of DFX Finance Attack

An analysis of the DFX Finance attack, focusing on the smart contract code. The attacker exploited a vulnerability in the Curve contract that allowed them to re-enter the deposit function and deposit borrowed tokens, which were then treated as repayment. The attack demonstrates the importance of carefully evaluating the impact of each callback and checking dependent state variables to avoid similar problems.

BradMoon
about 2 years ago
Analysis