A comprehensive introduction to smart contract security audit and preparation of relevant interview questions.
BlockApex 
August 25, 2021 On August 10, 2021, the cross-chain platform Poly Network was attacked, resulting in assets worth over $600M being stolen.
Poly Network is an interoperability protocol that allows different heterogeneous blockchains to work with each other on one platform. By hacking into the Poly Network platform, the attacker was able to drain funds from more than one blockchain. Ethereum, Binance Smart Chain, and Polygon were targeted in the attack.
After the attack, Poly Network attempted to negotiate with the hacker via a naive statement released on Twitter, urging him to return the assets he had stolen. Interestingly enough, the hacker actually responded to the negotiation by creating embedded messages within Ethereum transactions- taunting the Poly Network team for their negligence. After publishing several messages on the blockchain (including a Q&A session where the hacker essentially interviews himself), the attacker went on to return most of the stolen funds.
The unusual trajectory of this incident begs the question of where to place the blame in these kinds of attacks. Many (including the attacker himself) argue that a cross-chain protocol like Poly Network should have never had this kind of vulnerability to begin with, and that it is their responsibility to provide their users with the kind of security to prevent this from happening.
Before we discuss this further, let us first break down the details of the actual hack that took place.
The Poly Network defines itself as “built to implement interoperability between multiple chains in order to build the next generation internet infrastructure”. In simple terms, it is a collection of smart contracts that allow transactions to take place between different blockchains. A user could, for example, use Poly Network to transfer tokens from the Ethereum blockchain to the Binance Smart Chain.
Like most cross-chain projects, Poly Network had a privileged contract that determined when to trigger messages between the blockchains. This contract was named as EthCrossChainManager and contained an important function known as verifyHeaderAndExecuteTx. This function did three things:
You can think of the EthCrossChainManager as the “boss” of the DeFi platform, deciding the execution of contracts after verifying the header of the block and the transactions within it. EthCrossChainManager is the keeper of another contract, called EthCrossChainData. This contract stored important information such as cross-chain data as well as the public key of the Keeper. The EthCrossChainData contract worked as an accountant to the boss, i.e EthCrossChainManager, storing important cross-chain information.
One major flaw in the design of the executeCrossChainTx function within the EthCrossChainManager was that it did not have a check preventing it from executing the EthCrossChainData contract- all it did was check if it was a contract.
The attacker exploited this vulnerability and passed a carefully crafted sighash to the verifyHeaderAndExecuteTx, which subsequently called the executeCrossChainTx function. This function then executed the EthCrossChainData contract’s function putCurEpochConPubKeyByte, a method which was used to store the address of the keeper.
By doing this, he was able to change the keeper of the EthCrossChainData contract to an address of his own (i.e, convince the accountant that his boss was someone else). The attacker could then create transactions at will and withdraw any amount of funds from the contract. As the keeper was now modified, all other normal transactions on the chain were then reverted.
By the time the Poly Network community had discovered that assets had been compromised, over $600m worth of funds had been stolen. They then published the accounts which held the stolen assets, urging members of the blockchain community to blacklist tokens coming from them. Cryptocurrency firm Tether went on to freeze $33 million USDT connected with the hack as well.
Soon after, Poly Network released a statement on Twitter urging the hackers to return the assets they had stolen. The statement, beginning with “Dear hacker” was quickly met with ridicule for its naive approach to solving the problem- coming off as more of a desperate plea rather than the beginning of a negotiation.
The attacker was also an interesting case, going on to taunt the Poly Network team for their carelessness. Several transactions were discovered on the Ethereum blockchain via Blockchain explorer included messages which were from the hacker’s address. There was even a Q&A included in these messages in which he discussed his motives behind the attack, claiming it was just “for fun” and that he wasn’t interested in the money- his only goal was to make Poly Network “learn something from these hacks”.
As of 13 August, almost all of the funds have been returned. All that is left is the $33 million USDT frozen by Tether.
What was essentially the biggest hack in the history of cryptocurrency became a valuable lesson on the importance of security and just how powerless big organizations can become in the face of powerful hackers.
The transparent nature of smart contracts can make it very easy for someone to exploit them, while at the same time be a roadblock preventing them from cashing in their loot. Many believe the motivation for returning the stolen assets may have stemmed from this fear, instead of the more noble reason the attackers had painted. However, this is questionable in itself regarding the core philosophy of anonymity that blockchain stands on. If the fear of being tracked led the attackers to return their money, is this technology really anonymous?
Figuring out where to place the blame in these kinds of incidents is also difficult. Online, the hacker was met with great admiration for the feat he had achieved, supporting him in his views of this being the result of Poly Network’s negligence. At the same time, the assets that had been stolen were of the general public and the attacker had no right to take them away.
Regardless of whose fault it was, the key lesson put forth by this incident is that of security. This hack greatly established the importance of designing the architecture of your code. In this case, the hacker was able to steal millions of dollars worth of funds due to a design flaw that should have been taken care of.
We can no longer afford to cut corners in ensuring our smart contracts are rock-solid in every way- the likelihood of losing more than can be borne is far too big.
Poly Network got lucky this time, though there can be no guarantee of a favorable outcome in the next hack.
A comprehensive introduction to smart contract security audit and preparation of relevant interview questions.
BlockApex 
September 8, 2022 Rain Protocol lets you build web3 economies at any scale.Rain scripts are a combination of low level functions (opcodes) like addition and subtraction and very high level functions like fetching an ERC20 balance at a given snapshot ID (Open Zeppelin), or fetching a chainlink oracle price.
BlockApex
June 10, 2023 Jimbo's Protocol is a decentralized finance (DeFi) system built on the Arbitrum chain. The protocol uses a semi-stable floor price for its ERC-20 token, $JIMBO, backed by a treasury of Ether (ETH). However, despite its pioneering efforts to maintain on-chain liquidity and price floors, Jimbo's Protocol recently faced a Flash loan attack.
BlockApex
September 7, 2023 BlockApex (Auditor) was contracted by LightLink (Client) for the purpose of conducting a Smart Contract Audit/ Code Review. This document presents the findings of our analysis, which started on 12th June ‘2023.
BlockApex
July 28, 2023 Learn how Fuzz Driven Development (FDD) transforms software testing by assisting programmers and testers in overcoming prejudices for improved code quality, security, and performance.
BlockApex
August 11, 2023 omposable smart contracts bring about certain problems in particular during the auditing phase. One of these is the hindering of end-to-end (E2E) testing. Often it is the case that for calling even just one function of a composable smart contract, multiple other contracts are required to be deployed.
BlockApex
February 7, 2022 The main contract is called Chainpals Token. The minting and transfer of the complete supply is done during deployment. This means new tokens can only be minted if the old ones are burnt.
BlockApex
July 1, 2022 The purple team exercises allow for regular testing of controls to ensure they still function as expected. Combining red and blue functions also means that the blue team does not have to learn the red-team skills, or take the time to recreate attack behaviors themselves.
BlockApex
May 9, 2022 Lets understand the smart contract storage model in Ethereum and EVM-based chains and how you can access the public and private variables of any smart contract deployed on the blockchain. We can do this by using cast storage.
BlockApex
August 29, 2022 
