O-Three-Two / 2023-10-zetachain-alpha


101-auditing #1

Open bytes032 opened 1 year ago

bytes032 commented 1 year ago

Project 101 / FAQ (“5 minutes to coding”)

The auditing 101 deliverable should be something like:

bytes032 commented 1 year ago

https://www.halborn.com/blog/post/top-5-security-vulnerabilities-cosmos-developers-need-to-watch-out-for

bytes032 commented 1 year ago

For audits, your biggest resource will be to not only look at Cosmos audits, but any audit / hacks / etc. that branch out to cross-chain level hacks, etc. When it comes to auditing protocols at the blockchain level, it's more useful to understand how overarching concepts work rather than to learn specific patterns. For example, when bridging tokens, one side of the bridge must communicate with the other. This can be done using a bot (which ZetaChain does, most chains do; in ZetaChain's case it's the EVM client for EVM-related communication, and the Bitcoin client for Bitcoin). When this happens, you want to see how this communication happens and figure out if there's a way to abuse certain bugs.

For example, with the first bug in that audit report, it was as simple as knowing that the communication between the zEVM and ZetaChain occurred through specific events emitted from a specific contract.

So we looked at the code that searches for the events and noticed that it was grabbing every emitted event in the chain, as opposed to only filtering on the specific contract.

So we can just spoof events from our own contract and send funds across chains for free.

This type of bug can exist in a non-Cosmos chain bridge too (like Optimism, etc.). The pattern in the code would be completely different, but the underlying concept would remain the same.
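
Added example, not part of the thread and not ZetaChain's code: a Go sketch of the check the comment above describes, with an observer that matches events by signature only next to one that also requires the emitter to be the trusted contract. The `Log` type, function names, addresses and topic strings are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// Log is a hypothetical, simplified stand-in for an EVM event log.
type Log struct {
	Address string // contract that emitted the event
	Topic0  string // event signature identifier
	Amount  uint64
}

// Constructed placeholder values, not real addresses or event hashes.
const (
	bridgeContract = "0x00000000000000000000000000000000000000b1"
	otherContract  = "0x00000000000000000000000000000000000000a7"
	depositTopic   = "topic:Deposit"
)

// matchTopicOnly is the flawed pattern: an event from any contract is accepted.
func matchTopicOnly(logs []Log) (out []Log) {
	for _, l := range logs {
		if l.Topic0 == depositTopic {
			out = append(out, l)
		}
	}
	return out
}

// matchTopicAndEmitter also requires the emitter to be the trusted contract.
// Assumption: addresses are already normalised to lowercase hex.
func matchTopicAndEmitter(logs []Log, trusted string) (out []Log) {
	for _, l := range matchTopicOnly(logs) {
		if l.Address == trusted {
			out = append(out, l)
		}
	}
	return out
}

// sampleLogs is constructed input for the demonstration.
var sampleLogs = []Log{
	{bridgeContract, depositTopic, 5},
	{otherContract, depositTopic, 1000}, // same event shape, untrusted emitter
	{bridgeContract, "topic:Other", 7},
}

func main() {
	fmt.Println(len(matchTopicOnly(sampleLogs)), len(matchTopicAndEmitter(sampleLogs, bridgeContract)))
}
```

When reviewing a bridge observer, the thing to confirm is that the emitter check is applied on every path that turns a log into a cross-chain action, not only in the initial query filter.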

defsec commented 1 year ago

https://www.zellic.io/blog/exploring-cosmos-a-security-primer