Smart Contract Security - One Last Huzzah

Support

--- ### One Last Huzzah Alright, we can't let the test passing deceive us. If you recall from a couple lessons ago our `statefulFuzz_constantProductFormulaStaysTheSameY` test is only checking one side of our pool, the change in poolToken amounts. ```js function statefulFuzz_constantProductFormulaStaysTheSameY() public { assertEq(handler.actualDeltaY(), handler.expectedDeltaY()); } ``` Let's write another function to test our `weth` swaps as well, it's going to look _basically_ the same, just swap out our `actualDeltaY`s for `actualDeltaX`s ```js function statefulFuzz_constantProductFormulaStaysTheSameX() public { assertEq(handler.actualDeltaX(), handler.expectedDeltaX()); } ``` Run the test and let's see what we get. ```bash forge test --mt statefulFuzz_constantProductFormulaStaysTheSameX -vvvv ``` ::image{src='/security-section-5/26-one-last-huzzah/one-last-huzzah1.png' style='width: 100%; height: auto;'} It errors! We can see that our expectedDeltaX and our actualDeltaX are wildly different. _What could possibly be going on here?_ > **Protip:** Rather than scrolling through all the function calls in our test's trace, often the steps that lead to our issue can be found in the most recent function execution near the bottom. ::image{src='/security-section-5/26-one-last-huzzah/one-last-huzzah2.png' style='width: 100%; height: auto;'} I've highlighted the most recent execution in the image above. We notice immediately that the function being called is `swapPoolTokenForWethBasedOnOutputWeth`. Things seems fairly unremarkable until we reach the actual swap of tokens when `swapExactOutput` is called. We would expect this function to execute two transfers, one from the `swapper` to `TSwapPool` and another from `TSwapPool` to the `swapper`. For some reason our function is calling transfer _three times_. This is the point where we would need to step into the code base and understand what exactly is being done within `swapExactOutput`. For some reason we're getting transfers called when we don't expect them. Let's look at that function within TSwapPool.sol. ```js function swapExactOutput( IERC20 inputToken, IERC20 outputToken, uint256 outputAmount, uint64 deadline ) public revertIfZero(outputAmount) revertIfDeadlinePassed(deadline) returns (uint256 inputAmount) { uint256 inputReserves = inputToken.balanceOf(address(this)); uint256 outputReserves = outputToken.balanceOf(address(this)); inputAmount = getInputAmountBasedOnOutput(outputAmount, inputReserves, outputReserves); _swap(inputToken, inputAmount, outputToken, outputAmount); } ``` It looks like it's calling an internal `_swap` function, let's go there. ```js function _swap(IERC20 inputToken, uint256 inputAmount, IERC20 outputToken, uint256 outputAmount) private { if (_isUnknown(inputToken) || _isUnknown(outputToken) || inputToken == outputToken) { revert TSwapPool__InvalidToken(); } swap_count++; if (swap_count >= SWAP_COUNT_MAX) { swap_count = 0; outputToken.safeTransfer(msg.sender, 1_000_000_000_000_000_000); } emit Swap(msg.sender, inputToken, inputAmount, outputToken, outputAmount); inputToken.safeTransferFrom(msg.sender, address(this), inputAmount); outputToken.safeTransfer(msg.sender, outputAmount); } ``` BINGO! TSwap is transferring extra tokens! This is similar to our `fee on transfer` issue seen earlier and in fact, `fee on transfer` tokens would break this protocol as well. ```js /* * @dev Every 10 swaps, we give the caller an extra token as an extra incentive to keep trading on T-Swap. */ ``` This is breaking our invariant! ### Wrap Up This was a lot of work to find this bug, there's no denying that, but fuzz test suites are so incredibly powerful, mastering them is worth putting the time in for given the advantages they bring to this process when a code base is very complex, such as automation. As I've mentioned a few times, it's _ok_ if you don't get this immediately. These are advanced concepts. I encourage you to become comfortable at least in so far as the examples of fuzzing provided in [**sc-exploits-minimized**](https://github.com/Cyfrin/sc-exploits-minimized/tree/main/src/invariant-break) We've learnt a tonne so far about `invariants` and `Weird ERC20s` and it's easy to see how important checking for these tokens can be. Hopefully this fuzzing exercise has showing you the power that comes with properly understanding a protocol's core `invariants` and trying to break them through this methodology. There's a great article on [**Nascent.xyz**](https://www.nascent.xyz/idea/youre-writing-require-statements-wrong) I encourage you to read. It covers the concept of having an invariant baked into the protocol design directly (sometimes called `FREI-PI`) and is actually something later versions of Uniswap actually do.

One Last Huzzah

Patrick explains how fuzz testing and formal verification methods can be used together to detect bugs in Solidity smart contracts.

Solidity Developer

Smart Contract Security

Course Introduction

Duration: 25min

Section 1: Review

Duration: 1h 18min

Section 2: What is a smart contract audit

Duration: 35min

Section 3: Your First Audit | PasswordStore

Duration: 2h 28min

Section 4: Puppy raffle

Duration: 5h 03min

Section 5: TSwap

Duration: 5h 22min

1. Introduction

Learn to find bugs without code inspection. Topics include fuzzing, AMMs, constant product formula, Uniswap/Curve Finance concepts, and more. Duration: 5min

2. Phase 1: Scoping

Beginning our scoping phase of TSwap a fork of Uniswap V1. Duration: 9min

3. Primer On This Review

Learn about protocol invariance without code. Study DEXs & DeFi Security Reviews. Explore TSWAP Protocol Docs w/ Diagrams & Videos. Duration: 2min

4. What is a DEX?

Decentralized exchanges explained through Uniswap and TSwap Duration: 3min

5. What is an AMM?

We're walked through what an AMM is and how it works in DeFi. Duration: 10min

6. Liquidity Providers

An explanation on liquidity providers and the sources of AMM fees for traders. Duration: 11min

7. How AMMs Work

Patrick further details AMMs and how they function in this quick review on How AMMs Work. Duration: 5min

8. TSwap Recon Continued

TSwap - Create New Pools, Swap Tokens via Multiple Pools, Liquidity Providers. Duration: 3min

9. Invariant & Properties Introduction

In-depth explanation of blockchain protocol invariants and fuzz testing. Examples from ERC-20 & ERC-721 tokens. Duration: 3min

10. Stateful And Stateless Fuzzing

Patrick details the differences between stateful and stateless fuzz testing and how each can be used to break protocol invariants. Duration: 10min

11. Stateless And Stateful Fuzzing Practice

Patrick emphasizes the importance of practice to master stateful and stateless fuzz testing. Duration: 5min

12. Stateless Fuzzing

Patrick walks through stateless fuzzing to catch an invariant break in TSwap! Duration: 9min

13. Where Stateless Fuzzing Fails

Patrick walks through some testing failures and how Foundry can be configured to achieve better results. Duration: 11min

14. Fuzzing Where Method 1 Fails

Introduction to different methods of fuzzing when we have no luck with Method 1. Duration: 18min

15. Stateful Fuzzing Method 2

A second approach to stateful fuzzing by Patrick. Duration: 14min

16. Debugging Fuzz Sequences

Uncover a broken invariant and debug the output sequence of our fuzz testing in this TSwap lesson. Duration: 7min

17. Fuzzing Recap

Stateful/Stateless Fuzzing, Handler Method Importance, ERC20 Exploit, TSWAP Testing & Bugs. Duration: 2min

18. Weird Erc20s

Patrick discusses various ERC20 quirks that can affect a protocol's security including missing return values and fee-on-transfer tokens. Duration: 4min

19. Writing Stateful Fuzz Test Suite

Stateful Fuzzing & Manual Review for TSWAP Bugs Duration: 1min

20. Constant Product Formula Explained

Explore the constant product formula and test it's implementation in TSwap through Fuzz and Unit testing. Duration: 9min

21. Invariant.t.sol

Patrick walks us through the invariant testing we perform on TSwap in invariant.t.sol. Duration: 17min

22. Handler.t.sol

Implementing the deposit function within our testing handler. Duration: 18min

23. Handler Swap Function

Implementing the swap function within our testing handler. Duration: 12min

24. Final Invariant And Tweaks

Comparing Deltas in Handler Test - Quick Guide. Demonstrates how to set up and run an assertion test for deltas in a handler. Duration: 3min

25. Debugging The Fuzzer

Debug Solidity Test Failures with Foundry Duration: 8min

26. One Last Huzzah

Patrick explains how fuzz testing and formal verification methods can be used together to detect bugs in Solidity smart contracts. Duration: 10min

27. Notes On Invariants

Covers security tools like fuzzing, Echidna, and mutation/diff testing to detect issues stresses the importance of testing & learning from history. Duration: 4min

28. Recon: Manual Review Introduction

In this video, Patrick discusses the importance of manual codebase review along with tooling, specifically focusing on TSWAP pool. Duration: 2min

29. Slither

Patrick runs through using Slither on the TSwap repo. Duration: 2min

30. Aderyn

Using Cyfrin's Aderyn to find some non-critical bugs in TSwap! Duration: 2min

31. PoolFactory.sol

In this video, Patrick reviews PoolFactory.sol for TSwap liquidity pools, covering structure, functions, variables, bugs, and best practices. Duration: 6min

32. Manual Review: TSwapPool

Patrick discusses the security review of TSWAP pool in the context of Uniswap V1, He highlights a swap counting bug that breaks protocol invariants Duration: 3min

33. Using The Compiler As Static Analysis Tool

Importance is placed on addressing compiler warnings for potential issues and how they can help us in an audit scenario. Duration: 6min

34. Add Liquidity

Performing a manual review of the addLiquidity function and assessing risks found within! Duration: 8min

35. Remove Liquidity

Withdrawing Liquidity: Burning LP tokens to exchange for underlying money, parameters explained. Duration: 8min

36. swapExactInput

Understanding Swap Exact Input/Output & Protocol Checks in DeFi Duration: 6min

37. swapExactOutput

swapExactOutput lacks slippage protection for sudden price changes. Duration: 3min

38. sellPoolTokens

Sells pool tokens for WETH; business logic error: swap exact output instead of swap exact input. Duration: 2min

39. Checking The Last Few Functions

Patrick quickly skims the final few functions for vulnerabilities in TSwap. Duration: 2min

40. Phase 4: Reporting

Quick overview of reporting process - finding reports & appropriate tags. Multiple passes suggested for thoroughness. Duration: 5min

41. Reporting: Missing Deadline

TSWAP pool deposit function vulnerability. Deadline parameter accepted but unused, allowing MEV attacks during unfavourable market conditions. Medium impact. Duration: 4min

42. Reporting Continued

Patrick continues by showing how to report issues with examples and proofs to fix them. Duration: 10min

43. Reporting: No Slippage Protection

Slippage Protection Lacking in SwapExactOutput, Add Max Input for Safety. Patrick elaborates with a Proof-Of-Concept Scenario. Duration: 8min

44. Reporting: sellPoolTokens

Patrick highlights flawed SellPool tokens calculation. Recommends using swapExactInput & adding a MinWethToReceive w/Deadline to prevent exploitation. Duration: 4min

45. Reporting: Invariant Break & PoC

In this video, Patrick explains how to create a unit test that replicates a sequence found using fuzz testing to break an invariant. Duration: 9min

46. Reporting: Weird Erc20

Uniswap V1, TSWAP pool issues, breaks protocol invariance. Explore, and report weird ERC20s, DeFi vulnerabilities. Duration: 4min

47. Creating Pdf For Your Portfolio

Creating a PDF of your audit report to add to your GitHub portfolio! Show case your achievements! Duration: 4min

48. Recap

Recap things covered in this section. Common issues in DeFi: liquidity, price manipulation, governance attacks. Duration: 8min

49. Exercises

Learn smart contract security testing by coding a fuzz test, discover reentrancy attacks, share insights on Twitter. Upcoming sections explained. Duration: 3min

Section 6: Thunder Loan

Duration: 4h 33min

Section 7: Boss Bridge

Duration: 2h 01min

Section 8: MEV & Governance

Duration: 1h 40min