sellPoolTokens

Sells pool tokens for WETH; business logic error: swap exact output instead of swap exact input.

Solidity Developer

Smart Contract Security

1. Introduction
Learn to find bugs without code inspection. Topics include fuzzing, AMMs, constant product formula, Uniswap/Curve Finance concepts, and more. Duration: 5min
2. Phase 1: Scoping
Beginning our scoping phase of TSwap, a fork of Uniswap V1. Duration: 9min
3. Primer On This Review
Learn about protocol invariance without code. Study DEXs & DeFi Security Reviews. Explore TSWAP Protocol Docs w/ Diagrams & Videos. Duration: 2min
4. What is a DEX?
Decentralized exchanges explained through Uniswap and TSwap. Duration: 3min
5. What is an AMM?
A walkthrough of what an AMM is and how it works in DeFi. Duration: 10min
6. Liquidity Providers
An explanation of liquidity providers and of the fees traders pay to an AMM. Duration: 11min
7. How AMMs Work
Patrick further details AMMs and how they function in this quick review on How AMMs Work. Duration: 5min
8. TSwap Recon Continued
TSwap - Create New Pools, Swap Tokens via Multiple Pools, Liquidity Providers. Duration: 3min
9. Invariant & Properties Introduction
In-depth explanation of blockchain protocol invariants and fuzz testing. Examples from ERC-20 & ERC-721 tokens. Duration: 3min
10. Stateful And Stateless Fuzzing
Patrick details the differences between stateful and stateless fuzz testing and how each can be used to break protocol invariants. Duration: 10min
11. Stateless And Stateful Fuzzing Practice
Patrick emphasizes the importance of practice to master stateful and stateless fuzz testing. Duration: 5min
12. Stateless Fuzzing
Patrick walks through stateless fuzzing to catch an invariant break in TSwap! Duration: 9min
13. Where Stateless Fuzzing Fails
Patrick walks through some testing failures and how Foundry can be configured to achieve better results. Duration: 11min
14. Fuzzing Where Method 1 Fails
Introduction to different methods of fuzzing when we have no luck with Method 1. Duration: 18min
15. Stateful Fuzzing Method 2
A second approach to stateful fuzzing by Patrick. Duration: 14min
16. Debugging Fuzz Sequences
Uncover a broken invariant and debug the output sequence of our fuzz testing in this TSwap lesson. Duration: 7min
17. Fuzzing Recap
Stateful/Stateless Fuzzing, Handler Method Importance, ERC20 Exploit, TSWAP Testing & Bugs. Duration: 2min
18. Weird ERC20s
Patrick discusses various ERC20 quirks that can affect a protocol's security including missing return values and fee-on-transfer tokens. Duration: 4min
19. Writing Stateful Fuzz Test Suite
Stateful Fuzzing & Manual Review for TSWAP Bugs. Duration: 1min
20. Constant Product Formula Explained
Explore the constant product formula and test its implementation in TSwap through fuzz and unit testing. Duration: 9min
21. Invariant.t.sol
Patrick walks us through the invariant testing we perform on TSwap in invariant.t.sol. Duration: 17min
22. Handler.t.sol
Implementing the deposit function within our testing handler. Duration: 18min
23. Handler Swap Function
Implementing the swap function within our testing handler. Duration: 12min
24. Final Invariant And Tweaks
Comparing Deltas in Handler Test - Quick Guide. Demonstrates how to set up and run an assertion test for deltas in a handler. Duration: 3min
25. Debugging The Fuzzer
Debug Solidity Test Failures with Foundry. Duration: 8min
26. One Last Huzzah
Patrick explains how fuzz testing and formal verification methods can be used together to detect bugs in Solidity smart contracts. Duration: 10min
27. Notes On Invariants
Covers security tools like fuzzing, Echidna, and mutation/diff testing to detect issues, and stresses the importance of testing and of learning from history. Duration: 4min
28. Recon: Manual Review Introduction
In this video, Patrick discusses the importance of manual codebase review along with tooling, specifically focusing on TSWAP pool. Duration: 2min
29. Slither
Patrick runs through using Slither on the TSwap repo. Duration: 2min
30. Aderyn
Using Cyfrin's Aderyn to find some non-critical bugs in TSwap! Duration: 2min
31. PoolFactory.sol
In this video, Patrick reviews PoolFactory.sol for TSwap liquidity pools, covering structure, functions, variables, bugs, and best practices. Duration: 6min
32. Manual Review: TSwapPool
Patrick discusses the security review of the TSWAP pool in the context of Uniswap V1. He highlights a swap-counting bug that breaks the protocol invariant. Duration: 3min
33. Using The Compiler As Static Analysis Tool
Emphasis is placed on addressing compiler warnings as potential issues and on how they can help us in an audit scenario. Duration: 6min
34. Add Liquidity
Performing a manual review of the addLiquidity function and assessing risks found within! Duration: 8min
35. Remove Liquidity
Withdrawing liquidity: burning LP tokens in exchange for the underlying assets, with the parameters explained. Duration: 8min
36. swapExactInput
Understanding Swap Exact Input/Output & Protocol Checks in DeFi. Duration: 6min
37. swapExactOutput
swapExactOutput lacks slippage protection for sudden price changes. Duration: 3min
38. sellPoolTokens
Sells pool tokens for WETH; business logic error: swap exact output instead of swap exact input. Duration: 2min
39. Checking The Last Few Functions
Patrick quickly skims the final few functions for vulnerabilities in TSwap. Duration: 2min
40. Phase 4: Reporting
Quick overview of reporting process - finding reports & appropriate tags. Multiple passes suggested for thoroughness. Duration: 5min
41. Reporting: Missing Deadline
TSWAP pool deposit function vulnerability. Deadline parameter accepted but unused, allowing MEV attacks during unfavourable market conditions. Medium impact. Duration: 4min
42. Reporting Continued
Patrick continues by showing how to report issues with examples and proofs to fix them. Duration: 10min
43. Reporting: No Slippage Protection
Slippage Protection Lacking in SwapExactOutput, Add Max Input for Safety. Patrick elaborates with a Proof-Of-Concept Scenario. Duration: 8min
44. Reporting: sellPoolTokens
Patrick highlights the flawed sellPoolTokens calculation. Recommends using swapExactInput and adding a MinWethToReceive parameter with a deadline to prevent exploitation. Duration: 4min
45. Reporting: Invariant Break & PoC
In this video, Patrick explains how to create a unit test that replicates a sequence found using fuzz testing to break an invariant. Duration: 9min
46. Reporting: Weird ERC20
TSWAP pool issues with weird ERC20s that break the protocol invariant, as in Uniswap V1. Explore and report weird ERC20s and related DeFi vulnerabilities. Duration: 4min
47. Creating Pdf For Your Portfolio
Creating a PDF of your audit report to add to your GitHub portfolio! Showcase your achievements! Duration: 4min
48. Recap
Recap things covered in this section. Common issues in DeFi: liquidity, price manipulation, governance attacks. Duration: 8min
49. Exercises
Learn smart contract security testing by coding a fuzz test, discover reentrancy attacks, share insights on Twitter. Upcoming sections explained. Duration: 3min