Web3 Security Cheat Sheet

Penetration Testing Wiki

Solidity Attacks

  1. var misuse
  2. tx.origin vs. msg.sender
  3. send() vs. transfer()
  4. DoS in for/while loops when a user can control the mapping length
  5. variable scope in inheritance: public vs. internal
  6. unfiltered variables
  7. integer overflows
  8. selfdestruct
  9. Inheritance methods override
  10. proxy constructor hijacking: initialize() or init()
  11. DELEGATECALL transferOwnership() exploitation
  12. fallback function() {}
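Items 2 and 3 above are easiest to see side by side. The following contracts are an added illustration written for this cheat sheet, not code from the original page: `VaultVulnerable` authenticates with `tx.origin` and drops the boolean that `send()` returns, while `VaultHardened` checks `msg.sender` and verifies that the payout succeeded. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not from the cheat sheet). Vulnerable pattern: owner check
// based on tx.origin, and a send() whose return value is ignored.
contract VaultVulnerable {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    // Item 2: tx.origin is the externally owned account that started the
    // whole transaction, not the immediate caller. If the owner ever calls
    // into an untrusted contract, that contract can call withdrawAll() and
    // still satisfy this check, because tx.origin is still the owner.
    function withdrawAll(address payable to) external {
        require(tx.origin == owner, "not owner");
        uint256 amount = address(this).balance;
        // Item 3: send() returns false on failure instead of reverting.
        // The result is discarded here, so a failed payout goes unnoticed
        // while the function still completes "successfully".
        to.send(amount);
    }

    receive() external payable {}
}

// Hardened form: authenticate the immediate caller and fail loudly when the
// value transfer does not succeed.
contract VaultHardened {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    function withdrawAll(address payable to) external {
        // msg.sender is the account (EOA or contract) that invoked this
        // function directly, so an intermediary contract cannot borrow the
        // owner's identity.
        require(msg.sender == owner, "not owner");
        uint256 amount = address(this).balance;
        // Either use transfer(), which reverts on failure, or check the
        // return value explicitly as done here.
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "payout failed");
    }

    receive() external payable {}
}
```

When reviewing a contract, grep for `tx.origin` in any `require` or `if` that gates privileged behaviour, and for `.send(` whose result is not assigned or checked; the compiler only warns about the ignored `send()` result, it does not refuse to build.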

DeFi Attacks

  1. Amount encoding: 0xFFF, 1e-100
  2. change source address in JS object with browser debugger
  3. XSS in localStorage / sessionStorage
  4. Lack of Access Control

Solidity Global Variables

block methods:

  • block.coinbase
  • block.difficulty
  • block.gaslimit
  • block.number
  • block.timestamp
  • block.blockhash(uint blockNumber)

msg methods:

  • msg.data
  • msg.gas
  • msg.sender: immediate account that invoked the function
  • msg.sig
  • msg.value

tx methods:

  • tx.gasprice
  • tx.origin: external account that initiated the tx

contract methods:

  • contract.this
  • contract.selfdestruct
  • contract.suicide

address methods:

  • address.balance
  • address.transfer(): uint wei
  • address.send(): uint wei
  • address.call(): bytes4(sha3("<FUNCTION>(params)"))
  • address.callcode()
  • address.delegatecall()

error handling:

  • require(<CONDITION>)
  • assert(<CONDITION>)
  • revert()

Others:

  • now
  • sha3 = keccak256()
  • sha2 = sha256()
