contract-diff: find bugs in smart contract forks

contract-diff: find bugs in smart contract forks

There has been plenty of hacks when a smart contract was forked and some things were changed without full understanding of the code.

To help auditors I have built https://contract-diff.xyz

This is how it works

For popular contracts like OpenZeppelin, Uniswap, Sushiswap, etc two kinds of hashes were computed: md5 hashsums & simhashes. Using hashsums we can find exact matches of contract sources. With simhashes it is possible to find contracts that are very similar to each other.

EtherScan does not verify the integrity of the included libs. With https://contract-diff.xyz you can quickly figure out which versions of libs are actually used. If a hashsum is not found in the database, but there is a contract with a similar simhash you will see a diff view.

One example is Uranium hack which was a fork of Uniswap v2:

Here you can see that there were mostly renamings but also an important change to the logic which led to $57,000,000 loss:

https://www.contract-diff.xyz/?address=0xa08c4571b395f81fbd3755d44eaf9a25c9399a4a&chain=1

I am planning to add more chains (currently only Ethereum mainnet & BSC) as well as support more contract flatenners (they are really weird). Will appreciate any feedback. Cheers!

Originally tweeted by Raz0r ( @theRaz0r ) on 16 February 2022 .

The post contract-diff: find bugs in smart contract forks first appeared on Raz0r.name .
Alt text

Мир сходит с ума, но еще не поздно все исправить. Подпишись на канал SecLabnews и внеси свой вклад в предотвращение киберапокалипсиса!

Арсений Реутов

блог о web-безопасности