# Smart Contract Security Newsletter #30 - Contract security over time, Hash collisions, Vyper updates

### Connect with Diligence

We will be at the following upcoming events:

* [ETHDenver](https://www.ethdenver.com/) on February 14-16
* [The Stanford Blockchain Conference 2020](https://cbr.stanford.edu/sbc20/) on February 19-21
* [Webinar today at 11 am ET](https://mythx.consensys.net/security-tools-in-smart-contract-development)

Join MythX Chief Hacking Officer Bernhard Mueller for practical ways to easily add security considerations to your workflow - **Wednesday, January 22nd at 11 am ET**

---

## Distilled News

### [Have Smart Contracts Become More Secure Over Time?](https://medium.com/alethio/the-security-series-a-look-at-ethereums-smart-contracts-4f096f48f2b) - alethio

> We describe how we have run all distinct Ethereum bytecodes through the contract security analysis framework MythX. From this data collection, we recorded the detected weaknesses, classified them, and analysed the results. We therefore plot the safety trend over time on Ethereum, measured by daily average number of detected vulnerabilities, across deployed contract bytecodes.

### [New Smart Contract Weakness: Hash Collisions With Multiple Variable Length Arguments](https://medium.com/swlh/new-smart-contract-weakness-hash-collisions-with-multiple-variable-length-arguments-dc7b9c84e493) - Kaden Zipfel

Do you know the difference between `abi.encode()` and `abi.encodePacked()`? If not, we recommend reading the article. Because `abi.encodePacked()` omits the length prefixes of variable-length arguments, a function that hashes the packed encoding of two or more such arguments (for example to verify a signature over them) can be given different inputs that produce the same hash: an element moved from the end of one array to the start of the next leaves the packed bytes unchanged.

### [Welcome Back! Security for the EIP Process](https://diligence.consensys.net/blog/2020/01/welcome-back-security-for-the-eip-process/)

A recent change to [EIP-1](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1.md#what-belongs-in-a-successful-eip) now makes a Security Considerations section mandatory for all EIP proposals ([discussion](https://github.com/ethereum/EIPs/pull/1963)).
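Returning to the hash-collision item above: the following is an added example, not code from the newsletter or from the linked article. It models in Python how `abi.encodePacked()` and `abi.encode()` lay out two `address[]` arguments, so the collision can be seen in the raw bytes. The address values and the admins/users scenario are constructed for illustration, and `hashlib.sha256` stands in for `keccak256` (the collision is in the encoded input, so the choice of hash does not affect it).

```python
import hashlib


def addr(n: int) -> bytes:
    """Constructed sample address: a 20-byte value derived from a small integer."""
    return n.to_bytes(20, "big")


def _pad32(a: bytes) -> bytes:
    """ABI left-pads an address to one 32-byte word."""
    return a.rjust(32, b"\x00")


def encode_packed(*arrays):
    """Model of abi.encodePacked(address[] a, address[] b, ...).

    Array elements are padded to 32 bytes and concatenated in place. There is
    no length word and no offset table, so the boundary between one argument
    and the next is not part of the output.
    """
    return b"".join(_pad32(a) for arr in arrays for a in arr)


def encode(*arrays):
    """Model of abi.encode(address[] a, address[] b, ...).

    Standard ABI encoding: a head of 32-byte offsets (one per dynamic argument)
    followed by a tail holding each array's length word and its padded elements.
    The length words make the argument boundaries part of the encoding.
    """
    head, tail = b"", b""
    head_size = 32 * len(arrays)
    for arr in arrays:
        head += (head_size + len(tail)).to_bytes(32, "big")
        tail += len(arr).to_bytes(32, "big") + b"".join(_pad32(a) for a in arr)
    return head + tail


def digest(data: bytes) -> bytes:
    """Stand-in for keccak256 (assumption: hashlib has no keccak256, and
    sha3_256 uses different padding). Any deterministic hash of identical
    input bytes collides identically, which is all this example needs."""
    return hashlib.sha256(data).digest()


def collides(encoder, args_a, args_b) -> bool:
    """True when two different argument tuples hash to the same digest under `encoder`.

    This is the check a signature-verifying function effectively performs: if
    the digests match, the contract cannot tell the two inputs apart.
    """
    return args_a != args_b and digest(encoder(*args_a)) == digest(encoder(*args_b))


if __name__ == "__main__":
    # Constructed scenario: the signer approved one admin (addr 1) and two
    # regular users (addr 2, addr 3). An attacker instead submits addr 2 as a
    # second admin. The packed bytes are identical, so a signature over
    # keccak256(abi.encodePacked(admins, users)) verifies for both.
    approved = ([addr(1)], [addr(2), addr(3)])
    forged = ([addr(1), addr(2)], [addr(3)])
    print("encodePacked collides:", collides(encode_packed, approved, forged))  # True
    print("encode collides:      ", collides(encode, approved, forged))         # False
    print("packed bytes:", encode_packed(*approved).hex())
    print("abi.encode bytes:", encode(*approved).hex())
```

In Solidity the corresponding fix is to hash `abi.encode(admins, users)` rather than `abi.encodePacked(admins, users)`, or to restructure the function so that at most one of its hashed arguments is variable-length.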
### [Update on the Vyper Compiler](https://blog.ethereum.org/2020/01/08/update-on-the-vyper-compiler/) - Piper Merriam (Ethereum blog)

> This fall, a preliminary security audit was performed by the Consensys Diligence team on the Python-based Vyper compiler. You can read the results for yourself [here](https://diligence.consensys.net/audits/2019/10/vyper/).
>
> Since the existing Python-based Vyper implementation is not yet production ready, it has been moved out of the ethereum github organization into its own organization: vyperlang. The existing maintainers are planning to address the issues independently once again, but we will continue to follow the project closely here:
>
> https://github.com/vyperlang/vyper

The EF has now shifted its focus to implementing the [Vyper language in Rust](https://github.com/ethereum/rust-vyper).

## Links

* [Cambrian explosion of Crypto Proofs](https://nakamoto.com/cambrian-explosion-of-crypto-proofs/) - Eli Ben-Sasson (Starkware) on Nakamoto.org
* [More than $28,000 Cash for breaking RSA assumptions](https://rsa.cash/) - Ethereum Foundation
* [Verifying smart contract security with Remix (Part 1): Basic bug detection and Solidity assertions](https://blog.mythx.io/howto/verifying-smart-contract-security-with-remix-part-1-basic-bug-detection-and-solidity-assertions/) - Bernhard Mueller
* [Solidity v0.6.0 breaking changes explained](https://medium.com/coinmonks/solidity-v0-6-0-is-here-things-you-should-know-7d4ab5bca5f1) - Coinmonks
* [Argent wallet's new security center](https://medium.com/argenthq/introducing-your-new-argent-security-centre-bf54c1c69380) - ArgentWallet
* [Building Secure Smart Contracts Documentation](https://github.com/crytic/building-secure-contracts) - Trail of Bits
* [Evaluating Staking Services](https://www.attestant.io/posts/evaluating-staking-services) - Attestant