Get Into The Attacker's Mindset

Owen Thurm
18 May 2023 (26:02)

Summary

TL;DR: In this video, the speaker delves into the essence of the 'attacker's mindset,' a crucial perspective for uncovering vulnerabilities and bugs in smart contracts. By adopting an offensive approach and actively seeking to disprove a protocol's security, auditors can significantly boost their success rate in identifying critical flaws. The speaker outlines four key steps to cultivate this mindset: incentivizing oneself appropriately, believing vulnerabilities exist, collecting 'knobs' (potential vulnerabilities), and combining them to construct exploits. Emphasizing the importance of avoiding pitfalls that undermine this mindset, the speaker provides a real-world example demonstrating how this approach uncovered a critical risk-free trade vulnerability in a perpetuals exchange protocol.

Takeaways

  • 😎 Adopting an attacker's mindset is crucial for uncovering vulnerabilities and bugs in smart contracts. Think offensively to find what developers, thinking defensively, may have missed.
  • 💰 Incentivize yourself properly to find bugs by structuring your compensation based on the number and criticality of vulnerabilities discovered.
  • 🧠 Mentally prepare yourself to believe that bugs and vulnerabilities exist in the codebase you're auditing.
  • 📝 While auditing, collect and note down interesting behaviors, missing lines, or any peculiarities in the code ('knobs').
  • 🧩 Combine these 'knobs' to construct unique and critical attack vectors, like puzzle pieces.
  • ⚠️ Avoid charging upfront fees that remove the incentive to find vulnerabilities, as it may subconsciously convince you of the protocol's security.
  • 🚫 Never assume the codebase is secure or agree with the developers' assumptions. Question everything from the ground up.
  • 🔍 The example exploit involved delaying order execution by reverting with an 'empty position' error, then toggling the revert condition to execute the order at a favorable price.
  • 🤖 The first knob in the example was the two-step order execution system: the keeper executes orders with the outdated prices from the block in which the order was created.
  • 🗃️ Join communities like lab.guardianaudits.com to learn from other auditors, collaborate on audits, and access comprehensive smart contract security training.

Q & A

  • What is the attacker's mindset, and why is it important for smart contract auditing?

    -The attacker's mindset is a way of looking at code with the intent of breaking as many things as possible, rather than verifying or proving its security. It's important because adopting this mindset makes an auditor more likely to uncover vulnerabilities by actively trying to disprove the protocol's security.

  • What are the four key steps to get into the attacker's mindset?

    -1) Incentivize yourself correctly by structuring compensation based on the number and criticality of vulnerabilities found. 2) Personally believe that there are bugs and vulnerabilities in the codebase. 3) Collect 'knobs' or interesting pieces of behavior as you go through the code. 4) Combine the knobs to construct potential exploits.

  • What are the two critical mistakes that can prevent an auditor from getting into the attacker's mindset?

    -1) Not getting the incentives right, such as charging all the money upfront regardless of findings, which incentivizes spending as little time as possible on the audit. 2) Not believing that vulnerabilities exist in the codebase, leading to a mindset of verifying rather than attacking.

  • In the GMX V2 example, what was the first 'knob' or interesting behavior noticed?

    -The first knob was the two-step execution process, where a keeper executes orders using prices from the block when the order was created. This opened up the potential for a risk-free trade if the execution could be delayed until a more favorable price movement.

  • What was the second knob discovered, and how did it contribute to the potential exploit?

    -The second knob was that limit orders that reverted with an 'empty position' error would be retried instead of canceled. This allowed for delaying the execution of the order.

  • What was the third knob, and how did it enable the risk-free trade?

    -The third knob was the ability to set the remaining collateral amount to zero while still having non-zero size in USD and tokens. This allowed the order to revert with the 'empty position' error, delaying execution until a favorable price movement occurred.

  • What was the final knob that allowed toggling the exploit on and off?

    -The final knob was an if statement that set the initial collateral delta amount to zero if the order size matched the position size. By decreasing the position size to match the order size, this condition could be met, allowing the order to execute without reverting.

  • How does the provided example demonstrate the importance of combining multiple 'knobs' to construct a successful exploit?

    -The example shows how several individual behaviors or 'knobs' had to be pieced together strategically to enable the risk-free trade exploit. Each knob on its own was not sufficient, but by combining them in a specific way, a critical vulnerability was revealed.

  • What advice does the speaker give for finding interesting vulnerabilities and adopting the attacker's mindset?

    -The speaker advises auditors to be malicious in their approach, actively trying to break things and keeping track of interesting behaviors (knobs) as they go through the code. These knobs can then be combined to construct unique and critical attack vectors.

  • What resources does the speaker recommend for aspiring smart contract auditors?

    -The speaker recommends joining the Guardian Audits community (lab.guardianaudits.com) to connect with other auditors and participate in team audits. He also mentions a paid training resource he collaborated on, which aims to provide thorough training in smart contract security auditing.
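The GMX V2 walkthrough in the Q&A above combines two design properties: orders are filled at the price of their creation block, and an order whose execution reverts is retried rather than cancelled. The following is an added example, not code from the video, from Guardian Audits or from GMX. It is a deliberately simplified Python model of a two-step (create, then keeper-execute) order pipeline in which the trader-controlled collateral/size knobs from the video are abstracted into a single hypothetical `stall_below` threshold (while the market is below it, execution reverts). The model lets a reviewer check a property a developer would want to hold: no choice of stalling should give a pending order a positive mark-to-market value at the moment it fills. The price path and order sizes are constructed sample data.

```python
"""Toy model of a two-step order pipeline (hypothetical, not GMX V2 code).

It shows why filling at the creation-block price combined with retrying
reverted executions turns a pending order into a free option, and checks
that either hardening (cancel on revert, or fill at execution-time price)
removes that property.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, Optional, Sequence, Tuple


class RevertPolicy(Enum):
    RETRY = auto()   # weak: a reverted execution leaves the order pending
    CANCEL = auto()  # hardened: a reverted execution cancels the order


class PricePolicy(Enum):
    CREATION_BLOCK = auto()   # weak: fill at the price of the creation block
    EXECUTION_BLOCK = auto()  # hardened: fill at the price of the executing block


@dataclass(frozen=True)
class LongOrder:
    size_usd: float
    creation_price: float


@dataclass(frozen=True)
class Fill:
    block: int
    fill_price: float
    market_price: float
    size_usd: float

    @property
    def instant_pnl_usd(self) -> float:
        # Mark-to-market value of the long immediately after the fill.
        return self.size_usd * (self.market_price - self.fill_price) / self.fill_price


def run_keeper(order: LongOrder, prices: Sequence[float], revert_policy: RevertPolicy,
               price_policy: PricePolicy, stall_below: float) -> Optional[Fill]:
    """Attempt execution once per block after the creation block.

    prices[0] is the creation-block price; the keeper tries from block 1 on.
    `stall_below` is a hypothetical stand-in for the trader-controlled knobs
    in the video (collateral zeroed so execution reverts, then restored):
    while the market is below it, the execution attempt reverts.
    Returns the Fill, or None if the order was cancelled or never executed.
    """
    for block in range(1, len(prices)):
        market = prices[block]
        if market < stall_below:                 # execution reverts this block
            if revert_policy is RevertPolicy.CANCEL:
                return None
            continue                             # RETRY: order stays pending
        fill_price = (order.creation_price if price_policy is PricePolicy.CREATION_BLOCK
                      else market)
        return Fill(block, fill_price, market, order.size_usd)
    return None                                  # never executed within the path


def best_instant_pnl(order: LongOrder, prices: Sequence[float],
                     revert_policy: RevertPolicy, price_policy: PricePolicy) -> float:
    """Best mark-to-market result the trader can force by choosing when to stall.

    A positive value means a pending order behaves like a free option under
    this policy pair. An order that never fills counts as 0 (no position).
    """
    candidates = sorted(set(prices)) + [float("inf")]   # thresholds worth trying
    best = float("-inf")
    for threshold in candidates:
        fill = run_keeper(order, prices, revert_policy, price_policy, threshold)
        best = max(best, fill.instant_pnl_usd if fill else 0.0)
    return best


# Constructed sample data: a $1000 long created at 100, then the market
# dips for two blocks before moving up.
ORDER = LongOrder(size_usd=1000.0, creation_price=100.0)
PRICE_PATH = [100.0, 98.0, 97.0, 105.0]


def policy_report(order: LongOrder = ORDER,
                  prices: Sequence[float] = PRICE_PATH) -> Dict[Tuple[str, str], float]:
    """Best forced instant PnL for every (revert, price) policy combination."""
    return {(rp.name, pp.name): best_instant_pnl(order, prices, rp, pp)
            for rp in RevertPolicy for pp in PricePolicy}


if __name__ == "__main__":
    for (rp, pp), pnl in policy_report().items():
        flag = "FREE OPTION" if pnl > 0 else "ok"
        print(f"{rp:7s} + {pp:16s}: best instant PnL = {pnl:+.2f} USD  [{flag}]")
```

Only the RETRY + CREATION_BLOCK pair reports a positive value (the trader stalls through the dip and fills at 100 when the market is at 105); cancelling on revert or pricing at execution time both bring the best forced result down to zero, which is the check a reviewer can keep around when a similar two-step design is proposed.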

Related tags: Smart Contracts, Security Auditing, Hacking Mindset, Web3 Security, Vulnerability Hunting, Risk Analysis, Blockchain Technology, Ethical Hacking, Penetration Testing, Decentralized Applications