XREX's Chief Information Security Officer (CISO) has open-sourced two Web3 security tools to enhance smart contract security development.


Editor's Note: Sun Huang, XREX's Chief Information Security Officer and General Manager, has over 15 years of international cybersecurity experience and holds certifications including Offensive Security Certified Professional (OSCP), Certified Ethical Hacker (CEH) and AWS Certified Security - Specialty (AWS ACS). He recently open-sourced two Web3 security tools to help engineers and developers strengthen smart contract security during development. In this article, Sun Huang explains why he built these tools and walks through examples of how to use them.


As Chief Information Security Officer at XREX, I have been running internal training since March this year to build up two core skills in our cybersecurity team: Web3 security analysis and threat analysis of on-chain cryptocurrency fund flows. In June and July I also hosted two Web3 security workshops for XREX's product engineering team, and out of that work I open-sourced two Web3 security tools, DeFiHackLabs and DeFiVulnLabs.

Whenever a DeFi project is hacked, XREX analyzes the root cause internally and attempts to reproduce the incident. We fork mainnet at a specific block height, replay the attack against the smart contracts in that state, and observe how balances change. Every incident we reproduce this way helps us avoid the same pitfalls and mistakes in our own development.
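As an added illustration of that workflow (this is example code written for this article, not a test from DeFiHackLabs), the Foundry test below pins a mainnet fork at a fixed block, impersonates an attacker address, records balances before and after an action, and asserts on the delta. Because the page names no specific incident, the "attack" step is a harmless WETH deposit that stands in for the real transaction sequence; the WETH9 address is mainnet's canonical contract, while the block number, the attacker label and the ETH_RPC_URL environment variable are arbitrary choices for the demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import "forge-std/Test.sol";

// Minimal WETH9 interface: only the functions this harness calls.
interface IWETH {
    function deposit() external payable;
    function withdraw(uint256 wad) external;
    function balanceOf(address owner) external view returns (uint256);
}

contract ForkReproTest is Test {
    // Canonical WETH9 contract on Ethereum mainnet.
    IWETH constant WETH = IWETH(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2);
    // Arbitrary demo choices: the block to pin and a labelled attacker EOA.
    uint256 constant FORK_BLOCK = 15_000_000;
    address attacker = makeAddr("attacker");

    function setUp() public {
        // Fork mainnet at a fixed block so every run sees identical state.
        // ETH_RPC_URL (assumed env var) must point at an archive node.
        vm.createSelectFork(vm.envString("ETH_RPC_URL"), FORK_BLOCK);
        // Fund the attacker; real PoCs often start from a flash loan instead.
        vm.deal(attacker, 10 ether);
    }

    function testReproduce() public {
        assertEq(block.number, FORK_BLOCK);

        // Snapshot the balances we care about before the attack sequence.
        uint256 ethBefore = attacker.balance;
        uint256 wethBefore = WETH.balanceOf(attacker);

        // Every call in this window is sent from the attacker address.
        vm.startPrank(attacker);
        // --- attack sequence goes here; a plain deposit stands in for it ---
        WETH.deposit{value: 1 ether}();
        vm.stopPrank();

        uint256 ethAfter = attacker.balance;
        uint256 wethAfter = WETH.balanceOf(attacker);

        // Report the deltas the way incident write-ups do, then assert on them.
        emit log_named_decimal_uint("ETH spent ", ethBefore - ethAfter, 18);
        emit log_named_decimal_uint("WETH gained", wethAfter - wethBefore, 18);
        assertEq(ethBefore - ethAfter, 1 ether);
        assertEq(wethAfter - wethBefore, 1 ether);
    }
}
```

Run it with `forge test --match-contract ForkReproTest -vvv` after exporting ETH_RPC_URL; pinning the block is what makes the reproduction repeatable months after the incident, since the forked state never moves.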

I felt these experiences should benefit more people, so in mid-June I open-sourced a Web3 security tool, DeFiHackLabs, which collects proof-of-concept (PoC) reproductions of past security incidents. I chose Foundry, the Ethereum development toolkit released by Paradigm, as the framework because it compiles quickly, bundles many useful features and is easy to use. For details on working with Foundry, refer to the Foundry Book.

Originally, my intention was simply to contribute to the security of Web3 development. I casually tweeted about it as a record. To my surprise, the next day I received a flood of Twitter notifications, only to find that my tweet had been retweeted by Paradigm's CTO, Georgios Konstantopoulos, sparking a positive response from the community.

Subsequently, many people messaged me asking for tutorials on common Solidity vulnerabilities suitable for beginners and newcomers to the field. In response, in early July I open-sourced another tool, DeFiVulnLabs, which collects tests and defenses for common Solidity vulnerabilities. That tweet's retweets and daily visits reached 40,000, which surprised me. It shows a high level of interest in blockchain development, an active desire to build cybersecurity skills, and a willingness to learn from past incidents. This enthusiasm is inspiring, and I look forward to continuing to contribute to Web3 security.

This post introduces these two Web3 security toolkits, DeFiHackLabs and DeFiVulnLabs, and how to use them, in the hope of helping everyone build smart contracts and DeFi projects without getting lost or stumbling in the blockchain dark forest.

DeFiVulnLabs

Difficulty Level: Beginner

DeFiVulnLabs currently covers 19 common smart contract vulnerability types, listed in the table below:

(truncated for brevity)

Vulnerability Type: Integer Overflow

Description: In the Ethereum Virtual Machine (EVM), integers are fixed-size types (uint256 and friends). Before Solidity 0.8.0, arithmetic silently wrapped around on overflow or underflow, so code had to guard every operation (or use a library such as SafeMath). From 0.8.0 onward, arithmetic is checked by default and reverts on overflow, but the old behaviour is still available inside an unchecked { } block.
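To make the difference concrete, here is an added Foundry test (example code written for this article, not a DeFiVulnLabs test) that places a deliberately vulnerable ledger beside its checked counterpart. Both contracts compile under a single 0.8.x pragma: the legacy ledger uses an unchecked block to reproduce pre-0.8 wraparound, while the checked ledger relies on the compiler's default overflow checks. Contract and account names are arbitrary.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import "forge-std/Test.sol";

// VULNERABLE: models a pre-0.8 token ledger. `unchecked` restores silent wraparound.
contract LegacyLedger {
    mapping(address => uint256) public balances;

    function mint(address to, uint256 amount) external {
        unchecked { balances[to] += amount; }
    }

    function transfer(address to, uint256 amount) external {
        unchecked {
            // Missing `require(balances[msg.sender] >= amount)`: spending more
            // than you hold underflows the sender's balance to roughly 2^256.
            balances[msg.sender] -= amount;
            balances[to] += amount;
        }
    }
}

// HARDENED: the same ledger under Solidity >= 0.8 default checked arithmetic.
// The underflow now reverts with Panic(0x11) instead of wrapping.
contract CheckedLedger {
    mapping(address => uint256) public balances;

    function mint(address to, uint256 amount) external {
        balances[to] += amount;
    }

    function transfer(address to, uint256 amount) external {
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }
}

contract IntegerOverflowTest is Test {
    LegacyLedger legacy;
    CheckedLedger checked;
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");

    function setUp() public {
        legacy = new LegacyLedger();
        checked = new CheckedLedger();
        legacy.mint(alice, 1 ether);
        checked.mint(alice, 1 ether);
    }

    function testLegacyUnderflowMintsFromNothing() public {
        vm.prank(alice);
        legacy.transfer(bob, 2 ether); // alice only holds 1 ether

        // 1e18 - 2e18 wraps modulo 2^256 to 2^256 - 1e18.
        assertEq(legacy.balances(alice), type(uint256).max - 1 ether + 1);
        assertEq(legacy.balances(bob), 2 ether);
    }

    function testCheckedArithmeticReverts() public {
        vm.expectRevert(stdError.arithmeticError); // Panic(0x11)
        vm.prank(alice);
        checked.transfer(bob, 2 ether);

        // State is untouched because the whole call reverted.
        assertEq(checked.balances(alice), 1 ether);
        assertEq(checked.balances(bob), 0);
    }
}
```

The practical takeaway: the compiler version alone is not the control. Audit every unchecked block as if it were pre-0.8 code, and keep explicit balance checks in place so a revert carries a meaningful error instead of a bare Panic.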