… and why you must stay up to date!

On 26 August, OpenZeppelin tweeted about a security vulnerability in the TimelockController smart contract and asked all projects to migrate.

Timelock vulnerability tweet from OZ

The security advisory (link) mentions that the vulnerability “allows an actor with the executor role to…


After several security audits of HyperLedger implementations (and other custom blockchain platforms), we have selected a couple of challenges that our clients encountered. In this article, we present these challenges, the potential security problems they introduce, and solutions to them.

Common pitfalls of HyperLedger implementations

Some of these challenges do not introduce a vulnerability directly…


TL;DR;

  1. I have solved all of the Damn Vulnerable #DeFi challenges by Zeppelin. Here I present the write-ups and lessons learned from the vulnerable contracts.
  2. Besides, I have added a new category to the Smart Contracts Security Verification Standard called Decentralized Finance (DeFi), based on the challenges and recent hacks. Check this out!


Secure OAuth 2.0

Previous parts (part 1, part 2) of the series introduced the risks and described potential vulnerabilities in OAuth 2.0 implementations. This section is the crème de la crème, as it is a checklist for secure OAuth 2.0. If you follow these tips, you decrease the risk dramatically.

TL;DR

In short, to…


Secure OAuth 2.0: What Could Possibly Go Wrong?

The previous section, Starting with OAuth 2 — Security check, covered the main threats: leakage of users’ sensitive data and account takeover. In this section I will focus on the different types of insecure implementation that can lead to those attacks.

OAuth used for authentication

One of the most common mistakes…


OAuth 2.0 is the second version of Open Authorization Framework, the industry-standard delegation protocol for authorization.

What are the main use cases?

Generally, OAuth provides clients with “secure delegated access” to server resources on behalf of a resource owner. It specifies a process by which resource owners authorize third-party access to their server resources without…


And why people do not trust them

TL;DR;

  • Two solutions stand out as the most promising: they meet most of the requirements for COVID tracing apps and mitigate the majority of the security risks.
  • The decentralized approach is the only correct one, but open issues remain, mostly stemming from the fact that the Authorities are treated as a trusted entity.


Ninety percent of organizations feel vulnerable to insider attacks. The main enabling risk factors include too many users with excessive access privileges (37%), an increasing number of devices with access to sensitive data (36%), and the increasing complexity of information technology (35%). (Cybersecurity Insiders report, 2018)

Additionally…


A few weeks ago I was planning to write an article explaining why it is not a good idea to use OAuth for authentication (as Auth in OAuth stands for authorization and not authentication for a reason), but the draft of OAuth 2.0 …


This story starts where the first part has ended, so if you have not read that yet, do it now.

Quick recap

I̶ ̶h̶a̶v̶e̶ ̶f̶o̶u̶n̶d̶ ̶t̶h̶a̶t̶ ̶S̶k̶y̶W̶a̶l̶l̶e̶t̶.̶c̶o̶m̶,̶ …

Damian Rusinek

Security Consultant @ Securing, PhD, Blockchain Security, Cryptography Protocols || Twitter: @drdr_zz
