contract-diff: find bugs in smart contract forks

There has been plenty of hacks when a smart contract was forked and some things were changed without full understanding of the code.

To help auditors I have built https://contract-diff.xyz

This is how it works 🧵

For popular contracts like OpenZeppelin, Uniswap, Sushiswap, etc two kinds of hashes were computed: md5 hashsums & simhashes. Using hashsums we can find exact matches of contract sources. With simhashes it is possible to find contracts that are very similar to each other.

EtherScan does not verify the integrity of the included libs. With https://contract-diff.xyz you can quickly figure out which versions of libs are actually used. If a hashsum is not found in the database, but there is a contract with a similar simhash you will see a diff view.

One example is Uranium hack which was a fork of Uniswap v2:

Here you can see that there were mostly renamings but also an important change to the logic which led to $57,000,000 loss:

https://www.contract-diff.xyz/?address=0xa08c4571b395f81fbd3755d44eaf9a25c9399a4a&chain=1

I am planning to add more chains (currently only Ethereum mainnet & BSC) as well as support more contract flatenners (they are really weird). Will appreciate any feedback. Cheers!

Originally tweeted by Raz0r (@theRaz0r) on 16 February 2022.


Posted

in

by

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.