MkXploit | Smart Contract Security Researcher

Your contract may think it sent ETH. What if it didn't? Day 95 of my SR Journey 🧵 A dangerous Solidity misconception: .send() and .call() DO NOT revert automatically on failure. Instead they return: bool success Meaning this can happen: 👇

https://t.co/X1sZDLkSy7{value: amount}(""""); Transfer fails. But execution continues. If you never check: require(success); Your contract assumes everything worked. Even when it didn't. This exact mistake contributed to real incidents including: 👇

One forgotten rename gave attackers ownership of an entire protocol. Day 95 of my SR Journey 🧵 Before Solidity 0.4.22... Constructors worked differently. Instead of: constructor() You had to name the constructor exactly the same as the contract. Example: 👇

It became a normal public function. Meaning anyone could call it. And become owner. Just like that. This bug became one of Ethereum's classic security lessons. Today Solidity uses: constructor() to prevent exactly this mistake. Biggest lesson: 👇

A single transaction permanently froze ~$150M worth of ETH 😱 No hack. No private key compromise. Just one function call. Day 93 of my SR Journey 🧵 In November 2017, parity had already suffered one major exploit. Then disaster struck again. Here's what happened 👇

The library itself had never been initialized. Meaning nobody owned it. So they simply called: initWallet() and became owner. Then they called: kill() The library self-destructed. Gone. Every wallet depending on that library instantly lost access to its logic.👇