Posts

Ethereum Smart Contract Source Code Review

Introduction. Cryptocurrency technologies are becoming more and more prevalent as time passes, and banks will soon start adopting them. The Ethereum blockchain and other complex blockchain programs are relatively new and highly experimental. Therefore, we should expect constant changes in the security landscape, as new bugs and security risks are discovered, and new best practices are developed [1]. This article is going to discuss how to perform a source code review of Ethereum Smart Contracts (SCs) and what to look for. More specifically, we are going to focus on specific keywords and how to analyse them. The points analysed are going to be: user-supplied input filtering when interacting directly with an SC; interfacing with external SCs; interfacing with DApp applications; SC formal verification; wallet authentication in a DApp. SC Programming Mindset. When designing an SC ecosystem (a group of SCs constitutes an ecosystem) it is wise to have some specific concepts ...

Elusive Thoughts celebrates 9 years of blogging about hacking

Elusive Thoughts just created its first non-fungible token (NFT), a digital file whose unique identity and ownership are verified on a blockchain (a digital ledger). There is a hidden secret in my NFT, please find it. Buy my NFT at rarible.com

Threat Modeling Smart Contract Applications

Introduction. Ethereum Smart Contracts and other complex blockchain programs are new, promising and highly experimental. Therefore, we should expect constant changes in the security landscape, as new bugs and security risks are discovered, and new best practices are developed [1]. This article is going to focus on threat modelling of smart contract applications. Threat modelling is a process by which threats, such as the absence of appropriate safeguards, can be identified and enumerated, and mitigations can be prioritised accordingly. The purpose of a threat model is to provide smart contract application defenders with a systematic analysis of which controls or defences need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker. Smart contract programming requires a different engineering mindset than we may be used to. The cost of failure can be high, and change can be difficult, ...

Get Rich Or Die Trying

Introduction. This article is going to focus on "Programmable Money Overflow Attacks" on Ethereum, and this is the way hackers can become rich and famous. More specifically, we are going to discuss the batchOverflow attack. The batchOverflow bug was identified in multiple ERC20 Smart Contracts [3] (CVE-2018-10299) back in 2018, when Ethereum was relatively new [1]. The batchOverflow attack is a typical integer overflow attack in the batchTransfer function of a smart contract implementation for the Beauty Ecosystem Coin (BEC). BEC was an Ethereum ERC20-compliant token that allowed attackers to accomplish an unauthorized increase of digital assets by providing two _receivers arguments in conjunction with a large _value argument, as exploited in the wild in April 2018 [2]. But before we move on to replicating the attack, it is better if we explain a few blockchain properties. The Code Is Law Principle. The "code is law principle" is the principle that no...

SSRFing External Service Interaction and Out of Band Resource Load (Hacker's Edition)

External Service Interaction & Out-of-Band Resource Loads (Updated 2026): Host Header Exploitation // SSRF Primitives // Infrastructure Pivoting. In the recent past we encountered two relatively new types of attacks: External Service Interaction (ESI) and Out-of-Band Resource Loads (OfBRL). An ESI [1] occurs only when a web application allows interaction with an arbitrary external service. OfBRL [6] arises when it is possible to induce an application to fetch content from an arbitrary external location and incorporate that content into the application's own response(s). Taxonomy Note (2026): Both ESI and OfBRL are now classified under OWASP A10:2021 (SSRF) and map to CWE-918 (Server-Side Request Forgery). ESI also maps to CWE-441 (Unintentional Pro...

Web DDoSPedia a million requests

Web Application Denial of Service, Next Level. In this tutorial we are going to talk about how to cause maximum downtime (including operational recovery processes) in anything that uses the word Web; this is also known as a Denial of Service attack. Using this knowledge for malicious purposes is not something I recommend or approve of, and I have zero accountability for how you use this knowledge. This is the reason I am also providing countermeasures at the end of the post. What Is The Landscape. In the past we have seen many Denial of Service attacks, but most of them were not very sophisticated. A very good example would be the Low Orbit Ion Cannon (LOIC). LOIC performs a DoS attack (or, when used by multiple individuals, a DDoS attack) on a target site by flooding the server with TCP or UDP packets with the intention of disrupting the service of a particular host. People have used LOIC to join voluntary botnets. [2] All these att...