Glider: Revolutionizing Web3 Auditing and Security Analysis

Officer's Blog
2024-02-26 13:43
发布于 Mirror

In the rapidly evolving world of Web3 technology and decentralized applications, the security of smart contracts plays a critical role. As the adoption and usage of Web3 platforms continue to grow, so does the potential for vulnerabilities and exploits.

Moreover, the need for robust auditing and security analysis tools has never been more critical. The emergence of smart contracts on EVM-based blockchains has introduced a new set of challenges and complexities, demanding innovative solutions to ensure the integrity and security of decentralized applications. Remedy’s latest offering, Glider, is poised to reshape the Web3 cybersecurity landscape by ushering in a new era of advanced query-based smart contract analysis!

Smart Contract Data Tool: Pioneering a New Data Analysis Industry in Web3

The launch of Glider represents a turning point in the growth of an extensive and advanced data analysis sector within the Web3 ecosystem. Glider is poised to revolutionize the identification and remediation of vulnerabilities and threats in decentralized applications by giving security researchers access to a potent query engine specifically made for analyzing EVM-based smart contracts. This will establish new benchmarks for Web3 integrity and security.

Variant Analysis: Crucial in Web2, Imperative in Web3

*Have you ever discovered a vulnerability and wondered, “**Are there any other contracts deployed that have the same vulnerability?*” If so, ever considered how you would go about identifying those on such a large scale?

Well, this is the main principle when it comes to variant analysis.

Variant analysis is the process of taking a known problem, such as a crashing bug or security vulnerability, and finding other occurrences (or “variants”). Variant analysis has proven especially important in Web2 environments, however, becomes even more essential in Web3 as smart contracts are open source by design.

The ability to identify and address vulnerabilities at scale has become critical in Web3 Security ecosystem and we are in desperate need of a tool that can proactively identify and mitigate potential risks across integrated EVM blockchains. Thanks to Glider’s capacity for complex variant analysis Security researchers can now thoroughly examine the source code of smart contracts and uncover potential vulnerabilities and threats more successfully than ever before.

Unparalleled Source Code Analysis Capabilities

In the ever-evolving landscape of Web3 security, traditional methods of analyzing bytecode have proven to be inadequate in effectively identifying and addressing vulnerabilities. While bytecode analysis can be easier, it lacks essential semantic information and struggles to provide a comprehensive understanding of the code’s structure and behavior.

Yes, doing bytecode analysis is easier, but you miss out on a lot of information. Bytecode lacks semantic information about the code (names, language structures, etc.), and the bytecode generated cannot be easily mapped back to code (without knowing the source code) because the compiler changes the structure of the code significantly during the code generation and optimization stages.

Moreover, the prevalence of false positives in static analysis presents a significant challenge, often resulting from the limitations and generalized logic of traditional approaches! In this context, the emergence of Glider — a pioneering Web3 security tool implementing Variant analysis — marks a fundamental shift in the efficacy of security auditing. While classic static analysis tools do incorporate control flow graphs (CFG) and data flow graphs (DFG), the scalability and distribution of detector writing remain challenging. Each detector needs to be fairly generalized, contributing to high false positive rates and inefficiencies.

Glider’s approach distinguishes itself by revolutionizing the treatment of contract code, akin to managing data in a database. It offers a highly flexible and efficient solution, allowing for enhanced semantic constructs within queries. This innovative approach not only addresses the scalability and distribution challenges of detector writing but also fosters a level of flexibility and adaptability previously unattainable in the realm of Web3 security auditing.

One of the most pressing issues in traditional static analysis is the high rate of false positives, stemming from the generalized logic employed in detector writing. With Glider’s introduction, the paradigm shifts to a model where everyone has the opportunity to conduct extensive research and experimentation on large codebases in a more efficient and adaptive manner. By enabling users to develop specific queries with a significantly improved true/false positive ratio, Glider tackles the issue of false positives by promoting the collective addressal of vulnerabilities through specialized queries.

In conclusion, Glider’s implementation of Variant analysis stands as a testament to the transformation taking place in the realm of Web3 security auditing. With its innovative and scalable approach, Glider empowers security researchers to conduct in-depth analysis, improve detection capabilities, and address vulnerabilities in a manner that was previously unattainable using traditional methods. As we navigate the complexities of Web3 security, the advent of Glider provides a beacon of hope, signifying a shift towards a more secure and resilient Web3 ecosystem.

The percentage of false positives in SAST is a well-known problem. Because it’s difficult to distribute detector writing, engineers are forced to write very generalized logic in order to catch a bug, which results in an extremely low true/false positive ratio. With the distribution factor addressing the false positive issue, people can write dozens (or more) specific queries with an unbeatable ratio in place of one very generalized detector, yet when combined, they will address the type of vulnerability as a whole. Glider allows anyone to research and experiment with large code in an efficient and highly flexible way.

Discovering Vulnerabilities at Scale: A Groundbreaking Achievement

One of Glider’s most groundbreaking features is its capacity to discover vulnerabilities at scale. By running user-generated queries against all contracts deployed on integrated EVM blockchains, Glider empowers security researchers to identify vulnerabilities across multiple projects, revolutionizing the efficiency and scale of security analysis in the Web3 landscape.

Community Contribution and Open Beta Access

Remedy’s commitment to fostering a collaborative and inclusive ecosystem is reflected in Glider’s availability to all registered users during the open beta phase, free of charge, but it will require community contribution. Furthermore, as the tool enters subsequent phases, community contribution will play a pivotal role in shaping and enhancing Glider, ensuring that it remains at the forefront of Web3 security analysis.

The Transformative Potential of Glider: Shaping the Future of Web3 Cybersecurity

With its groundbreaking capabilities and commitment to community involvement, Glider has the potential to redefine the standards for smart contract auditing and security analysis in Web3. By empowering security researchers with advanced querying tools and unparalleled visibility into smart contract behaviors, Glider is set to enhance the integrity and security of decentralized applications, ultimately shaping a safer and more resilient Web3 ecosystem.


Remedy: In-Depth Review

The Hexens.io team, which brings together more than 13 years of web2 and web3 experience, is well-positioned to address decentralized security issues. Through innovative tools and training, they hope to strengthen security procedures while encouraging innovation!

Here are just a few of the revolutionary things to be implemented in R.xyz:

  • Proof Of Duplicate — powered by ZK technology — is provided by the ZK Prover, a valuable ally for hunters. Say goodbye to uncertainty and boldly declare your successes as the first person to decipher the code;

  • Enormous emerge tools with no analogs existing;

  • *Proper triage (triage by Hexens.io!) and white-hat advocate mechanism.*

The project’s team also addresses the industry’s fundamental issues by encouraging transparency, raising standards, and providing guidance.

While details are not yet publicly disclosed, the vision seems impactful to me from insights shared so far. The team demonstrates a deep understanding of the most pressing pain points around security that developers and users face today. Their solutions could provide a welcome relief from those fronts — officercia.eth

This significant project adopts a broad perspective. The R’s team also hopes to build a thorough security ecosystem that will increase web3’s scalability and protection.

The Remedy’s strategy revolves around three main cornerstones:

  1. Education: Remedy is committed to raising the bar for ethical hacking education and setting standardized benchmarks. This will encompass the formulation of a structured curriculum, the organizing of training sessions, and the provision of self-learning resources;

  2. Tools: To support ethical hackers, Remedy is developing intuitive, user-friendly, and powerful automated tools to ensure code security for the blockchain ecosystem;

  3. Community: Remedy will foster a community of ethical hackers, encouraging knowledge sharing, collective learning, and project collaboration.

Remedy also represents a mission to liberate the web3 landscape from its prevailing security shortcomings. The prevalent issues include a deficit in ethical hacker education, a void of standardization in training and licensing, and a scarcity of automated tools to ensure code safety!

So, here’s the deal: during R.xyz beta phase, joining Remedy’s bug bounty comes with exclusive perks:

  • Free project listing on R.xyz;

  • Zero success fee for Bug Bounty;

  • Professional triage by hexens.io;

  • Access to the Proof Of Duplicate interface and a range of cutting-edge tech features;

  • Full support in migrating your current program to Remedy.

  • Access to Glider!


Final Remarks

Here’s my TL;DR, afterwards: Glider is a query framework intended for use with smart contracts that are EVM-based. Based on the scenario or behavior specified in the query, a query is made to assist security researchers in finding matches in the code of all smart contracts deployed across integrated EVM blockchains. In order to find vulnerabilities at scale, queries are essential.

x.com/Hexen1337/status/1757698838410768759

In essence, it examines the contract’s source code. To give an example, glider can perform taint analysis and CFG and DFG graph analysis. The advantages of this method over the others.

These queries are continuously being run against all of the contracts that have been deployed on the blockchain as users of Glider write them. Glider can be used by security researchers to find out which other projects are impacted by the same vulnerability. In the Open beta phase, Glider will be free for anyone who signs up with Remedy, but community involvement will be needed.

To sum up, Glider marks a major advancement in Web3 cybersecurity practices and ushers in a new era of advanced smart contract auditing and security analysis. Glider is a game-changing tool that will definitely have a lasting effect on the Web3 landscape due to its innovative approach and transformative potential. It will also set new standards for security and integrity within decentralized applications.

Other important key features:

  • Glider is basically opening a new data analysis industry in Web3 with its Smart Contract Data Tool;

  • Glider is the first and only tool that can discover vulnerabilities at scale;

  • Free in the beta phase, will require community contribution.

I’d also like to invite you to monitor their TwitterTelegram & Discord for updates as the project develops and also explore the world of vulnerabilities with Vulnerability Wiki — an open-source, public, and free database for hackers wiki.r.security. Keep in mind that knowledge is power, and we’re putting it in your hands.

Access the insights, learn from the community, and enhance your hacking expertise. All in all, a stronger, safer web3 that lives up to its full potential will rely on efforts like this one!

Connect with like-minded white-hats, work together on projects, and celebrate our successes. You should also attend the Remedy team’s upcoming Glider Demos to see how it works firsthand:

https://discord.gg/ebyMtXMPmk?source=post_page-----3a3ad6add87d--------------------------------

Thank you! Stay safe!

1
粉丝
14
获赞
103
精选
数据来源区块链,不构成投资建议!
网站只展示作者的精选文章
2022 Tagge. With ❤️ from Lambda