­
Understanding Defensive Measures and Exploits in Contract Security By Gregory Pickett - All Articles - CISO Platform

Understanding%20Defensive%20Measures%20and%20Exploits%20in%20Contract%20Security.png?profile=RESIZE_710x

 

 

This blog offers insights into a hacker's perspective on defensive measures and concerns regarding detection and response capabilities. The speaker emphasizes the importance of monitoring for suspicious activities and implementing effective countermeasures to thwart potential attacks. Additionally, the blog delves into a specific exploit known as the Tendery hack, which involved a variation of price oracle misconfiguration in a DeFi platform. Through a hacker's lens, we will explore the vulnerabilities exploited and the implications for contract security.

 

 

Here is the verbatim discussion:

Successful but I'm also concerned on whether or not someone is going to see anything and if they see anything can they do something about it so that's my view constantly when I'm hacking and so I look at this the exact same way what could they have seen what could they have done to stop me if this was me so the first thing as a defender in that side I I would um you know be wondering if they are admitting events right so the thing they could have been doing then is admitting events admitting this case exchange rates also they could have been monitoring for large changes in that exchange rate that's what I'd be worried about as a hacker right and of course they also threat another hack the tendery hack in earlier in March a def5 platform now this is actually a variation a price Oracle misconfiguration another publicly known event now in solidity the decimal point is not explicit or strictly defined it is implicit or understood essentially the owner decides where the decimal place will be and they handle it accordingly if you have let's say this is very simplified again a number with 10 places and the number is one eight and then eight zeros right with the decimal point at the second place that's quite a different number than 1 eight and eight zeros it's much larger now throughout this contract the numbers were being handled correctly right handled with desm plat where the owner wanted it to be all except for the GMX token it was not so one GMX token because of the Des point was not being handled properly being handled at the second place or wherever supposed to be it's it one token was worth uh because that's the variable it was uh that without the decimal point it was the value of the GMX token was worth as an example eight 1 eight and eight zeros that's a large number now the actual number was much bigger and in fact this contract saw the value of one GMX token being worth more than all the Bitcoin currently in circulation yes GMX token was very much overvalued according to the contract now the GMX token uh was being used for collateral for a loan so obviously it being very valuable you could borrow a lot there you go I like my diagrams so one GMX token essentially they were able to borrow all of the either in the contract I don't think it was all of it uh but for all intens purposes why not yes all of threat another hack the tendery hack in earlier in March a def5 platform now this is actually a variation a price Oracle misconfiguration another publicly known event now in solidity the decimal point is not explicit or strictly defined it is implicit or understood essentially the owner decides where the decimal place will be and they handle it accordingly if you have let's say this is very simplified again a number with 10 places and the number is one eight and then eight zeros right with the decimal point at the second place that's quite a different number than 1 eight and eight zeros it's much larger now throughout this contract the numbers were being handled correctly right handled with desm plat where the owner wanted it to be all except for the GMX token it was not so one GMX token because of the Des point was not being handled properly being handled at the second place or wherever supposed to be it's it one token was worth uh because that's the variable it was uh that without the decimal point it was the value of the GMX token was worth as an example eight 1 eight and eight zeros that's a large number now the actual number was much bigger and in fact this contract saw the value of one GMX token being worth more than all the Bitcoin currently in circulation yes GMX token was very much overvalued according to the contract now the GMX token uh was being used for collateral for a loan so obviously it being very valuable you could borrow a lot there you go I like my diagrams so one GMX token essentially they were able to borrow all of the either in the contract I don't think it was all of it uh but for all intens purposes why not yes all of threat another hack the tendery hack in earlier in March a def5 platform now this is actually a variation a price Oracle misconfiguration another publicly known event now in solidity the decimal point is not explicit or strictly defined it is implicit or understood essentially the owner decides where the decimal place will be and they handle it accordingly if you have let's say this is very simplified again a number with 10 places and the number is one eight and then eight zeros right with the decimal point at the second place that's quite a different number than 1 eight and eight zeros it's much larger now throughout this contract the numbers were being handled correctly right handled with desm plat where the owner wanted it to be all except for the GMX token it was not so one GMX token because of the Des point was not being handled properly being handled at the second place or wherever supposed to be it's it one token was worth uh because that's the variable it was uh that without the decimal point it was the value of the GMX token was worth as an example eight 1 eight and eight zeros that's a large number now the actual number was much bigger and in fact this contract saw the value of one GMX token being worth more than all the Bitcoin currently in circulation yes GMX token was very much overvalued according to the contract now the GMX token uh was being used for collateral for a loan so obviously it being very valuable you could borrow a lot there you go I like my diagrams so one GMX token essentially they were able to borrow all of the either in the contract I don't think it was all of it uh but for all intens purposes why not yes all.

 

 

Highlights:

Hacker's Perspective on Defensive Measures

  • Monitoring and Detection: The speaker views defensive measures from a hacker's standpoint, focusing on the importance of detecting and responding to suspicious activities promptly.
  • Concerns and Considerations: There is a constant concern about whether defenders are effectively monitoring events and capable of taking action to prevent attacks.

Tendery Hack: Price Oracle Misconfiguration

  • Event Overview: The Tendery hack, occurring in March, highlighted a variation of price oracle misconfiguration in a DeFi platform, exploiting a decimal place error in a contract.
  • Solidity Decimal Handling: In Solidity, decimal point handling is not strictly defined, leading to vulnerabilities if not handled properly. The hack involved the overvaluation of a token, enabling the hacker to borrow a substantial amount of Ether.

 

The insights shared in this blog shed light on the ongoing battle between hackers and defenders in the digital realm. By understanding defensive measures from a hacker's perspective and examining real-world exploits like the Tendery hack, we gain valuable insights into the vulnerabilities inherent in contract security. It is imperative for defenders to enhance their monitoring and response capabilities to detect and mitigate such threats effectively. Through proactive measures and continuous improvement in security practices, the crypto ecosystem can strive towards greater resilience and trustworthiness.

 

Speaker:

Gregory Pickett is a renowned expert in the field of cybersecurity, currently serving as the Head of Cybersecurity. With extensive experience in identifying and mitigating security threats, Pickett is recognized for his deep understanding of both offensive and defensive cybersecurity strategies.

His leadership and insights have been instrumental in safeguarding digital assets and ensuring robust security protocols across various organizations.

 

https://www.linkedin.com/in/gregpickettcisspgciagpen/

 
Votes: 0
E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

Join The Community Discussion

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)
 

 

 

CISO Platform Talks : Security FireSide Chat With A Top CISO or equivalent (Monthly)

  • Description:

    CISO Platform Talks: Security Fireside Chat With a Top CISO

    Join us for the CISOPlatform Fireside Chat, a power-packed 30-minute virtual conversation where we bring together some of the brightest minds in cybersecurity to share strategic insights, real-world experiences, and emerging trends. This exclusive monthly session is designed for senior cybersecurity leaders looking to stay ahead in an ever-evolving landscape.

    We’ve had the privilege of…

  • Created by: Biswajit Banerjee
  • Tags: ciso, fireside chat

6 City Playbook Round Table Series (Delhi, Mumbai, Bangalore, Pune, Chennai, Kolkata)

  • Description:

    Join us for an exclusive 6-city roundtable series across Delhi, Mumbai, Bangalore, Pune, Chennai, and Kolkata. Curated for top cybersecurity leaders, this series will spotlight proven strategies, real-world insights, and impactful playbooks from the industry’s best.

    Network with peers, exchange ideas, and contribute to shaping the Top 100 Security Playbooks of the year.

    Date : Sept 2025 - Oct 2025

    Venue: Delhi, Mumbai, Bangalore, Pune,…

  • Created by: Biswajit Banerjee

Fireside Chat With Sandro Bucchianeri (Group Chief Security Officer at National Australia Bank Ltd.)

  • Description:

    We’re excited to bring you an insightful fireside chat with Sandro Bucchianeri (Group Chief Security Officer at National Australia Bank Ltd.) and Erik Laird (Vice President - North America, FireCompass). 

    About Sandro:

    Sandro Bucchianeri is an award-winning global cybersecurity leader with over 25…

  • Created by: Biswajit Banerjee
  • Tags: ciso, sandro bucchianeri, nab

National Insider Risk Symposium, Washington DC, USA 2025

  • Description:

    We are excited to invite you to the 10th National Insider Risk Symposium, a premier forum bringing together leaders and experts from both the commercial and public sectors to address the evolving landscape of insider threats. CISOPlatform is a proud community partner for this event. 

    Event Details:
    Venue: National Housing Center, 1201 15th St NW, Washington, D.C. 20005
    Dates: September 17–18,…

  • Created by: Biswajit Banerjee
  • Tags: national insider risk symposium, ciso, cybersecurity events, usa events