SShortSingh.
Back to feed

Why Smart Contracts Safe on Ethereum Can Fail—and Get Exploited—on L2s

0
·1 views

Deploying smart contracts to Layer 2 networks like Polygon, Arbitrum, or Optimism carries distinct security risks that differ significantly from Ethereum mainnet, even though the EVM remains largely compatible. Key differences include block timestamp precision, sequencer behavior, and bridge trust assumptions, all of which can introduce exploitable vulnerabilities. A real-world example is the February 2022 Umbrella Network hack, in which attackers drained $3.8 million by exploiting low-liquidity conditions typical of L2 environments at launch. On Arbitrum, for instance, block.number can return the L1 block number rather than the local one, causing timing logic to behave unexpectedly, while centralized sequencers on Arbitrum and Optimism can reorder or delay transactions in ways Ethereum's mempool cannot. Security auditors who do not account for these environment-specific differences risk missing the vulnerabilities most likely to result in protocol losses.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

How to Deploy Ngrok Ingress Controller on Kubernetes Without a LoadBalancer

The Ngrok Ingress Controller lets developers expose Kubernetes applications to the internet by routing traffic through Ngrok's edge, eliminating the need for a traditional LoadBalancer service. It handles traffic management, TLS, load balancing, and authentication at the Ngrok edge rather than within the cluster. Installation is done via Helm using an Ngrok API key and AuthToken, after which a sample app can be deployed and exposed through a standard Kubernetes Ingress resource tied to a static Ngrok domain. The setup also supports securing applications with GitHub OAuth and other authentication methods such as OpenID Connect and SAML, all enforced before traffic reaches the cluster. The result is a publicly accessible Kubernetes application reachable through a static Ngrok domain with minimal internal networking changes.

0
ProgrammingDEV Community ·

Developer Documents Journey Into LFX Mentorship Working on Post-Quantum Cryptography Tool

A developer has shared their experience of being selected for the Linux Foundation's LFX Mentorship Program to work on CBOMKit, a project tied to post-quantum cryptography. The mentee, guided by mentor Aditya Koranga, began the program with limited knowledge of OpenSSL and has since learned that it comprises four distinct components: libcrypto, libssl, a command-line tool, and the EVP API. Through the mentorship, they discovered that OpenSSL underpins widely used software including Nginx, PostgreSQL, and JWT libraries, often invisibly handling encryption tasks. The developer also explored how BoringSSL emerged as a Google fork following the 2014 Heartbleed vulnerability, and how Node.js now supports post-quantum algorithms natively via OpenSSL 3.5. The post reflects both the technical progress made and the gaps in understanding that remain as the mentorship continues.

0
ProgrammingDEV Community ·

How to Deploy PocketBase Open-Source Backend on Linux with Docker and HTTPS

PocketBase is an open-source Go-based backend that packages a real-time SQLite database, authentication, file storage, and an admin dashboard into a single binary. A deployment guide published on DEV Community walks developers through setting up PocketBase on a Linux server using Docker Compose, with Traefik managing automatic HTTPS via Let's Encrypt. Admin credentials are securely passed through environment variables, and the setup exposes PocketBase at a custom domain. The guide also demonstrates creating a sample collection called 'tasks' and querying it through PocketBase's REST API using curl. The tutorial is aimed at developers seeking a lightweight, self-hosted backend solution without complex infrastructure.

0
ProgrammingDEV Community ·

Differential Testing Exposes Silent PACE-to-BAC Fallback in Open-Source eMRTD Libraries

Researchers tested two widely used open-source e-passport reader libraries — gmrtd (Go) and JMRTD (Java) — by replaying identical synthetic protocol traffic against both, without any physical passport or NFC hardware. The experiment simulated a scenario where the newer PACE authentication protocol fails and the system silently falls back to the older BAC method. Both libraries completed the session successfully via BAC after PACE returned an error code, but neither surfaced an explicit indication to the application that a protocol downgrade had occurred. The findings highlight a gap that standard conformance testing misses: two libraries can behave identically in observable output while leaving applications unaware of a security-relevant negotiation failure.