The most common blockchain-based application is Bitcoin, a cryptocurrency worth a couple of thousand $ per BTC. But Bitcoin is built on Blockchain 1.0. The second generation of blockchain opened a much broader field of application and is described as a mechanism allowing programmable transactions. Smart Contracts, as they are called, are scripts that are executed and stored in the blockchain...
2. drdr_zz
Blockchain and smart contracts are secure…
Ethereum.org
https://www.coindesk.com/blockchains-personal-data-protection-regulations-explained/
4. Damian Rusinek
@drdr_zz
damianrusinek @ github
Security Researcher & Pentester
Assistant Professor
How come blockchains and smart contracts have such
serious security flaws when they are so highly secured?
5. drdr_zz
How I could steal tokens (worth thousands of $) from a crypto exchange.
14. drdr_zz
What program could we run as a smart contract?
• eVoting
• Assets Management (transferring ownership)
Why smart contracts?
• No single authority
• Trustless
• Allows public verification
21. drdr_zz
Fact I – All your data is public
Preview votes
in transactions.
23. drdr_zz
Fact I – All your data is public
Functions
• Public functions can be executed by anyone.
• Can anyone execute maliciousFunction2() ?
Functions are public by default!
25. drdr_zz
• Public function which changes the owner.
Parity Hack worth 30 mln $
https://www.coindesk.com/30-million-ether-reported-stolen-parity-wallet-breach/
The race!
30 mln $ / 80 mln $
worth today: 90 mln $ / 240 mln $
26. drdr_zz
Fact I – All your data is public
• Set a visibility type for all functions.
• Do not keep secret data as plaintext in a smart contract.
• Examples:
• Rock Paper Scissors
• Blind Auctions
• Use blind commitments.
[Diagram labels: Hash of Value, Real Value]
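A blind commitment for the Rock Paper Scissors case, as an added example that is not from the original slides. It models the contract logic in Python; SHA-256 stands in for the contract's hash function, and the names `digest`, `commit`, `reveal_ok` and `guess_unsalted` are hypothetical.

```python
import hashlib
import hmac
import secrets

MOVES = ("rock", "paper", "scissors")

def digest(salt: bytes, move: str) -> str:
    # SHA-256 is an assumption of this sketch; a contract would use its own hash.
    return hashlib.sha256(salt + move.encode()).hexdigest()

def commit(move: str) -> tuple:
    """Commit phase: publish only the hash, keep (move, salt) private."""
    if move not in MOVES:
        raise ValueError("unknown move")
    salt = secrets.token_bytes(32)          # fresh 256-bit blinding value
    return digest(salt, move), salt

def reveal_ok(commitment: str, move: str, salt: bytes) -> bool:
    """Reveal phase: anyone can recompute the hash and compare it."""
    if move not in MOVES:
        return False
    return hmac.compare_digest(digest(salt, move), commitment)

def guess_unsalted(commitment: str):
    """With only three possible values, hash(move) alone hides nothing:
    an observer recomputes all three hashes. The random salt prevents this."""
    for move in MOVES:
        if digest(b"", move) == commitment:
            return move
    return None
```

The stored "Hash of Value" is only as blind as the salt is unpredictable; the "Real Value" and salt are published together in the reveal step.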
28. drdr_zz
Fact II – Smart contract is a program
Integer Overflow
• Ethereum Tokens – your own
cryptocurrency on Ethereum.
The attack: empty victim’s wallet.
29. drdr_zz
Fact II – Smart contract is a program
Integer Overflow
1. Balances:
• Victim -> (MAXUINT-9) tokens (e.g. founder of contract).
• Attacker -> 10 tokens.
2. Attacker transfers 10 tokens to victim.
3. Both have zero tokens.
32. drdr_zz
Fact II – Smart contract is a program
Insecure libraries
• Delete a library used by contracts worth millions of $.
https://www.trustnodes.com/2017/11/07/ethereums-parity-hacked-half-million-eth-frozen
33. drdr_zz
Fact II - Smart contract is a program
• Use open source libraries that handle typical errors (e.g. SafeMath for overflows).
• Write tests for boundary conditions.
• Verify the correctness and test libraries that you plan to use.
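The Integer Overflow balances from the earlier slide and the SafeMath recommendation above, worked through as an added example that is not from the original slides. It models uint256 arithmetic in Python; `unchecked_add`, `safe_add`, `safe_sub`, `transfer` and `slide_scenario` are hypothetical names, and the balances are the ones given on the slide.

```python
MAX_UINT = 2**256 - 1

def unchecked_add(a, b):
    """uint256 addition that silently wraps modulo 2**256."""
    return (a + b) & MAX_UINT

def safe_add(a, b):
    """SafeMath-style addition: reject the operation instead of wrapping."""
    c = (a + b) & MAX_UINT
    if c < a:
        raise OverflowError("uint256 addition overflow")
    return c

def safe_sub(a, b):
    """SafeMath-style subtraction: reject a result below zero."""
    if b > a:
        raise OverflowError("uint256 subtraction underflow")
    return a - b

def transfer(balances, sender, recipient, amount, add=safe_add):
    """Token transfer; `add` selects the wrapping or the checked credit."""
    new_sender = safe_sub(balances[sender], amount)
    new_recipient = add(balances[recipient], amount)
    # Write back only after both results exist, so a rejected transfer
    # leaves every balance untouched.
    balances[sender] = new_sender
    balances[recipient] = new_recipient
    return balances

def slide_scenario(add):
    """Victim holds MAXUINT-9 tokens, attacker holds 10 and sends all 10."""
    balances = {"victim": MAX_UINT - 9, "attacker": 10}
    return transfer(balances, "attacker", "victim", 10, add=add)
```

A transfer of 9 tokens is the boundary case worth a test: it must succeed and leave the victim at exactly MAXUINT. Solidity 0.8 and later revert on overflow by default, which gives the `safe_add` behaviour without a library.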
34. drdr_zz
EPISODE II – SMART CONTRACTS SECURITY
Fact III - Smart contracts have limitations
39. drdr_zz
Fact III – Smart contracts have limitations
Gas Limit
• All transactions are given some gas.
• All operations cost some gas.
• Transaction is rejected if gas limit is exceeded.
The attack: DoS the contract.
The idea: to prevent infinite loops.
40–44. drdr_zz
Fact III – Smart contracts have limitations
Gas Limit – DoS on auction contract
[Animated diagram, slides 40–44. Labels: BID, Auction, 100. Amounts shown per slide: 0 ETH and 1 ETH (40); 2 ETH and 2 ETH (41); 3 ETH and 3 ETH (42); 3 ETH and 4 ETH (43); 3 ETH (44).]
Further bids are blocked.
WINNER!
45. drdr_zz
Fact III - Smart contracts have limitations
• Learn the limitations of Ethereum (gas, randomness, etc.).
• Learn the way of handling these limitations.
• Write tests for handling limitations.
46. drdr_zz
EPISODE II – SMART CONTRACTS SECURITY
Fact IV - Smart contracts have specific vulns
50. drdr_zz
Fact IV – Smart contracts have specific vulns
Re-entrancy
• Unintended recurrence in smart contracts.
withdrawBalance
withdrawBalance
withdrawBalance
send Ether
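The withdrawBalance / send Ether recurrence, modelled in Python beside its hardened ordering, as an added example that is not from the original slides. `Vault`, `ReenteringRecipient`, `run` and the deposit amounts are constructed for illustration.

```python
class Vault:
    """Toy model of a contract holding Ether for several accounts."""

    def __init__(self, deposits, effects_first):
        self.balances = dict(deposits)
        self.pool = sum(deposits.values())      # Ether actually held
        self.effects_first = effects_first

    def withdraw_balance(self, account):
        amount = self.balances.get(account.name, 0)
        if amount == 0 or amount > self.pool:
            return
        if self.effects_first:
            self.balances[account.name] = 0     # hardened: update state first
        self.pool -= amount
        account.receive(self, amount)           # "send Ether" runs recipient code
        if not self.effects_first:
            self.balances[account.name] = 0     # vulnerable: zeroed after the call

class ReenteringRecipient:
    """Recipient whose receive hook calls withdraw_balance again."""

    def __init__(self, name):
        self.name = name
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        vault.withdraw_balance(self)

def run(effects_first):
    """Returns (Ether received by the caller, Ether left in the vault)."""
    vault = Vault({"caller": 1, "other": 3}, effects_first)
    caller = ReenteringRecipient("caller")
    vault.withdraw_balance(caller)
    return caller.received, vault.pool
```

With the balance zeroed only after the external call, a 1-unit deposit drains all 4 units; zeroing it before the call limits the same recipient to its own 1 unit.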
51. drdr_zz
How to test smart contracts?
Online
• Remix
• Securify
• SmartCheck
Offline
• Solhint
• Oyente
• Mythril
Best practices
• ConsenSys
• DASP
53. drdr_zz
• Online wallets
• Crypto exchanges
• Games
• ICOs
Popular webapps integrated with smart contracts
Attack webapp and generate
malicious transaction.
Let’s steal some tokens from the exchange.
58. drdr_zz
Not a bug, it’s a feature
Let’s use a too short address.
[Diagram labels: Function | Address | Value; Function | Short address | Value; Function | Modified address | Value; 000]
59. drdr_zz
A little misunderstanding
What user tried to do:
Send 2399.99 GNT to the 0x79735 address.
What Ethereum understood:
Send approx. 2 * 10^45 GNT to the 0x0797350000000000000000000000000000000000 address.
[Diagram labels: Func | Short address | Value; Func | Padded address | Shifted (padded) value; padding zeros]
60. drdr_zz
How to attack exchange?
• Deposit 1 Ethereum Token.
• Generate Ethereum address with zero-byte suffix (a matter of seconds).
• Withdraw 1 Ethereum Token and send address without last byte.
• Receive 256 Ethereum Tokens.
61. drdr_zz
How did I steal tokens from the exchange?
[Diagram labels: Func | Short address | Value; Func | Padded address | Shifted (padded) value; 00]
• Deposited 0.47 GNT
• Withdrew approx. 120 GNT (256 times more)
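Why the short address turns into a 256-fold value, and the length check on the exchange side that stops it, as an added example that is not from the original slides. The function names and the sample address are constructed; `a9059cbb` is the selector of `transfer(address,uint256)`.

```python
SELECTOR = bytes.fromhex("a9059cbb")    # transfer(address,uint256)

def strip_0x(address_hex):
    return address_hex[2:] if address_hex.startswith("0x") else address_hex

def naive_encode(address_hex, amount):
    """Builds call data without checking the address length (the flaw)."""
    addr = bytes.fromhex(strip_0x(address_hex))
    return SELECTOR + bytes(12) + addr + amount.to_bytes(32, "big")

def evm_decode(calldata):
    """Reads the two arguments as the contract sees them: bytes missing at
    the end of the call data are read as zero."""
    args = calldata[4:].ljust(64, b"\x00")
    return "0x" + args[12:32].hex(), int.from_bytes(args[32:64], "big")

def strict_encode(address_hex, amount):
    """Hardened encoder: the address must be exactly 20 bytes."""
    if len(strip_0x(address_hex)) != 40:
        raise ValueError("address must be exactly 20 bytes (40 hex digits)")
    calldata = naive_encode(address_hex, amount)
    if len(calldata) != 4 + 32 + 32:
        raise ValueError("unexpected call data length")
    return calldata

# Constructed sample: a 20-byte address ending in a zero byte, and the same
# address with that last byte left off.
FULL = "0x" + "11" * 19 + "00"
SHORT = FULL[:-2]

def demo():
    """Returns what the contract decodes for the naive and strict paths."""
    return evm_decode(naive_encode(SHORT, 1)), evm_decode(strict_encode(FULL, 1))
```

The naive path decodes to the full address with a value of 256 for a requested value of 1, which is the factor on the slide; `strict_encode` refuses the 19-byte input before any transaction is built.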
62. drdr_zz
• But to whom?
• No information about the owner on exchange
website!
• Be like Sherlock and find him.
• Time is running!
Let’s report the vulnerability
63. drdr_zz
That is a general problem
• How to responsibly disclose the vulnerability in a smart contract?
• How to inform the owner of a smart contract?
• Would you steal crypto and then look for the owner?
Send him an encrypted message kept on Ethereum.
64. drdr_zz
Responsible Disclosure Ethereum Messenger
My idea
Online: https://securing.github.io/eth-rd-messenger/
GitHub: https://github.com/securing/eth-rd-messenger
This tool is used to:
• send a secret message to the owner of a personal or contract Ethereum address, encrypted with its owner's ECC public key,
• decrypt the message sent to the personal address or contract's owner.
66. drdr_zz
Vulnerabilities
Similar to classic programs
• Overflows and underflows
• Unauthorized access to
functions
• Insecure libraries
• Business logic vulns
Specific for smart contracts
• Related to Ethereum limitations
(gas limit, randomness, etc.)
• Re-entrancy
• and more
67. drdr_zz
Top10 recommendations
1. Remember that all data is public in blockchain.
2. Do not keep secret data as plaintext in smart contract.
3. Use blind commitments.
4. Set visibility type to all functions.
5. Learn the limitations of Ethereum and how to handle them.
6. Write tests for handling limitations and for boundary conditions.
7. Verify the libraries that you plan to use.
8. Use the best security practices.
9. Consider threats from apps integrating with blockchain.
10. Test your contracts and blockchain applications.
68. Thank you!
Damian Rusinek (@drdr_zz)
damian.rusinek@securing.pl
https://www.securing.biz/en/developing-secure-blockchain-applications/index.html
How to Develop Secure Blockchain Applications