SlideShare ist ein Scribd-Unternehmen logo

Outsmarting Smart Contracts - an essential walkthrough a blockchain security minefields

SecuRing
SecuRing

The most common blockchain-based application is Bitcoin - cryptocurrency worth a couple of thousands $ per BTC. But Bitcoin is built on the Blockchain 1.0. The second generation of blockchain opened a much broader field of application and is described as mechanism allowing programmable transactions. Smart Contracts, as they are called, are scripts that are executed and stored in the blockchain...

Software
1 von 68
Downloaden Sie, um offline zu lesen
Outsmarting Smart Contracts Damian Rusinek CONFidence, 5th of June 2018 damian.rusinek@securing.pl @drdr_zz
drdr_zz Blockchain and smart contracts are secure… Ethereum.org https://www.coindesk.com/blockchains-personal-data-protection-regulations-explained/
drdr_zz …or is it?
Damian Rusinek @drdr_zz damianrusinek @ github Security Researcher & Pentester Assistant Professor How come blockchains and smart contracts have such serious security flaws when they are so highly secured?
drdr_zz How I could steal tokens (worth thousands of $) from crypto exchange.
drdr_zz BLOCKCHAIN 101
drdr_zz Blockchain 101 D U D E Distributed Unmodifiable Database Engine
drdr_zz Do I need blockchain? Do I need blockchain? No Single point of failure? NO Single point of authority? NO But really? Modifiable data? NO
drdr_zz The analogy Tor Private Communication Blockchain Unmodifiable Storage
drdr_zz The analogy Tor Private Communication Blockchain Unmodifiable Storage
drdr_zz EPISODE I – SMART CONTRACTS
drdr_zz Executable Smart contract
drdr_zz Ethereum „Ethereum is literally a computer that spans the entire world.” Ethereum White Paper
drdr_zz What program could we run as smart contract? • eVoting • Assets Management (transfering ownership) Why smart contracts? • No single authority • Trustless • Allows public verification
drdr_zz How to verify the contract? https://etherscan.io
drdr_zz How to execute smart contract? 0x2b30ea3a000000000000000000000000000 0000000000000000000000000000000000000
drdr_zz How to verify the execution?
drdr_zz - EPISODE II – SMART CONTRACTS SECURITY Fact I - All your data is public
drdr_zz Fact I – All your data is public Variables
drdr_zz Fact I – All your data is public Variables
drdr_zz Fact I – All your data is public Preview votes in transactions.
drdr_zz Fact I – All your data is public Functions • Public functions can be executed by anyone. • Can anyone execute maliciousFunction2() ?
drdr_zz Fact I – All your data is public Functions • Public functions can be executed by anyone. • Can anyone execute maliciousFunction2() ? Functions are public by default!
drdr_zz • Public function which changes the owner. Parity Hack worth 30 mln $ https://www.coindesk.com/30-million-ether-reported-stolen-parity-wallet-breach/
drdr_zz • Public function which changes the owner. Parity Hack worth 30 mln $ https://www.coindesk.com/30-million-ether-reported-stolen-parity-wallet-breach/ The race! 30 mln $ 80 mln $ worth today 90 mln $ 240 mln $
drdr_zz • Set visibility type to all functions. • Do not keep secret data as plaintext in smart contract. • Examples: • Rock Paper Scissors • Blind Auctions • Use blind commitments. Fact I – All your data is public Hash of Value Real Value
drdr_zz - EPISODE II – SMART CONTRACTS SECURITY Fact II - Smart contract is a program
drdr_zz Fact II – Smart contract is a program Integer Overflow • Ethereum Tokens – your own cryptocurrency on Ethereum. The attack: empty victim’s wallet.
drdr_zz Fact II – Smart contract is a program Integer Overflow 1. Balances: • Victim -> (MAXUINT-9) tokens (e.g. founder of contract). • Attacker -> 10 tokens. 2. Attacker transfers 10 tokens to victim. 3. Both have zero tokens.
drdr_zz Fact II – Smart contract is a program Insecure libraries
drdr_zz Fact II – Smart contract is a program Insecure libraries • Delete library used by mln $ worth contracts.
drdr_zz Fact II – Smart contract is a program Insecure libraries • Delete library used by mln $ worth contracts. https://www.trustnodes.com/2017/11/07/ether eums-parity-hacked-half-million-eth-frozen
drdr_zz • Use open source libraries that handle typical errors (e.g. SafeMath for overflows). • Write tests for boundary conditions. • Verify the correctness and test libraries that you plan to use. Fact II - Smart contract is a program
drdr_zz - EPISODE II – SMART CONTRACTS SECURITY Fact III - Smart contracts have limitations
drdr_zz Fact III – Smart contracts have limitations Gas Limit • All transactions are given some gas. • All operations cost some gas. • Transaction is rejected if gas limit is exceded.
drdr_zz Fact III – Smart contracts have limitations Gas Limit • All transactions are given some gas. • All operations cost some gas. • Transaction is rejected if gas limit is exceded.
drdr_zz Fact III – Smart contracts have limitations Gas Limit • All transactions are given some gas. • All operations cost some gas. • Transaction is rejected if gas limit is exceded.
drdr_zz Fact III – Smart contracts have limitations Gas Limit • All transactions are given some gas. • All operations cost some gas. • Transaction is rejected if gas limit is exceded.
drdr_zz Fact III – Smart contracts have limitations Gas Limit • All transactions are given some gas. • All operations cost some gas. • Transaction is rejected if gas limit is exceded. The attack: DoS the contract. The idea: to prevent infinite loops.
drdr_zz Fact III – Smart contracts have limitations Gas Limit – DoS on auction contract BID Auction 0 ETH 1 ETH BIDBID 100
drdr_zz Fact III – Smart contracts have limitations Gas Limit – DoS on auction contract BID Auction 2 ETH BID 2 ETH BIDBID 100
drdr_zz Fact III – Smart contracts have limitations Gas Limit – DoS on auction contract BID Auction 3 ETH 3 ETH BIDBIDBID 100
drdr_zz Fact III – Smart contracts have limitations Gas Limit – DoS on auction contract BID Auction 3 ETH 4 ETH BIDBIDBID 100 Further bids are blocked.
drdr_zz Fact III – Smart contracts have limitations Gas Limit – DoS on auction contract Auction 3 ETH Further bids are blocked. WINNER!
drdr_zz • Learn the limitations of Ethereum (gas, randomness, etc.). • Learn the way of handling these limitations. • Write tests for handling limitations. Fact III - Smart contracts have limitations
drdr_zz - EPISODE II – SMART CONTRACTS SECURITY Fact IV - Smart contracts have specific vulns
drdr_zz Fact IV – Smart contracts have specific vulns Re-entrancy • Unintended recurrence in smart contracts. withdrawBalance
drdr_zz Fact IV – Smart contracts have specific vulns Re-entrancy • Unintended recurrence in smart contracts. withdrawBalance send Ether
drdr_zz Fact IV – Smart contracts have specific vulns Re-entrancy • Unintended recurrence in smart contracts. withdrawBalance send Ether
drdr_zz Fact IV – Smart contracts have specific vulns Re-entrancy • Unintended recurrence in smart contracts. withdrawBalance withdrawBalance withdrawBalance send Ether
drdr_zz Online • Remix • Securify • SmartCheck How to test smart contracts? Offline • Solhint • Oyente • Myhtril Best practices • ConsenSys • DASP
drdr_zz EPISODE II – SMART CONTRACTS INTEGRATION
drdr_zz • Online wallets • Crypto exchanges • Games • ICOs Popular webapps integrated with smart contracts Attack webapp and generate malicious transaction. Let’s steal some tokens from the exchange.
drdr_zz Typical withdrawal transaction 50 GTN Receiver address Function Address Parameter Value Parameter
drdr_zz Not a bug, it’s a feature Let’s use to short address. Function Address Value Function Short address ValueValue
drdr_zz Not a bug, it’s a feature Let’s use to short address. Function Address Value Function Short address ValueModified address Value
drdr_zz Not a bug, it’s a feature Let’s use to short address. Function Address Value Function Short address ValueModified address Value
drdr_zz Not a bug, it’s a feature Let’s use to short address. 000 Function Address Value Function Short address ValueModified address Value
drdr_zz A little misunderstanding What user tried to do: Send 2399.99 GNT to the 0x79735 address. What Ethereum understood: Send approx. 2 * 1045 GNT to the 0x079735000000000000000000000000 0000000000 address. 0000000000000000000000000000000000 Func Short address Value Func Padded address Shifted (padded) value
drdr_zz • Deposit 1 Ethereum Token. • Generate Ethereum address with zero-byte suffix (a matter of seconds). • Withdraw 1 Ethereum Token and send address without last byte. • Receive 256 Ethereum Tokens. How to attack exchange?
drdr_zz How I have stolen tokens from exchange? Func Short address Value Func Padded address Shifted (padded) value 00 • Deposited 0.47 GTN • Withdrew approx. 120 GTN (256 times more)
drdr_zz • But to whom? • No information about the owner on exchange website! • Be like Sherlock and find him. • Time is running! Let’s report the vulnerability
drdr_zz • How to responsibly disclosure the vulnerability in smart contract? • How to inform the owner of smart contract? • Would you steal crypto and the look for the owner? That is general problem Send him an encrypted message kept on Ethereum.
drdr_zz Responsible Disclosure Ethereum Messenger My idea Online: https://securing.github.io/eth-rd-messenger/ GitHub: https://github.com/securing/eth-rd-messenger This tool is used to: • send a secret message to the owner of a personal or contract Ethereum address, encypted with its owner ECC public key, • decrypt the message sent to the personal address or contract's owner.
drdr_zz DEMO https://www.youtube.com/watch?v= 8AmpXCJRwzQ&feature=youtu.be
drdr_zz Vulnerabilities Similar to classic programs • Overflows and underflows • Unauthorized access to functions • Insecure libraries • Business logic vulns Specific for smart contracts • Related to Ethereum limitations (gas limit, randomness, etc.) • Re-entrancy • and more
drdr_zz Top10 recommendations 1. Remember that all data is public in blockchain. 2. Do not keep secret data as plaintext in smart contract. 3. Use blind commitments. 4. Set visibility type to all functions. 5. Learn the limitations of Ethereum and how to handle them. 6. Write tests for handling limitations and for boundary conditions. 7. Verify the libraries than you plan to use. 8. Use the best security practices. 9. Consider threats from apps integrating with blockchain. 10. Test your contracts and blockchain applications.
Thank you! Damian Rusinek (@drdr_zz) damian.rusinek@securing.pl https://www.securing.biz/en/developing-secure- blockchain-applications/index.html How to Develop Secure Blockchain Applications

Empfohlen

Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsWeb Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsSecuRing
 
Getting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract AuditingGetting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract AuditingBeau Bullock
 
Brief Introduction to Blockchain Security
Brief Introduction to Blockchain SecurityBrief Introduction to Blockchain Security
Brief Introduction to Blockchain SecurityJohnson, Chuan Zhang CISM CCSK OSCP
 
IDC - Blockchain Threat Model
IDC - Blockchain Threat ModelIDC - Blockchain Threat Model
IDC - Blockchain Threat ModelPeteLind
 
Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018
Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018
Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018Codemotion
 
Bletchley
BletchleyBletchley
BletchleyDiogo Mónica
 
JWTs and JOSE in a flash
JWTs and JOSE in a flashJWTs and JOSE in a flash
JWTs and JOSE in a flashEvan J Johnson (Not a CISSP)
 
Webinar: Enterprise Blockchain Radically Simplified with Truffle and Kaleido
Webinar: Enterprise Blockchain Radically Simplified with Truffle and KaleidoWebinar: Enterprise Blockchain Radically Simplified with Truffle and Kaleido
Webinar: Enterprise Blockchain Radically Simplified with Truffle and KaleidoKaleido
 

Empfohlen

Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsWeb Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standards
Web Apps vs Blockchain dApps (Smart Contracts): tools, vulns and standardsSecuRing
 
Getting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract AuditingGetting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract AuditingBeau Bullock
 
Brief Introduction to Blockchain Security
Brief Introduction to Blockchain SecurityBrief Introduction to Blockchain Security
Brief Introduction to Blockchain SecurityJohnson, Chuan Zhang CISM CCSK OSCP
 
IDC - Blockchain Threat Model
IDC - Blockchain Threat ModelIDC - Blockchain Threat Model
IDC - Blockchain Threat ModelPeteLind
 
Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018
Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018
Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018Codemotion
 
Bletchley
BletchleyBletchley
BletchleyDiogo Mónica
 
JWTs and JOSE in a flash
JWTs and JOSE in a flashJWTs and JOSE in a flash
JWTs and JOSE in a flashEvan J Johnson (Not a CISSP)
 
Webinar: Enterprise Blockchain Radically Simplified with Truffle and Kaleido
Webinar: Enterprise Blockchain Radically Simplified with Truffle and KaleidoWebinar: Enterprise Blockchain Radically Simplified with Truffle and Kaleido
Webinar: Enterprise Blockchain Radically Simplified with Truffle and KaleidoKaleido
 
Blockchain and Cryptography - A Primer
Blockchain and Cryptography - A PrimerBlockchain and Cryptography - A Primer
Blockchain and Cryptography - A PrimerGokul Alex
 
Blockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMBlockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMDiego Alberto Tamayo
 
Privacy-preserving techniques using zero knowledge proof in public Ethereum
Privacy-preserving techniques using zero knowledge proof in public EthereumPrivacy-preserving techniques using zero knowledge proof in public Ethereum
Privacy-preserving techniques using zero knowledge proof in public EthereumNagib Aouini
 
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDFDEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDFGokul Alex
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices WorldDiogo Mónica
 
Bitmark and Hyperledger Workshop: the Digital Assets and Property
Bitmark and Hyperledger Workshop: the Digital Assets and PropertyBitmark and Hyperledger Workshop: the Digital Assets and Property
Bitmark and Hyperledger Workshop: the Digital Assets and PropertyJollen Chen
 
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & Code
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & CodeDeploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & Code
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & CodeHorea Porutiu
 
Privacy Preserving Paradigms of Blockchain Technology
Privacy Preserving Paradigms of Blockchain TechnologyPrivacy Preserving Paradigms of Blockchain Technology
Privacy Preserving Paradigms of Blockchain TechnologyGokul Alex
 
Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013javagroup2006
 
The Blockchain and the Future of Cybersecurity
The Blockchain and the Future of CybersecurityThe Blockchain and the Future of Cybersecurity
The Blockchain and the Future of CybersecurityKevin Cedeño, CISM, CISA
 
Authorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice EnvironmentsAuthorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice EnvironmentsLeanIX GmbH
 
Hashgraph as Code
Hashgraph as CodeHashgraph as Code
Hashgraph as CodeCalvin Cheng
 
Hyperledger Fabric Application Development 20190618
Hyperledger Fabric Application Development 20190618Hyperledger Fabric Application Development 20190618
Hyperledger Fabric Application Development 20190618Arnaud Le Hors
 
Blockchain Scalability - Architectures and Algorithms
Blockchain Scalability - Architectures and AlgorithmsBlockchain Scalability - Architectures and Algorithms
Blockchain Scalability - Architectures and AlgorithmsGokul Alex
 
ICO and Cyber security - How to protect from hackers during ICOs
ICO and Cyber security - How to protect from hackers during ICOsICO and Cyber security - How to protect from hackers during ICOs
ICO and Cyber security - How to protect from hackers during ICOsNagib Aouini
 
OSCON 2018 Getting Started with Hyperledger Indy
OSCON 2018 Getting Started with Hyperledger IndyOSCON 2018 Getting Started with Hyperledger Indy
OSCON 2018 Getting Started with Hyperledger IndyTracy Kuhrt
 
Smart Contract Testing
Smart Contract TestingSmart Contract Testing
Smart Contract TestingDilum Bandara
 
Blockchin architecture & use cases -part-2
Blockchin architecture & use cases -part-2Blockchin architecture & use cases -part-2
Blockchin architecture & use cases -part-2Mohammad Asif
 
Hyper ledger febric
Hyper ledger febricHyper ledger febric
Hyper ledger febricRohit Verma
 
A Zero-Knowledge Proof: Improving Privacy on a Blockchain
A Zero-Knowledge Proof: Improving Privacy on a BlockchainA Zero-Knowledge Proof: Improving Privacy on a Blockchain
A Zero-Knowledge Proof: Improving Privacy on a BlockchainAltoros
 
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...PROIDEA
 
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contractsOWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contractsOWASP
 

Weitere ähnliche Inhalte

Was ist angesagt?

Blockchain and Cryptography - A Primer
Blockchain and Cryptography - A PrimerBlockchain and Cryptography - A Primer
Blockchain and Cryptography - A PrimerGokul Alex
 
Blockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMBlockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMDiego Alberto Tamayo
 
Privacy-preserving techniques using zero knowledge proof in public Ethereum
Privacy-preserving techniques using zero knowledge proof in public EthereumPrivacy-preserving techniques using zero knowledge proof in public Ethereum
Privacy-preserving techniques using zero knowledge proof in public EthereumNagib Aouini
 
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDFDEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDFGokul Alex
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices WorldDiogo Mónica
 
Bitmark and Hyperledger Workshop: the Digital Assets and Property
Bitmark and Hyperledger Workshop: the Digital Assets and PropertyBitmark and Hyperledger Workshop: the Digital Assets and Property
Bitmark and Hyperledger Workshop: the Digital Assets and PropertyJollen Chen
 
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & Code
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & CodeDeploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & Code
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & CodeHorea Porutiu
 
Privacy Preserving Paradigms of Blockchain Technology
Privacy Preserving Paradigms of Blockchain TechnologyPrivacy Preserving Paradigms of Blockchain Technology
Privacy Preserving Paradigms of Blockchain TechnologyGokul Alex
 
Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013javagroup2006
 
The Blockchain and the Future of Cybersecurity
The Blockchain and the Future of CybersecurityThe Blockchain and the Future of Cybersecurity
The Blockchain and the Future of CybersecurityKevin Cedeño, CISM, CISA
 
Authorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice EnvironmentsAuthorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice EnvironmentsLeanIX GmbH
 
Hyperledger Fabric Application Development 20190618
Hyperledger Fabric Application Development 20190618Hyperledger Fabric Application Development 20190618
Hyperledger Fabric Application Development 20190618Arnaud Le Hors
 
Blockchain Scalability - Architectures and Algorithms
Blockchain Scalability - Architectures and AlgorithmsBlockchain Scalability - Architectures and Algorithms
Blockchain Scalability - Architectures and AlgorithmsGokul Alex
 
ICO and Cyber security - How to protect from hackers during ICOs
ICO and Cyber security - How to protect from hackers during ICOsICO and Cyber security - How to protect from hackers during ICOs
ICO and Cyber security - How to protect from hackers during ICOsNagib Aouini
 
OSCON 2018 Getting Started with Hyperledger Indy
OSCON 2018 Getting Started with Hyperledger IndyOSCON 2018 Getting Started with Hyperledger Indy
OSCON 2018 Getting Started with Hyperledger IndyTracy Kuhrt
 
Smart Contract Testing
Smart Contract TestingSmart Contract Testing
Smart Contract TestingDilum Bandara
 
Blockchin architecture & use cases -part-2
Blockchin architecture & use cases -part-2Blockchin architecture & use cases -part-2
Blockchin architecture & use cases -part-2Mohammad Asif
 
Hyper ledger febric
Hyper ledger febricHyper ledger febric
Hyper ledger febricRohit Verma
 
A Zero-Knowledge Proof: Improving Privacy on a Blockchain
A Zero-Knowledge Proof: Improving Privacy on a BlockchainA Zero-Knowledge Proof: Improving Privacy on a Blockchain
A Zero-Knowledge Proof: Improving Privacy on a BlockchainAltoros
 

Was ist angesagt? (20)

Blockchain and Cryptography - A Primer
Blockchain and Cryptography - A PrimerBlockchain and Cryptography - A Primer
Blockchain and Cryptography - A Primer
 
Blockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBMBlockchain a-new-disruption-in-financial-servies - IBM
Blockchain a-new-disruption-in-financial-servies - IBM
 
Privacy-preserving techniques using zero knowledge proof in public Ethereum
Privacy-preserving techniques using zero knowledge proof in public EthereumPrivacy-preserving techniques using zero knowledge proof in public Ethereum
Privacy-preserving techniques using zero knowledge proof in public Ethereum
 
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDFDEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices World
 
Bitmark and Hyperledger Workshop: the Digital Assets and Property
Bitmark and Hyperledger Workshop: the Digital Assets and PropertyBitmark and Hyperledger Workshop: the Digital Assets and Property
Bitmark and Hyperledger Workshop: the Digital Assets and Property
 
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & Code
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & CodeDeploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & Code
Deploy a blockchain web-app with Hyperledger Fabric 1.4 - Concepts & Code
 
Privacy Preserving Paradigms of Blockchain Technology
Privacy Preserving Paradigms of Blockchain TechnologyPrivacy Preserving Paradigms of Blockchain Technology
Privacy Preserving Paradigms of Blockchain Technology
 
Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013
 
The Blockchain and the Future of Cybersecurity
The Blockchain and the Future of CybersecurityThe Blockchain and the Future of Cybersecurity
The Blockchain and the Future of Cybersecurity
 
Authorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice EnvironmentsAuthorization and Authentication in Microservice Environments
Authorization and Authentication in Microservice Environments
 
Hashgraph as Code
Hashgraph as CodeHashgraph as Code
Hashgraph as Code
 
Hyperledger Fabric Application Development 20190618
Hyperledger Fabric Application Development 20190618Hyperledger Fabric Application Development 20190618
Hyperledger Fabric Application Development 20190618
 
Blockchain Scalability - Architectures and Algorithms
Blockchain Scalability - Architectures and AlgorithmsBlockchain Scalability - Architectures and Algorithms
Blockchain Scalability - Architectures and Algorithms
 
ICO and Cyber security - How to protect from hackers during ICOs
ICO and Cyber security - How to protect from hackers during ICOsICO and Cyber security - How to protect from hackers during ICOs
ICO and Cyber security - How to protect from hackers during ICOs
 
OSCON 2018 Getting Started with Hyperledger Indy
OSCON 2018 Getting Started with Hyperledger IndyOSCON 2018 Getting Started with Hyperledger Indy
OSCON 2018 Getting Started with Hyperledger Indy
 
Smart Contract Testing
Smart Contract TestingSmart Contract Testing
Smart Contract Testing
 
Blockchin architecture & use cases -part-2
Blockchin architecture & use cases -part-2Blockchin architecture & use cases -part-2
Blockchin architecture & use cases -part-2
 
Hyper ledger febric
Hyper ledger febricHyper ledger febric
Hyper ledger febric
 
A Zero-Knowledge Proof: Improving Privacy on a Blockchain
A Zero-Knowledge Proof: Improving Privacy on a BlockchainA Zero-Knowledge Proof: Improving Privacy on a Blockchain
A Zero-Knowledge Proof: Improving Privacy on a Blockchain
 

Ähnlich wie Outsmarting Smart Contracts - an essential walkthrough a blockchain security minefields

CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...PROIDEA
 
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contractsOWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contractsOWASP
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsSecuRing
 
[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dAppsOWASP
 
Blockchain and Bitcoin
Blockchain and BitcoinBlockchain and Bitcoin
Blockchain and BitcoinHugo Rodrigues
 
Kriptovaluták, hashbányászat és okoscicák
Kriptovaluták, hashbányászat és okoscicákKriptovaluták, hashbányászat és okoscicák
Kriptovaluták, hashbányászat és okoscicákhackersuli
 
Smart contract honeypots for profit (and fun) - bha
Smart contract honeypots for profit (and fun) - bhaSmart contract honeypots for profit (and fun) - bha
Smart contract honeypots for profit (and fun) - bhaPolySwarm
 
Blockchain School 2019 - Security of Smart Contracts.pdf
Blockchain School 2019 - Security of Smart Contracts.pdfBlockchain School 2019 - Security of Smart Contracts.pdf
Blockchain School 2019 - Security of Smart Contracts.pdfDavide Carboni
 
Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Marco Balduzzi
 
Cybercrime In The Deep Web
Cybercrime In The Deep WebCybercrime In The Deep Web
Cybercrime In The Deep WebTrend Micro
 
Security Model of Blockchain
Security Model of BlockchainSecurity Model of Blockchain
Security Model of Blockchainsaficus
 
DevDay: Writing a Secure CorDapp, (almost) Everything You Didn't Know You Nee...
DevDay: Writing a Secure CorDapp, (almost) Everything You Didn't Know You Nee...DevDay: Writing a Secure CorDapp, (almost) Everything You Didn't Know You Nee...
DevDay: Writing a Secure CorDapp, (almost) Everything You Didn't Know You Nee...R3
 
C-Suite Snacks Webinar Series: How Companies are Making Money in Bitcoin and ...
C-Suite Snacks Webinar Series: How Companies are Making Money in Bitcoin and ...C-Suite Snacks Webinar Series: How Companies are Making Money in Bitcoin and ...
C-Suite Snacks Webinar Series: How Companies are Making Money in Bitcoin and ...Citrin Cooperman
 
Web3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEMWeb3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEMTal Be'ery
 
Blockchain a-new-disruption-in-financial-servies by ibm
Blockchain a-new-disruption-in-financial-servies by ibm Blockchain a-new-disruption-in-financial-servies by ibm
Blockchain a-new-disruption-in-financial-servies by ibm Diego Alberto Tamayo
 
Blockchain a-new-disruption-in-financial-services - IBM
Blockchain a-new-disruption-in-financial-services - IBMBlockchain a-new-disruption-in-financial-services - IBM
Blockchain a-new-disruption-in-financial-services - IBMDiego Alberto Tamayo
 
Ethereum Contracts - Coinfest 2015
Ethereum Contracts - Coinfest 2015Ethereum Contracts - Coinfest 2015
Ethereum Contracts - Coinfest 2015Rhea Myers
 
Ethereum wallet Intro 以太坊錢包介紹
Ethereum wallet Intro 以太坊錢包介紹Ethereum wallet Intro 以太坊錢包介紹
Ethereum wallet Intro 以太坊錢包介紹Nicholas Lin
 

Ähnlich wie Outsmarting Smart Contracts - an essential walkthrough a blockchain security minefields (20)

CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
CONFidence 2018: Outsmarting smart contracts - an essential walkthrough a blo...
 
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contractsOWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
 
[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps[OPD 2019] Web Apps vs Blockchain dApps
[OPD 2019] Web Apps vs Blockchain dApps
 
Blockchain and Bitcoin
Blockchain and BitcoinBlockchain and Bitcoin
Blockchain and Bitcoin
 
Kriptovaluták, hashbányászat és okoscicák
Kriptovaluták, hashbányászat és okoscicákKriptovaluták, hashbányászat és okoscicák
Kriptovaluták, hashbányászat és okoscicák
 
Smart contract honeypots for profit (and fun) - bha
Smart contract honeypots for profit (and fun) - bhaSmart contract honeypots for profit (and fun) - bha
Smart contract honeypots for profit (and fun) - bha
 
Blockchain School 2019 - Security of Smart Contracts.pdf
Blockchain School 2019 - Security of Smart Contracts.pdfBlockchain School 2019 - Security of Smart Contracts.pdf
Blockchain School 2019 - Security of Smart Contracts.pdf
 
Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)
 
Cybercrime In The Deep Web
Cybercrime In The Deep WebCybercrime In The Deep Web
Cybercrime In The Deep Web
 
Security Model of Blockchain
Security Model of BlockchainSecurity Model of Blockchain
Security Model of Blockchain
 
DevDay: Writing a Secure CorDapp, (almost) Everything You Didn't Know You Nee...
DevDay: Writing a Secure CorDapp, (almost) Everything You Didn't Know You Nee...DevDay: Writing a Secure CorDapp, (almost) Everything You Didn't Know You Nee...
DevDay: Writing a Secure CorDapp, (almost) Everything You Didn't Know You Nee...
 
C-Suite Snacks Webinar Series: How Companies are Making Money in Bitcoin and ...
C-Suite Snacks Webinar Series: How Companies are Making Money in Bitcoin and ...C-Suite Snacks Webinar Series: How Companies are Making Money in Bitcoin and ...
C-Suite Snacks Webinar Series: How Companies are Making Money in Bitcoin and ...
 
Web3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEMWeb3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEM
 
Blockchain for Notaries
Blockchain for NotariesBlockchain for Notaries
Blockchain for Notaries
 
Blockchain a-new-disruption-in-financial-servies by ibm
Blockchain a-new-disruption-in-financial-servies by ibm Blockchain a-new-disruption-in-financial-servies by ibm
Blockchain a-new-disruption-in-financial-servies by ibm
 
Blockchain a-new-disruption-in-financial-services - IBM
Blockchain a-new-disruption-in-financial-services - IBMBlockchain a-new-disruption-in-financial-services - IBM
Blockchain a-new-disruption-in-financial-services - IBM
 
Ethereum Contracts - Coinfest 2015
Ethereum Contracts - Coinfest 2015Ethereum Contracts - Coinfest 2015
Ethereum Contracts - Coinfest 2015
 
Ethereum wallet Intro 以太坊錢包介紹
Ethereum wallet Intro 以太坊錢包介紹Ethereum wallet Intro 以太坊錢包介紹
Ethereum wallet Intro 以太坊錢包介紹
 

Mehr von SecuRing

Developer in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4DevelopersDeveloper in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4DevelopersSecuRing
 
Developer in a digital crosshair, 2022 edition - Oh My H@ck!
Developer in a digital crosshair, 2022 edition - Oh My H@ck!Developer in a digital crosshair, 2022 edition - Oh My H@ck!
Developer in a digital crosshair, 2022 edition - Oh My H@ck!SecuRing
 
Developer in a digital crosshair, 2022 edition - No cON Name
Developer in a digital crosshair, 2022 edition - No cON NameDeveloper in a digital crosshair, 2022 edition - No cON Name
Developer in a digital crosshair, 2022 edition - No cON NameSecuRing
 
Is persistency on serverless even possible?!
Is persistency on serverless even possible?!Is persistency on serverless even possible?!
Is persistency on serverless even possible?!SecuRing
 
What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!SecuRing
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS EnvironmentsSecuRing
 
Developer in a digital crosshair, 2022 edition
Developer in a digital crosshair, 2022 editionDeveloper in a digital crosshair, 2022 edition
Developer in a digital crosshair, 2022 editionSecuRing
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy MechanismsSecuRing
 
How secure are webinar platforms?
How secure are webinar platforms?How secure are webinar platforms?
How secure are webinar platforms?SecuRing
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy MechanismsSecuRing
 
Serverless security: attack & defense
Serverless security: attack & defense Serverless security: attack & defense
Serverless security: attack & defenseSecuRing
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsSecuRing
 
Let's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleLet's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleSecuRing
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainSecuRing
 
Budowanie i hakowanie nowoczesnych aplikacji iOS
Budowanie i hakowanie nowoczesnych aplikacji iOSBudowanie i hakowanie nowoczesnych aplikacji iOS
Budowanie i hakowanie nowoczesnych aplikacji iOSSecuRing
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.SecuRing
 
Building & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsBuilding & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsSecuRing
 
Artificial Intelligence – a buzzword, new era of IT or new threats?
Artificial Intelligence – a buzzword, new era of IT or new threats?Artificial Intelligence – a buzzword, new era of IT or new threats?
Artificial Intelligence – a buzzword, new era of IT or new threats?SecuRing
 
Building&Hacking modern iOS apps
Building&Hacking modern iOS appsBuilding&Hacking modern iOS apps
Building&Hacking modern iOS appsSecuRing
 
Czy S w PSD2 znaczy Secure?
Czy S w PSD2 znaczy Secure?Czy S w PSD2 znaczy Secure?
Czy S w PSD2 znaczy Secure?SecuRing
 

Mehr von SecuRing (20)

Developer in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4DevelopersDeveloper in a digital crosshair, 2023 edition - 4Developers
Developer in a digital crosshair, 2023 edition - 4Developers
 
Developer in a digital crosshair, 2022 edition - Oh My H@ck!
Developer in a digital crosshair, 2022 edition - Oh My H@ck!Developer in a digital crosshair, 2022 edition - Oh My H@ck!
Developer in a digital crosshair, 2022 edition - Oh My H@ck!
 
Developer in a digital crosshair, 2022 edition - No cON Name
Developer in a digital crosshair, 2022 edition - No cON NameDeveloper in a digital crosshair, 2022 edition - No cON Name
Developer in a digital crosshair, 2022 edition - No cON Name
 
Is persistency on serverless even possible?!
Is persistency on serverless even possible?!Is persistency on serverless even possible?!
Is persistency on serverless even possible?!
 
What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!
 
0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments0-Day Up Your Sleeve - Attacking macOS Environments
0-Day Up Your Sleeve - Attacking macOS Environments
 
Developer in a digital crosshair, 2022 edition
Developer in a digital crosshair, 2022 editionDeveloper in a digital crosshair, 2022 edition
Developer in a digital crosshair, 2022 edition
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms20+ Ways To Bypass Your Macos Privacy Mechanisms
20+ Ways To Bypass Your Macos Privacy Mechanisms
 
How secure are webinar platforms?
How secure are webinar platforms?How secure are webinar platforms?
How secure are webinar platforms?
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms
 
Serverless security: attack & defense
Serverless security: attack & defense Serverless security: attack & defense
Serverless security: attack & defense
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS apps
 
Let's get evil - threat modeling at scale
Let's get evil - threat modeling at scaleLet's get evil - threat modeling at scale
Let's get evil - threat modeling at scale
 
Attacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chain
 
Budowanie i hakowanie nowoczesnych aplikacji iOS
Budowanie i hakowanie nowoczesnych aplikacji iOSBudowanie i hakowanie nowoczesnych aplikacji iOS
Budowanie i hakowanie nowoczesnych aplikacji iOS
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
 
Building & Hacking Modern iOS Apps
Building & Hacking Modern iOS AppsBuilding & Hacking Modern iOS Apps
Building & Hacking Modern iOS Apps
 
Artificial Intelligence – a buzzword, new era of IT or new threats?
Artificial Intelligence – a buzzword, new era of IT or new threats?Artificial Intelligence – a buzzword, new era of IT or new threats?
Artificial Intelligence – a buzzword, new era of IT or new threats?
 
Building&Hacking modern iOS apps
Building&Hacking modern iOS appsBuilding&Hacking modern iOS apps
Building&Hacking modern iOS apps
 
Czy S w PSD2 znaczy Secure?
Czy S w PSD2 znaczy Secure?Czy S w PSD2 znaczy Secure?
Czy S w PSD2 znaczy Secure?
 

Kürzlich hochgeladen

Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
Best Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfBest Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfIdiosysTechnologies1
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfLivetecs LLC
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 

Kürzlich hochgeladen (20)

Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Best Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfBest Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdf
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 

Outsmarting Smart Contracts - an essential walkthrough a blockchain security minefields

  • 1. Outsmarting Smart Contracts Damian Rusinek CONFidence, 5th of June 2018 damian.rusinek@securing.pl @drdr_zz
  • 2. drdr_zz Blockchain and smart contracts are secure… Ethereum.org https://www.coindesk.com/blockchains-personal-data-protection-regulations-explained/
  • 4. Damian Rusinek @drdr_zz damianrusinek @ github Security Researcher & Pentester Assistant Professor How come blockchains and smart contracts have such serious security flaws when they are so highly secured?
  • 5. drdr_zz How I could steal tokens (worth thousands of $) from crypto exchange.
  • 8. drdr_zz Do I need blockchain? Do I need blockchain? No Single point of failure? NO Single point of authority? NO But really? Modifiable data? NO
  • 11. drdr_zz EPISODE I – SMART CONTRACTS
  • 13. drdr_zz Ethereum „Ethereum is literally a computer that spans the entire world.” Ethereum White Paper
  • 14. drdr_zz What program could we run as smart contract? • eVoting • Assets Management (transfering ownership) Why smart contracts? • No single authority • Trustless • Allows public verification
  • 15. drdr_zz How to verify the contract? https://etherscan.io
  • 16. drdr_zz How to execute smart contract? 0x2b30ea3a000000000000000000000000000 0000000000000000000000000000000000000
  • 17. drdr_zz How to verify the execution?
  • 18. drdr_zz - EPISODE II – SMART CONTRACTS SECURITY Fact I - All your data is public
  • 19. drdr_zz Fact I – All your data is public Variables
  • 20. drdr_zz Fact I – All your data is public Variables
  • 21. drdr_zz Fact I – All your data is public Preview votes in transactions.
  • 22. drdr_zz Fact I – All your data is public Functions • Public functions can be executed by anyone. • Can anyone execute maliciousFunction2() ?
  • 23. drdr_zz Fact I – All your data is public Functions • Public functions can be executed by anyone. • Can anyone execute maliciousFunction2() ? Functions are public by default!
  • 24. drdr_zz • Public function which changes the owner. Parity Hack worth 30 mln $ https://www.coindesk.com/30-million-ether-reported-stolen-parity-wallet-breach/
  • 25. drdr_zz • Public function which changes the owner. Parity Hack worth 30 mln $ https://www.coindesk.com/30-million-ether-reported-stolen-parity-wallet-breach/ The race! 30 mln $ 80 mln $ worth today 90 mln $ 240 mln $
  • 26. drdr_zz • Set visibility type to all functions. • Do not keep secret data as plaintext in smart contract. • Examples: • Rock Paper Scissors • Blind Auctions • Use blind commitments. Fact I – All your data is public Hash of Value Real Value
  • 27. drdr_zz - EPISODE II – SMART CONTRACTS SECURITY Fact II - Smart contract is a program
  • 28. drdr_zz Fact II – Smart contract is a program Integer Overflow • Ethereum Tokens – your own cryptocurrency on Ethereum. The attack: empty victim’s wallet.
  • 29. drdr_zz Fact II – Smart contract is a program Integer Overflow 1. Balances: • Victim -> (MAXUINT-9) tokens (e.g. founder of contract). • Attacker -> 10 tokens. 2. Attacker transfers 10 tokens to victim. 3. Both have zero tokens.
  • 30. drdr_zz Fact II – Smart contract is a program Insecure libraries
  • 31. drdr_zz Fact II – Smart contract is a program Insecure libraries • Delete library used by mln $ worth contracts.
  • 32. drdr_zz Fact II – Smart contract is a program Insecure libraries • Delete library used by mln $ worth contracts. https://www.trustnodes.com/2017/11/07/ether eums-parity-hacked-half-million-eth-frozen
  • 33. drdr_zz • Use open source libraries that handle typical errors (e.g. SafeMath for overflows). • Write tests for boundary conditions. • Verify the correctness and test libraries that you plan to use. Fact II - Smart contract is a program
  • 34. drdr_zz - EPISODE II – SMART CONTRACTS SECURITY Fact III - Smart contracts have limitations
  • 35. drdr_zz Fact III – Smart contracts have limitations Gas Limit • All transactions are given some gas. • All operations cost some gas. • Transaction is rejected if gas limit is exceded.
  • 36. drdr_zz Fact III – Smart contracts have limitations Gas Limit • All transactions are given some gas. • All operations cost some gas. • Transaction is rejected if gas limit is exceded.
  • 37. drdr_zz Fact III – Smart contracts have limitations Gas Limit • All transactions are given some gas. • All operations cost some gas. • Transaction is rejected if gas limit is exceded.
  • 38. drdr_zz Fact III – Smart contracts have limitations Gas Limit • All transactions are given some gas. • All operations cost some gas. • Transaction is rejected if gas limit is exceded.
  • 39. drdr_zz Fact III – Smart contracts have limitations Gas Limit • All transactions are given some gas. • All operations cost some gas. • Transaction is rejected if gas limit is exceded. The attack: DoS the contract. The idea: to prevent infinite loops.
  • 40. drdr_zz Fact III – Smart contracts have limitations Gas Limit – DoS on auction contract BID Auction 0 ETH 1 ETH BIDBID 100
  • 41. drdr_zz Fact III – Smart contracts have limitations Gas Limit – DoS on auction contract BID Auction 2 ETH BID 2 ETH BIDBID 100
  • 42. drdr_zz Fact III – Smart contracts have limitations Gas Limit – DoS on auction contract BID Auction 3 ETH 3 ETH BIDBIDBID 100
  • 43. drdr_zz Fact III – Smart contracts have limitations Gas Limit – DoS on auction contract BID Auction 3 ETH 4 ETH BIDBIDBID 100 Further bids are blocked.
  • 44. drdr_zz Fact III – Smart contracts have limitations Gas Limit – DoS on auction contract Auction 3 ETH Further bids are blocked. WINNER!
  • 45. drdr_zz • Learn the limitations of Ethereum (gas, randomness, etc.). • Learn the way of handling these limitations. • Write tests for handling limitations. Fact III - Smart contracts have limitations
  • 46. drdr_zz - EPISODE II – SMART CONTRACTS SECURITY Fact IV - Smart contracts have specific vulns
  • 47. drdr_zz Fact IV – Smart contracts have specific vulns Re-entrancy • Unintended recurrence in smart contracts. withdrawBalance
  • 48. drdr_zz Fact IV – Smart contracts have specific vulns Re-entrancy • Unintended recurrence in smart contracts. withdrawBalance send Ether
  • 49. drdr_zz Fact IV – Smart contracts have specific vulns Re-entrancy • Unintended recurrence in smart contracts. withdrawBalance send Ether
  • 50. drdr_zz Fact IV – Smart contracts have specific vulns Re-entrancy • Unintended recurrence in smart contracts. withdrawBalance withdrawBalance withdrawBalance send Ether
  • 51. drdr_zz Online • Remix • Securify • SmartCheck How to test smart contracts? Offline • Solhint • Oyente • Myhtril Best practices • ConsenSys • DASP
  • 52. drdr_zz EPISODE II – SMART CONTRACTS INTEGRATION
  • 53. drdr_zz • Online wallets • Crypto exchanges • Games • ICOs Popular webapps integrated with smart contracts Attack webapp and generate malicious transaction. Let’s steal some tokens from the exchange.
  • 54. drdr_zz Typical withdrawal transaction 50 GTN Receiver address Function Address Parameter Value Parameter
  • 55. drdr_zz Not a bug, it’s a feature Let’s use to short address. Function Address Value Function Short address ValueValue
  • 56. drdr_zz Not a bug, it’s a feature Let’s use to short address. Function Address Value Function Short address ValueModified address Value
  • 57. drdr_zz Not a bug, it’s a feature Let’s use to short address. Function Address Value Function Short address ValueModified address Value
  • 58. drdr_zz Not a bug, it’s a feature Let’s use to short address. 000 Function Address Value Function Short address ValueModified address Value
  • 59. drdr_zz A little misunderstanding What user tried to do: Send 2399.99 GNT to the 0x79735 address. What Ethereum understood: Send approx. 2 * 1045 GNT to the 0x079735000000000000000000000000 0000000000 address. 0000000000000000000000000000000000 Func Short address Value Func Padded address Shifted (padded) value
  • 60. drdr_zz • Deposit 1 Ethereum Token. • Generate Ethereum address with zero-byte suffix (a matter of seconds). • Withdraw 1 Ethereum Token and send address without last byte. • Receive 256 Ethereum Tokens. How to attack exchange?
  • 61. drdr_zz How I have stolen tokens from exchange? Func Short address Value Func Padded address Shifted (padded) value 00 • Deposited 0.47 GTN • Withdrew approx. 120 GTN (256 times more)
  • 62. drdr_zz • But to whom? • No information about the owner on exchange website! • Be like Sherlock and find him. • Time is running! Let’s report the vulnerability
  • 63. drdr_zz • How to responsibly disclosure the vulnerability in smart contract? • How to inform the owner of smart contract? • Would you steal crypto and the look for the owner? That is general problem Send him an encrypted message kept on Ethereum.
  • 64. drdr_zz Responsible Disclosure Ethereum Messenger My idea Online: https://securing.github.io/eth-rd-messenger/ GitHub: https://github.com/securing/eth-rd-messenger This tool is used to: • send a secret message to the owner of a personal or contract Ethereum address, encypted with its owner ECC public key, • decrypt the message sent to the personal address or contract's owner.
  • 66. drdr_zz Vulnerabilities Similar to classic programs • Overflows and underflows • Unauthorized access to functions • Insecure libraries • Business logic vulns Specific for smart contracts • Related to Ethereum limitations (gas limit, randomness, etc.) • Re-entrancy • and more
  • 67. drdr_zz Top10 recommendations 1. Remember that all data is public in blockchain. 2. Do not keep secret data as plaintext in smart contract. 3. Use blind commitments. 4. Set visibility type to all functions. 5. Learn the limitations of Ethereum and how to handle them. 6. Write tests for handling limitations and for boundary conditions. 7. Verify the libraries than you plan to use. 8. Use the best security practices. 9. Consider threats from apps integrating with blockchain. 10. Test your contracts and blockchain applications.
  • 68. Thank you! Damian Rusinek (@drdr_zz) damian.rusinek@securing.pl https://www.securing.biz/en/developing-secure- blockchain-applications/index.html How to Develop Secure Blockchain Applications