After web 1.0 and web 2.0, web3 has arrived! After a brief introduction, where we will look at the evolution of the web and what has changed as far as security is concerned, we will dive into blockchain to understand how to attack Smart Contracts on Ethereum, how these intersect with more classic vulnerabilities, and what are the main vulnerabilities we can find in contracts written in Solidity.

1. Attacking and Exploiting
Ethereum Smart Contracts
Auditing 101
Simone Onofri
https://linkedin.com/in/simoneonofri
mailto:simone@onofri.org
CC BY-ND-NC

2. Introduction

3. Agenda
• What are Smart Contracts?
• What are dApps?
• What is an Audit?
• Common Vulnerabilities

4. Agenda
• What are Smart Contracts?
• What are dApps?
• What is an Audit?
• Common Vulnerabilities

5. Are simply programs that runs on the Ethereum blockchain. It’s a
collection of code (its functions) and data (its state) that resides at a
specific address on the Ethereum blockchain.
https://ethereum.org/en/developers/docs/smart-contracts/

6. How are they written?

7. Turing-complete programming language that can be used to
create “contracts” that can be used to encode arbitrary state
transition functions [...]. The code in Ethereum contracts is
written in a low-level, stack-based bytecode language,
referred to as “Ethereum virtual machine code” or “EVM
code”. The code consists of a series of bytes, where each byte
represents an operation
https://ethereum.org/669c9e2e2027310b6b3cdce6e1c52962/Ethereum_Whitepaper_-_Buterin_2014.pdf

8. systems which automatically move digital assets according to
arbitrary pre-specified rules. For example, one might have a
treasury contract of the form "A can withdraw up to X
currency units per day, B can withdraw up to Y per day, A and
B together can withdraw anything, and A can shut off B's
ability to withdraw".
[…]
https://ethereum.org/669c9e2e2027310b6b3cdce6e1c52962/Ethereum_Whitepaper_-_Buterin_2014.pdf

11. […]
The logical extension of this is decentralized autonomous
organizations (DAOs) - long-term smart contracts that
contain the assets and encode the bylaws of an entire
organization
https://ethereum.org/669c9e2e2027310b6b3cdce6e1c52962/Ethereum_White
paper_-_Buterin_2014.pdf

13. Screenshot dell’attaccco

16. DAO
splitDAO
Attacker
fallback
DAO
withdrawRewardFor
DAO
recipient.call.value
Race to Empty
1. The attacker used the attacking
contract to call the splitDAO
function.
2. The splitDAO function called the
withdrawRewardFor function.
3. The withdrawRewardFor function
called the payOut function.
4. he payOut function called the
recipient.call.value function.
5. recipient.call.value passed the flow
to the fallback function of the
attacking contract.
6. The fallback function of the attacking
contract, after moving the funds,
called the splitDAO function
recursively

18. Immutable
Transactions are irreversible, meaning they can’t
be undone once an action has been taken.

19. Public
Both contracts and transactions are publicly
accessible through the blockchain.

20. Deterministic
The execution of a smart contract must yield the
same result on any node.

21. Limited
Smart contracts cannot call upon external
resources unless they use Oracles.

22. Permissionless
Everyone can publish and interact with contracts.

24. Agenda
• What are Smart Contracts?
• What are dApps?
• What is an Audit?
• Common Vulnerabilities

25. Often Centralized
“They are the gates of the kingdom.”
Ethereum Nodes
That communicates via API
Better in a Decentralized Storage
Client
and his/her Signer
Front-End
JavaScript, HTML, CSS
API Endpoints
JSON-RPC
External Smart Contracts
Bytecode (Backend)
EVM
Execution of Bytecode
Blocks
States & Transactions (Storage)
Blocks
States & Transactions (Storage)
Blocks
States & Transactions (Storage)
Proprietary Smart Contracts
Bytecode (Backend)
External Smart Contracts
Bytecode (Backend)
Layer 0
Layer 1
Layer 2
Layer 3
Layer 4
Layer 5
Layer 6

26. web3.js
API Endpoint to Ethereum
Blockchain
“Web 2.0” Application
Ethereum Blockchain
User Browser with a
Signer
(e.g., MetaMask)
UNISWAP

27. Agenda
• What are Smart Contracts?
• What are dApps?
• What is an Audit?
• Common Vulnerabilities

28. A smart contract audit is a detailed analysis of
smart contract code to pre-emptively identify
security vulnerabilities and find solutions that
prevent exploits by malicious actors, as well as
remove inefficient coding practices.
https://chain.link/education-hub/how-to-audit-smart-contract

29. What are the two (three) testing
techniques?
(tip: book pages 11 and 12)

30. Static Analysis
We analyze the source code of the application.
The analysis is performed without executing the
code, which remains “static”.
It is necessary to know the language in which the
software is written, the peculiar vulnerabilities,
and how to recognize them by reading.

31. Dynamic Analysis
We analyze an application when code is
executed in its environment, manipulating the
input and observing the application reactions.
We call this practice fuzzing.

32. Hybrid Analysis
We have both the running environment and the
source code.
We can test what we read e.g., looking for some
good entry points from the source code.

33. 1. Pre-Engagement
Interactions
Initial Consultation, Scope Agreement,
Resource Allocation, Timeline
Establishment
3. Automated Analysis
Use automated Tools to scan the code
4. Manual Static
Analysis
In depth-review, code
quality, documentation
6. Initial Report
Initial Report delivered
and Discussions with
Developers
2. Threat
Modeling
Identify Threat Agents,
Asset Identification,
Vulnerability Mapping,
Risk Assessment
5. Manual Dynamic
Analysis
Interactive Testing, Proof of
Concepts and Edge Case
Exploitation
7. Final Report
Final verification after the fixes

34. Is the audit enough?

35. “Old” WAPT
if you have a
webapp…

36. OpenSea XSS via NFT

37. Bug Bounty
Program
more eyes are better
than less

38. Incident
Response Plan
and don't forget the
10% Smart Contracts
rule.

39. Agenda
• What are Smart Contracts?
• What are dApps?
• What is an Audit?
• Common Vulnerabilities

40. Agenda
• What are Smart Contracts?
• What are dApps?
• What is an Audit?
• Common Vulnerabilities
• Reentrancy
• Integer Overflow
• Logic Errors
• Insecure Randomness

42. Vulnerable Contract
0x6060604052361561008a576000357c0100000000000000000000000000000000000000000000000000000000900480
63095ea7b3146100b857806318160ddd146100ed57806323b872dd146101105780632e1a7d4d1461014e57806370a082
311461017a578063a9059cbb146101a6578063d0e30db0146101db578063dd62ed3e146101fe5761008a565b6100a25b
6000610098610887565b905061009f565b90565b6040518082815260200191505060405180910390f35b6100d7600480
803590602001909190803590602001909190505061061a565b6040518082815260200191505060405180910390f35b61
00fa6004805050610757565b6040518082815260200191505060405180910390f35b6101386004808035906020019091
9080359060200190919080359060200190919050506103df565b6040518082815260200191505060405180910390f35b
610164600480803590602001909190505061077b565b6040518082815260200191505060405180910390f35b61019060
04808035906020019091905050610233565b6040518082815260200191505060405180910390f35b6101c56004808035
906020019091908035906020019091905050610271565b6040518082815260200191505060405180910390f35b6101e8
6004805050610887565b6040518082815260200191505060405180910390f35b61021d60048080359060200190919080
359060200190919050506106ee565b6040518082815260200191505060405180910390f35b6000600060005060008373
ffffffffffffffffffffffffffffffffffffffff16815260200190815260200160002060005054905061026c565b9190
50565b600081600060005060003373ffffffffffffffffffffffffffffffffffffffff16815260200190815260200160
00206000505410156102af57610002565b6102e8600060005060008573ffffffffffffffffffffffffffffffffffffff
ff168152602001908152602001600020600050548361091f565b15156102f357610002565b81600060005060003373ff
ffffffffffffffffffffffffffffffffffffff16815260200190815260200160002060008282825054039250508[…]
https://etherscan.io/address/0xd654bDD32FC99471455e86C2E7f7D7b6437e9179
Opcodes:
0x60: PUSH1 EVM opcode
0x60: The free memory pointer
0x60: PUSH1 EVM opcode
0x40: Memory position for the free memory pointer
MSTORE : EVM opcode is 0x52

44. Decompiled withdraw function
https://etherscan.io/address/0xd654bDD32FC99471455e86C2E7f7D7b6437e9179

45. Attacker Contract by Nikolai Mushegian
Decompiled
https://etherscan.io/address/0x4AfB544Eb87265cF7Fc8fdB843c81d34F7E2A369

46. Attack Proof of Concept

47. Agenda
• What are Smart Contracts?
• What are dApps?
• What is an Audit?
• Common Vulnerabilities
• Reentrancy
• Integer Overflow
• Logic Errors
• Insecure Randomness

50. Vulnerable Contract Example

51. Integer Overflow and Underflow
An integer overflow occurs when an integer value is incremented to a
value that is too large to store in the associated representation.
When this occurs,
the value may wrap to become a very small or negative number.
https://cwe.mitre.org/data/definitions/190.html

52. Increment uint8 (2^8-1) in Solidity
0+1 = 1
1+1 = 2
2+1 = 3
[…]
253+1 = 254
254+1 = 255
255 + 1 = 0

53. Attack Contract and PoC

54. Agenda
• What are Smart Contracts?
• What are dApps?
• What is an Audit?
• Common Vulnerabilities
• Reentrancy
• Integer Overflow
• Logic Errors
• Insecure Randomness

55. Abritrage CTF
Admin has gifted you 5e18
Btokens on your birthday.
Using A,B,C,D,E token pairs
on swap contracts, increase
your BTokens.
Interface to Uniswap v2
https://quillctf.super.site/challenges/quillctf-x-quickswap/arbitrage

56. Vulnerability Description
Arbitrage arises when price discrepancies exist across
different markets, trading pairs or Liquidity Pools for the
same asset.
However, trading fees, gas fees, and slippage must be
considered.
To evaluate arbitrage opportunities it is possible to
evaluate the indirect and circular trade “paths”, starting
from B and ending with B when the exchange rate is
calculated from the quantity of different tokens present
in each pool.
B -> A -> C -> B
B -> A -> D -> B
B -> A -> E -> B
B -> C -> A -> B
B -> C -> D -> B
B -> C -> E -> B
B -> D -> A -> B
B -> D -> C -> B
B -> D -> E -> B
B -> E -> A -> B
B -> E -> C -> B
B -> E -> D -> B
https://docs.uniswap.org/contracts/v2/concepts/core-concepts/pools

57. Attack Contract and PoC

58. Agenda
• What are Smart Contracts?
• What are dApps?
• What is an Audit?
• Common Vulnerabilities
• Reentrancy
• Integer Overflow
• Logic Errors
• Insecure Randomness

59. PredictableNFT CTF
You can spend 1 ether to
"mint" an NFT token with 3
possible ranks: Common(1),
Rare(2), and Superior(3).
Your goal is to mint the
Superior ones.
No open source!
https://academy.quillaudits.com/challenges/quillctf-challenges/predictable-nft
0x6080604052600436106100345760003560e01c80631249c58b1461
00395780634f64b2be14610053578063af640d0f14610080575b6000
80fd5b610041610096565b60405190815260200160405180910390f3
5b34801561005f57600080fd5b5061004161006e366004610195565b
60016020526000908152604090205481565b34801561008c57600080
fd5b5061004160005481565b600034670de0b6b3a7640000146100e7
5760405162461bcd60e51b8152602060048201526011602482015270
73686f77206d6520746865206d6f6e657960781b6044820152606401
60405180910390fd5b60016000808282546100f991906101ae565b90
91555060009050610109610123565b60008054815260016020526040
8120919091555492915050565b600080546040805160209290925233
81019082015243606082015281906064906080016040516020818303
038152906040528051906020012060001c61016991906101d5565b90
50605a81111561017c57600391505090565b605081111561018d5760
0291505090565b600191505090565b6000602082840312156101a757
600080fd5b5035919050565b808201808211156101cf57634e487b71
60e01b600052601160045260246000fd5b92915050565b6000826101
f257634e487b7160e01b600052601260045260246000fd5b50069056
fea2646970667358221220096531f348141ff48072e95527df0fbfd1
2e1c9a4cc0fdfc0c383efac289405164736f6c63430008130033

61. Vulnerability Description
Line 17: Check that the function
has received at least `10^18`, 1
ETH
Line 18: Checks the overflow of
the `id` (contained in the storage)
and then increments it by 1
Line 21: Performs `sha3` of the
`id`, calling address (`caller`) and
blocknumber (`block.number`)
and executes the `% 100` (to
return a number maximum to
100). Then if the result is > 90 it
generates an NFT of rank 3 and
returns the `id`.

62. Attack Contract

63. PoC

64. Conclusion
20% is the % of vulnerabilities that can be found
by automatic tools
It is crucial to understand the Threat Model as
most of the vulnerabilities are Business Logic!

65. QUESTIONS?
QUESTIONS?