This presentation dives deep into the security of Ethereum Smart Contracts written in Solidity, shedding light on common vulnerabilities. Inspired by the newly released OWASP Blockchain Top 10, the presentation will focus on well-known vulnerabilities, illustrated by examples.
After a brief introduction to the Ethereum blockchain and Solidity, the presentation will describe a systematic approach that includes source code analysis, dissecting real-world incidents, reverse-engineering the code of attacked contracts to reveal their inner workings, and using vulnerable contracts to demonstrate these vulnerabilities interactively and engagingly, giving a practical understanding of issues such as Reentrancy, Arithmetic vulnerabilities, DoS attacks, and insecure randomness.
This talk aims to equip developers, security analysts, and blockchain enthusiasts with the knowledge to build more secure smart contracts. By understanding these security risks, participants will be better prepared to anticipate, identify, and mitigate potential threats, fostering a safer web3 environment.
With unmet market demand in mind, we have decided to create ALQO ("A Liquid Object"). ALQO is a community-driven, open source and fully autonomous cryptocurrency that places a strong emphasis on the very building blocks required to create a complete payment system: it is secure, anonymous, trustless, scarce and fungible with a very low-cost transaction profile. It is designed to embody all that Bitcoin and more advanced cryptocurrencies have grown to become, and to capture the economic value that is thus far inhibited by the systemic constraints outlined above.
During its first year of operation, the ALQO network will rely on a Proof of Work consensus algorithm. As mentioned previously, Proof of Work is the process by which miners, individuals who dedicate their computational resources to solving difficult mathematical challenges, prove that they have done the work required by the network to validate blocks, which are data containers for a large list of new transactions. It is referred to as a consensus algorithm because a majority of the overall mining processing power is needed in order to enforce any new protocol update proposal.
Mining is the process by which individuals dedicate computational resources to solving difficult mathematical problems. Upon solving one, a new block is found on the blockchain and with it newly pending transactions are confirmed and cleared. This process is known as Proof of Work (or PoW) as it forces the miner to prove that they have done the necessary work to verify the block, and the first miner to find a new block is compensated for their efforts. This introduces an element of economic competition between miners and protects the network from attack, as attacks become too costly and thus economically unviable. Consider this process as rolling a die in a casino and needing to roll below a certain number, where the first roller who rolls below said number wins the prize, except that the die does not have 6 facets but rather an extremely large number of them.
This is the Vidulum "Lite Paper" - a condensed version of what will later become our full "White Paper." The purpose of these papers is to propose and share the Vidulum Project's purpose, vision, and future goals for the platform. Enjoy!
Investing In Blockchain Startups - A Guide For Angels & VCs Jamie Burke
A presentation by Jamie Burke at www.blockchainangels.eu meetup (11 02-16) for angel and VC investors wanting to understand opportunity & risk in the space.
Overview of the Bitcoin sector.
Includes
- Key sub-segments
- Most active investor list (& their portfolio companies)
- List of all the ~400 bitcoin companies
Blockchain. Everyone talks about it, but how does it really work?
This talk covers the fundamentals and discusses real world examples of how blockchain is being used to transform healthcare, real estate, humanitarian aid, governance and other domains.
See the original talk at: https://www.facebook.com/thekasbahhub/videos/1875008969491362/
This year, the focus goes beyond technology to mining business insights around how cloud enables strategic industry trends such as Open and Virtual Banking and Insurance, Security and Compliance, Data Analytics and AI/ML, FinTech and RegTech, Surveillance and more through sharing of best practices and use cases. In sessions led by customers, partners, industry leaders and AWS subject matter experts, you’ll learn how AWS helps financial institutions to focus on the innovation and outcomes that truly drive business forward. Business stakeholders, market makers, and technology owners will all learn something new, valuable and actionable.
BlockChain basics for the non-technical banker covering what's happening, what the opportunities are, and the problems we all face. Covers BitCoin and Ethereum with brief mentions made of Ripple and the HyperLedger project.
Pugilist Ventures marries a fundamentals evaluation commensurate with Venture Capital with analyses of technology, crypto-nomics, and community engagement vis-à-vis privacy coin competitors. Furthermore, we leverage our Quantitative Research to offer a basic price forecast and a probability-of-viability statistic for ZEC.
OpenCryptoTrust (www.openCT.io) Blockchain for Modern Telecommunications has gone beyond the obvious initial applications of blockchain - decentralized immutable storage, identity management, peer-to-peer payments. We have modified the blockchain protocol itself to support ultra-secure data transport – and superior management overlay.
OpenCryptoTrust has developed both the underlying platform (a hybrid blockchain called OpenCT) and two “Killer Applications” that solve immediate problems and offer significant cost savings for Telco Carrier customers.
BaaT (Blockchain-as-a-Transport) revolutionizes the use of the public Internet for inexpensive, secure, enterprise-grade data communications at a significant cost reduction from private circuits.
BD-WAN (Blockchain Defined Wide Area Networking) revolutionizes existing pricing strategies for bandwidth – supporting “bandwidth on demand” for private optical based circuits - the ability to charge customers for the bandwidth they use. Additionally, this product is superior to existing SD-WAN solutions – in terms of security, MPLS and/or Cloud routing and interoperability.
A Regulatory Understanding of Virtual Assets (Cryptocurrency) Types and their... - Alessa
WATCH WEBINAR: https://www.caseware.com/alessa/webinars/regulatory-understanding-virtual-assets-types/
In early 2019, FATF released their guidance for a risk-based approach to Virtual Assets and Virtual Asset Service Providers. While the guidance provided general information on how to understand and mitigate money laundering and trade financing risks, it did not provide specific information about how to address the specific risks associated with the various types of virtual assets.
This presentation details each type of virtual asset in the market, their relative traffic volume, and the regulatory issues related to each one. It also reviews key features of the different virtual asset types and explains how to properly risk-profile each virtual asset type for an institution.
About Alessa, a CaseWare RCM product:
Alessa is a financial crime detection, prevention and management solution offered by CaseWare RCM Inc. With deployments in more than 20 countries in banking, insurance, FinTech, gaming, manufacturing, retail and more, Alessa is the only platform organizations need to identify high-risk activities and stay ahead of compliance. To learn more about how Alessa can help your organization ensure compliance, detect complex fraud schemes, and prevent waste, abuse and misuse, visit us at caseware.com/alessa.
Connect with us online:
Visit the Alessa WEBSITE: https://www.caseware.com/alessa/
Follow Alessa on LINKEDIN: https://www.linkedin.com/caseware-alessa
Follow Alessa on TWITTER: https://twitter.com/casewarealessa
SUBSCRIBE to Alessa on YouTube: http://tiny.cc/Alessa
Era Swap is a decentralized utility token which will be used across multiple platforms of Era Swap Ecosystem - like Time Swappers, Era Swap Wallet, ComputeEx, TimeAlly, Blocklogy, BuzCafe, Swappers Wall, BetdeEx, Date Swappers, etc.
Top 10 Ways To Make Money In Cryptocurrency.pdf - Digital Coin
There are several ways to monetize the current crypto environment. While millions of people know the golden rule of trading, "buy small, hold and sell big", there is much more to crypto investing than information found online. In addition to HODLing (keep life dear), you can also earn rewards through play-to-win games, airdrops, interest counting and staking. In this guide, we will show you ten (10) proven ways to earn in crypto in 2022.
Sanger has a vision of performing world-class bio-informatics research for the benefit of human health. As research continues to generate new spinout companies, they require a flexible and cost-effective way of bringing services to life as required, with the SLAs and performance that they need, for a cost that they can afford. This presentation walks through how Sanger IT have created such a platform.
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101 - Simone Onofri
After web 1.0 and web 2.0, web3 has arrived! After a brief introduction, where we will look at the evolution of the web and what has changed as far as security is concerned, we will dive into blockchain to understand how to attack Smart Contracts on Ethereum, how these attacks intersect with more classic vulnerabilities, and which vulnerabilities are most commonly found in contracts written in Solidity.
Agile Business Consortium - LEGO SERIOUS PLAY and the Principles of Agile Project M... - Simone Onofri
Agile is a philosophy and a way of working particularly suited to today's world, where change is the order of the day. It is possible to understand the principles of Agile Project Management in depth through play, with LEGO SERIOUS PLAY.
Workshop on the Agile Project Framework and Agile PM for the PMI®-NIC Branch Lombardia. What Agile is, the Agile Project Framework and Agile Project Management, and the MoSCoW and Timeboxing techniques. How an Agile Team is structured.
Agile in cyber security services (Security Summit Edition) - Simone Onofri
In today's landscape, Agile is one of the winning cards for offering clients Cyber Security services that deliver value quickly. During the speech, after a brief introduction, the methodology used in an international context for Security Testing and Ethical Hacking projects will be described through examples and real cases.
Mom, when I grow up I want to be a Penetration Tester - HackInBo 2016 Winter - Simone Onofri
Interest in Information Security and IT Security is growing steadily. In a world where information is a key resource of our working and personal lives, protecting information and the various technologies that handle it is fundamental. Since the days of "How to Become a Hacker" and the "Hacker's Manifesto", many hackers have become consultants who help private and/or public organisations: a world with many shades of grey and ethical and moral questions. Thanks also to the influence of films such as WarGames or The Matrix and TV series such as Mr. Robot, many people are interested in becoming Security Consultants, Penetration Testers or Security Researchers (which are not exactly the same thing). The talk is a reflection to help navigate and reason about typical questions such as: which certifications? Which courses? What are the skills? Which approach to use? Which path to follow?
Penetration Testing with Python - Network Sniffer - Simone Onofri
A well-known maxim says "if I listen I forget, if I see I remember, if I do I understand"; "doing", such as writing code rather than using ready-made tools, is the key to being a good Penetration Tester. It is no coincidence that Chris Miller says that "the difference between script kiddies and professionals is simply the difference between those who use other people's tools and those who use their own". Obviously this presupposes a deep knowledge of what one is doing: a particular attack technique, the protocols used, the systems, the applications and so on. Writing your own tools is therefore a way to really learn what happens under the "hood" of other tools and how attacks work. During the talk we will look in particular at raw sockets on Linux and how to write a sniffer.
New threats in Cyber Security and how to protect yourself - Simone Onofri
Cyber Security is an increasingly topical problem. The issue is not so much understanding WHETHER there will be an attack but HOW it will be carried out, and therefore WHAT to do to defend ourselves. Whether we are individuals, small business owners, large companies or Public Administrations, we are always targets. Even a low-cost attack can lead to huge losses and disastrous impacts. How can these attacks be prevented and, if they happen, how can we react to limit the damage?
After a brief description of the latest trends in Cyber Crime, several real cases will be analysed, such as Sony (where 100 Terabytes of data were stolen, including 5 unreleased films and the data of employees, who themselves had to react to this attack) and Carbanak (where the theft was estimated at between 500 million euros and about 1 billion), to understand how it would have been possible to prevent or limit the damage. A section will be devoted to the problem of Phishing, which is becoming increasingly difficult to identify and is often the first step towards a persistent compromise (Advanced Persistent Threat - APT).
Hackers vs Developers - Cross Site Scripting (XSS) Attack and defence - Simone Onofri
The new version of the OWASP Testing Guide has recently been published, which in version 4 updates, expands and completes the previous version. It also includes three specific sections on testing for Cross Site Scripting, and others that cover similar impacts. It is no coincidence that Cross Site Scripting is in third place in the 2013 Top 10. During the talk we will focus on Cross Site Scripting and the various methods of attacking and defending against this vulnerability, which, although often underestimated, can even lead to the defacement of a website.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview - Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Elevating Tactical DDD Patterns Through Object Calisthenics - Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf - 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Generative AI Deep Dive: Advancing from Proof of Concept to Production - Aggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf - Paige Cruz
Monitoring and observability aren’t traditionally found in software curriculums, and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is part of our current company’s observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring & observability to the purview of ops, infra and SRE teams. This is a mistake: achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
Transcript: Selling digital books in 2024: Insights from industry leaders - T... - BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
The Art of the Pitch: WordPress Relationships and Sales - Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
GraphRAG is All You need? LLM & Knowledge Graph - Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... - Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 - Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
The new frontiers of AI in RPA with UiPath Autopilot™ - UiPathCommunity
In this free online event, organised by the Italian UiPath Community, you can explore the new features of Autopilot, the tool that integrates Artificial Intelligence into the processes of developing and using Automations.
📕 We will look together at some examples of the use of Autopilot in different tools of the UiPath Suite:
Autopilot for Studio Web
Autopilot for Studio
Autopilot for Apps
Clipboard AI
GenAI applied to Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
3. Open: Everything at OWASP is radically transparent from our finances to our code.
Innovative: We encourage and support innovation and experiments for solutions to software security challenges.
Global: Anyone around the world is encouraged to participate in the OWASP community.
Integrity: Our community is respectful, supportive, truthful, and vendor neutral.
OWASP FOUNDATION owasp.org
Agenda
• What are Smart Contracts?
• What are the most common vulnerabilities?
• Conclusions
5. What are Smart Contracts?
They are simply programs that run on the Ethereum blockchain: a collection of code (its functions) and data (its state) that resides at a specific address on the Ethereum blockchain.
https://ethereum.org/en/developers/docs/smart-contracts/
6. How are Smart Contracts written?
Turing-complete programming language that can be used to create “contracts” that can be used to encode arbitrary state transition functions [...]. The code in Ethereum contracts is written in a low-level, stack-based bytecode language, referred to as “Ethereum virtual machine code” or “EVM code”. The code consists of a series of bytes, where each byte represents an operation.
https://ethereum.org/669c9e2e2027310b6b3cdce6e1c52962/Ethereum_Whitepaper_-_Buterin_2014.pdf
7. What can be done with Smart Contracts?
systems which automatically move digital assets according to arbitrary pre-specified rules. For example, one might have a treasury contract of the form "A can withdraw up to X currency units per day, B can withdraw up to Y per day, A and B together can withdraw anything, and A can shut off B's ability to withdraw". […]
https://ethereum.org/669c9e2e2027310b6b3cdce6e1c52962/Ethereum_Whitepaper_-_Buterin_2014.pdf
10. What can be done with Smart Contracts?
[…]
The logical extension of this is decentralized autonomous organizations (DAOs) - long-term smart contracts that contain the assets and encode the bylaws of an entire organization
https://ethereum.org/669c9e2e2027310b6b3cdce6e1c52962/Ethereum_Whitepaper_-_Buterin_2014.pdf
15. What are Blockchain characteristics and how do they impact security?
● Immutable: Transactions are irreversible, meaning they can’t be undone once an action has been taken; likewise, a deployed contract’s code cannot be patched in place, so a bug ships with the contract.
● Public: Both contracts and transactions are publicly accessible through the blockchain, so an attacker can read the code (or at least the bytecode) and every past interaction.
● Deterministic: The execution of a smart contract must yield the same result on any node, which is why on-chain values such as block timestamps or block hashes make poor sources of randomness.
● Limited: Smart contracts cannot call upon external resources unless they use Oracles.
● Permissionless: Everyone can publish and interact with contracts, including other contracts written by an attacker.
17. OWASP Smart Contract Top 10 (2023)
• Reentrancy Attacks
• Integer Overflow and Underflow
• Timestamp Dependence
• Access Control Vulnerabilities
• Front-running Attacks
• Denial of Service (DoS) Attacks
• Logic Errors
• Insecure Randomness
• Gas Limit Vulnerabilities
• Unchecked External Calls
23. Attacker Contract by Nikolai Mushegian
Decompiled
https://etherscan.io/address/0x4AfB544Eb87265cF7Fc8fdB843c81d34F7E2A369
29. Integer Overflow and Underflow
An integer overflow occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may wrap to become a very small or negative number.
https://cwe.mitre.org/data/definitions/190.html
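In Solidity the wrap is modular: a uint256 has no negative values, so an underflow of a zero balance lands at 2**256 - 1 rather than at -1. The contracts below are an added illustration written for this page, not code from the talk's slides or from any real token. WrappingToken reproduces the default behaviour of every compiler before 0.8.0 inside an `unchecked` block, CheckedToken is the hardened form, and the hypothetical Attacker and UnderflowDemo contracts show an account holding no tokens ending up with the maximum balance after "sending" one wei.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token interface shared by both example tokens (hypothetical, for this example).
interface IToken {
    function transfer(address to, uint256 amount) external;
    function balanceOf(address account) external view returns (uint256);
}

// Vulnerable token. The `unchecked` block reproduces the wrapping arithmetic that
// every Solidity version before 0.8.0 applied by default.
contract WrappingToken is IToken {
    mapping(address => uint256) public override balanceOf;

    constructor() {
        balanceOf[msg.sender] = 1_000 ether;
    }

    function transfer(address to, uint256 amount) external override {
        unchecked {
            // Underflow: a sender holding 0 tokens who sends 1 token ends up with
            // 2**256 - 1 tokens, because uint256 subtraction wraps modulo 2**256.
            balanceOf[msg.sender] -= amount;
            balanceOf[to] += amount;
        }
    }
}

// Hardened token: an explicit balance check plus the compiler's default checked arithmetic.
contract CheckedToken is IToken {
    mapping(address => uint256) public override balanceOf;

    constructor() {
        balanceOf[msg.sender] = 1_000 ether;
    }

    function transfer(address to, uint256 amount) external override {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        // Even without the require, Solidity >= 0.8.0 reverts here on underflow
        // because the subtraction is outside an `unchecked` block.
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}

// Attacker: holds no tokens, yet "sends" 1 wei to an arbitrary address.
contract Attacker {
    function drain(IToken token) external returns (uint256) {
        token.transfer(address(1), 1);
        return token.balanceOf(address(this));
    }
}

// Harness wiring the pieces together: deploy it, then call run() and runChecked().
contract UnderflowDemo {
    Attacker public attacker = new Attacker();

    // Against WrappingToken the attacker's balance becomes type(uint256).max.
    function run() external returns (uint256) {
        IToken token = new WrappingToken(); // this contract receives the 1_000 ether supply
        return attacker.drain(token);
    }

    // Against CheckedToken the same call reverts with "insufficient balance".
    function runChecked() external returns (bool reverted) {
        IToken token = new CheckedToken();
        try attacker.drain(token) {
            reverted = false;
        } catch {
            reverted = true;
        }
    }
}
```

Deploying UnderflowDemo and calling run() returns 2**256 - 1 for an account that never owned a token, while runChecked() returns true because the hardened token reverts. The same wrap applies to addition and multiplication; when auditing code compiled with 0.8.x, every `unchecked` block (often introduced for gas savings) deserves the question of why its operands cannot overflow, and code pinned to an older compiler needs SafeMath or equivalent explicit checks on every arithmetic operation that touches attacker-controlled values.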
33. Arbitrage CTF
Admin has gifted you 5e18 BTokens on your birthday. Using A, B, C, D, E token pairs on swap contracts, increase your BTokens.
Interface to Uniswap v2
https://quillctf.super.site/challenges/quillctf-x-quickswap/arbitrage
34. Vulnerability Description
Arbitrage arises when price discrepancies exist across different markets, trading pairs or liquidity pools for the same asset. Trading fees, gas fees, and slippage must still be deducted before a discrepancy counts as a profit.
To find arbitrage opportunities, enumerate the indirect, circular trade paths that start from B and end with B, computing each hop's exchange rate from the quantities of the two tokens held by the pool (a Uniswap v2 pool prices a swap with the constant-product formula x * y = k, so the amount received depends on the reserves, on the size of the trade and on the 0.3% fee). With four other tokens there are twelve three-hop cycles:
B -> A -> C -> B
B -> A -> D -> B
B -> A -> E -> B
B -> C -> A -> B
B -> C -> D -> B
B -> C -> E -> B
B -> D -> A -> B
B -> D -> C -> B
B -> D -> E -> B
B -> E -> A -> B
B -> E -> C -> B
B -> E -> D -> B
https://docs.uniswap.org/contracts/v2/concepts/core-concepts/pools
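The enumeration above, carried out in code: this contract is an added example written for this page, not the CTF's own contracts or a solution to it. It uses the same getAmountOut arithmetic as Uniswap v2 (997/1000 of the input is priced against the reserves), stores reserves that are entered by hand, and ranks every B -> x -> y -> B cycle by the amount of B it returns. The token addresses and reserve figures in exampleBest() are constructed placeholders, chosen so that the (A, C) pool is mispriced relative to the (B, A) and (C, B) pools.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Path scanner for three-hop cycles base -> x -> y -> base over Uniswap v2-style pools.
// Reserves are entered by hand here (constructed sample data); a real scanner would read
// them from each pair contract's getReserves() in the same block it trades in.
contract ArbitrageScanner {
    uint256 private constant FEE_NUM = 997;  // Uniswap v2 fee is 0.3%: only 997/1000 of the input is priced
    uint256 private constant FEE_DEN = 1000;

    // reserveOf[x][y] is the reserve of token x in the (x, y) pool, so one pool is
    // described by the pair reserveOf[x][y] / reserveOf[y][x].
    mapping(address => mapping(address => uint256)) public reserveOf;

    function setPool(address x, address y, uint256 reserveX, uint256 reserveY) public {
        reserveOf[x][y] = reserveX;
        reserveOf[y][x] = reserveY;
    }

    // Same arithmetic as UniswapV2Library.getAmountOut: constant product x * y = k with the fee.
    function getAmountOut(uint256 amountIn, uint256 reserveIn, uint256 reserveOut)
        public pure returns (uint256)
    {
        require(amountIn > 0, "INSUFFICIENT_INPUT_AMOUNT");
        require(reserveIn > 0 && reserveOut > 0, "INSUFFICIENT_LIQUIDITY");
        uint256 amountInWithFee = amountIn * FEE_NUM;
        return (amountInWithFee * reserveOut) / (reserveIn * FEE_DEN + amountInWithFee);
    }

    // Amount received after swapping amountIn along path[0] -> path[1] -> ... -> path[n-1].
    // Returns 0 when a hop has no pool. Each pool is visited once per path, so the stored
    // reserves stay valid for the whole quote, and the price impact of each hop is included.
    function quotePath(address[] memory path, uint256 amountIn) public view returns (uint256 amountOut) {
        amountOut = amountIn;
        for (uint256 i = 0; i + 1 < path.length; i++) {
            uint256 rIn = reserveOf[path[i]][path[i + 1]];
            uint256 rOut = reserveOf[path[i + 1]][path[i]];
            if (rIn == 0 || rOut == 0 || amountOut == 0) return 0;
            amountOut = getAmountOut(amountOut, rIn, rOut);
        }
    }

    // Enumerates every cycle base -> x -> y -> base with x != y drawn from `others`
    // (the twelve cycles listed on the slide when others = [A, C, D, E]) and returns the
    // one with the largest output. bestOut > amountIn means a gross profit before gas;
    // an empty path and bestOut == 0 mean no cycle is tradable with the known pools.
    function bestCycle(address base, address[] memory others, uint256 amountIn)
        public view returns (address[] memory bestPath, uint256 bestOut)
    {
        require(others.length >= 2, "need at least two intermediate tokens");
        address[] memory path = new address[](4);
        path[0] = base;
        path[3] = base;
        uint256 bestI;
        uint256 bestJ;
        for (uint256 i = 0; i < others.length; i++) {
            for (uint256 j = 0; j < others.length; j++) {
                if (i == j) continue;
                path[1] = others[i];
                path[2] = others[j];
                uint256 out = quotePath(path, amountIn);
                if (out > bestOut) {
                    bestOut = out;
                    bestI = i;
                    bestJ = j;
                }
            }
        }
        if (bestOut == 0) return (new address[](0), 0);
        bestPath = new address[](4);
        bestPath[0] = base;
        bestPath[1] = others[bestI];
        bestPath[2] = others[bestJ];
        bestPath[3] = base;
    }

    // Worked example with constructed reserves and placeholder token addresses (not the
    // CTF's): the (A, C) pool prices A at 2 C while the other pools are 1:1, so the
    // cycle B -> A -> C -> B returns more B than was put in.
    function exampleBest() external returns (address[] memory bestPath, uint256 bestOut) {
        address A = address(1); address B = address(2); address C = address(3);
        address D = address(4); address E = address(5);
        setPool(B, A, 1_000 ether, 1_000 ether);
        setPool(A, C, 1_000 ether, 2_000 ether);   // 1 A buys about 2 C here
        setPool(C, B, 1_000 ether, 1_000 ether);   // but 1 C buys about 1 B here
        setPool(B, D, 1_000 ether, 1_000 ether);
        setPool(B, E, 1_000 ether, 1_000 ether);
        setPool(D, E, 1_000 ether, 1_000 ether);
        address[] memory others = new address[](4);
        others[0] = A; others[1] = C; others[2] = D; others[3] = E;
        return bestCycle(B, others, 5 ether);   // the CTF's starting balance of 5e18 BTokens
    }
}
```

Calling exampleBest() after deployment returns the path B -> A -> C -> B and the amount of B it yields for the 5e18 input; cycles through the missing (A, D), (A, E) and (C, D) pools quote 0 and are skipped. The quote accounts for the pool fee and for the price impact of each hop, but not for gas or for the slippage caused by other transactions landing between the quote and the trade, which is why a real execution should pass the quoted output (minus a tolerance) as amountOutMin to the router so the swap reverts instead of completing at a loss.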
37. Conclusions
Smart contract security is a composite problem whose issues come from:
• Programming errors (e.g., arithmetic vulnerabilities).
• Features of the blockchain (e.g., access control, weak sources of randomness).
• Features of the platform (e.g., reentrancy, time dependence, front-running).
But the main point is to understand the business logic of the smart contract we’re auditing; the categories above only tell us where to look.