The most common blockchain-based application is Bitcoin - cryptocurrency worth a couple of thousands $ per BTC. But Bitcoin is built on the Blockchain 1.0. The second generation of blockchain opened a much broader field of application and is described as mechanism allowing programmable transactions. Smart Contracts, as they are called, are scripts that are executed and stored in the blockchain. Their code, storage and execution calls are all publicly available and verifiable. The execution and verification processes are held by miners what makes the decentralized ecosystem slow, but secure. Smart contracts have many applications from ICOs, through digital identity management, non-digital asset (diamond, real estate, IoT device, etc.) ownership management and tracing to almost anything you can think of. An example of second generation blockchain platform that support smart contracts is Ethereum. The miners, who execute contracts and secure the platform, are paid with Ether, which is the Ethereum cryptocurrency (worth about $1k) and an incentive for hackers. Ethereum’s smart contracts are written in the Solidity language, which is similar to well-known high-level languages, and compiled to Ethereum Virtual Machine bytecode stored in blockchain. It is a complex software implementing new and often difficult to follow in every detail technology. Thus it makes an explosive mix with high potential for human mistake by developer. The problem is that even a very small coding mistake can lead to losses of millions of dollars. The goal of this presentation is to shed the light on the security of smart contracts, its potential vulnerabilities and popular design and implementation security flaws.

1. Outsmarting Smart
Contracts
Damian Rusinek
CONFidence, 5th of June 2018
damian.rusinek@securing.pl
@drdr_zz

2. drdr_zz
Blockchain and smart contracts are secure…
Ethereum.org
https://www.coindesk.com/blockchains-personal-data-protection-regulations-explained/

3. drdr_zz
…or is it?

4. Damian Rusinek
@drdr_zz
damianrusinek @ github
Security Researcher & Pentester
Assistant Professor
How come blockchains and smart contracts have such
serious security flaws when they are so highly secured?

5. drdr_zz
How I could steal tokens
(worth thousands of $) from
crypto exchange.

6. drdr_zz
BLOCKCHAIN 101

7. drdr_zz
Blockchain 101
D
U
D
E
Distributed
Unmodifiable
Database
Engine

8. drdr_zz
Do I need blockchain?
Do I need blockchain?
No
Single point of failure?
NO
Single point of authority?
NO
But really?
Modifiable data?
NO

9. drdr_zz
The analogy
Tor
Private
Communication
Blockchain
Unmodifiable
Storage

10. drdr_zz
The analogy
Tor
Private
Communication
Blockchain
Unmodifiable
Storage

11. drdr_zz
EPISODE I – SMART CONTRACTS

12. drdr_zz
Executable Smart contract

13. drdr_zz
Ethereum
„Ethereum is literally a computer that spans
the entire world.”
Ethereum White Paper

14. drdr_zz
What program could we
run as smart contract?
• eVoting
• Assets Management
(transfering ownership)
Why smart contracts?
• No single authority
• Trustless
• Allows public
verification

15. drdr_zz
How to verify the contract?
https://etherscan.io

16. drdr_zz
How to execute smart contract?
0x2b30ea3a000000000000000000000000000
0000000000000000000000000000000000000

17. drdr_zz
How to verify the execution?

18. drdr_zz
-
EPISODE II – SMART CONTRACTS
SECURITY
Fact I - All your data is public

19. drdr_zz
Fact I – All your data is public
Variables

20. drdr_zz
Fact I – All your data is public
Variables

21. drdr_zz
Fact I – All your data is public
Preview votes
in transactions.

22. drdr_zz
Fact I – All your data is public
Functions
• Public functions can be executed by anyone.
• Can anyone execute maliciousFunction2() ?

23. drdr_zz
Fact I – All your data is public
Functions
• Public functions can be executed by anyone.
• Can anyone execute maliciousFunction2() ?
Functions are public by default!

24. drdr_zz
• Public function which changes the owner.
Parity Hack worth 30 mln $
https://www.coindesk.com/30-million-ether-reported-stolen-parity-wallet-breach/

25. drdr_zz
• Public function which changes the owner.
Parity Hack worth 30 mln $
https://www.coindesk.com/30-million-ether-reported-stolen-parity-wallet-breach/
The race!
30 mln $ 80 mln $
worth today
90 mln $ 240 mln $

26. drdr_zz
• Set visibility type to all functions.
• Do not keep secret data as plaintext in smart contract.
• Examples:
• Rock Paper Scissors
• Blind Auctions
• Use blind commitments.
Fact I – All your data is public
Hash of Value
Real Value

27. drdr_zz
-
EPISODE II – SMART CONTRACTS
SECURITY
Fact II - Smart contract is
a program

28. drdr_zz
Fact II – Smart contract is a program
Integer Overflow
• Ethereum Tokens – your own
cryptocurrency on Ethereum.
The attack: empty victim’s wallet.

29. drdr_zz
Fact II – Smart contract is a program
Integer Overflow
1. Balances:
• Victim -> (MAXUINT-9) tokens (e.g. founder of contract).
• Attacker -> 10 tokens.
2. Attacker transfers 10 tokens to victim.
3. Both have zero tokens.

30. drdr_zz
Fact II – Smart contract is a program
Insecure libraries

31. drdr_zz
Fact II – Smart contract is a program
Insecure libraries
• Delete library used by mln $ worth contracts.

32. drdr_zz
Fact II – Smart contract is a program
Insecure libraries
• Delete library used by mln $ worth contracts.
https://www.trustnodes.com/2017/11/07/ether
eums-parity-hacked-half-million-eth-frozen

33. drdr_zz
• Use open source libraries that handle typical errors (e.g.
SafeMath for overflows).
• Write tests for boundary conditions.
• Verify the correctness and test libraries that you plan to
use.
Fact II - Smart contract is a program

34. drdr_zz
-
EPISODE II – SMART CONTRACTS
SECURITY
Fact III - Smart contracts have
limitations

35. drdr_zz
Fact III – Smart contracts have limitations
Gas Limit
• All transactions are given some gas.
• All operations cost some gas.
• Transaction is rejected if gas limit is exceded.

36. drdr_zz
Fact III – Smart contracts have limitations
Gas Limit
• All transactions are given some gas.
• All operations cost some gas.
• Transaction is rejected if gas limit is exceded.

37. drdr_zz
Fact III – Smart contracts have limitations
Gas Limit
• All transactions are given some gas.
• All operations cost some gas.
• Transaction is rejected if gas limit is exceded.

38. drdr_zz
Fact III – Smart contracts have limitations
Gas Limit
• All transactions are given some gas.
• All operations cost some gas.
• Transaction is rejected if gas limit is exceded.

39. drdr_zz
Fact III – Smart contracts have limitations
Gas Limit
• All transactions are given some gas.
• All operations cost some gas.
• Transaction is rejected if gas limit is exceded.
The attack: DoS the contract.
The idea: to prevent infinite loops.

40. drdr_zz
Fact III – Smart contracts have limitations
Gas Limit – DoS on auction contract
BID
Auction
0 ETH
1 ETH
BIDBID
100

41. drdr_zz
Fact III – Smart contracts have limitations
Gas Limit – DoS on auction contract
BID
Auction
2 ETH
BID
2 ETH
BIDBID
100

42. drdr_zz
Fact III – Smart contracts have limitations
Gas Limit – DoS on auction contract
BID
Auction
3 ETH
3 ETH
BIDBIDBID
100

43. drdr_zz
Fact III – Smart contracts have limitations
Gas Limit – DoS on auction contract
BID
Auction
3 ETH
4 ETH
BIDBIDBID
100
Further bids are blocked.

44. drdr_zz
Fact III – Smart contracts have limitations
Gas Limit – DoS on auction contract
Auction
3 ETH
Further bids are blocked.
WINNER!

45. drdr_zz
• Learn the limitations of Ethereum (gas, randomness,
etc.).
• Learn the way of handling these limitations.
• Write tests for handling limitations.
Fact III - Smart contracts have limitations

46. drdr_zz
-
EPISODE II – SMART CONTRACTS
SECURITY
Fact IV - Smart contracts have specific
vulns

47. drdr_zz
Fact IV – Smart contracts have specific vulns
Re-entrancy
• Unintended recurrence in smart contracts.
withdrawBalance

48. drdr_zz
Fact IV – Smart contracts have specific vulns
Re-entrancy
• Unintended recurrence in smart contracts.
withdrawBalance
send Ether

49. drdr_zz
Fact IV – Smart contracts have specific vulns
Re-entrancy
• Unintended recurrence in smart contracts.
withdrawBalance
send Ether

50. drdr_zz
Fact IV – Smart contracts have specific vulns
Re-entrancy
• Unintended recurrence in smart contracts.
withdrawBalance
withdrawBalance
withdrawBalance
send Ether

51. drdr_zz
Online
• Remix
• Securify
• SmartCheck
How to test smart contracts?
Offline
• Solhint
• Oyente
• Myhtril
Best practices
• ConsenSys

52. drdr_zz
EPISODE II – SMART CONTRACTS
INTEGRATION

53. drdr_zz
• Online wallets
• Crypto exchanges
• Games
• ICOs
Popular webapps integrated with smart contracts
Attack webapp and generate
malicious transaction.
Let’s steal some tokens from the exchange.

54. drdr_zz
Typical withdrawal transaction
50 GTN
Receiver address
Function Address Parameter Value Parameter

55. drdr_zz
Not a bug, it’s a feature
Let’s use to short address.
Function Address Value
Function Short address ValueValue

56. drdr_zz
Not a bug, it’s a feature
Let’s use to short address.
Function Address Value
Function Short address ValueModified address Value

57. drdr_zz
Not a bug, it’s a feature
Let’s use to short address.
Function Address Value
Function Short address ValueModified address Value

58. drdr_zz
Not a bug, it’s a feature
Let’s use to short address.
000
Function Address Value
Function Short address ValueModified address Value

59. drdr_zz
A little misunderstanding
What user tried to do:
Send 2399.99 GNT to
the 0x79735 address.
What Ethereum understood:
Send approx. 2 * 1045 GNT to the
0x079735000000000000000000000000
0000000000 address.
0000000000000000000000000000000000
Func Short address Value
Func Padded address Shifted (padded) value

60. drdr_zz
• Deposit 1 Ethereum Token.
• Generate Ethereum address with zero-byte suffix (a
matter of seconds).
• Withdraw 1 Ethereum Token and
send address without last byte.
• Receive 256 Ethereum Tokens.
How to attack exchange?

61. drdr_zz
How I have stolen tokens from exchange?
Func Short address Value
Func Padded address Shifted (padded) value
00
• Deposited 0.47 GTN
• Withdrew approx. 120 GTN (256 times more)

62. drdr_zz
• But to whom?
• No information about the owner on exchange
website!
• Be like Sherlock and find him.
• Time is running!
Let’s report the vulnerability

63. drdr_zz
• How to responsibly disclosure the vulnerability in
smart contract?
• How to inform the owner of smart contract?
• Would you steal crypto and the look for the owner?
That is general problem
Send him an encrypted
message kept on Ethereum.

64. drdr_zz
Responsible Disclosure Ethereum Messenger
My idea
Online: https://securing.github.io/eth-rd-messenger/
GitHub: https://github.com/securing/eth-rd-messenger
This tool is used to:
• send a secret message to the owner of a personal or contract
Ethereum address, encypted with its owner ECC public key,
• decrypt the message sent to the personal address or
contract's owner.

65. drdr_zz
DEMO
https://www.youtube.com/watch?v=
8AmpXCJRwzQ&feature=youtu.be

66. drdr_zz
Vulnerabilities
Similar to classic programs
• Overflows and underflows
• Unauthorized access to
functions
• Insecure libraries
• Business logic vulns
Specific for smart contracts
• Related to Ethereum limitations
(gas limit, randomness, etc.)
• Re-entrancy
• and more

67. drdr_zz
Top10 recommendations
1. Remember that all data is public in blockchain.
2. Do not keep secret data as plaintext in smart contract.
3. Use blind commitments.
4. Set visibility type to all functions.
5. Learn the limitations of Ethereum and how to handle them.
6. Write tests for handling limitations and for boundary conditions.
7. Verify the libraries than you plan to use.
8. Use the best security practices.
9. Consider threats from apps integrating with blockchain.
10. Test your contracts and blockchain applications.

68. drdr_zz
Keep Calm
And
Hack Smart Contracts!
SecuRing Smart Contracts Contest!
Follow us on Twitter:
@SecuRingPL
@drdr_zz

69. Thank you!
Damian Rusinek (@drdr_zz)
damian.rusinek@securing.pl
Questions?