Slides for a talk at the CLUSIL Blockchain series #4 event (https://www.clusil.lu/#events)
Luxembourg, 7 September 2017
Video: https://youtu.be/xdb2Le8vqq0
In-Depth Performance Testing Guide for IT Professionals
Security challenges in Ethereum smart contract programming
1. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
1/32
Security challenges in Ethereum
smart contract programming
Sergei Tikhomirov
CLUSIL Blockchain series – Installment #4
Luxembourg, 7 September 2017
2. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
2/32
Outline
Introduction
Five security challenges in Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure contracts: practical advice
Conclusion
3. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
3/32
Who am I: Sergei Tikhomirov
PhD researcher (SnT / CryptoLUX)
Main topic: Ethereum security
Previously in code analysis / bug detection
4. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
4/32
Blockchain is a hype
Total market cap 8X YTD
ICO boom, innovative financial apps
5. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
5/32
Security issues
New execution paradigm: trustless
network of nodes
6. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
5/32
Security issues
New execution paradigm: trustless
network of nodes
A whole software stack developed from
scratch (consensus layer, compilers, VM)
7. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
5/32
Security issues
New execution paradigm: trustless
network of nodes
A whole software stack developed from
scratch (consensus layer, compilers, VM)
Financially motivated anonymous
attackers
8. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
6/32
Massive security breaches
The DAO hack (2016)
Parity wallet bug (2017)
9. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
7/32
Ethereum in one slide
Account: controlled by key (like in
Bitcoin) or by code (smart contract)
10. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
7/32
Ethereum in one slide
Account: controlled by key (like in
Bitcoin) or by code (smart contract)
Nodes store state (balances, code, data),
execute code, extend blockchain (PoW)
11. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
7/32
Ethereum in one slide
Account: controlled by key (like in
Bitcoin) or by code (smart contract)
Nodes store state (balances, code, data),
execute code, extend blockchain (PoW)
Developers write contracts in Solidity,
compile to bytecode, deploy to blockchain
12. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
7/32
Ethereum in one slide
Account: controlled by key (like in
Bitcoin) or by code (smart contract)
Nodes store state (balances, code, data),
execute code, extend blockchain (PoW)
Developers write contracts in Solidity,
compile to bytecode, deploy to blockchain
Users interact with contracts via
transactions (e.g., send ether,
perform computation)
13. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
8/32
Three types of blockchain devs
Core protocol developers create basic
infrastructure (virtual machine, compilers,
consensus)
14. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
8/32
Three types of blockchain devs
Core protocol developers create basic
infrastructure (virtual machine, compilers,
consensus)
Contract developers create contracts
on top of basic infrastructure
(assuming it works as specified)
15. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
8/32
Three types of blockchain devs
Core protocol developers create basic
infrastructure (virtual machine, compilers,
consensus)
Contract developers create contracts
on top of basic infrastructure
(assuming it works as specified)
Dapp developers create
blockchain-interfacing apps
16. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
9/32
Five security challenges
in Solidity
17. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
10/32
Challenge 1: External calls
Ethereum contracts can call other
contracts
Those can be malicious!
18. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
11/32
Re-entrancy attack: problem
1 mapping (address => uint) private balances;
2 // msg.sender is a user withdrawing their
funds
3 function withdraw () public {
4 uint amount = balances[msg.sender ];
5 if (!( msg.sender.call.value(amount)())) {
6 revert;
7 }
8 balances[msg.sender] = 0;
9 }
19. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
11/32
Re-entrancy attack: problem
1 mapping (address => uint) private balances;
2 // msg.sender is a user withdrawing their
funds
3 function withdraw () public {
4 uint amount = balances[msg.sender ];
5 if (!( msg.sender.call.value(amount)())) {
6 revert;
7 }
8 balances[msg.sender] = 0;
9 }
External contract at msg.sender calls
withdraw again (line 4), while
balance[msg.sender] is still non zero.
20. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
12/32
Re-entrancy attack: solution
1 mapping (address => uint) private balance;
2 function withdraw () public {
3 uint amount = balance[msg.sender ];
4 balance[msg.sender] = 0;
5 if (!( msg.sender.call.value(amount)())) {
6 revert;
7 }
8 }
First update balance[msg.sender]
(line 4), then do actual withdraw (line 5)
Checks – effects – interactions
25. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
15/32
Insecure randomness: solution
Implement a commit-reveal scheme
Use secure randomness sources
RANDAO
Bitcoin blocks via BTCRelay
trusted oracles
26. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
16/32
Challenge 3: Immutability
Q: Isn’t immutability a good thing?
27. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
16/32
Challenge 3: Immutability
Q: Isn’t immutability a good thing?
A: Yes, but there is a caveat...
28. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
16/32
Challenge 3: Immutability
Q: Isn’t immutability a good thing?
A: Yes, but there is a caveat...
A deployed contract can’t be patched
29. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
17/32
Example: Black hole contract
1 contract BlackHole {
2 function () payable { }
3 function getBalance ()
4 constant
5 returns (uint) {
6 return this.balance;
7 }
8 }
The contract can receive ether (line 2), but
there is no way to withdraw it (though you can
check the balance).
30. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
18/32
Deal with immutability
Test contracts fully before deployment
Revert payments you don’t expect
Avoid unrecoverable states
31. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
19/32
Challenge 4: Privacy
All transactions are broadcast in plaintext
Anyone can download and analyze history
Blockchain analysis tools only get better
The private modifier does not hide the
variable, it only prevents external
contracts from changing it
32. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
20/32
Challenge 5: Execution cost
Users pay gas for every execution step
Centralized clouds are much cheaper
33. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
20/32
Challenge 5: Execution cost
Users pay gas for every execution step
Centralized clouds are much cheaper
Ethereum is not a ”world computer”...
...and definitely not a cloud storage
34. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
21/32
Gas costs defined in Yellow paper
35. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
22/32
Example: using storage inside loop
1 uint [255] res;
2 function costlyFunction () {
3 for (uint8 i = 0; i < 255; i++) {
4 res[i] = (255 - i) * i;
5 }
6 }
Running this costlyFunction is $601
1
5m gas @ 35 gwei, $330 / ETH
36. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
22/32
Example: using storage inside loop
1 uint [255] res;
2 function costlyFunction () {
3 for (uint8 i = 0; i < 255; i++) {
4 res[i] = (255 - i) * i;
5 }
6 }
Running this costlyFunction is $601
More importantly, tx’s calling
costlyFunction will likely never be
confirmed (block limit is around 6.7m gas)
1
5m gas @ 35 gwei, $330 / ETH
37. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
23/32
Optimizing contracts for gas costs
Avoid iterating over large arrays
Avoid using permanent storage
Measure and optimize gas consumption
Move all except security critical
computations off-chain
38. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
24/32
Five issues: takeaway
External = dangerous
Miners influence execution
Contracts are immutable
Blockchain is not private
On-chain computation is expensive
40. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
26/32
Step 1. Write specification
Describe what you want before
implementing it: you can’t fix incorrect
code without defining correct
Is public blockchain the right tool?
Can you use a database? Permissioned
blockchain? Private instance of Ethereum?
42. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
28/32
Step 2. Check source code
Adhere to best practices
Update software (compiler, framework)
Run analysis tools (Oyente, Securify,
Solgraph)
43. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
29/32
Step 3. Check bytecode
Compiler may have bugs
Bytecode is what is actually executed
Run analysis tools (Dr Y’s analyzer)
Run verification tools (not yet available)
44. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
30/32
Step 4. Check dApp as a whole
Create tests at early development stages
Truffle framework: truffle test
Make sure to cover all cases
(solidity-coverage)
45. Ethereum security
challenges
Sergei Tikhomirov
Introduction
Five security
challenges in
Solidity
External calls
Miners’ influence
Immutability
Privacy
Execution cost
Writing secure
contracts:
practical advice
Conclusion
31/32
Conclusion
Smart contracts are still a new technology
Potential is enormous, but security issues
are inevitable
Tread carefully!