This document provides an overview of advanced NEO smart contracts. It begins with an agenda for the workshop and questions about transaction experience. It then discusses how NEO verifies transactions using witness scripts and unspent outputs. Details are given on transaction structure, types, and attributes. Best practices are outlined around constraining invocation scripts, guarding dynamic invokes, prefixing storage keys, validating inputs, and protecting users. The presentation encourages following Switcheo for an upcoming API development competition.
4. #SwitchtoSwitcheo
Workshop Agenda
1. How Does NEO Verify Transactions?
2. How To Make Withdrawals From A Smart Contract?
3. NEO Smart Contracts Best Practices
4. Questions and Answers (Q&A)
5. Demo (If there is time)
6. #SwitchtoSwitcheo
How Does NEO Verify Transactions?
Recall this code from the lecture in the Transfer operation:
CheckWitness(t_from)
https://github.com/kentarohorie/simple-neo-token-sample/blob/1a38e50/yourcoin/nep5.py#L58
What is “witness”? And what are we actually “checking” for here?
To find out, we need to understand:
• NEO’s transaction structure, and
• “unspent outputs” or “UTXOs” (this type of model is inherited from Bitcoin)
8. #SwitchtoSwitcheo
NEO Transaction Types
You can find the full list of transaction “types”:
https://github.com/neo-project/neo/blob/master/neo/Core/TransactionType.cs
2 Most Common Types:
• ContractTransaction: Normal NEO & GAS transfers
• InvocationTransaction: Invokes some operations in the NEO VM using the given script
9. #SwitchtoSwitcheo
NEO Transaction Attributes
Full list of transaction attribute types or “usages” here:
https://github.com/neo-project/docs/blob/master/en-us/sc/reference/fw/dotnet/neo/TransactionAttribute/Usage.md
General Usages:
• Doesn’t change transaction execution
• For general uses like logging transaction purpose as a record, or adding data for deployed smart contracts to read from
• e.g.: Data “Hash”, or “Remarks”
Specific Usages:
• Causes transaction to be verified or executed differently
• e.g.: “Additional Witness” or “Script” (0x20), etc.
• Will look at one, read docs for info on the others
10. #SwitchtoSwitcheo
NEO Inputs & Outputs
{
  inputs: [{
    txid: "0xa…",
    index: 0,
    address: A,
    amount: 5,
  }, {
    txid: "0xb…",
    index: 0,
    address: B,
    amount: 7,
  }],
  outputs: [{
    address: C,
    amount: 12
  }],
  attributes: [{
    usage: 0x20, // Script
    data: <addr D>,
  }],
}
Diagram: Address A (+5) and Address B (+7) are the inputs; Address C (12) is the output.
Transaction must be witnessed by A+B+D
https://bitcoin.org/en/developer-guide#block-chain
12. #SwitchtoSwitcheo
NEO Script
• This is only for transactions of Invocation type.
• The script is directly executed by the VM
• So it is actually just a series of opcodes and data
{
  …,
  "script": "020bf1920…",
  …
}
13. #SwitchtoSwitcheo
NEO Script
Script example for a standard entrypoint: Main(string operation, params object[] args)
OpCode (Hex): Explanation
• PUSH20 (0x20): Pushes the next 20 bytes onto the stack
• <from> (0x11fg876d..): Push the “from” address for an NEP-5 transfer operation
• PUSH3 (0x53): Pushes the number ‘3' onto the stack
• …
• PACK (0xC1): Pops N from stack and combines the next N items into an array
• PUSHBYTES8 (0x08): Pushes the next 8 bytes onto the stack
• “transfer” (0x7472616e73666572): the operation string as bytes; in this case it is the “transfer” operation for NEP-5
• APPCALL (0x67): Reads the next 20 bytes and invokes the corresponding deployed contract with Application Trigger.
• <scriptHash> (0xa12cde…): The hash of the deployed smart contract to invoke
Stack diagram: 0x11fg876d.., 0x225ab73.., 0x3356765.. and 3 on the stack; then the packed items 0x11, 0x22, 0x3 and 0x7472616..
So transaction will have: { …, "script": "020bf1920…" }
https://github.com/neo-project/neo-vm/blob/master/src/neo-vm/OpCode.cs
14. #SwitchtoSwitcheo
Verification of Smart Contracts
Verify([mempool]): https://github.com/neo-project/neo/blob/23bbe9b/neo/Core/Transaction.cs#L330
• Check Double Spend, etc..
VerifyScripts(IVerifiable): https://github.com/neo-project/neo/blob/23bbe9b/neo/Core/Helper.cs#L46
• Hashes each VerificationScript and compares hashes in order. Fails if any missing or does not match.
• Executes Invocation Script + Verification Script. Fails if hash mismatch, or does not return true
• Pass!
GetScriptHashesForVerifying(): https://github.com/neo-project/neo/blob/23bbe9b/neo/Core/Transaction.cs#L227
• Get hashes that must match Verification Scripts (found in "scripts")
• Get hashes of inputs
• Add data (hash) in transaction attribute 0x20 (usage "Script" a.k.a. "Additional Witness")
• This is useful if you want to ensure Verification runs on a deployed contract, but are not using inputs from a smart contract
15. #SwitchtoSwitcheo
Verification of Smart Contracts
https://github.com/neo-project/neo/blob/23bbe9b/neo/Core/Helper.cs#L61
How to run custom verification on deployed contracts?
• Write custom verification logic in Trigger
• User can leave VerificationScript empty if deployed contract needs to be a witness
16. #SwitchtoSwitcheo
Dangers of Sending from Custom Smart Contracts
Diagram: Jack's Available Balance: 5 NEO. Jack's Transactions A, B, C and D each send 5 NEO to Jack.
VERIFICATION
*State cannot be changed during verification
APPLICATION
> Change Jack's Balance: 5 - 5 = 0 NEO
> Change Jack's Balance: 0 - 5 = ???
17. #SwitchtoSwitcheo
Dangers of Sending from Custom Smart Contracts
Diagram: Jack's Available Balance: 5 NEO. Jack's Transactions A, B, C and D are for 5 NEO each.
VERIFICATION
*State cannot be changed during verification
APPLICATION
> Check & Change Jack's Balance: 5 - 5 = 0 NEO
> Reserve Output to Jack
> Check & Change Jack's Balance: 0 NEO < 5 NEO
> Not enough balance, do nothing
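The two slides above, as an added Python model (not code from the presentation or from any NEO contract): verification is read-only, so all four of Jack's transactions pass it, and only an application step that checks and changes the balance together stops the over-withdrawal. The class, function and field names are hypothetical.

```python
# Toy model of the verification/application split (constructed; not NEO API).

class WithdrawContract:
    def __init__(self, balances):
        self.balances = dict(balances)  # contract storage: user -> balance
        self.reserved = []              # ids of txs granted an output

    def verify(self, tx):
        # Verification trigger: read-only, state cannot be changed here, so
        # every pending transaction is judged against the same stored balance.
        return self.balances.get(tx["to"], 0) >= tx["amount"]

    def apply_unchecked(self, tx):
        # Application step that trusts verification and just deducts.
        self.balances[tx["to"]] -= tx["amount"]
        self.reserved.append(tx["id"])

    def apply_checked(self, tx):
        # Application step that checks and changes the balance together.
        if self.balances.get(tx["to"], 0) < tx["amount"]:
            return False                # not enough balance, do nothing
        self.balances[tx["to"]] -= tx["amount"]
        self.reserved.append(tx["id"])  # reserve output to the user
        return True


def run(contract, txs, apply_name):
    """Verify all pending txs first, then apply the ones that passed, in order."""
    passed = [tx for tx in txs if contract.verify(tx)]
    apply = getattr(contract, apply_name)
    for tx in passed:
        apply(tx)
    return contract.balances, contract.reserved


def jacks_transactions():
    # Constructed sample: transactions A-D, each withdrawing 5 NEO to Jack.
    return [{"id": i, "to": "jack", "amount": 5} for i in "ABCD"]


if __name__ == "__main__":
    for name in ("apply_unchecked", "apply_checked"):
        print(name, run(WithdrawContract({"jack": 5}), jacks_transactions(), name))
```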
19. #SwitchtoSwitcheo
Examples for Sending from Custom Smart Contracts
Some example implementations and references:
Switcheo Exchange (live): https://github.com/ConjurTech/switcheo/blob/v2/switcheo/BrokerContract.cs
NeoResearch (prototype): https://github.com/NeoResearch/nep-distributed-payments/blob/master/workingPrototype.cs
Neon Exchange (whitepaper): https://neonexchange.org/pdfs/whitepaper_v1.pdf
20. #SwitchtoSwitcheo
Dangers Of Using Verification Trigger
Witness can be used in other contracts!
Diagram: My Contract and RPX Token
*My Contract has 1000 RPX tokens
VERIFICATION (My Contract)
Withdrawing NEO!
Withdrawal checks pass so contract returns true
APPLICATION (RPX Token)
*Transaction's script is an "AppCall" to "RPX Token" instead of "My Contract"!
Runtime.CheckWitness(MyContractScriptHash) will be true.
So "transfer" from "My Contract" to ANYONE will also pass!
21. #SwitchtoSwitcheo
Best Practices - Constrain Invocation Script
*My Contract has 1000 RPX tokens
VERIFICATION
https://github.com/ConjurTech/switcheo/blob/v2/switcheo/BrokerContract.cs#L198
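One way to express the "constrain invocation script" check, using the script layout from the opcode table earlier: decode the transaction's script and accept it only if its single call targets the contract's own hash. This is an added Python illustration, not Switcheo's code; the opcode values are assumed from neo-vm 2.x OpCode.cs, and all hashes, names and scripts are constructed.

```python
# Assumed NEO 2.x opcode values (neo-vm OpCode.cs). PUSHBYTESn is the byte n.
PUSHBYTES1, PUSHBYTES75, PUSH1, PUSH16 = 0x01, 0x4B, 0x51, 0x60
PACK, APPCALL, TAILCALL = 0xC1, 0x67, 0x69

def disassemble(script):
    """Decode the opcodes a standard Main(operation, args) call uses.
    Anything else raises ValueError, so unknown scripts fail closed."""
    ops, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if PUSHBYTES1 <= op <= PUSHBYTES75:
            if i + op > len(script):
                raise ValueError("truncated push")
            ops.append(("PUSHBYTES", script[i:i + op]))
            i += op
        elif PUSH1 <= op <= PUSH16:
            ops.append(("PUSH", op - 0x50))
        elif op == PACK:
            ops.append(("PACK", None))
        elif op in (APPCALL, TAILCALL):
            if i + 20 > len(script):
                raise ValueError("truncated call target")
            ops.append(("CALL", script[i:i + 20]))
            i += 20
        else:
            raise ValueError("unsupported opcode 0x%02x" % op)
    return ops

def calls_only(script, own_hash):
    """True only if the script's single call is its last op and targets own_hash."""
    try:
        ops = disassemble(script)
    except ValueError:
        return False
    targets = [arg for name, arg in ops if name == "CALL"]
    return targets == [own_hash] and ops[-1][0] == "CALL"

def build_call(target, operation, args):
    """Build <args reversed> PUSHn PACK <operation> APPCALL <target> (byte args only)."""
    body = b"".join(bytes([len(a)]) + a for a in reversed(args))
    return (body + bytes([0x50 + len(args), PACK, len(operation)])
            + operation + bytes([APPCALL]) + target)

# Constructed script hashes and scripts, for illustration only.
MY_CONTRACT, RPX_TOKEN, USER = b"\xaa" * 20, b"\xbb" * 20, b"\xcc" * 20
AMOUNT = (1000).to_bytes(2, "little")
WITHDRAW = build_call(MY_CONTRACT, b"withdraw", [USER, AMOUNT])
TOKEN_TRANSFER = build_call(RPX_TOKEN, b"transfer", [MY_CONTRACT, USER, AMOUNT])
```

`calls_only(WITHDRAW, MY_CONTRACT)` is true, while `TOKEN_TRANSFER` is rejected even though the contract's hash appears in it as pushed data, which is why the check decodes opcodes rather than searching bytes. This sketch pins only the call target, not the operation or its arguments.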
22. Best Practices - Guard When Doing Dynamic Invoke
Diagram: Attacker, My Contract (holding 1000 RPX and 100 ATK), ATK Token, RPX Token
withdraw (from Attacker): fr: SC, to: A, amt: 100 ATK
transfer: fr: SC, to: A, amt: 100 ATK
transfer: fr: SC, to: A, amt: 1000 RPX
NEP-5: https://github.com/neo-project/proposals/pull/44/files#diff-e5a1452ea0de8fa24b9c328151e94affR90
23. #SwitchtoSwitcheo
Best Practices - Prefix All Storage Keys
https://github.com/kentarohorie/simple-neo-token-sample/blob/1a38e50/yourcoin/nep5.py#L151
-> When t_spender is an empty byte array, approval_key is the same format as balanceOf key!
https://github.com/kentarohorie/simple-neo-token-sample/blob/1a38e50/yourcoin/nep5.py#L29
->> Value of balance can be changed wrongly!
24. #SwitchtoSwitcheo
Best Practices - Prefix All Storage Keys
https://github.com/ConjurTech/switcheo/blob/v2/switcheo/BrokerContract.cs
Storage keys should be prefixed by unique, non-overlapping bytes for different types of data
25. #SwitchtoSwitcheo
Best Practices - Validate All User Inputs
Validate ALL inputs from users, and constrain them to the minimum set of formats
• Length of both t_owner and t_spender should be constrained to 20 as addresses are 20 bytes long
• Reduce flows and set of inputs to test or check against
• Acts as additional guard against accidental "key collision"
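The key collision from the "Prefix All Storage Keys" slides and the length check from this slide, as an added Python model (not the linked nep5.py or Switcheo code). It assumes the approval key is the owner bytes concatenated with the spender bytes and the balance key is the owner bytes alone; the prefix values, class names and addresses are hypothetical.

```python
BALANCE_PREFIX = b"\x01"    # hypothetical prefix bytes, one per data type
APPROVAL_PREFIX = b"\x02"
ADDRESS_LEN = 20

class UnprefixedToken:
    """Key layout described above: balance at owner, approval at owner + spender."""
    def __init__(self):
        self.storage = {}

    def balance_of(self, owner):
        return self.storage.get(owner, 0)

    def approve(self, owner, spender, amount):
        self.storage[owner + spender] = amount   # spender == b"" hits the balance key
        return True

class PrefixedToken:
    """Same operations with per-type key prefixes and 20-byte address checks."""
    def __init__(self):
        self.storage = {}

    def balance_of(self, owner):
        return self.storage.get(BALANCE_PREFIX + owner, 0)

    def approve(self, owner, spender, amount):
        if len(owner) != ADDRESS_LEN or len(spender) != ADDRESS_LEN:
            raise ValueError("addresses must be exactly 20 bytes")
        self.storage[APPROVAL_PREFIX + owner + spender] = amount
        return True

def balance_after_approve(token, owner, spender, start=100, amount=7):
    """Seed a balance, run approve, and report the balance afterwards."""
    key = owner if isinstance(token, UnprefixedToken) else BALANCE_PREFIX + owner
    token.storage[key] = start
    try:
        token.approve(owner, spender, amount)
    except ValueError:
        pass                                     # rejected input changes nothing
    return token.balance_of(owner)

OWNER, SPENDER = b"\x11" * 20, b"\x22" * 20      # constructed addresses
```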
26. #SwitchtoSwitcheo
Best Practices - Protect Users Whenever Possible
Don't assume honest clients will always send in valid inputs!
• Don't let user lose assets or "burn" tokens accidentally through malformed script or transaction
• Never ignore receiving of system assets if possible, in case of accidental sends
• Always handle received system assets by moving to an internal user balance and let users withdraw it later
• When encountering invalid state or input during smart contract execution, revert whole script by throwing Exceptions, see link
28. #SwitchtoSwitcheo
V2 Launch - API Development Competition
Switcheo is holding an API Development
Contest for our upcoming V2 launch!
Prizes include:
1,000,000 SWTH Tokens,
Customised Switcheo Ledger Nano S’s,
and various Switcheo Merch!
Follow us for more details!