
Outsmarting Smart Contracts - an essential walkthrough a blockchain security minefields


The most common blockchain-based application is Bitcoin, a cryptocurrency worth a couple of thousand $ per BTC. But Bitcoin is built on Blockchain 1.0. The second generation of blockchain opened a much broader field of application and is described as a mechanism allowing programmable transactions. Smart Contracts, as they are called, are scripts that are executed and stored in the blockchain...

Published in: Software

  1. Outsmarting Smart Contracts. Damian Rusinek, CONFidence, 5th of June 2018. damian.rusinek@securing.pl, @drdr_zz
  2. Blockchain and smart contracts are secure… Ethereum.org https://www.coindesk.com/blockchains-personal-data-protection-regulations-explained/
  3. …or is it?
  4. Damian Rusinek, @drdr_zz, damianrusinek @ github. Security Researcher & Pentester, Assistant Professor. How come blockchains and smart contracts have such serious security flaws when they are so highly secured?
  5. How I could steal tokens (worth thousands of $) from crypto exchange.
  6. BLOCKCHAIN 101
  7. Blockchain 101: D U D E (Distributed Unmodifiable Database Engine)
  8. Do I need blockchain? No Single point of failure? NO Single point of authority? NO But really? Modifiable data? NO
  9. The analogy: Tor – Private Communication; Blockchain – Unmodifiable Storage
  11. EPISODE I – SMART CONTRACTS
  12. Executable Smart contract
  13. Ethereum: "Ethereum is literally a computer that spans the entire world." Ethereum White Paper
  14. What program could we run as smart contract?
      • eVoting
      • Assets Management (transferring ownership)
      Why smart contracts?
      • No single authority
      • Trustless
      • Allows public verification
  15. How to verify the contract? https://etherscan.io
  16. How to execute smart contract? 0x2b30ea3a0000000000000000000000000000000000000000000000000000000000000000
  17. How to verify the execution?
  18. EPISODE II – SMART CONTRACTS SECURITY. Fact I - All your data is public
  19. Fact I – All your data is public: Variables
  21. Fact I – All your data is public: Preview votes in transactions.
  22. Fact I – All your data is public: Functions
      • Public functions can be executed by anyone.
      • Can anyone execute maliciousFunction2()?
  23. Fact I – All your data is public: Functions
      • Public functions can be executed by anyone.
      • Can anyone execute maliciousFunction2()?
      Functions are public by default!
  24. Parity Hack worth 30 mln $
      • Public function which changes the owner.
      https://www.coindesk.com/30-million-ether-reported-stolen-parity-wallet-breach/
  25. Parity Hack worth 30 mln $
      • Public function which changes the owner.
      https://www.coindesk.com/30-million-ether-reported-stolen-parity-wallet-breach/
      The race! 30 mln $ 80 mln $ worth today 90 mln $ 240 mln $
  26. Fact I – All your data is public
      • Set visibility type to all functions.
      • Do not keep secret data as plaintext in smart contract.
      • Examples: Rock Paper Scissors, Blind Auctions
      • Use blind commitments. [Diagram: Hash of Value, Real Value]
  27. EPISODE II – SMART CONTRACTS SECURITY. Fact II - Smart contract is a program
  28. Fact II – Smart contract is a program: Integer Overflow
      • Ethereum Tokens – your own cryptocurrency on Ethereum.
      The attack: empty victim’s wallet.
  29. Fact II – Smart contract is a program: Integer Overflow
      1. Balances: Victim -> (MAXUINT-9) tokens (e.g. founder of contract); Attacker -> 10 tokens.
      2. Attacker transfers 10 tokens to victim.
      3. Both have zero tokens.
  30. Fact II – Smart contract is a program: Insecure libraries
  31. Fact II – Smart contract is a program: Insecure libraries
      • Delete library used by mln $ worth contracts.
  32. Fact II – Smart contract is a program: Insecure libraries
      • Delete library used by mln $ worth contracts.
      https://www.trustnodes.com/2017/11/07/ethereums-parity-hacked-half-million-eth-frozen
  33. Fact II - Smart contract is a program
      • Use open source libraries that handle typical errors (e.g. SafeMath for overflows).
      • Write tests for boundary conditions.
      • Verify the correctness and test libraries that you plan to use.
  34. EPISODE II – SMART CONTRACTS SECURITY. Fact III - Smart contracts have limitations
  35. Fact III – Smart contracts have limitations: Gas Limit
      • All transactions are given some gas.
      • All operations cost some gas.
      • Transaction is rejected if gas limit is exceeded.
  39. Fact III – Smart contracts have limitations: Gas Limit
      • All transactions are given some gas.
      • All operations cost some gas.
      • Transaction is rejected if gas limit is exceeded.
      The attack: DoS the contract. The idea: to prevent infinite loops.
  40. Fact III – Smart contracts have limitations: Gas Limit – DoS on auction contract. [Diagram: BID, Auction, 0 ETH, 1 ETH, BID BID, 100]
  41. Fact III – Smart contracts have limitations: Gas Limit – DoS on auction contract. [Diagram: BID, Auction, 2 ETH, BID, 2 ETH, BID BID, 100]
  42. Fact III – Smart contracts have limitations: Gas Limit – DoS on auction contract. [Diagram: BID, Auction, 3 ETH, 3 ETH, BID BID BID, 100]
  43. Fact III – Smart contracts have limitations: Gas Limit – DoS on auction contract. [Diagram: BID, Auction, 3 ETH, 4 ETH, BID BID BID, 100] Further bids are blocked.
  44. Fact III – Smart contracts have limitations: Gas Limit – DoS on auction contract. [Diagram: Auction, 3 ETH] Further bids are blocked. WINNER!
  45. Fact III - Smart contracts have limitations
      • Learn the limitations of Ethereum (gas, randomness, etc.).
      • Learn the way of handling these limitations.
      • Write tests for handling limitations.
  46. EPISODE II – SMART CONTRACTS SECURITY. Fact IV - Smart contracts have specific vulns
  47. Fact IV – Smart contracts have specific vulns: Re-entrancy
      • Unintended recurrence in smart contracts.
      [Diagram: withdrawBalance]
  48. Fact IV – Smart contracts have specific vulns: Re-entrancy
      • Unintended recurrence in smart contracts.
      [Diagram: withdrawBalance, send Ether]
  50. Fact IV – Smart contracts have specific vulns: Re-entrancy
      • Unintended recurrence in smart contracts.
      [Diagram: withdrawBalance, withdrawBalance, withdrawBalance, send Ether]
  51. How to test smart contracts?
      • Online: Remix, Securify, SmartCheck
      • Offline: Solhint, Oyente, Mythril
      • Best practices: ConsenSys, DASP
  52. EPISODE II – SMART CONTRACTS INTEGRATION
  53. Popular webapps integrated with smart contracts
      • Online wallets
      • Crypto exchanges
      • Games
      • ICOs
      Attack webapp and generate malicious transaction. Let’s steal some tokens from the exchange.
  54. Typical withdrawal transaction. [Diagram: 50 GTN, Receiver address; Function, Address Parameter, Value Parameter]
  55. Not a bug, it’s a feature. Let’s use a too-short address. [Diagram: Function, Address, Value; Function, Short address, Value, Value]
  56. Not a bug, it’s a feature. Let’s use a too-short address. [Diagram: Function, Address, Value; Function, Short address, Value; Modified address, Value]
  58. Not a bug, it’s a feature. Let’s use a too-short address. [Diagram: 000; Function, Address, Value; Function, Short address, Value; Modified address, Value]
  59. A little misunderstanding
      What user tried to do: Send 2399.99 GNT to the 0x79735 address.
      What Ethereum understood: Send approx. 2 * 10^45 GNT to the 0x0797350000000000000000000000000000000000 address.
      [Diagram: 0000000000000000000000000000000000; Func, Short address, Value; Func, Padded address, Shifted (padded) value]
  60. How to attack exchange?
      • Deposit 1 Ethereum Token.
      • Generate Ethereum address with zero-byte suffix (a matter of seconds).
      • Withdraw 1 Ethereum Token and send address without last byte.
      • Receive 256 Ethereum Tokens.
  61. How I have stolen tokens from exchange?
      [Diagram: Func, Short address, Value; Func, Padded address, Shifted (padded) value; 00]
      • Deposited 0.47 GTN
      • Withdrew approx. 120 GTN (256 times more)
  62. Let’s report the vulnerability
      • But to whom?
      • No information about the owner on exchange website!
      • Be like Sherlock and find him.
      • Time is running!
  63. That is a general problem
      • How to responsibly disclose the vulnerability in smart contract?
      • How to inform the owner of smart contract?
      • Would you steal crypto and then look for the owner?
      Send him an encrypted message kept on Ethereum.
  64. Responsible Disclosure Ethereum Messenger. My idea.
      Online: https://securing.github.io/eth-rd-messenger/
      GitHub: https://github.com/securing/eth-rd-messenger
      This tool is used to:
      • send a secret message to the owner of a personal or contract Ethereum address, encrypted with its owner ECC public key,
      • decrypt the message sent to the personal address or contract's owner.
  65. DEMO https://www.youtube.com/watch?v=8AmpXCJRwzQ&feature=youtu.be
  66. Vulnerabilities
      Similar to classic programs:
      • Overflows and underflows
      • Unauthorized access to functions
      • Insecure libraries
      • Business logic vulns
      Specific for smart contracts:
      • Related to Ethereum limitations (gas limit, randomness, etc.)
      • Re-entrancy
      • and more
  67. Top10 recommendations
      1. Remember that all data is public in blockchain.
      2. Do not keep secret data as plaintext in smart contract.
      3. Use blind commitments.
      4. Set visibility type to all functions.
      5. Learn the limitations of Ethereum and how to handle them.
      6. Write tests for handling limitations and for boundary conditions.
      7. Verify the libraries that you plan to use.
      8. Use the best security practices.
      9. Consider threats from apps integrating with blockchain.
      10. Test your contracts and blockchain applications.
  68. Thank you! Damian Rusinek (@drdr_zz) damian.rusinek@securing.pl https://www.securing.biz/en/developing-secure-blockchain-applications/index.html How to Develop Secure Blockchain Applications
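
The integer overflow from slides 28 and 29, as an added example that is not part of the original deck: a Python model of uint256 token balances showing the wrap-around next to a SafeMath-style checked transfer. The function names are hypothetical and the account labels are constructed for illustration.

```python
MAX_UINT = 2**256 - 1  # largest uint256 value


def unchecked_transfer(balances, sender, receiver, amount):
    """Token transfer with raw EVM-style arithmetic: sums wrap modulo 2**256."""
    if balances[sender] < amount:
        raise ValueError("insufficient balance")
    balances[sender] = (balances[sender] - amount) & MAX_UINT
    balances[receiver] = (balances[receiver] + amount) & MAX_UINT


def safe_add(a, b):
    """SafeMath-style addition: fail instead of wrapping."""
    c = (a + b) & MAX_UINT
    if c < a:
        raise OverflowError("uint256 addition overflow")
    return c


def checked_transfer(balances, sender, receiver, amount):
    """Same transfer, but the credit is computed with safe_add before any state changes."""
    if balances[sender] < amount:
        raise ValueError("insufficient balance")
    credited = safe_add(balances[receiver], amount)
    balances[sender] -= amount
    balances[receiver] = credited


def slide_balances():
    """Balances from slide 29: victim holds MAXUINT-9 tokens, attacker holds 10."""
    return {"victim": MAX_UINT - 9, "attacker": 10}


if __name__ == "__main__":
    wrapped = slide_balances()
    unchecked_transfer(wrapped, "attacker", "victim", 10)
    print("unchecked:", wrapped)
    try:
        checked_transfer(slide_balances(), "attacker", "victim", 10)
    except OverflowError as err:
        print("checked transfer rejected:", err)
```

Because the checked version computes the credit before touching either balance, a rejected transfer leaves the ledger unchanged, which is the boundary condition the recommendations on slide 33 ask you to test.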
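
The short-address problem from slides 54 to 61, as an added example that is not part of the original deck: the check a withdrawal service needs before it builds ERC-20 `transfer(address,uint256)` calldata, next to the unchecked encoding and what a decoder that zero-fills missing bytes reads from it. The function names and both sample addresses are constructed for illustration.

```python
import re

TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)
WORD = 32
EXPECTED_LEN = 4 + 2 * WORD  # selector + two 32-byte arguments = 68 bytes


def parse_address(text):
    """Accept only 0x followed by exactly 40 hex characters (20 bytes)."""
    if not re.fullmatch(r"0x[0-9a-fA-F]{40}", text):
        raise ValueError("address must be 0x + 40 hex characters")
    return bytes.fromhex(text[2:])


def encode_transfer(address_text, amount):
    """Strict encoding: validate both arguments, then left-pad each to 32 bytes."""
    address = parse_address(address_text)
    if not 0 <= amount < 2**256:
        raise ValueError("amount out of uint256 range")
    return TRANSFER_SELECTOR + address.rjust(WORD, b"\x00") + amount.to_bytes(WORD, "big")


def naive_encode(address_text, amount):
    """Flawed pattern: fixed 12-byte padding, address length never checked."""
    raw = bytes.fromhex(address_text[2:])
    return TRANSFER_SELECTOR + bytes(12) + raw + amount.to_bytes(WORD, "big")


def evm_decode_transfer(calldata):
    """Read both arguments with missing trailing bytes treated as zero."""
    padded = calldata.ljust(EXPECTED_LEN, b"\x00")
    to = "0x" + padded[16:36].hex()
    amount = int.from_bytes(padded[36:68], "big")
    return to, amount


# Constructed sample values (not real addresses).
FULL = "0x" + "11" * 19 + "00"   # 20-byte address ending in a zero byte
SHORT = "0x" + "11" * 19         # the same address with the last byte left off

if __name__ == "__main__":
    print(evm_decode_transfer(encode_transfer(FULL, 1)))  # intended transfer
    print(evm_decode_transfer(naive_encode(SHORT, 1)))    # amount shifted by one byte
    try:
        encode_transfer(SHORT, 1)
    except ValueError as err:
        print("rejected:", err)
```

A calldata length other than `EXPECTED_LEN` on an outgoing `transfer` call is also a cheap signal to alert on before signing.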
