SlideShare a Scribd company logo

Secure Smart Contract - Writing, testing, and deploying a non-trivial dApp

Paresh Yadav
Paresh Yadav

This document outlines the agenda for a presentation on secure smart contract development. The presentation will cover attack surfaces of dApps, writing secure Solidity code, secure cross-chain bridge contracts, an analysis of the Nomad Bridge hack, secure flash loan contracts, secure multisig wallets, and how to participate in bug bounty programs. Code examples will be provided for cross-chain bridges, flash loans, and multisig wallets. The Nomad Bridge hack will be analyzed in detail to explain how it occurred. Working with bug bounty programs rather than hacking will also be discussed.

Technology
1 of 30
Download to read offline
TBBUG The MIT License Paresh Yadav Secure Smart Contract - Writing, testing, and deploying a non-trivial dApp Toronto Blockchain Builders and Users Group (TBBUG) Paresh Yadav http://www.linkedin.com/in/pareshyadav @yparesh
TBBUG The MIT License Paresh Yadav What we are going to cover ● Tech and only tech and application of tech ● At times we will simplify with analogies to get the concept across, the analogies are never perfect ● Not going to cover “business” and Legal side ○ Tokenomics ○ The legal standing of tokens as “security” or not! ○ Investment advice (Else I would have been SBF :))
TBBUG The MIT License Paresh Yadav Agenda: ● Attack surface area/s of dApps ● Writing secure Solidity code ● Secure Cross-chain Bridge contract ● Use case - Nomad Bridge hack analysis ● Secure Flash loan contract ● Secure wallets (Multisig wallets) ● How to work with, "hack" bug bounty programs! ● Q & A
TBBUG The MIT License Paresh Yadav Agenda: ● Attack surface area/s of dApps ● Writing secure Solidity code ● Secure Cross-chain Bridge contract ● Use case - Nomad Bridge hack analysis ● Secure Flash loan contract ● Secure wallets (Multisig wallets) ● How to work with, "hack" bug bounty programs! ● Q & A
TBBUG The MIT License Paresh Yadav Attack surface area
TBBUG The MIT License Paresh Yadav Attack surface area
TBBUG The MIT License Paresh Yadav Points of Vulnerability in Smart Contract App stack ● “Stolen” (from) Wallets ○ Phishing attacks (don’t check uninvited Google doc shares by strangers) ○ Discord - Phishing Links ○ Profanity Vanity address hack ■ “Normal” address - 0x782B7FA74921E152820151D32ca019f4b33f022F ■ Vanity address - 0x0000000000000000000000000000000000028Ae8 ■ https://blog.1inch.io/a-vulnerability-disclosed-in-profanity-an-ethereum-vanity-address-tool-68ed7455fc8c ● Your client software (website, crosschain bridge, mobile app, wallets etc.) ● The external RPC servers ● Mem pool sniffing attacks (possible due to gas boosting) ○ MEV attacks ○ Raising Price of item on sale by the saler ● Bugs in smart contracts ○ Known buggy patterns in smart contracts ○ Unknown, unknown!
TBBUG The MIT License Paresh Yadav Agenda: ● Attack surface area/s of dApps ● Writing secure Solidity code ● Secure Cross-chain Bridge contract ● Use case - Nomad Bridge hack analysis ● Secure Flash loan contract ● Secure wallets (Multisig wallets) ● How to work with, "hack" bug bounty programs! ● Q & A
TBBUG The MIT License Paresh Yadav Some tips for writing secure Solidity code ● Use the latest Solidity version ● Keep contracts simple (but NOT simplistic) ● Use secure coding practices: ○ validating input data ○ checking return values ○ handling errors appropriately ● Avoid integer overflows and underflows: Use the SafeMath library ● Avoid sending Ether to unknown addresses
TBBUG The MIT License Paresh Yadav Agenda: ● Attack surface area/s of dApps ● Writing secure Solidity code ● Secure Cross-chain Bridge contract ● Use case - Nomad Bridge hack analysis ● Secure Flash loan contract ● Secure wallets (Multisig wallets) ● How to work with, "hack" bug bounty programs! ● Q & A
TBBUG The MIT License Paresh Yadav What is a Crosschain Bridge?
TBBUG The MIT License Paresh Yadav Crosschain Bridge: ● Why we need them ● What is a wrapped coin eg. WETH, WBTC etc. ● They are made of: ○ Smart Contract “A” on 1st Blockchain (Say Ethereum) ○ Smart Contract “B” on 2nd Blockchain (Say Polygon) ○ The middle layer (agents) that sends messages between the two Smart Contracts/Blockchains ● How do they work (next slide)
TBBUG The MIT License Paresh Yadav How do Crosschain Bridges work: ● Let us say Contract “A” on Ethereum has 10 ETH at the beginning ● Let us say Contract “B” on Polygon has no WETH at the beginning ● Say the user wants to send 1 ETH from Ethereum to Polygon ● She sends request to the bridge frontend to swap 1 ETH on with 1 WETH ● “A” locks 1 ETH and now has 9 ETH float ● “A” generates a “message” and stores in a Merkel tree and also gives the “message” to Bridge “agent” ● Agents calls proveAndProcess(“message”) method on “B” ● “B”.proveAndProcess(“message”) ○ checks if the message exists in the Merkel tree ○ and if so calls Process(message) method which mints 1 WETH and gives it to the user ● Of course the bridge charges fees (“commission”) to facilitate the transfer which the user sends when sending the request
TBBUG The MIT License Paresh Yadav ● Ronin Bridge hack in March 2022 (Stolen amount 540M) ● Wormhole Bridge hack in February of 2022 (Stolen amount 250M) ● Nomad Bridge in August 2022 (Stolen amount 186M) Some of the largest hacks involved Bridges
TBBUG The MIT License Paresh Yadav Link to code for - Crosschain Bridge Example
TBBUG The MIT License Paresh Yadav Agenda: ● Attack surface area/s of dApps ● Writing secure Solidity code ● Secure Cross-chain Bridge contract ● Use case - Nomad Bridge hack analysis ● Secure Flash loan contract ● Secure wallets (Multisig wallets) ● How to work with, "hack" bug bounty programs! ● Q & A
TBBUG The MIT License Paresh Yadav ● When? - On August 1, 2022 ● How much? - More than $186M stolen in just a few hours ● How? (next slide) Nomad Bridge hack analysis
TBBUG The MIT License Paresh Yadav How of Nomad Bridge hack Below is “Contract B” of Nomad Bridge (Replica.Sol)
TBBUG The MIT License Paresh Yadav … Contd - How of Nomad Bridge hack
TBBUG The MIT License Paresh Yadav … Contd - How of Nomad Bridge hack
TBBUG The MIT License Paresh Yadav … Contd - How of Nomad Bridge hack
TBBUG The MIT License Paresh Yadav … Contd - How of Nomad Bridge hack
TBBUG The MIT License Paresh Yadav Agenda: ● Attack surface area/s of dApps ● Writing secure Solidity code ● Secure Cross-chain Bridge contract ● Use case - Nomad Bridge hack analysis ● Secure Flash loan contract ● Secure wallets (Multisig wallets) ● How to work with, "hack" bug bounty programs! ● Q & A
TBBUG The MIT License Paresh Yadav Link to code for - Flash Loan Example
TBBUG The MIT License Paresh Yadav Agenda: ● Attack surface area/s of dApps ● Writing secure Solidity code ● Secure Cross-chain Bridge contract ● Use case - Nomad Bridge hack analysis ● Secure Flash loan contract ● Secure wallets (Multisig wallets) ● How to work with, "hack" bug bounty programs! ● Q & A
TBBUG The MIT License Paresh Yadav Link to code for - Multisig Wallet Example
TBBUG The MIT License Paresh Yadav Agenda: ● Attack surface area/s of dApps ● Writing secure Solidity code ● Secure Cross-chain Bridge contract ● Use case - Nomad Bridge hack analysis ● Secure Flash loan contract ● Secure wallets (Multisig wallets) ● How to work with, "hack" bug bounty programs! ● Q & A
TBBUG The MIT License Paresh Yadav Bug bounty! ● Why it is better to work with Bug bounty and not hack/steal? ● Usually paid in their token so make sure the token/protocol is doing well ● How to find opportunities that pays to find bugs in smart contracts ○ Example - https://medium.com/the-liquidapps-blog/dapp-networks-bridge-to-ethereum-bug-bounty-afcaf7 7d6296 ○ https://immunefi.com/explore/ ● How to work with ("hack") bug bounty programs! ○ 1M + 1M = 2 M! ( https://medium.com/immunefi/aurora-withdrawal-logic-error-bugfix-review-c5b4e30a9160 )
TBBUG The MIT License Paresh Yadav References and Resources for further reading ● https://drive.google.com/file/d/1-wzuY4U4OKFQ2Mc4ctmwKh2g3fAl4_85/view ● https://www.coinbase.com/blog/nomad-bridge-incident-analysis ● https://github.com/nomad-xyz/nomad-monorepo/blob/main/solidity/nomad-core/contract s/Replica.sol
TBBUG The MIT License Paresh Yadav Q & A Thank you!

Recommended

Anatomy of a 100+ million dollar complex Smart Contract hack (Nomad Bridge Hack)
Anatomy of a 100+ million dollar complex Smart Contract hack (Nomad Bridge Hack)Anatomy of a 100+ million dollar complex Smart Contract hack (Nomad Bridge Hack)
Anatomy of a 100+ million dollar complex Smart Contract hack (Nomad Bridge Hack)Paresh Yadav
 
Dumb Smart Contracts (TBBUG).pdf
Dumb Smart Contracts (TBBUG).pdfDumb Smart Contracts (TBBUG).pdf
Dumb Smart Contracts (TBBUG).pdfParesh Yadav
 
Web3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEMWeb3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEMTal Be'ery
 
Introduction to Ethereum Smart Contracts
Introduction to Ethereum Smart Contracts Introduction to Ethereum Smart Contracts
Introduction to Ethereum Smart Contracts ArcBlock
 
How to Create Blockchain Products by Fr8 Network Lead Engineer
How to Create Blockchain Products by Fr8 Network Lead EngineerHow to Create Blockchain Products by Fr8 Network Lead Engineer
How to Create Blockchain Products by Fr8 Network Lead EngineerProduct School
 
Blockchain Programming
Blockchain ProgrammingBlockchain Programming
Blockchain ProgrammingRhea Myers
 
Best practices to build secure smart contracts
Best practices to build secure smart contractsBest practices to build secure smart contracts
Best practices to build secure smart contractsGautam Anand
 
Web3’s red pill: Smashing Web3 transaction simulations for fun and profit
Web3’s red pill: Smashing Web3 transaction simulations for fun and profitWeb3’s red pill: Smashing Web3 transaction simulations for fun and profit
Web3’s red pill: Smashing Web3 transaction simulations for fun and profitTal Be'ery
 

Recommended

Anatomy of a 100+ million dollar complex Smart Contract hack (Nomad Bridge Hack)
Anatomy of a 100+ million dollar complex Smart Contract hack (Nomad Bridge Hack)Anatomy of a 100+ million dollar complex Smart Contract hack (Nomad Bridge Hack)
Anatomy of a 100+ million dollar complex Smart Contract hack (Nomad Bridge Hack)Paresh Yadav
 
Dumb Smart Contracts (TBBUG).pdf
Dumb Smart Contracts (TBBUG).pdfDumb Smart Contracts (TBBUG).pdf
Dumb Smart Contracts (TBBUG).pdfParesh Yadav
 
Web3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEMWeb3 Security: The Blockchain is Your SIEM
Web3 Security: The Blockchain is Your SIEMTal Be'ery
 
Introduction to Ethereum Smart Contracts
Introduction to Ethereum Smart Contracts Introduction to Ethereum Smart Contracts
Introduction to Ethereum Smart Contracts ArcBlock
 
How to Create Blockchain Products by Fr8 Network Lead Engineer
How to Create Blockchain Products by Fr8 Network Lead EngineerHow to Create Blockchain Products by Fr8 Network Lead Engineer
How to Create Blockchain Products by Fr8 Network Lead EngineerProduct School
 
Blockchain Programming
Blockchain ProgrammingBlockchain Programming
Blockchain ProgrammingRhea Myers
 
Best practices to build secure smart contracts
Best practices to build secure smart contractsBest practices to build secure smart contracts
Best practices to build secure smart contractsGautam Anand
 
Web3’s red pill: Smashing Web3 transaction simulations for fun and profit
Web3’s red pill: Smashing Web3 transaction simulations for fun and profitWeb3’s red pill: Smashing Web3 transaction simulations for fun and profit
Web3’s red pill: Smashing Web3 transaction simulations for fun and profitTal Be'ery
 
How to Create Blockchain Products by Slice.Market CTO
How to Create Blockchain Products by Slice.Market CTOHow to Create Blockchain Products by Slice.Market CTO
How to Create Blockchain Products by Slice.Market CTOProduct School
 
Web3-Guide.pdf
Web3-Guide.pdfWeb3-Guide.pdf
Web3-Guide.pdfMohankumar975815
 
Blockchain and smart contracts, what they are and why you should really care ...
Blockchain and smart contracts, what they are and why you should really care ...Blockchain and smart contracts, what they are and why you should really care ...
Blockchain and smart contracts, what they are and why you should really care ...maeste
 
Consensu, Security, and the Blockchain Gateway Interface - Ethan Buchman, Ten...
Consensu, Security, and the Blockchain Gateway Interface - Ethan Buchman, Ten...Consensu, Security, and the Blockchain Gateway Interface - Ethan Buchman, Ten...
Consensu, Security, and the Blockchain Gateway Interface - Ethan Buchman, Ten...WithTheBest
 
Building a Bitcoin Hardware Wallet with Golang and a Raspberry Pi Zero
Building a Bitcoin Hardware Wallet with Golang and a Raspberry Pi ZeroBuilding a Bitcoin Hardware Wallet with Golang and a Raspberry Pi Zero
Building a Bitcoin Hardware Wallet with Golang and a Raspberry Pi ZeroNic Raboy
 
How to run your own blockchain pilot
How to run your own blockchain pilotHow to run your own blockchain pilot
How to run your own blockchain pilotSimon Wilson
 
Seun - Breaking into Protocol Engineering (1).pptx
Seun - Breaking into Protocol Engineering (1).pptxSeun - Breaking into Protocol Engineering (1).pptx
Seun - Breaking into Protocol Engineering (1).pptxSeunLanLege1
 
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101Attacking and Exploiting Ethereum Smart Contracts: Auditing 101
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101Simone Onofri
 
Blockchain course-content-at-nbits (1)
Blockchain course-content-at-nbits (1)Blockchain course-content-at-nbits (1)
Blockchain course-content-at-nbits (1)sureshbits
 
TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)Mikal Villa
 
New Business Models enabled by Blockchain
New Business Models enabled by BlockchainNew Business Models enabled by Blockchain
New Business Models enabled by BlockchainSlash
 
Build Blockchain dApps using JavaScript, Python and C - ATO.pdf
Build Blockchain dApps using JavaScript, Python and C - ATO.pdfBuild Blockchain dApps using JavaScript, Python and C - ATO.pdf
Build Blockchain dApps using JavaScript, Python and C - ATO.pdfRussFustino
 
Blockchain architected
Blockchain architectedBlockchain architected
Blockchain architectedIBM Sverige
 
Blockchain Land Audit Report.pdf
Blockchain Land Audit Report.pdfBlockchain Land Audit Report.pdf
Blockchain Land Audit Report.pdfBlockchainLand
 
Crypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies IntroCrypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies IntroTal Shmueli
 
10 Best Programming Languages for Blockchain in 2023.pdf
10 Best Programming Languages for Blockchain in 2023.pdf10 Best Programming Languages for Blockchain in 2023.pdf
10 Best Programming Languages for Blockchain in 2023.pdfWDP Technologies
 
Intro to Web3 and Polygon.pdf
Intro to Web3 and Polygon.pdfIntro to Web3 and Polygon.pdf
Intro to Web3 and Polygon.pdfTinaBregovi
 
MobSecCon 2015 - Burning Marshmallows
MobSecCon 2015 - Burning Marshmallows MobSecCon 2015 - Burning Marshmallows
MobSecCon 2015 - Burning Marshmallows Ron Munitz
 
Ethereum Contracts - Coinfest 2015
Ethereum Contracts - Coinfest 2015Ethereum Contracts - Coinfest 2015
Ethereum Contracts - Coinfest 2015Rhea Myers
 
Banking on a Blockchain
Banking on a BlockchainBanking on a Blockchain
Banking on a BlockchainAltoros
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

More Related Content

Similar to Secure Smart Contract - Writing, testing, and deploying a non-trivial dApp

How to Create Blockchain Products by Slice.Market CTO
How to Create Blockchain Products by Slice.Market CTOHow to Create Blockchain Products by Slice.Market CTO
How to Create Blockchain Products by Slice.Market CTOProduct School
 
Blockchain and smart contracts, what they are and why you should really care ...
Blockchain and smart contracts, what they are and why you should really care ...Blockchain and smart contracts, what they are and why you should really care ...
Blockchain and smart contracts, what they are and why you should really care ...maeste
 
Consensu, Security, and the Blockchain Gateway Interface - Ethan Buchman, Ten...
Consensu, Security, and the Blockchain Gateway Interface - Ethan Buchman, Ten...Consensu, Security, and the Blockchain Gateway Interface - Ethan Buchman, Ten...
Consensu, Security, and the Blockchain Gateway Interface - Ethan Buchman, Ten...WithTheBest
 
Building a Bitcoin Hardware Wallet with Golang and a Raspberry Pi Zero
Building a Bitcoin Hardware Wallet with Golang and a Raspberry Pi ZeroBuilding a Bitcoin Hardware Wallet with Golang and a Raspberry Pi Zero
Building a Bitcoin Hardware Wallet with Golang and a Raspberry Pi ZeroNic Raboy
 
How to run your own blockchain pilot
How to run your own blockchain pilotHow to run your own blockchain pilot
How to run your own blockchain pilotSimon Wilson
 
Seun - Breaking into Protocol Engineering (1).pptx
Seun - Breaking into Protocol Engineering (1).pptxSeun - Breaking into Protocol Engineering (1).pptx
Seun - Breaking into Protocol Engineering (1).pptxSeunLanLege1
 
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101Attacking and Exploiting Ethereum Smart Contracts: Auditing 101
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101Simone Onofri
 
Blockchain course-content-at-nbits (1)
Blockchain course-content-at-nbits (1)Blockchain course-content-at-nbits (1)
Blockchain course-content-at-nbits (1)sureshbits
 
TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)Mikal Villa
 
New Business Models enabled by Blockchain
New Business Models enabled by BlockchainNew Business Models enabled by Blockchain
New Business Models enabled by BlockchainSlash
 
Build Blockchain dApps using JavaScript, Python and C - ATO.pdf
Build Blockchain dApps using JavaScript, Python and C - ATO.pdfBuild Blockchain dApps using JavaScript, Python and C - ATO.pdf
Build Blockchain dApps using JavaScript, Python and C - ATO.pdfRussFustino
 
Blockchain architected
Blockchain architectedBlockchain architected
Blockchain architectedIBM Sverige
 
Blockchain Land Audit Report.pdf
Blockchain Land Audit Report.pdfBlockchain Land Audit Report.pdf
Blockchain Land Audit Report.pdfBlockchainLand
 
Crypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies IntroCrypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies IntroTal Shmueli
 
10 Best Programming Languages for Blockchain in 2023.pdf
10 Best Programming Languages for Blockchain in 2023.pdf10 Best Programming Languages for Blockchain in 2023.pdf
10 Best Programming Languages for Blockchain in 2023.pdfWDP Technologies
 
Intro to Web3 and Polygon.pdf
Intro to Web3 and Polygon.pdfIntro to Web3 and Polygon.pdf
Intro to Web3 and Polygon.pdfTinaBregovi
 
MobSecCon 2015 - Burning Marshmallows
MobSecCon 2015 - Burning Marshmallows MobSecCon 2015 - Burning Marshmallows
MobSecCon 2015 - Burning Marshmallows Ron Munitz
 
Ethereum Contracts - Coinfest 2015
Ethereum Contracts - Coinfest 2015Ethereum Contracts - Coinfest 2015
Ethereum Contracts - Coinfest 2015Rhea Myers
 
Banking on a Blockchain
Banking on a BlockchainBanking on a Blockchain
Banking on a BlockchainAltoros
 

Similar to Secure Smart Contract - Writing, testing, and deploying a non-trivial dApp (20)

How to Create Blockchain Products by Slice.Market CTO
How to Create Blockchain Products by Slice.Market CTOHow to Create Blockchain Products by Slice.Market CTO
How to Create Blockchain Products by Slice.Market CTO
 
Web3-Guide.pdf
Web3-Guide.pdfWeb3-Guide.pdf
Web3-Guide.pdf
 
Blockchain and smart contracts, what they are and why you should really care ...
Blockchain and smart contracts, what they are and why you should really care ...Blockchain and smart contracts, what they are and why you should really care ...
Blockchain and smart contracts, what they are and why you should really care ...
 
Consensu, Security, and the Blockchain Gateway Interface - Ethan Buchman, Ten...
Consensu, Security, and the Blockchain Gateway Interface - Ethan Buchman, Ten...Consensu, Security, and the Blockchain Gateway Interface - Ethan Buchman, Ten...
Consensu, Security, and the Blockchain Gateway Interface - Ethan Buchman, Ten...
 
Building a Bitcoin Hardware Wallet with Golang and a Raspberry Pi Zero
Building a Bitcoin Hardware Wallet with Golang and a Raspberry Pi ZeroBuilding a Bitcoin Hardware Wallet with Golang and a Raspberry Pi Zero
Building a Bitcoin Hardware Wallet with Golang and a Raspberry Pi Zero
 
How to run your own blockchain pilot
How to run your own blockchain pilotHow to run your own blockchain pilot
How to run your own blockchain pilot
 
Seun - Breaking into Protocol Engineering (1).pptx
Seun - Breaking into Protocol Engineering (1).pptxSeun - Breaking into Protocol Engineering (1).pptx
Seun - Breaking into Protocol Engineering (1).pptx
 
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101Attacking and Exploiting Ethereum Smart Contracts: Auditing 101
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101
 
Blockchain course-content-at-nbits (1)
Blockchain course-content-at-nbits (1)Blockchain course-content-at-nbits (1)
Blockchain course-content-at-nbits (1)
 
TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)
 
New Business Models enabled by Blockchain
New Business Models enabled by BlockchainNew Business Models enabled by Blockchain
New Business Models enabled by Blockchain
 
Build Blockchain dApps using JavaScript, Python and C - ATO.pdf
Build Blockchain dApps using JavaScript, Python and C - ATO.pdfBuild Blockchain dApps using JavaScript, Python and C - ATO.pdf
Build Blockchain dApps using JavaScript, Python and C - ATO.pdf
 
Blockchain architected
Blockchain architectedBlockchain architected
Blockchain architected
 
Blockchain Land Audit Report.pdf
Blockchain Land Audit Report.pdfBlockchain Land Audit Report.pdf
Blockchain Land Audit Report.pdf
 
Crypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies IntroCrypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies Intro
 
10 Best Programming Languages for Blockchain in 2023.pdf
10 Best Programming Languages for Blockchain in 2023.pdf10 Best Programming Languages for Blockchain in 2023.pdf
10 Best Programming Languages for Blockchain in 2023.pdf
 
Intro to Web3 and Polygon.pdf
Intro to Web3 and Polygon.pdfIntro to Web3 and Polygon.pdf
Intro to Web3 and Polygon.pdf
 
MobSecCon 2015 - Burning Marshmallows
MobSecCon 2015 - Burning Marshmallows MobSecCon 2015 - Burning Marshmallows
MobSecCon 2015 - Burning Marshmallows
 
Ethereum Contracts - Coinfest 2015
Ethereum Contracts - Coinfest 2015Ethereum Contracts - Coinfest 2015
Ethereum Contracts - Coinfest 2015
 
Banking on a Blockchain
Banking on a BlockchainBanking on a Blockchain
Banking on a Blockchain
 

Recently uploaded

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Recently uploaded (20)

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Secure Smart Contract - Writing, testing, and deploying a non-trivial dApp

  • 1. TBBUG The MIT License Paresh Yadav Secure Smart Contract - Writing, testing, and deploying a non-trivial dApp Toronto Blockchain Builders and Users Group (TBBUG) Paresh Yadav http://www.linkedin.com/in/pareshyadav @yparesh
  • 2. TBBUG The MIT License Paresh Yadav What we are going to cover ● Tech and only tech and application of tech ● At times we will simplify with analogies to get the concept across, the analogies are never perfect ● Not going to cover “business” and Legal side ○ Tokenomics ○ The legal standing of tokens as “security” or not! ○ Investment advice (Else I would have been SBF :))
  • 3. TBBUG The MIT License Paresh Yadav Agenda: ● Attack surface area/s of dApps ● Writing secure Solidity code ● Secure Cross-chain Bridge contract ● Use case - Nomad Bridge hack analysis ● Secure Flash loan contract ● Secure wallets (Multisig wallets) ● How to work with, "hack" bug bounty programs! ● Q & A
  • 4. TBBUG The MIT License Paresh Yadav Agenda: ● Attack surface area/s of dApps ● Writing secure Solidity code ● Secure Cross-chain Bridge contract ● Use case - Nomad Bridge hack analysis ● Secure Flash loan contract ● Secure wallets (Multisig wallets) ● How to work with, "hack" bug bounty programs! ● Q & A
  • 5. TBBUG The MIT License Paresh Yadav Attack surface area
  • 6. TBBUG The MIT License Paresh Yadav Attack surface area
  • 7. TBBUG The MIT License Paresh Yadav Points of Vulnerability in Smart Contract App stack ● “Stolen” (from) Wallets ○ Phishing attacks (don’t check uninvited Google doc shares by strangers) ○ Discord - Phishing Links ○ Profanity Vanity address hack ■ “Normal” address - 0x782B7FA74921E152820151D32ca019f4b33f022F ■ Vanity address - 0x0000000000000000000000000000000000028Ae8 ■ https://blog.1inch.io/a-vulnerability-disclosed-in-profanity-an-ethereum-vanity-address-tool-68ed7455fc8c ● Your client software (website, crosschain bridge, mobile app, wallets etc.) ● The external RPC servers ● Mem pool sniffing attacks (possible due to gas boosting) ○ MEV attacks ○ Raising Price of item on sale by the saler ● Bugs in smart contracts ○ Known buggy patterns in smart contracts ○ Unknown, unknown!
  • 8. TBBUG The MIT License Paresh Yadav Agenda: ● Attack surface area/s of dApps ● Writing secure Solidity code ● Secure Cross-chain Bridge contract ● Use case - Nomad Bridge hack analysis ● Secure Flash loan contract ● Secure wallets (Multisig wallets) ● How to work with, "hack" bug bounty programs! ● Q & A
  • 9. TBBUG The MIT License Paresh Yadav Some tips for writing secure Solidity code ● Use the latest Solidity version ● Keep contracts simple (but NOT simplistic) ● Use secure coding practices: ○ validating input data ○ checking return values ○ handling errors appropriately ● Avoid integer overflows and underflows: Use the SafeMath library ● Avoid sending Ether to unknown addresses
  • 10. TBBUG The MIT License Paresh Yadav Agenda: ● Attack surface area/s of dApps ● Writing secure Solidity code ● Secure Cross-chain Bridge contract ● Use case - Nomad Bridge hack analysis ● Secure Flash loan contract ● Secure wallets (Multisig wallets) ● How to work with, "hack" bug bounty programs! ● Q & A
  • 11. TBBUG The MIT License Paresh Yadav What is a Crosschain Bridge?
  • 12. TBBUG The MIT License Paresh Yadav Crosschain Bridge: ● Why we need them ● What is a wrapped coin eg. WETH, WBTC etc. ● They are made of: ○ Smart Contract “A” on 1st Blockchain (Say Ethereum) ○ Smart Contract “B” on 2nd Blockchain (Say Polygon) ○ The middle layer (agents) that sends messages between the two Smart Contracts/Blockchains ● How do they work (next slide)
  • 13. TBBUG The MIT License Paresh Yadav How do Crosschain Bridges work: ● Let us say Contract “A” on Ethereum has 10 ETH at the beginning ● Let us say Contract “B” on Polygon has no WETH at the beginning ● Say the user wants to send 1 ETH from Ethereum to Polygon ● She sends request to the bridge frontend to swap 1 ETH on with 1 WETH ● “A” locks 1 ETH and now has 9 ETH float ● “A” generates a “message” and stores in a Merkel tree and also gives the “message” to Bridge “agent” ● Agents calls proveAndProcess(“message”) method on “B” ● “B”.proveAndProcess(“message”) ○ checks if the message exists in the Merkel tree ○ and if so calls Process(message) method which mints 1 WETH and gives it to the user ● Of course the bridge charges fees (“commission”) to facilitate the transfer which the user sends when sending the request
  • 14. TBBUG The MIT License Paresh Yadav ● Ronin Bridge hack in March 2022 (Stolen amount 540M) ● Wormhole Bridge hack in February of 2022 (Stolen amount 250M) ● Nomad Bridge in August 2022 (Stolen amount 186M) Some of the largest hacks involved Bridges
  • 15. TBBUG The MIT License Paresh Yadav Link to code for - Crosschain Bridge Example
  • 16. TBBUG The MIT License Paresh Yadav Agenda: ● Attack surface area/s of dApps ● Writing secure Solidity code ● Secure Cross-chain Bridge contract ● Use case - Nomad Bridge hack analysis ● Secure Flash loan contract ● Secure wallets (Multisig wallets) ● How to work with, "hack" bug bounty programs! ● Q & A
  • 17. TBBUG The MIT License Paresh Yadav ● When? - On August 1, 2022 ● How much? - More than $186M stolen in just a few hours ● How? (next slide) Nomad Bridge hack analysis
  • 18. TBBUG The MIT License Paresh Yadav How of Nomad Bridge hack Below is “Contract B” of Nomad Bridge (Replica.Sol)
  • 19. TBBUG The MIT License Paresh Yadav … Contd - How of Nomad Bridge hack
  • 20. TBBUG The MIT License Paresh Yadav … Contd - How of Nomad Bridge hack
  • 21. TBBUG The MIT License Paresh Yadav … Contd - How of Nomad Bridge hack
  • 22. TBBUG The MIT License Paresh Yadav … Contd - How of Nomad Bridge hack
  • 23. TBBUG The MIT License Paresh Yadav Agenda: ● Attack surface area/s of dApps ● Writing secure Solidity code ● Secure Cross-chain Bridge contract ● Use case - Nomad Bridge hack analysis ● Secure Flash loan contract ● Secure wallets (Multisig wallets) ● How to work with, "hack" bug bounty programs! ● Q & A
  • 24. TBBUG The MIT License Paresh Yadav Link to code for - Flash Loan Example
  • 25. TBBUG The MIT License Paresh Yadav Agenda: ● Attack surface area/s of dApps ● Writing secure Solidity code ● Secure Cross-chain Bridge contract ● Use case - Nomad Bridge hack analysis ● Secure Flash loan contract ● Secure wallets (Multisig wallets) ● How to work with, "hack" bug bounty programs! ● Q & A
  • 26. TBBUG The MIT License Paresh Yadav Link to code for - Multisig Wallet Example
  • 27. TBBUG The MIT License Paresh Yadav Agenda: ● Attack surface area/s of dApps ● Writing secure Solidity code ● Secure Cross-chain Bridge contract ● Use case - Nomad Bridge hack analysis ● Secure Flash loan contract ● Secure wallets (Multisig wallets) ● How to work with, "hack" bug bounty programs! ● Q & A
  • 28. TBBUG The MIT License Paresh Yadav Bug bounty! ● Why it is better to work with Bug bounty and not hack/steal? ● Usually paid in their token so make sure the token/protocol is doing well ● How to find opportunities that pays to find bugs in smart contracts ○ Example - https://medium.com/the-liquidapps-blog/dapp-networks-bridge-to-ethereum-bug-bounty-afcaf7 7d6296 ○ https://immunefi.com/explore/ ● How to work with ("hack") bug bounty programs! ○ 1M + 1M = 2 M! ( https://medium.com/immunefi/aurora-withdrawal-logic-error-bugfix-review-c5b4e30a9160 )
  • 29. TBBUG The MIT License Paresh Yadav References and Resources for further reading ● https://drive.google.com/file/d/1-wzuY4U4OKFQ2Mc4ctmwKh2g3fAl4_85/view ● https://www.coinbase.com/blog/nomad-bridge-incident-analysis ● https://github.com/nomad-xyz/nomad-monorepo/blob/main/solidity/nomad-core/contract s/Replica.sol
  • 30. TBBUG The MIT License Paresh Yadav Q & A Thank you!