This document outlines the agenda for a presentation on secure smart contract development. The presentation will cover attack surfaces of dApps, writing secure Solidity code, secure cross-chain bridge contracts, an analysis of the Nomad Bridge hack, secure flash loan contracts, secure multisig wallets, and how to participate in bug bounty programs. Code examples will be provided for cross-chain bridges, flash loans, and multisig wallets. The Nomad Bridge hack will be analyzed in detail to explain how it occurred. Working with bug bounty programs rather than hacking will also be discussed.
Breaking the Kubernetes Kill Chain: Host Path Mount
Secure Smart Contract - Writing, testing, and deploying a non-trivial dApp
1. TBBUG The MIT License Paresh Yadav
Secure Smart Contract - Writing, testing, and deploying a non-trivial dApp
Toronto Blockchain Builders and Users Group (TBBUG)
Paresh Yadav
http://www.linkedin.com/in/pareshyadav
@yparesh
2. TBBUG The MIT License Paresh Yadav
What we are going to cover
● Tech and only tech and application of tech
● At times we will simplify with analogies to get the concept across, the
analogies are never perfect
● Not going to cover “business” and Legal side
○ Tokenomics
○ The legal standing of tokens as “security” or not!
○ Investment advice (Else I would have been SBF :))
3. TBBUG The MIT License Paresh Yadav
Agenda:
● Attack surface area/s of dApps
● Writing secure Solidity code
● Secure Cross-chain Bridge contract
● Use case - Nomad Bridge hack analysis
● Secure Flash loan contract
● Secure wallets (Multisig wallets)
● How to work with, "hack" bug bounty programs!
● Q & A
4. TBBUG The MIT License Paresh Yadav
Agenda:
● Attack surface area/s of dApps
● Writing secure Solidity code
● Secure Cross-chain Bridge contract
● Use case - Nomad Bridge hack analysis
● Secure Flash loan contract
● Secure wallets (Multisig wallets)
● How to work with, "hack" bug bounty programs!
● Q & A
5. TBBUG The MIT License Paresh Yadav
Attack surface area
6. TBBUG The MIT License Paresh Yadav
Attack surface area
7. TBBUG The MIT License Paresh Yadav
Points of Vulnerability in Smart Contract App stack
● “Stolen” (from) Wallets
○ Phishing attacks (don’t check uninvited Google doc shares by strangers)
○ Discord - Phishing Links
○ Profanity Vanity address hack
■ “Normal” address - 0x782B7FA74921E152820151D32ca019f4b33f022F
■ Vanity address - 0x0000000000000000000000000000000000028Ae8
■ https://blog.1inch.io/a-vulnerability-disclosed-in-profanity-an-ethereum-vanity-address-tool-68ed7455fc8c
● Your client software (website, crosschain bridge, mobile app, wallets etc.)
● The external RPC servers
● Mem pool sniffing attacks (possible due to gas boosting)
○ MEV attacks
○ Raising Price of item on sale by the saler
● Bugs in smart contracts
○ Known buggy patterns in smart contracts
○ Unknown, unknown!
8. TBBUG The MIT License Paresh Yadav
Agenda:
● Attack surface area/s of dApps
● Writing secure Solidity code
● Secure Cross-chain Bridge contract
● Use case - Nomad Bridge hack analysis
● Secure Flash loan contract
● Secure wallets (Multisig wallets)
● How to work with, "hack" bug bounty programs!
● Q & A
9. TBBUG The MIT License Paresh Yadav
Some tips for writing secure Solidity code
● Use the latest Solidity version
● Keep contracts simple (but NOT simplistic)
● Use secure coding practices:
○ validating input data
○ checking return values
○ handling errors appropriately
● Avoid integer overflows and underflows: Use the SafeMath library
● Avoid sending Ether to unknown addresses
10. TBBUG The MIT License Paresh Yadav
Agenda:
● Attack surface area/s of dApps
● Writing secure Solidity code
● Secure Cross-chain Bridge contract
● Use case - Nomad Bridge hack analysis
● Secure Flash loan contract
● Secure wallets (Multisig wallets)
● How to work with, "hack" bug bounty programs!
● Q & A
11. TBBUG The MIT License Paresh Yadav
What is a Crosschain Bridge?
12. TBBUG The MIT License Paresh Yadav
Crosschain Bridge:
● Why we need them
● What is a wrapped coin eg. WETH, WBTC etc.
● They are made of:
○ Smart Contract “A” on 1st Blockchain (Say Ethereum)
○ Smart Contract “B” on 2nd Blockchain (Say Polygon)
○ The middle layer (agents) that sends messages between the two Smart Contracts/Blockchains
● How do they work (next slide)
13. TBBUG The MIT License Paresh Yadav
How do Crosschain Bridges work:
● Let us say Contract “A” on Ethereum has 10 ETH at the beginning
● Let us say Contract “B” on Polygon has no WETH at the beginning
● Say the user wants to send 1 ETH from Ethereum to Polygon
● She sends request to the bridge frontend to swap 1 ETH on with 1 WETH
● “A” locks 1 ETH and now has 9 ETH float
● “A” generates a “message” and stores in a Merkel tree and also gives the “message” to
Bridge “agent”
● Agents calls proveAndProcess(“message”) method on “B”
● “B”.proveAndProcess(“message”)
○ checks if the message exists in the Merkel tree
○ and if so calls Process(message) method which mints 1 WETH and gives it to the user
● Of course the bridge charges fees (“commission”) to facilitate the transfer which the user
sends when sending the request
14. TBBUG The MIT License Paresh Yadav
● Ronin Bridge hack in March 2022 (Stolen amount 540M)
● Wormhole Bridge hack in February of 2022 (Stolen amount 250M)
● Nomad Bridge in August 2022 (Stolen amount 186M)
Some of the largest hacks involved Bridges
15. TBBUG The MIT License Paresh Yadav
Link to code for - Crosschain Bridge Example
16. TBBUG The MIT License Paresh Yadav
Agenda:
● Attack surface area/s of dApps
● Writing secure Solidity code
● Secure Cross-chain Bridge contract
● Use case - Nomad Bridge hack analysis
● Secure Flash loan contract
● Secure wallets (Multisig wallets)
● How to work with, "hack" bug bounty programs!
● Q & A
17. TBBUG The MIT License Paresh Yadav
● When? - On August 1, 2022
● How much? - More than $186M stolen in just a few hours
● How? (next slide)
Nomad Bridge hack analysis
18. TBBUG The MIT License Paresh Yadav
How of Nomad Bridge hack
Below is “Contract B” of Nomad Bridge (Replica.Sol)
19. TBBUG The MIT License Paresh Yadav
… Contd - How of Nomad Bridge hack
20. TBBUG The MIT License Paresh Yadav
… Contd - How of Nomad Bridge hack
21. TBBUG The MIT License Paresh Yadav
… Contd - How of Nomad Bridge hack
22. TBBUG The MIT License Paresh Yadav
… Contd - How of Nomad Bridge hack
23. TBBUG The MIT License Paresh Yadav
Agenda:
● Attack surface area/s of dApps
● Writing secure Solidity code
● Secure Cross-chain Bridge contract
● Use case - Nomad Bridge hack analysis
● Secure Flash loan contract
● Secure wallets (Multisig wallets)
● How to work with, "hack" bug bounty programs!
● Q & A
24. TBBUG The MIT License Paresh Yadav
Link to code for - Flash Loan Example
25. TBBUG The MIT License Paresh Yadav
Agenda:
● Attack surface area/s of dApps
● Writing secure Solidity code
● Secure Cross-chain Bridge contract
● Use case - Nomad Bridge hack analysis
● Secure Flash loan contract
● Secure wallets (Multisig wallets)
● How to work with, "hack" bug bounty programs!
● Q & A
26. TBBUG The MIT License Paresh Yadav
Link to code for - Multisig Wallet Example
27. TBBUG The MIT License Paresh Yadav
Agenda:
● Attack surface area/s of dApps
● Writing secure Solidity code
● Secure Cross-chain Bridge contract
● Use case - Nomad Bridge hack analysis
● Secure Flash loan contract
● Secure wallets (Multisig wallets)
● How to work with, "hack" bug bounty programs!
● Q & A
28. TBBUG The MIT License Paresh Yadav
Bug bounty!
● Why it is better to work with Bug bounty and not hack/steal?
● Usually paid in their token so make sure the token/protocol is doing well
● How to find opportunities that pays to find bugs in smart contracts
○ Example -
https://medium.com/the-liquidapps-blog/dapp-networks-bridge-to-ethereum-bug-bounty-afcaf7
7d6296
○ https://immunefi.com/explore/
● How to work with ("hack") bug bounty programs!
○ 1M + 1M = 2 M! (
https://medium.com/immunefi/aurora-withdrawal-logic-error-bugfix-review-c5b4e30a9160 )
29. TBBUG The MIT License Paresh Yadav
References and Resources for further reading
● https://drive.google.com/file/d/1-wzuY4U4OKFQ2Mc4ctmwKh2g3fAl4_85/view
● https://www.coinbase.com/blog/nomad-bridge-incident-analysis
● https://github.com/nomad-xyz/nomad-monorepo/blob/main/solidity/nomad-core/contract
s/Replica.sol