Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bugs in the Blockchain and “Contractual” Vulnerability

Published byあけなお たにしき Modified over 6 years ago

Similar presentations

Presentation on theme: "Bugs in the Blockchain and “Contractual” Vulnerability"— Presentation transcript:

1 Bugs in the Blockchain and “Contractual” Vulnerability
Stark Riedesel

2 Image source: https://davidgerard. co

3 Overview Define Blockchain Define Smart Contract Apply AppSec

4 What’s a Blockchain? A (write-once) database with state changes
Coin moves from owner A to owner B Balance of wallet A changes from X to Y Coin XYZ was created and debited to owner A Coin XYZ was destroyed by owner A Data stored at Z location has been changed to X Event A has been triggered with data X, Y, and Z Similar to git, users maintain a full history History is independently verifiable P2P Message passing (RPC) Image source:

5 Source: https://github.com/ethereum/wiki/wiki/White-Paper

6 Why is it “Secure”? Immutability Proof of Work (PoW) aka. Mining
SHA/Scrypt/Ethash/Equihash/etc… Hash of previous block + Timestamp Proof of Work (PoW) aka. Mining Computationally intensive Ensures history cannot change Adjustable “Difficulty” Hard to compute <-> Easy to check Decentralization All nodes have same data - “Public Ledger” Each (full) node verifies complete history Uses established public-key algorithms (ex. ECDSA) Image source:

7 What does the blockchain Look Like?

8 Types of Blockchains Public Chains Private Chains Quorum
Bitcoin (currency BTC) The “original” and largest ($250b mkt cap) Ethereum (currency ETH) The “original” smart contracting ledger Monero (currency XMR) Private transactions on a public chain Ripple (currency XRP) Bank-to-Bank settlements platform Cardano (currency ADA) Proof-of-Stake (not yet deployed) Quorum JPMC fork of Ethereum for permissioned chains Proof-of-Authority (PoA) Chain code uses EVM (Ethereum virtual machine) Hyper Ledger Fabric Permissioned chain for generic state changes Chain code (usually) written in Go State database usually CouchBase (JSON support)

9 Attacks on the Chain Double Spend - Sybil attack (51% attack)
Longest chain is the most trusted chain Attacker creates longer chain by mining faster than the rest of the network Attacker slows/prevents block relaying Protected by block rewards incentivizing mining Mining “pools” exacerbate issue Small chains especially vulnerable

10 Extending the Blockchain
Embed “code” within a transaction Application state  Blockchain state Database contains: Contracts (addresses mapped to chain code) Contract storage (sparse hash map of memory address to value) Balance sheet (addresses mapped to value) Code is immutable Code defines how state can change Transactions “call” contract functions Fully decentralized web applications (web3.0) Ethereum contracts provide application logic Geth/Parity node runs on client Web3.js communicates with Geth to query state and send transactions

11 Smart Contract Use Cases
Tokens (ICO fundraising) Prediction Markets Online gaming Trade settlements (financial services) Legal contracting (ex. insurance) Licensing (ex. copywrites, patents, software licenses) Decentralized Autonomous Organizations (DAO)

12 What Does a Contract Look like?
Solidity

13 What Does a Contract Look like?
EVM Bytecode

14 Smart Contract Weaknesses
Secrecy is hard Everything is public by design Contract code & storage Transaction contents Private modifier does nothing for secrecy

15 Smart Contract Weaknesses
AuthZ is hard Public blockchains means anyone can call your functions Each function must explicitly check for auth Internal functions must be marked “internal”

16 Smart Contract Weaknesses
Integers are hard 0 – 1 = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF Very common vuln Can lead to buffer overruns (array length underflow) Use SafeMath

17 Smart Contract Weaknesses
Concurrency is hard Order of operations matter Revert only undoes your own state Sending transactions can have side-effects Sending ETH can invoke a receiving function (reentrancy bugs)

18 Smart Contract Weaknesses
Randomness is hard All nodes in the chain must agree on computation Poor sources of entropy in chain

19 Tools for the Smart Contracting
Truffle: development build framework Ganache: CLI/GUI fake blockchain for testing/development (instant mining, now PoW) Geth: Official Ethereum client written in Go (most common) Parity: Ethereum client written in Rust (second most common) Solc: Solidity compiler Mist: Official Ethereum web browser (built-in Ethereum client and web3 engine) Metamask: Chrome/Firefox extension for connecting to Ethereum networks Porosity: Ethereum decompiler/disassembler Solhint: Solidity linter and static code analysis Mythril: Ethereum contract search tool and static analysis engine DappHub: Collection of useful utilities for developing, testing, and hacking on Ethereum

20 Image Source: https://congacomic.tumblr.com/
Questions?

Download ppt "Bugs in the Blockchain and “Contractual” Vulnerability"

Similar presentations

Bitcoin: A New Internet Currency Stephen Clayton Senior Economic Education Specialist Federal Reserve Bank of Dallas The opinions expressed are solely.

Bitcoin: A New Internet Currency Stephen Clayton Senior Economic Education Specialist Federal Reserve Bank of Dallas The opinions expressed are solely.
Beyond Bitoin: The Bitcoin 2.0 movement

Beyond Bitoin: The Bitcoin 2.0 movement
BITCOIN An introduction to a decentralised and anonymous currency. By Andy Brodie.

BITCOIN An introduction to a decentralised and anonymous currency. By Andy Brodie.
1 Bitcoin A Digital Currency. Functions of Money.

1 Bitcoin A Digital Currency. Functions of Money.
Blockchain The Ethereum World Computer – Individual Empowerment or the first step to even more information control?

Blockchain The Ethereum World Computer – Individual Empowerment or the first step to even more information control?
Intro to Block Chain Bitcoin. Blocks ●Ethereum - block chain ●Dogecoin - block chain ●Ripple - not a block chain ●Stellar - not a block chain ●Bitcoin.

Intro to Block Chain Bitcoin. Blocks ●Ethereum - block chain ●Dogecoin - block chain ●Ripple - not a block chain ●Stellar - not a block chain ●Bitcoin.
© 2016 consensys.net Intro to The Blockchain. © 2016 consensys.net.

© 2016 consensys.net Intro to The Blockchain. © 2016 consensys.net.
Block Chain 101 May 2017.

Block Chain 101 May 2017.
Motivation ✓ ✘ ? Bitcoin/Ideal Credit Card Works on Internet

Motivation ✓ ✘ ? Bitcoin/Ideal Credit Card Works on Internet
BlockChain Technology

BlockChain Technology
Blockchain Infrastructure for e-Science

Blockchain Infrastructure for e-Science
Cryptocurrencies by.

Cryptocurrencies by.
Blockchain Introduction

Blockchain Introduction
Bitcoin - a distributed virtual currency system

Bitcoin - a distributed virtual currency system
Where Money and Technology Meet

Where Money and Technology Meet
KrypC Technologies Accelerated Blockchain Adoption.

KrypC Technologies Accelerated Blockchain Adoption.
Distributed Systems for Information Systems Management

Distributed Systems for Information Systems Management
Cryptocurrencies By Rui Sakurai and Shane Spears

Cryptocurrencies By Rui Sakurai and Shane Spears
Introduction to Blockchain & Ethereum

Introduction to Blockchain & Ethereum
DAO for penetration testers

DAO for penetration testers

Similar presentations

Ads by Google