Agenda
• How does it work?
• Examples of vulnerable contracts
• Client-side vulnerabilities
• Common attack vectors at ICO address changing
• Latest security incidents overview
Ethereum account balance manipulation (Coinbase)
[Diagram] Attacker Smart Contract -> Broken Smart Contract -> Coinbase Wallet 1, Wallet 2, Wallet 3 (+1 ETH to each)
Diagram labels: Ethereum view: +1 ETH, 4 ETH; Coinbase view: 1 ETH, 1 ETH, 1 ETH, 1 ETH
Then attacker can withdraw ether from Coinbase and repeat!
After withdrawal: 0 ETH (Ethereum and Coinbase* view)
Coinbase $10k bounty
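The slide contrasts what the chain actually holds ("Ethereum view") with what the exchange's internal ledger has credited ("Coinbase view"). The defensive control for this class of bug is a reconciliation step that refuses withdrawals while ledger credits exceed on-chain holdings. The following is an added example, not code from the talk or from Coinbase; the wallet names, balances and the simplified one-ledger-per-wallet model are constructed assumptions that mirror the diagram.

```python
from decimal import Decimal

# Constructed sample data (not from the talk): the balances the chain actually
# reports for three exchange-owned deposit wallets after the attacker's
# contract ran. Only one ETH really arrived.
ONCHAIN_BALANCES = {
    "wallet1": Decimal("1"),
    "wallet2": Decimal("0"),
    "wallet3": Decimal("0"),
}

# What the exchange's deposit indexer recorded: it credited every inbound
# transfer it observed, so all three wallets look funded in the ledger.
LEDGER_EVENTS = [
    ("wallet1", Decimal("1")),
    ("wallet2", Decimal("1")),
    ("wallet3", Decimal("1")),
]


def ledger_balances(events):
    """Sum credit events into a per-wallet ledger view (the 'Coinbase view')."""
    balances = {}
    for wallet, amount in events:
        balances[wallet] = balances.get(wallet, Decimal("0")) + amount
    return balances


def reconcile(ledger, onchain):
    """Compare the ledger view with the chain view.

    Returns (overcredit, shortfall): the per-wallet amount by which the ledger
    exceeds the chain, and the total of those excesses. A non-zero shortfall
    means the exchange believes it holds ETH that does not exist on-chain.
    """
    overcredit = {}
    for wallet in set(ledger) | set(onchain):
        diff = ledger.get(wallet, Decimal("0")) - onchain.get(wallet, Decimal("0"))
        if diff > 0:
            overcredit[wallet] = diff
    return overcredit, sum(overcredit.values(), Decimal("0"))


def approve_withdrawal(wallet, amount, ledger, onchain):
    """Gate a withdrawal on a clean reconciliation, not on the ledger alone.

    The slide's attack works because the ledger balance is trusted as-is; this
    check freezes all withdrawals as soon as ledger and chain disagree, which
    is what stops the 'withdraw and repeat' loop.
    """
    _, shortfall = reconcile(ledger, onchain)
    if shortfall > 0:
        return False, f"withdrawals frozen: ledger exceeds chain by {shortfall} ETH"
    if amount > ledger.get(wallet, Decimal("0")):
        return False, "insufficient ledger balance"
    return True, "ok"


if __name__ == "__main__":
    ledger = ledger_balances(LEDGER_EVENTS)
    overcredit, shortfall = reconcile(ledger, ONCHAIN_BALANCES)
    print("ledger view:", ledger)
    print("chain view: ", ONCHAIN_BALANCES)
    print("over-credited wallets:", overcredit, "shortfall:", shortfall)
    print(approve_withdrawal("wallet1", Decimal("1"), ledger, ONCHAIN_BALANCES))
```

In production the chain view comes from a node query over the exchange's deposit addresses and the reconciliation runs on a schedule and before every withdrawal batch; the point of the model is that the withdrawal path must consult both views, never the ledger by itself.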
Client-side vulnerabilities and vectors
Leaving blockchain aside, can I hack an ICO without blockchain knowledge?
• XSS
• Phishing
• Site defacement + clipboard manipulation
• Social Engineering
• etc…
And other vectors:
• Weak passwords for social network accounts (Twitter, Slack, FB, etc.)
• Hacking related infrastructure and pivoting
Phishing
Three steps to phishing:
• Register a domain name similar to the victim’s: kickico.com -> kickico.co
• Copy the victim’s website and replace the ICO smart contract address
• Spam spam spam!
Mitigations:
• Be offensive! Monitor similar domains and inform users (URLCrazy)
• MetaMask EtherAddressLookup blacklist
• Register phishing sites in local DNS and resolve them to an alert page (for the team only)
kickico $50k Hack
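The "monitor similar domains" mitigation is what tools like URLCrazy automate: generate the lookalikes an attacker would register and watch for them in certificate-transparency logs, passive DNS or new-registration feeds. The following is an added example, not code from the talk or from URLCrazy; it generates the lookalike set for the slide's kickico.com example, adds an edit-distance and brand-substring check for variants the generator does not enumerate, and runs over a constructed list of observed domains. The TLD list and homoglyph table are assumptions chosen for illustration.

```python
# Assumed: the legitimate domain being protected (the slide's example).
LEGIT_DOMAIN = "kickico.com"
# Assumed watch lists; a real deployment would use a much larger TLD and homoglyph set.
WATCH_TLDS = ["com", "co", "io", "net", "org"]
HOMOGLYPHS = {"i": ["1", "l"], "o": ["0"], "c": ["e"], "k": ["x"]}


def lookalikes(domain, tlds=WATCH_TLDS):
    """Enumerate registrable lookalikes of `domain` (the set a phisher picks from)."""
    name, _, tld = domain.rpartition(".")
    out = set()
    # TLD swap: kickico.com -> kickico.co (the slide's example)
    for t in tlds:
        if t != tld:
            out.add(f"{name}.{t}")
    # single-character omission: kickico -> kikico
    for i in range(len(name)):
        out.add(f"{name[:i] + name[i + 1:]}.{tld}")
    # adjacent transposition: kickico -> kikcico
    for i in range(len(name) - 1):
        chars = list(name)
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
        out.add(f"{''.join(chars)}.{tld}")
    # single homoglyph substitution: kickico -> kick1co
    for i, ch in enumerate(name):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(f"{name[:i] + sub + name[i + 1:]}.{tld}")
    out.discard(domain)
    return out


def levenshtein(a, b):
    """Edit distance, used to catch variants the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_suspicious(observed, legit=LEGIT_DOMAIN, max_distance=2):
    """Return {domain: reason} for every observed domain that resembles `legit`."""
    candidates = lookalikes(legit)
    legit_name = legit.rpartition(".")[0]
    flagged = {}
    for d in observed:
        if d == legit:
            continue
        name = d.rpartition(".")[0]
        if d in candidates:
            flagged[d] = "generated lookalike"
        elif (dist := levenshtein(name, legit_name)) <= max_distance:
            flagged[d] = f"edit distance {dist}"
        elif legit_name in name:
            flagged[d] = "contains brand name"
    return flagged


# Constructed sample feed (not real registrations): what a CT-log or
# new-domain monitor might hand us in one batch.
OBSERVED_DOMAINS = [
    "kickico.co",        # TLD swap from the slide
    "kick1co.com",       # homoglyph
    "kikcico.com",       # transposition
    "kickicoo.com",      # insertion, not generated but close by edit distance
    "kickico-sale.com",  # brand name embedded in a longer label
    "example.org",       # unrelated
]

if __name__ == "__main__":
    for domain, reason in flag_suspicious(OBSERVED_DOMAINS).items():
        print(f"{domain:20} {reason}")
```

Flagged domains feed the other two mitigations on the slide: they are the entries for the team's local-DNS alert page and the candidates to submit to the MetaMask EtherAddressLookup blacklist once confirmed live.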
Private Key Hijacking
kickico $7.7 million Hack
• The hackers gained access to the private key of the owner of the KickCoin smart contract
Bancor $12.5 million Hack
• A wallet used to upgrade some smart contracts was compromised. This compromised wallet was then used to withdraw ETH from the BNT smart contract
Site defacement and Clipboard manipulation
Easy to understand:
• Hack the website -> full control of the information on it
• Change the ICO address to your own
Or a more tricky one… Clipboard manipulation
CoinDash.io $7 Million Hack
Pivoting
Attack surface:
• Interfaces (web)
• Social network and email accounts
• Third-party libs/apps/chats/APIs
• Oracles (ShapeShift and similar)
• Mail/VPN/web/mobile/… servers
• Absolutely ALL hosts you control (laptops too)
Numerous attack vectors!