Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Обзор типичных уязвимостей блокчейн-проектов

Обзор типичных уязвимостей блокчейн-проектов

Доклад Игоря Лырчикова (Digital Security) для демо-зоны PDUG на IT-фестивале TechTrain.

Positive Development User Group

September 02, 2018
Tweet

More Decks by Positive Development User Group

Other Decks in Programming

Transcript

  1. © Digital Security 2 The Pentester’s View on Blockchain Projects

    Agenda • How does it work? • Examples of vulnerable contracts • Client-side vulnerabilities • Common attack vectors at ICO address changing • Latest security incidents overview
  2. © Digital Security 3 The Pentester’s View on Blockchain Projects

    DApp and DAO address = “0xdeadbeef…” ABI = [{“name”: “crowdsale”…}] web3 object HTTP Requests • Geth • Parity • cpp-Ethereum Transaction Call results, events… Browser Transaction Gateway Ethereu m Smart Contact
  3. © Digital Security 4 The Pentester’s View on Blockchain Projects

    Smart Contract’s Vulns/Attacks/Features EVM specifics: • Integer overflow (no exceptions) • ABI encoding/decoding (no args checks) • Short Address Attack • Type confusion • Uninitialized storage pointer Blockchain specifics: • Front-running attack • Timestamp dependency • Generating randomness • Unpredictable state • Keeping secrets Logical (project specifics): • Name it yourself :) Solidity specifics: • Evolution of money sending: • Reentrancy • Gasless send • DOS (due to exception disorders) • Self-destruction • Inheritance
  4. © Digital Security 5 The Pentester’s View on Blockchain Projects

    Logical vulnerabilities • Forgotten access modifiers • Misspelled identifications (variables, functions) • Huge variety of race conditions • Subject area specifics • etc…
  5. © Digital Security 6 The Pentester’s View on Blockchain Projects

    Re-Entrancy • Also known as or related to race to empty, recursive call vulnerability, call to the unknown
  6. 7

  7. © Digital Security 8 The Pentester’s View on Blockchain Projects

    Re-Entrancy Тут будет видео демо
  8. © Digital Security 10 The Pentester’s View on Blockchain Projects

    Re-Entrancy • ~3.6 million ETH were stolen The DAO
  9. © Digital Security 11 The Pentester’s View on Blockchain Projects

    Ethereum account balance manipulation (Coinbase) + 1 ETH 4 ETH (Ethereum view) 1 ETH 1 ETH 1 ETH 1 ETH (Coinbase view) Then attacker can withdraw ether from Coinbase and repeat! 0 ETH (Ethereum and Coinbase* view) Coinbase Wallet 1 Wallet 2 Wallet 3 Broken Smart Contract Coinbase $10k bounty Attacker Smart Contract + 1 ETH + 1 ETH + 1 ETH
  10. © Digital Security 12 The Pentester’s View on Blockchain Projects

    Client-side vulnerabilities and vectors Leaving blockchain aside, can I hack ICO without blockchain knowledge? • XSS • Phishing • Site defacement + clipboard manipulation • Social Engineering • etc… And other vectors: • Weak passwords for Social Network accounts (twitter, slack, FB, etc.) • Hacking related infrastructure and pivoting
  11. © Digital Security 13 The Pentester’s View on Blockchain Projects

    Phishing Tree steps to phishing: • Register a domain name similar to a victim’s one: kickico.com -> kickico.co • Copy a victim’s website and replace ICO smart contact address • Spam spam spam! Mitigations: • Be offensive! Monitor similar domains and inform users (URLCrazy) • Metamask EtherAddressLookup blacklist • Register phishing site at local DNS and resolve them to alert page (for team only) kickico $50k Hack
  12. © Digital Security 14 The Pentester’s View on Blockchain Projects

    Private Key Hijacking • The hackers gained access to the private key of the owner of the KickCoin smart contract kickico $7.7 million Hack Bancor $12.5 million Hack • A wallet used to upgrade some smart contracts was compromised. This compromised wallet was then used to withdraw ETH from the BNT smart contract
  13. © Digital Security 15 The Pentester’s View on Blockchain Projects

    Site defacement and Clipboard manipulation Or a more tricky one… Clipboard manipulation: Easy to understand: • Hack website -> full control information on it • Change ICO address to your own CoinDash.io $7 Million Hack
  14. © Digital Security 16 The Pentester’s View on Blockchain Projects

    Weak passwords There is nothing new here, same old story. Protection? You already know: • 2FA • Password managers • OAuth • etc. $500k HACK
  15. © Digital Security 18 The Pentester’s View on Blockchain Projects

    Pivoting Attack surface: • Interfaces (web) • Social network and email accounts • Third-party Lib/Apps/Chats/API • Oracles (shapeshift and similar) • Mail/VPN/WEB/Mobile/… server • Totally ALL host you control (laptops too) Numerous attack vectors!
  16. © Digital Security 19 The Pentester’s View on Blockchain Projects

    Recommendations Smart Contract security: • Best practices • Code auditing • Bug Bounty (almost free for you!) Infrastructure: • Best practices • Auditing / Security assessment / Penetration testing • Close/hide all optional services