DAO for pentesters

Pertsev Alexey
November 26, 2017

1) Solidity hacks/vulnerabilities/attacks/features.
2) Client side attacks at DApp and ICO landing page.
3) Writeup of Parity bugs.
#Solidity #DApp #ICO #ZeroNights2017

Transcript

  1. #whoami
     • Security researcher (for a living)
     • Penetration tester (by profession)
     • Smart Contract developer/auditor (for you)
  2. Agenda
     • DAO? How does it work?
     • Solidity in depth
     • Tools
     • Client-side vulnerabilities
     • Usual attack vectors at an ICO: address changing
     • Most expensive attacks
     • Along the way: Digital Security ICO writeup!
  3. DApp and DAO
     (architecture diagram) The DApp front-end holds the contract address = “0xdeadbeef…” and ABI = [{“name”: “crowdsale”…}]; the web3 object sends HTTP requests to a node (• Geth • Parity • cpp-Ethereum), which forwards transactions and transaction requests to the blockchain and returns call results, events…
  4. Smart Contract’s Vulns/Attacks/Features
     Solidity features:
     • Reentrancy
     • Call of unknown
     • Gasless send
     • Exception disorders
     • DOS
     • Type confusion
     • Uninitialized array
     • Keeping secrets
     EVM features:
     • Short Address Attack
     • Blockhash dependency
     • Integer overflow
     Blockchain features:
     • Front-running attack
     • Timestamp dependency
     • Generating randomness
     • Unpredictable state
     Logical (contract features):
     • Do it yourself :)
  5-9. Front-running attack
     How do miners order transactions in a block before mining? Answer: by gasPrice, then by nonce.
     What can we do? Front-running attack!
     Case: Dsec ICO lottery
       Pending Lottery robot TX: {gasPrice: N, input: X}
       Player TX: {gasPrice: N+1, input: X}
       Block: the player's TX is mined ahead of the robot's.
     Real-world case: Bancor exchange
     Mitigations: tx.gasprice
     Be aware! Miners can order transactions as they wish! (infura?)
  10. Timestamp dependency
     What is the timestamp of a block (block.timestamp in Solidity)?
     According to the Yellow Paper: Hs is the timestamp of block H and must fulfil the relation Hs > P(H)Hs (strictly greater than the parent block's timestamp).
     Along with what the Geth source code “says”, take into account: time to the next block is about 12-17 sec…
     A miner can manipulate block.timestamp by at least several seconds!
     Don’t use it for:
     • entropy source
     • determining the “winner”
  11-14. Short Address Attack
     function transfer(address _to, uint256 _value) { … }
     Calldata layout: func signature (4 bytes) | address _to (32 bytes) | amount _value (32 bytes)
     Attacker address: 0xc24c2841b87694e546a093ac0da6565c8fdd1800; value: 1
     Normal TX.input: 0xa9059cbb0000…000c24c2841b87694e546a093ac0da6565c8fdd1800000…001
     Shortened TX.input (address passed without its trailing 0x00 byte): 0xa9059cbb0000…000c24c2841b87694e546a093ac0da6565c8fdd18000…00100
     After attack: value *= 2^(zero_bytes_count * 8)
     Protection? Check msg.data.length == 4 + 32 * args.count. Swap args?
     The client side software is fully responsible for preventing this attack! Just live with that :)
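The following is an added example, not code from the slides: it models how a client that does not validate address length produces the shortened calldata above, how the EVM's zero-filled CALLDATALOAD shifts _value by one byte, and how the msg.data.length check from the slide rejects the payload. The selector 0xa9059cbb is the real ERC-20 transfer(address,uint256) selector; buggy_client_encode() is a hypothetical model of the faulty client.

```python
# Added example (not from the slides): a model of the Short Address Attack
# and of the msg.data.length check the slide proposes as protection.
# 0xa9059cbb is the real ERC-20 transfer(address,uint256) selector; the
# address and value are the ones on the slide. buggy_client_encode() is a
# hypothetical model of a client that does not validate address length.
SELECTOR = bytes.fromhex("a9059cbb")      # transfer(address,uint256)
ARG_COUNT = 2                              # address _to, uint256 _value
ADDRESS = bytes.fromhex("c24c2841b87694e546a093ac0da6565c8fdd1800")

def buggy_client_encode(to: bytes, value: int) -> bytes:
    """Pads the address word with a fixed 12 zero bytes instead of checking
    that `to` is exactly 20 bytes; a 19-byte address gives 67 bytes of
    calldata, one short of the 4 + 32 * 2 the contract expects."""
    return SELECTOR + b"\x00" * 12 + to + value.to_bytes(32, "big")

def evm_decode_transfer(calldata: bytes):
    """Decode like a contract without a length check: CALLDATALOAD reads
    32-byte words at fixed offsets and zero-fills past the end, so one
    missing byte shifts every later argument left by one byte."""
    padded = calldata.ljust(4 + 32 * ARG_COUNT, b"\x00")
    to = padded[16:36]                        # low 20 bytes of word 0
    value = int.from_bytes(padded[36:68], "big")
    return to, value

def calldata_length_ok(calldata: bytes) -> bool:
    """The check from the slide: msg.data.length == 4 + 32 * args.count."""
    return len(calldata) == 4 + 32 * ARG_COUNT

def guarded_decode_transfer(calldata: bytes):
    """The same decoder behind the length check; short payloads are rejected."""
    if not calldata_length_ok(calldata):
        raise ValueError("malformed calldata: %d bytes" % len(calldata))
    return evm_decode_transfer(calldata)

def shifted_value(value: int, dropped_zero_bytes: int) -> int:
    """The slide's formula: value *= 2^(zero_bytes_count * 8)."""
    return value * 2 ** (dropped_zero_bytes * 8)

if __name__ == "__main__":
    # ADDRESS ends in 0x00, so exactly one trailing byte can be dropped.
    short = buggy_client_encode(ADDRESS[:-1], 1)
    to, value = evm_decode_transfer(short)
    print(len(short), to == ADDRESS, value)   # 67 True 256
    print(calldata_length_ok(short))          # False
```

The decoded recipient is still the full attacker address because the dropped byte was 0x00, which is exactly why only addresses ending in zero bytes are usable for this trick.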
  15-16. Blockhash dependency
     block.blockhash(uint blockNumber) returns (bytes32): hash of the given block - only works for the 256 most recent blocks!
     Don’t use the blockhash of the current block either! A malicious miner can cheat here. martin.swende.se/blog
     Inspired by the Smartbillions lottery
  17. Reentrancy, Call of unknown, Gasless send, Exception disorders
     Is there another way to transfer money? send() transfer() Sure? - DOS possible
  18. Uninitialized array
     Solidity memory types:
     • Storage - storage keyword
     • Memory - memory keyword
     • Calldata - … (args in external functions)
     (The slide's code, not in the transcript, is annotated “// rewrited!” and “// rewrited too!”: an uninitialized local array points into storage by default, so writing to it overwrites storage.)
     To fix: use the memory keyword and/or the constant modifier (or the modern view and pure).
  19. And other tricks…
     (comments from the slide's code, which is not in the transcript:)
     // 10 and float yet not implemented
     // 0
     // 2**256 - 1
     // access control only! Use encryption for secrets keeping.
     // x*2 after call add()
     Not relevant anymore:
     • Stack overflow exception - EIP-150
     • ERC20 double spending - Zeppelin fix
  20. Tools
     Static analysis:
     • remix.ethereum.org (best IDE)
     • securify.ch (online!)
     • solc compiler
     • Linters (Solint, Solcheck, etc.)
     Symbolic (concolic) execution:
     • Oyente (has a Remix built-in version)
     • Manticore (EVM opcode support)
     • Dry-analyzer (has an online version)
     Testing:
     • Truffle development framework
     • web3.(py|js|hs|j) + geth JSON RPC
     • Another smart contract as tester
     Debug:
     • remix.ethereum.org
     • Radare2 (@m0nt3kk1, in progress)
     Multitool:
     • Mythril
     • Porosity (Quorum DLC)
  21. Client side vulnerabilities and vectors
     Blockchain aside, can I hack a DAO without smart contract knowledge?
     • XSS
     • Phishing
     • Site defacement + clipboard manipulation
     • etc…
     And other vectors:
     • Weak passwords for social network accounts (Twitter, Slack, FB, etc.)
     • Hack related infrastructure and pivot from it
     • Attack on an unlocked wallet (JSON RPC) - origin: *
  22. Blockchain stored XSS
     Protect: Don’t trust user data! Always cast, validate, sanitize and escape (order is vital!)
     Payload shown on the slide: <svg/onload=alert(1)>
  23. Phishing
     Three steps to phishing:
     • Register a domain name similar to that of the victim: icokoi.co -> icokoi.com
     • Copy the victim website and replace the ICO smart contract address
     • Spam spam spam!
     Mitigations:
     • Be offensive! Monitor similar domains and inform users (URLCrazy)
     • MetaMask EtherAddressLookup blacklist
     • Register phishing sites in local DNS and resolve them to an alert page (for a team only). Hi @jrunjrun
  24. Site defacement and clipboard manipulation
     Easy to understand:
     • Hack the website -> full control of the information on it
     • Change the ICO address to your own
     Or more tricky… clipboard manipulation (shown on the slide).
  25. Weak passwords
     There is nothing new… But again and again. $500k HACK
     Protection? You already know:
     • 2FA
     • Password managers
     • Mnemonics
     • etc.
  26. Attack on an unlocked wallet
     Default behaviour:
     • Try to send a TX to the RPC -> “authentication needed: password or unlock”
     What developers do:
     • personal.unlockAccount(eth.coinbase, 'notReallyStrongPass', 0)
     • --unlock “0” --password “path/pass”
     But that does not yet work for a browser IDE, so also:
     • --rpccorsdomain “*”
     Consequences:
     • Any website or program can silently send transactions as the developer
  27. Pivoting
     Attack surface:
     • Smart Contract
     • Interfaces (web)
     • Social network and email accounts
     • Third-party Lib/Apps/Chats/API
     • Oracles (ShapeShift and similar)
     • Mail/VPN/WEB/Mobile/… server
     • ALL hosts you control (including laptops)
     Numerous attack vectors!
  28. Recommendations
     Smart Contract security:
     • Best practices
     • Code audit
     • Bug Bounty (it is almost free for you!)
     Infrastructure:
     • Best practices
     • Audit / Security assessment / Penetration testing
     • Close/hide everything unimportant
  29. Let’s talk
     Pertsev Alexey @p4lex (telegram) @_p4lex (twitter) [email protected]
     DAO for penetration testers
     The source code and more examples: here (solidity) and here (web3)