Slide 1

Slide 1 text

The Latest in Smart Contract Security
Yohei Oka (岡 洋平)
Road to Devcon 4.0, 2019/09

Slide 2

Slide 2 text

AGENDA
1. About Smart Contracts
2. About Quantstamp
3. Smart Contract Vulnerabilities
4. .transfer() vs .send() vs .call()

Slide 3

Slide 3 text

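About Smart Contracts
• An alternative means of conducting transactions
• Trustless and Decentralized
• More than roughly 2 trillion yen has been raised through smart contracts over the past two years
• The number of smart contracts is growing rapidly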
 


Slide 4

Slide 4 text

• Still a new technology and concept
• Can manage large sums of money
• Human error is common
• Hard to update once deployed

The Blockchain is Secure
Smart Contracts are Not

Slide 5

Slide 5 text

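About Quantstamp
• Founded by Richard Ma and Steven Stewart in 2017
• Develops a security protocol for smart contracts
• Graduated from Y Combinator (batch W2018)
• Has secured more than 100 billion yen through code audits
• Security advisor to exchanges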


Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

Example: The DAO Hack

    function withdraw() public {
        // Get the user's balance
        uint amountToWithdraw = userBalances[msg.sender];
        // Withdraw the balance; via the fallback function, withdrawals can be repeated without limit
        require(msg.sender.call.value(amountToWithdraw)());
        // Update the user's balance
        userBalances[msg.sender] = 0;
    }

Slide 8

Slide 8 text

Example: The DAO Hack

    function withdraw() public {
        // Get the user's balance
        uint amountToWithdraw = userBalances[msg.sender];
        // Withdraw the balance; via the fallback function, withdrawals can be repeated without limit
        require(msg.sender.call.value(amountToWithdraw)());
        // Update the user's balance
        userBalances[msg.sender] = 0;
    }

smart contract

    // fallback function
    function () public { …. }

About 5 billion yen, at the exchange rate of the time, was drained…

Slide 9

Slide 9 text

Example: The DAO Hack

    function withdraw() public {
        // Get the user's balance
        uint amountToWithdraw = userBalances[msg.sender];
        // Update the user's balance
        userBalances[msg.sender] = 0;
        // Even via the fallback function, withdrawals cannot be repeated without limit
        require(msg.sender.call.value(amountToWithdraw)());
    }

smart contract

    // fallback function
    function () public { …. }

Slide 10

Slide 10 text

Proposed Alternate Solution (2017 - early 2019)

    msg.address.transfer(amount)
    msg.address.send(amount)
    msg.address.call.value(amount)()

avoid    prefer

Slide 11

Slide 11 text

.transfer() vs .send() vs .call()

                         address.call.value()   address.send()   address.transfer()
adjustable gas           yes                    no               no
gas limit                all/settable           2300             2300
return value on error    FALSE                  FALSE            exception

Slide 12

Slide 12 text

Assumption

Slide 13

Slide 13 text

Assumption Gas costs are constant

Slide 14

Slide 14 text

Assumption Gas costs are constant

Slide 15

Slide 15 text

Constantinople Hard Fork Deployment

Slide 16

Slide 16 text

EIP 1283: Net gas metering for SSTORE without dirty maps

Before Constantinople               After Constantinople
all SSTORE operations > 5000 gas    SSTORE operation > 200 gas
> 2300 gas limit                    > 2300 gas limit

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

Istanbul Hard Fork

Slide 19

Slide 19 text

Istanbul Hard Fork

Slide 20

Slide 20 text

Assumption Gas costs are constant

Slide 21

Slide 21 text

Consensys Recommendation

    msg.address.transfer(amount)
    msg.address.send(amount)
    msg.address.call.value(amount)()

Slide 22

Slide 22 text

Consensys Recommendation #1
use checks-effects-interaction pattern

Slide 23

Slide 23 text

checks-effects-interaction pattern

    function withdraw() public {
        // check
        uint amountToWithdraw = userBalances[msg.sender];
        // effects
        userBalances[msg.sender] = 0;
        // interaction
        require(msg.sender.call.value(amountToWithdraw)());
    }

smart contract

    // fallback function
    function () public { …. }

Slide 24

Slide 24 text

Consensys Recommendation #2 use re-entrancy guards

Slide 25

Slide 25 text

re-entrancy guards

Slide 26

Slide 26 text

re-entrancy guards

    function withdraw() public nonReentrant {
        // check
        uint amountToWithdraw = userBalances[msg.sender];
        // interaction
        require(msg.sender.call.value(amountToWithdraw)());
        // effects
        userBalances[msg.sender] = 0;
    }

smart contract

    // fallback function
    function () public { …. }
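
An added example, not taken from the original slides: one way the `nonReentrant` modifier used on slide 26 can be defined, combined with the checks-effects-interaction order from slide 23. It assumes Solidity 0.5.x syntax; the contract name `GuardedVault`, the `locked` flag and `deposit()` are hypothetical.

```solidity
pragma solidity ^0.5.0;

// Added example, not code from the slides. GuardedVault, locked and
// deposit() are hypothetical names chosen for illustration.
contract GuardedVault {
    mapping(address => uint256) public userBalances;

    // Re-entrancy lock: true while a guarded function is executing.
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "re-entrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        userBalances[msg.sender] += msg.value;
    }

    function withdraw() external nonReentrant {
        // check
        uint256 amountToWithdraw = userBalances[msg.sender];
        require(amountToWithdraw > 0, "nothing to withdraw");

        // effects: zero the balance before any external call
        userBalances[msg.sender] = 0;

        // interaction: forwards all remaining gas, so it does not depend on
        // the 2300 gas limit of send/transfer; a fallback function that calls
        // withdraw() again hits the lock and reverts
        (bool ok, ) = msg.sender.call.value(amountToWithdraw)("");
        require(ok, "ether transfer failed");
    }
}
```

Either defence alone stops the repeated withdrawal shown on slide 8; using both keeps the function safe if a later change reorders the statements or adds a second guarded entry point.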

Slide 27

Slide 27 text

Questions?