Smart contract hacking always makes headlines. Typical incidents can cost millions or even hundreds of millions in losses. And the problem doesn’t seem to be going away. Recent independent scans show 34,200 vulnerable smart contracts lurking on the Ethereum blockchain. It’s time to help these developers secure their code and foster a new generation of hardened SDLC practices. Ethereum has fantastic Turing-complete functions awaiting our use, and Solidity smart contracts are a crucial way that the Enterprise Ethereum Alliance, Quorum, and other entities plan on moving to Web 3.0. Ethical hacking of all this new code is a necessary service and excellent way to cash in (ethically).
Join Konstantinos for a look at a Solidity hacking methodology that can be applied right away, including the latest open source tools.
*The current state of Ethereum in the world of financials and other industries
*Introduction to smart contracts and Solidity
*MAIAN tool audit showing 34,200 vulnerable contracts
*Development tools that can be applied to code review
*Manticore, Oyente, MAIAN and other hacking tools
*The basic methodology to follow
*The major flaws you’ll find:
– Re-entrancy — the recursive race flaw in the DAO
– Improper visibility declarations — Parity Wallet hacks 1 and … 2 (!)
– Unchecked send — failure of sending funds that registers incorrectly, such as in “King of the Ether Throne” lottery game
– Overflows and underflows — could lead to spending of tokens a user does not have
– Variable/function ambiguity — basic Solidity poor practice that led to FirePonzi
– Flaws related to gas limits — Arrays/loops and King of the Ether
– Failures to separate between public and private data — common Quorum concern, also flaw found in casinos and other games
– Business logic flaws — when the autonomous is incapable of acting in its stated interest
Konstantinos Karagiannis is the Chief Technology Officer for Security Consulting at BT Americas. In addition to guiding the technical direction of ethical hacking and security engagements, Konstantinos specializes in hacking financial applications, including smart contracts. He works with the research team to help bring emerging technologies in AI, blockchain, and quantum cryptography to InfoSec today. He has spoken at dozens of technical conferences around the world, including DEF CON, Black Hat, RSA, and ISF World Security Congress.