What is blockchain security? - Dylan Dubief

okay thank you so hello everyone and welcome to my blockchain security talk uh before we start just a quick introduction so I'm a French Wonder manager I'm doing uh hacking since uh why you know since I'm getting older every years like everyone most of my friends know me from my world project I'll just like doing a screen injection by voice recognition or implementing a Vertex coffee pod control protocol to make a remote if you still have to work to grab your coffee useless button I'm also doing some more science stuff mostly with Bishop Fox since two years this is a nice job with very cool people of course the best of them are here today so let's talk with us if you want special thanks to dadan for the conference and to the world beside the team and if you want to reach out after the torque here is my Twitter and Linkedin uh before we already start talking about blockchain uh just few disclaimers we are just talking about what we are not talking about so we are not talking about tokens value because it doesn't matter we are not talking about investment because I have no idea or to invest so if you want to be rich don't listen to me uh all the what are supposed to be digital art or these nft things with a dirty monkey we are not talking about that Nifty technology was not made for that at first and if we think about scam pamper and fishing it's only interesting when you are doing investigation so we're not talking about that what we will discuss is uh or the secure aspect of a blockchain and a blockchain application and the main purpose of this work is to bring the interest in the offensive consultant and every curious people uh to the blockchain side so maybe we will have more people to work with even if that means less on this so now let's transfer uh the main question because on the internet you can read a lot of things about blockchain but most of the people talking and writing a book blockchain just can't answer this question so let's install this question very quickly before we start talking about Security even if a blockchain is all about security sub blockchain is just a distributed database with a specific functionality it solves trust issues the issues solved by the blockchain exist since a while more than 40 years it was presented in in the 18th uh mostly known as a business Engineers problem to make it short the general business in this program is about a sending transmitting information when you know some of your assets some of your node or some of your general are compromise and not and can't be addressed in the business option and generous problem the story is if you have an army with General and you want to attack your target you need to use your general to to send the same order to your world Army so if you say to your general to attack your opponent and one of your general decide to call for retweet you will just lose the battle this is the first issues solved by blockchain and other consensus Bitcoin was one of the first implementation of the business infiltrations of the wizard engine Awards program called as a business inflictorians solution the first proposal of a solution a solution was mostly mathematical to reach our consensus that allow you to to keep your system working even with interested assets you you need 3n with one um trusted assets with m al the compromise asset with Bitcoin uh this is um not episodeinforterent implementation as it was present at this time it was reworked it was improved so we reach our constances of the 41 percent that mean you need one n plus one trusted asset process node to reach the consensus and be safe when you are transmitting information um it wasn't solving all the issues uh Bitcoin involved other issues like the accurate power the electricity etc etc so other people try to develop new consensus and here comes the proof of Stack etc etc the problem is the issues is proof of Stack at proof of work don't serve any issues so people continue to work and other consultant so today we are here this is not only resulting for torrent this is not only proof of work this is not only profile stack this is a bunch of consensus and algorithms that solve the trust issues in different situations for instance the proof of work a week right here a token to reward people providing their Ash right power but you can face a Byzantine problem without um having to provide a token or anything there is tokenless blockchain that don't involve token money or this thing you have professional activity proof of capacity and even a mix of a few of them so this is a more complex subject and this is not about what you can see on internet on non-technical paper this is about algorithm uh data transmission trust and cryptography so for this torque uh we are not talking about order consensus because we clearly don't have time to talk about all of them we are we will cover all the aspects of the production but this expression uh we answer one question if in your system you don't need to solve a Byzantine problem you just don't need a blockchain at all so even in your daily life you speak with people you want a blockchain in their product for a new observation you just have to ask them do you need to solve the first issues pictures as a business problem if not they don't need a blockchain at all and even less a cryptocurrency well no we have a solution a consensus to solve trust issues but that's not enough to provide [Music] real technology we need uh decentralized application so after a few years we started to see some new blockchain that become application host with the smart complex technology so before we start about vulnerabilities and other stuff we need to understand the what is a smart contract basically a production is just as I say a super cheap database stored in a multi node with the same state the blockchain is another name explained action of block with data if you can store data you can store source code or code or IC or any kind of code so if you are [Music] a code store on a blockchain powered by a node why not just call node randomly to execute code and let the console switch decide of and solve all the trust issues and this is all we got this first blockchain with smart contracts with decentralized application when the user only had to call some nodes randomly because the console switch solves the trust issues and we're able to execute code and do some do some stuff but at this point at this point we still have an issues that looks pretty obvious at this point we have no ethernet interface so the first blockchain it was just some developer with blockchain Smart Control knowledge and helping with the blockchain doing some stuff but it was pretty Limited so they find a kind of a solution and here is how we come to world world so web3 or when I prefer to call the web 2 plus one layer because this is absolutely not an improvement uh there is a schema of the reality you have the blockchain with your load your data your code and some dirty website in front to create your web 2.1 of course you have a legit website mostly made by developer who publish the smartphone right but you have also a lot of other not so legit website and here we come with a website problem first all the trust issues served by the blockchain is just destroyed by the website because the user will just connect to our website as centralized every website controlled by just one person or a team of developer but with the websites who will interact with the blockchain execute the smart contact that you have no ID of what is inside your your website so all the work made around the conferences and solving the byzantines program are just useless when you are using a single website to interact with your blockchain and this is not the only issues this is the biggest one because the blockchain just become absolutely useless with a website but will impact your users because if our website is compromised because of Any usual vulnerabilities users connecting to the website are likely to lost their private keys are likely to accept transaction they are no clue they have no information about so now you have the consensus vulnerabilities you have the smartphone request vulnerabilities uh all the issues solve ISO consultances are destroyed by the website but you also have the website issues affecting your environment and with all the people building R1 blockchain without worry knowing what is a blockchain you can find some web stuff like some private key unique privacy we will own by one person running a world project with a lot of money inside stored in clear text in some S3 packets VPS or other dirty server so what was a strange at first uh like the smart portal allow everyone to build our own because the decentralized application made by the smart contract allow people to answer every people to interact with the smart contract so everyone can build around become a threat because even if anyone can build it's clear that anyone shouldn't build around and most of security consultant and potassium no wire so let's see uh real use case of what uh our website vulnerability can look like last year I was looking around doing some research because I was tired of all these defy things or all this thing I would finance and money so I was looking for some new project more real use case so I was trying to find some interesting game using blockchain ym because in my port of view game blockchain cam makes it can make sense for a game if there is gamer here you will probably know why especially if you are into LPG or strategy game a decentralized application can be interesting when it's come about Community when you come about in-game markets when it come about competitive game or a lot of things and you guys you can use a blockchain to run [Music] um gaming ecosystem without involving a single cryptocurrency blockchain is not about money so you can use uh for instance any gaming company social Blizzard or anything or even online for for the people who know this game can have a private blockchain with public node with um we used by your just player to continue to build around the game and make the with the Game grow with the community that's why I'll start looking for a game uh I was quickly disappointed because I didn't find any interesting game but in our security point of view I found some the first game I did this was a Flappy Bird like it was on a web app a mobile app with just the usual Factory Bird game all world was a Nifty with some characteristics to deal with score with exchange competition Etc not very interesting so industrial point is the team start to make some context with real money involved in price Sports so if you know there is a game published with a daily contest with money involved what could could go wrong of course it will be attacked because every day you can earn money spoiler on the story The Smart contact was not the issues so what was this game as every competitive game mostly when it's it's involving a prize pool with money you will attract boots to cheat and go to competitive game and be ranked without doing anything if you want to know more about voting game you have the perfect work tomorrow for the game every day you had five thousand dollar in price pool every day eighty percent of this happened was distributed among the top five players so it was an easy way to make a decent uh daily amount of money and as a Target outside of a smart contract we had a JavaScript web app a mobile app for Android and iOS the fact the reality of this game is after only two days of launch a dedicated team from sankapur already finished to build about to attack the game the team will build this game was only focused on the Smart Control acts of the um was only focused on the smart controller the crypto currency Etc so when they publish the first version of the game the game didn't had any um antibod on teach IT solutions inside the source code so it was an easy Win Thursday they published the game I did some communication people start to play ways the second day it become popular the third day the full top five was owned by the Singapore team and ultimately get grabbed by support team so they try to click to quickly answer the problem and develop some antibod solution but developing antibod solution is a real world works you can improvise so the next coming days was mostly the team updating the project pushing some antibods called Direction production to stop the building and on the other side the Singapore team updating their bot to bypass the patch so the team got angry is start to ban all the birds on know your metrics so we're just like I am sure this guy is cheating so let's burn the birds we had like twenty thousand dollars of damage with all the users of goodbye for no reason it was a complete for people who was crying in company and Community it was kind of find from my point of view at this point I was just curious I started to infiltrate both the bot team and the project team I was at the point I had an accountant Discord on the both team getting access to some of the code of the Bots and the other side they got me a moderation permission from the team and the Discord to manage what the support for us so I was just in the middle of everything looking with uh I wasn't robbery that was just having fun for me so I spent few days getting information okay that's the code from the boat located at the solution proposed by the project team and I didn't find any solution so before leaving this story I am just ID to do something just for fun it was kick so both team from the top five find a way to be first and just uh beat the bot so as every pen tester I'm start I start looking at every piece of the project developing a boat was not Micron because first I'm too lazy to build a boat for this kind of game secondly it was JavaScript I can do JavaScript but I don't like it so I'm not gonna develop a bots in JavaScript so I start to look at the Smart contract didn't find any comment vulnerability both on any technique or all the contact undering the tokens the money it was pretty safe they had um what we call a code wallet this is a smart contact only order token and who are doing only one action so it was kind of a security by Simplicity oriented but I didn't find any way to get anything from the contracts in the same way I didn't find the private key say properly store it in a sexual way real financing so I start testing the Android Android app because I like Android IOS app at all because I don't even have an iPhone so after doing some tests I found the app has no root detection so you can root your app doing something like this uh they don't care no certificate pinning so you can intercept every request between the phone and the game uh but I don't find any interesting that I have stolen to the phone except your own wallet but anyway I don't want to put my wallet on my phone or do this kind of stuff uh so I started to look for another way and that's why I didn't spoke about the web app yet so I did what I'm doing almost every week I launch burp start to intercept all the requests between my browser and the game and I quickly found that there is not that much request I found one interesting request when you launched the game with some call to check your wallet check your build ID and stores the data inside Java JavaScript and after that even with the interception on you can play the game without being interrupted and when you complete the game when you lose you have a final request this request it was very simple you have no authentication at all the first request getting your build ID information from your wallet was provide on the router with the score no authentication no permission control nothing just calling what they call an API I'm not even sure we can call that an API this is just a post request sending your board ID and the score so if you want to be first what should I do just simply send a request every day one second before the end of the contest just getting the top payer score and adding adding one and sending the request and that's it you win so just with this request uh the both team was out of the top one I just so um yeah so I did the test once uh wasn't very interested by doing this every day and storing the money I was just curious entering to to beat the bad team so it was pretty successful um so at this point the result was or the security was on the smart contract side the game was just a client-side JavaScript with no authentication at all it was very game um the both team did lost a lot of time because I still I'm still trying to figure out why they did so much development to have about when they you just have to send a request to win the game and that's it there is a lot of work to do for having a Warrior game in my point of view this is not even a bit at game in beta test this is just a proof of concept or oh you can make a game with the blockchain using real money for this is is a is a shame wait yeah perfect um so the point of the story was just to show you uh that even if you don't know uh Auto Pro to develop smart contract you can still be involved in blockchain security because a lot of people are directly doing dirty thing around the blockchain so you can have fun you can find some interesting stuff if you have a junior open tester this is also a good way because you are going to find some vulnerabilities we didn't buy since 20 years so this is heaven this is like uh doing some training in some challenge website uh you have the people doing smartphones are then that build uh some up of this Smartphone right um this is also a good way to stop to learn smart contract because when you are going to analyze all these projects are working just you will start to understand uh all the technology bi the smart contracts used by this project Etc so it's a good way to start if you want to learn or to do some pen test or backbend tea but at the point you will you will you are going to want to to test the smart contracts you are going to do some augmentation and there is a platform for backbending for smart contracts and the Ubuntu are pretty juicy because with a critical Ubuntu you can earn like Alpha million for a single critical Bundy so can be presented interesting but before you you launch yourself on the smartphone these things you need to know few things smart portraits are public and at the moment you publish your code is it's at risk everyone can read the code if the code is not easily readable you still have the Hope code so there is always a way to understand what the Smart Control is doing everyone can interact with everything so it's like being attacked at every second and even if you shouldn't test in production most of the bug Bunty Target magnet the mail net is equivalent of production so this is a everything you are going to do we will have an effect and with blockchain and smartphone products all the thing you are going to do can be undone when you launch your attack when you try something since you launch our attack it's too late to go back and here we go to what I call the devops 199 technology methodology a few years ago a very big project with uh 300 millions of dollars inside [Music] issues on GitHub a user just come open an initial and GitHub and anyone can kill your contracts when you kill a conflict you don't destroy the data when your data is on the blockchain it's the instruction but if you kill the contract it will lock the contract everything will be terminated nobody will be able to interact with it everything will be locked so this guy devops 199 open issue heading to the this big project that anyone is able to kill the products while you're waiting foreign [Music] to the issue I accidentally hit the contract the contract so the guy was just doing some tests he looked he opened the issue because he was worried and while testing he accidentally triggered the function to ca