
Smart Contract Security 101

BSides Ahmedabad · 53:37 · 3.4K views · Published 2023-02
Category: Technical
About this talk
Learn smart contract security from the co-founder of Credshields, Shashank. Slides: https://drive.google.com/file/d/1yLIGJJDvwutNgC6L_oW3Uj2LlATyu2no/view
Transcript [en]

Welcome back, people who are now here. I'm sure you are pumped up, caffeinated and eager for our next speaker. He is the CEO and co-founder of the Web3 security company credshields.com, and he is an ex-security analyst cum triager for HackerOne. While we are moving towards Web3, let's put our hands together and welcome Shashank to talk about this decentralized ecosystem and its need for security. [Applause]

Hello everyone. About me: I'm Shashank. I co-founded this company called Credshields. It's a Web3 security company, and we are building a product called SolidityScan. If you know something about Web2 security, you can say SolidityScan is something like Acunetix or Nessus for smart contracts: you just upload your smart contracts and you will find vulnerabilities in it. That's what me and my team are doing. Apart from that, before starting this company I was a security analyst for HackerOne, and previous to that I was a security analyst for Tariff, which is a Malaysian-based trading platform, and before that I was into bug bounty. I was among the earliest bug bounty hunters; I started in 2012 and did bug bounty for a very long time. I was a part of the Cobalt team as well, and HackerOne pentest. So this is my background, and for the past two years I have moved into Web3 security, doing all the research and building this product.

About this talk: since we have a very short time, I'm going to explain very simple things, but they have huge impact and they are very common bugs. The problem with Web3 is, if I directly jump into vulnerabilities, you're not going to understand many things. So for the first 15 minutes, just focus on what I'm saying, because that's the basic building blocks: how a smart contract works. Then we'll talk about vulnerabilities. That is essential, so that's why I'm stressing: the initial 15 minutes, bear with me. It will be more about how Solidity works, how smart contracts work, how blockchain works, and then we'll jump into vulnerabilities.

So what is blockchain? Blockchain is a digitally distributed, decentralized public ledger. Let me explain in very simple terms how blockchain works. Suppose there is person A, person B and person C. Now person A has 100 rupees, 100 INR. What person A does is he transfers 50 rupees to person B, and person B transfers 20 rupees to person C. If you do the calculation, now person A has 50 rupees, person B has 30 rupees and person C has 20 rupees. Now let's talk about the real-world scenario, like how banks work. A goes to the bank, deposits rupees 100, and he has transferred rupees 50 to B, and then B has transferred rupees 20 to C. So now the bank is something where you are trusting them with your money and the ledger. They maintain the ledger that now A has 50 rupees and B has 30 and C has 20.

The problem is, many people started not to trust the banks, and that's where blockchain came into the picture. Banks might freeze your account, or might say that you don't have 50 rupees but you have like 60 rupees or 30 rupees, and that's why this beautiful concept of decentralization came in. There is no ownership, there is no centralization, there is no middleman, and that's what blockchain is. I'll explain the same scenario, what happens in blockchain. Now consider another scenario where A, B and C, all three of them, have three ledgers. In every ledger everyone has mentioned that the first transaction was transacting money from A to B and then B to C, and now the same copy is with all three of them. So how it works is, there is no central authority, so even if A claims that "I have 60 rupees," which he doesn't have, B and C can verify. This is how Bitcoin works. When you download a node server, when you host your own chain, how it works is: from day one when Bitcoin was started till today, right now, whatever transactions are happening, you download the entire ledger to your system. That's how decentralization works: everyone has a copy of transaction one to the transaction right now in their ledger, and that's how verification happens. If someone tries to claim, like if I have a node server and I try to claim that I have 10 BTC but I don't have it, there are numerous people across the world who are running the same ledger who can say that my claim is false. That's how blockchain works.

Now, since we are talking about smart contracts, the reason I talked about Bitcoin was because the idea of Ethereum was taken from Bitcoin. Vitalik, when he created Bitcoin, he was like: Bitcoin is only good for transactions, why not make it a programmable blockchain, so the codes are actually on the blockchain? So codes are there for everyone, codes are immutable, and nobody can change them. It's kind of a decentralized environment where you can store your codes, your logics, and that is completely transparent and available to the entire world. If you see point two, what it says is: Bitcoin is a scripting language and it is just limited to true and false statements of a transaction, like if a transaction happened or it didn't happen, but blockchain adds additional programmable change, like conditions for when the transaction should happen, what should happen, etc. That's why Ethereum is called a programmable blockchain, and these programs are called smart contracts.

So we are clear with the concept of smart contracts. Now I'll explain the basics of Solidity, because these are very essential. I have a piece of code as well with me where I'll try to explain. The Solidity programming language is quite similar to any object-oriented programming language. If you are studying computer science, or if you have knowledge about any object-oriented programming language like C or C++, you'll find Solidity very similar to it, with a little bit of changes. I'm going to focus especially on what things are different, which is related to the Ethereum blockchain.

The first one is the pragma. If you see on the first line, pragma defines what compiler version we are going to use to compile a contract, and this is very essential, because Solidity has lots of versions and the code has to be compiled on the compatible version. So how it is read is: pragma solidity, which is between version 0.7.0 and less than 0.9.0. This is the first concept. Then you have contracts. Whenever you are writing a contract, the first thing you do is you define a contract, like you define a contract like this. It's a very simple concept. Then we have constructors. What the constructor does is, it just runs once. It's very important to learn that the constructor just runs once. When you deploy a contract, what it is doing is it is creating a variable called owner and it is setting it to msg.sender. This is important. msg.sender is a global variable; it automatically states the address which initiated the transaction, and it will automatically set it as the owner. Then we have functions. I don't think I need to explain functions; they are like general functions, you write any function like updateOwner. It's a general thing.

Now this is very important. If you don't understand, do question back, because this is related to a vulnerability which I'm going to explain later on. Smart contracts have something called modifiers. How modifiers work is, when you define a function, you can see there is a function called updateOwner which is taking an input as a new owner address. What this function is doing is it is updating the contract owner, but it has a modifier called onlyOwner. How this works is, whenever this execution happens, the code will run till here and it will notice that it has a modifier called onlyOwner. So before executing this part, what it will do is it will first go to the modifier, and the modifier has a require statement: it has to validate if msg.sender is the owner, like whether someone who is interacting with the contract is the owner or not. We have seen here that the owner is defined when the contract was deployed: the address which deployed the contract is the owner. If this statement goes false, then this function will never execute, and if this is true, what this does is it instructs the compiler to go ahead with all these later code logics. This is very important.

I can show you a simple example of how it works if we compile this. Let me tell you something: what I'm using right now is called Remix. If you are trying to pursue Web3 security, it's a very good tool. It's an online IDE where you can deploy your own smart contracts, and what it does is it gives you self-hosted blockchain nodes where you can actually host the code and test out your code. So if I deploy this code, I have to mention the compiler version. As per the code, my compiler version needs to be somewhere between seven and nine, so I mentioned 0.8.7. It will compile, and then when we deploy this code, what happens is this address is the owner, because this was the address which interacted with the contract. This logic confirms that. Now if I select another account and try to update the owner, what will happen is it will throw an error. I hope it is visible. You will see that the transaction was declined; just let me make it up. You'll see the transaction was reverted. Why it happened was because there is an onlyOwner modifier which is checking that only the deployer can make changes to the new contract.

I'm not discussing fallback and receive, because that's something I'm not going to talk about. Import functions are very simple. In this sample code you can see, just like any other programming language, when you import a module or external dependencies, that's how you do it in smart contracts as well. Then you have inheritance in smart contracts, which is very similar: contract A is B, and then A will inherit things from B. Then you have comments, and then variables and events. What events are in smart contracts is that it's kind of a logger; it logs things on the smart contract.

Okay, so now we'll talk about vulnerabilities in smart contracts. One of the most common vulnerabilities in smart contracts is access control related vulnerabilities. The concept is kind of the same, but the logics are very different in smart contracts. What you see in Web2 is account A can access the data of account B, and it's quite similar in smart contracts, where if there is an admin functionality which was not supposed to be accessed by a normal user, then there is an access control vulnerability. This one is an example of an actual hack, where there was a smart contract called Hospital, and they got hacked. I'll just show you in the browser. I want to give you knowledge about a few other things. For every contract which is deployed on Ethereum, there is a website called Etherscan where, if you enter the contract address and go to the contract option, you'll be able to see their source code. The best thing about smart contracts is that most of the smart contract code is public, just to bring in the transparency that I was talking about. They publish the entire code, the actual code, so people can check if the code is doing things as it is supposed to. That's why it's even easier for hackers to hack smart contracts, because the code is public, but if you see the other side, smart contracts can be audited as well, since everything is transparent. This is the way: you pick up any smart contract, go to Etherscan and check their code.

So if we go to line 1348, if you notice, this is a burn function. What a burn function does in a smart contract is it is used to burn tokens. Suppose I create a token called Shashank token and I made like one lakh tokens; then you can mint tokens and you can burn tokens. That's a very common terminology in smart contracts. Minting means I'm increasing the amount of tokens, and burning is I'm reducing the amount of tokens. So if you see here, what's wrong with that? Can anyone guess what's wrong with this? Yeah, exactly, you're correct. The thing is, in general programming you will see there is something called function visibility. If you see, the function visibility is public. What public means is anyone can actually interact with it, and since there is no modifier, there is no check, so any individual can actually call that function and burn the tokens. This was the Hospital hack, where a hacker could burn all their tokens.

I have a very similar example which we found during our assessment. What happened was, I was contacted on Telegram that one of our client's friends, who had this smart contract called ShadowFi, got hacked, and they wanted to know how they got hacked. I'll share my experience of how we figured out how the hack happened, and this is good for understanding how vulnerabilities happen in smart contracts. The only thing I got was the hacker's transactions, so let's look at the hacker's transactions. These are the list of the hacker's transactions. The most interesting thing was the fourth one: if you see, a huge amount of ShadowFi token was actually burned. How did we guess it was burned? The common logic for burning a token is that you send it to a null address. A null address is the zero address. Every chain has a null address, which is the zero address, and that is not controlled by anyone; nobody has the private keys of the zero address. Since you cannot simply delete the tokens in smart contracts, what they do when they burn is they send it to the zero address. When I share my slides, what you can do is click on that zero address and you'll see it has billions of tokens and nobody has the authority to it. That's why it is used for burning tokens. So the first thing we noticed was a huge amount of token was sent to the null address; it means the token was burned. So the hacker did something with the burn function. Let's see: if we check the code at line 962, yeah, it's quite the same, the burn function was public. But the question is, how did he manage to steal all the funds, how did he manage to make the money? Let's go back to all the transactions. Now we know that what the hacker did was he burned a huge amount of tokens because the burn function was public.

Now let's deep dive into the logic. If you see the first two transactions: in the first transaction he deposited wrapped BNB. Since this is Binance's chain, he deposits some amount of Binance token, and the next thing he did was he bought almost like 9.5 SDF tokens. Now let's understand this thing. For every token which is there, mostly how they work is: suppose there are 100,000 tokens and the price is one dollar per token, and suddenly if the number of tokens is a thousand, the price of each token will increase because there is scarcity. That's what the hacker abused. What he did was he initially deposited BNB coin, and then he bought a minute amount; he spent like ten dollars or something, and he bought like 10 ShadowFi tokens. Now what he did was he burned the majority of the tokens, creating scarcity of the token, so now his 10 ShadowFi tokens were worth three hundred thousand US dollars. So what he did was: first he deposited the money, bought a little bit of token, burned the rest of the tokens, and then, because again he is exploiting the ShadowFi token, definitely it's not very useful for him, and since it is available for a very higher price, what he's going to do is he just sells all the 10 tokens which he had, like 8.4 plus 0.5. He sold almost nine ShadowFi tokens for a price of three hundred thousand dollars because of the scarcity, and he ran away with the balance token. This is one of the classic examples of how people can exploit access control to completely drain the entire smart contract.

But again, every access control issue doesn't lead to stealing of funds. When you are actually looking for vulnerabilities in smart contracts, it's not necessary that every time you will end up finding a bug which causes financial damages; sometimes it can give you an edge at certain functions or something. This was one of our clients, and what they did was they had a contract where they were auctioning their tokens, and the auction was only available for certain whitelisted users, so not everyone could just go and buy. Especially for malicious addresses they added a blacklist that certain persons cannot perfo
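The two patterns the talk walks through, the constructor/msg.sender/onlyOwner modifier from the Solidity basics and the unguarded public burn function behind the Hospital and ShadowFi incidents, in one minimal token contract, as an added example that is not from the talk, its slides or any of the contracts shown on Etherscan. The contract name ExampleToken, the function names burnUnguarded and burnFrom, and the initial supply are assumptions made for the illustration; the pragma range matches the one the talk reads out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity >=0.7.0 <0.9.0;

// Added illustration, not code from the talk. Names and supply are made up.
contract ExampleToken {
    string public name = "Example Token";
    uint256 public totalSupply;
    address public owner;
    mapping(address => uint256) public balanceOf;

    // Events are the contract's log: tooling and explorers index them.
    event Transfer(address indexed from, address indexed to, uint256 value);
    event OwnerUpdated(address indexed previousOwner, address indexed newOwner);

    // Runs exactly once, at deployment. msg.sender is the deploying address,
    // so whoever deploys becomes owner (the Remix demo in the talk).
    constructor(uint256 initialSupply) {
        owner = msg.sender;
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    // Every privileged function routes through this check before its own body
    // runs. If the require fails, the whole transaction reverts.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _; // the guarded function's body is inlined here
    }

    // Calling this from any account other than the deployer reverts,
    // which is the declined transaction the talk shows in Remix.
    function updateOwner(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero address");
        emit OwnerUpdated(owner, newOwner);
        owner = newOwner;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        emit Transfer(msg.sender, to, amount);
        return true;
    }

    // VULNERABLE shape described in the talk: public visibility, no modifier,
    // and it burns from any account the caller names. Anyone can shrink the
    // supply, including balances they do not hold. Kept only to show the bug.
    function burnUnguarded(address account, uint256 amount) public {
        require(balanceOf[account] >= amount, "insufficient balance");
        balanceOf[account] -= amount;
        totalSupply -= amount;
        emit Transfer(account, address(0), amount);
    }

    // Hardened admin burn: same body, but gated by onlyOwner, so an arbitrary
    // caller's transaction reverts before the first line of the body runs.
    function burnFrom(address account, uint256 amount) external onlyOwner {
        require(balanceOf[account] >= amount, "insufficient balance");
        balanceOf[account] -= amount;
        totalSupply -= amount;
        emit Transfer(account, address(0), amount);
    }

    // Hardened self-burn: no privilege needed, because a caller can only
    // destroy tokens it actually holds.
    function burn(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        totalSupply -= amount;
        emit Transfer(msg.sender, address(0), amount);
    }
}
```

To reproduce the talk's demo, deploy this in Remix with a compiler in the 0.7.x or 0.8.x range, then switch to a second account and call updateOwner or burnFrom: both revert with "not owner", while burnUnguarded succeeds from that second account against any balance, which is exactly the check a reviewer looks for when a function that changes totalSupply is public and carries no modifier. Under 0.8.x the subtractions are checked arithmetic, so the explicit balance requires are redundant but make the intended failure mode readable on 0.7.x as well.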