
Okay, hi everyone. This is a talk on attacking Ethereum DApps, but first, quick show of hands: who here has interacted with a DApp before? Okay, good. So this talk kind of assumes you don't have any background at all with Ethereum DApps or Ethereum in general, but the point is that DApps and Ethereum and the world of blockchain are really taking a big role in people's lives today, so it's super important for the traditional security world to understand the mechanisms behind blockchain security and ways you can penetration test a DApp, for example, rather than just a regular web application. So that's going to be the intent of this talk.

I work at Gemini, the next-generation digital asset exchange. Very exciting company; it's kind of at the forefront of cryptocurrencies and a very cool place to be on the ground floor, and we are hiring, so if anyone here is interested, feel free to come up after the talk and give me your name and resume and all that. But even more important than that, we're having a party tomorrow at the presidential suite at the Bellagio from 7:00 to 11:00. Now, I was told by the recruiting people that I can't just announce it publicly like this, so what has to happen is you have to give me your name and then I have to put you on the guest list. So you can either come up to me or just tweet at me or something, send me a private message, and I'll get you added. Just mention at the door that you came from seeing this talk. I hope to see most of you there.

So again, I'm a security engineer at Gemini. I do a lot of blockchain and smart contract development work, and before being at Gemini I was at Mandiant, where I was doing penetration testing, digital forensics and incident response.

So what is a DApp? DApp stands for decentralized application. Now, this decentralized part is important because it gives us a few more attack vectors than the traditional application you're used to pen testing, and hopefully by the end of this talk you'll see that it's very easy to migrate over into the penetration testing world for DApps and smart contracts.

So let's talk about what a standard web application is first. You have your client over here, you have your server. Most of the time it's just a simple GET request or a POST request that goes to the web application. A lot of times web applications are just a front end for a database, a way to manage the data that's being returned from that database. So when you make that GET or POST to the web app, that web app might interact with another server or a series of them, but ultimately it just sends you data back, right? GET, POST, data back, with some level of indirection there. So again, you're really just interacting with the web app logic, and that's kind of the point of a web app assessment: you're going in, testing that logic, you're looking for places where access controls aren't implemented properly, vertical privilege escalation, horizontal, things like that.

So that's a standard web app, but when you introduce the DApp, the decentralized part, you have a third component to it. That little kitty there really is a smart contract, or a series of smart contracts, in Ethereum. So not only do you have the interaction with the web application, but you also have this thing called a smart contract. This is like the web3 apps that we're talking about, essentially. So the workflow of one might look like this: you'll do the GET or POST like you normally would to the web application, but then there's a read or write to a smart contract in the blockchain. So it's not just going straight to a database and then back to you; there might be this level of indirection where the web app talks to the smart contract, and this is kind of where new attack vectors come in. After the read or write, the data would come back to you at the end of that. Does that make sense to everyone? Oh, cool.

So the point of being able to use a DApp, or being able to interact with Ethereum smart contracts through a web application, is that you need to have a private key involved somewhere, right? You need to own your private key and be able to use it through this web application that ultimately talks to a smart contract, because blockchains are based on public key crypto. So how do you get a private key involved? Traditionally, if you weren't going through a web application, you could publish a transaction onto the Ethereum blockchain by signing the raw bytes offline and sending it to a third-party node, like Infura for example, or you can run a node yourself, sign a transaction and broadcast it yourself. But through a web application, how do you introduce public key cryptography with a private key you own, where a signed message ultimately goes to the Ethereum blockchain?

So one way to do that is through MetaMask. MetaMask is a very popular in-browser extension; I think it's something like 1.5 million total downloads so far between Chrome and Firefox, and it's a wallet in your browser. So you can interact with these DApps by having your own wallet as a Chrome extension or as a Firefox extension, sign things, and have them go through the DApp like that. So this is kind of what it would look like. This would be the extension; it would pop out like this when you click on it. You have a password to seal your wallet, and this is a DApp, the CryptoKitties DApp that everyone's familiar with, at least on some level. So if you wanted to buy this kitty, for example, you would authenticate to your wallet, you'd unlock the wallet, and you click "OK, buy this kitty," and when you do, you get the arguments needed to buy the kitty. So MetaMask will then populate the arguments you need: the amount of ETH to pay for that kitty, the destination, which is the CryptoKitties smart contract, and all that, and you can click Submit or Reject. Clicking that basically prompts you in your Chrome extension, the MetaMask extension. So this is how you can have your own identity, your own private key, in your browser interacting with a DApp.

So this is what the smart contract on the back end would look like. This is for the CryptoKitties smart contract. You see this array of kitty objects; there's a kittyIndexToOwner mapping. So ultimately, when you sign the transaction, when you send the ETH and you send it to the appropriate function like we just showed a second ago, these data structures get updated on the smart contract. So that's kind of the workflow: it goes from the web application you saw, which gives you a nice clean interface to interact with the smart contract, you send the transaction through MetaMask, and then these data structures ultimately get updated on the blockchain.

So this is just a GIF of going through the workflow, and actually you're going to see me buy a kitty. I actually had to buy the kitty for this demo, so now I have this kitty. I don't even know what it's called... Good Sire. So okay, buy this kitty, you see the prompt come up, I click Submit, and now I am the proud owner of Good Sire, and Good Sire's for sale. So if anyone wants Good Sire, please talk to me after the talk; I'll give you a good deal on Good Sire. Now it's also a good time to tell you I'm giving away ETH, so send me 0.5 ETH and I will send you back much... I'm not giving away ETH, okay.

But let's talk about how you can set up a DApp in a local environment so you can do this testing yourself. Now, who's heard of Truffle here? Okay. So Truffle is a smart contract development and testing framework. It's made by ConsenSys, which has really been a trailblazer in this industry, making great tools for developing smart contracts and developing DApps. If you want to test a DApp locally that you can test with Burp Suite, for example, look up Truffle, and there's a Pet Shop tutorial. That tutorial tells you step by step how to make a DApp, how to make the web application front end and the smart contract behind it, and you ultimately just run this command below. But you should look into that.

So when you have that local environment set up, this is Pete's Pet Shop. You'll need MetaMask to interact with it still; you'll see it's installed in my browser on the top right. And what happens when MetaMask is communicating? So with MetaMask you can give it the blockchain, or the provider rather, the node provider that you want to interact with ultimately. So this is a local environment, so I'm running the Ethereum blockchain on just localhost:7545, and it can communicate with that. Every ten seconds or so MetaMask queries out; it does an eth_getBlockByNumber, right? That's MetaMask's way of saying, "Okay, this is the blockchain I'm supposed to be interacting with, I need to know the latest block, I need to know the most recent information about the accounts in this wallet and everything else." So every ten seconds you'll see a request, if you were intercepting requests, to wherever that provider is, trying to see what the most recent block is, to get the most recent information. That's how MetaMask works on any blockchain you provide it, essentially any Ethereum blockchain.

So again, this is what the Pet Shop looks like, and this is the JavaScript that handles the adoption function. So I told you again there was a web application portion and a smart contract portion, right? So if you were to click, for example, "Adopt" on Frieda, this first dog right here, what you'd be calling is handleAdopt, and what handleAdopt does, you can see below, is App.contracts.Adoption.deployed(), then it basically calls the adopt function on that contract artifact. So it recognized the contract because it was developed in Truffle; it's got a really nice interface and it just calls the smart contract function adopt, ultimately. So this is kind of a bridge between the JavaScript and the smart contract.

And this is actually the contract behind it. So this is the smart contract. When handleAdopt is called, we saw it called the adopt function; that's the function that's actually being called. This is a smart contract; it accepts a pet ID. Frieda was pet zero, so it would check that the pet ID is within range (there are only 16 pets), and then it would update the data structure to reflect that the adopter of Frieda is the person sending this message. So that would be us when we send that transaction. So that's the entire workflow. Before I actually adopt Frieda, this is the adopters array right here; you'll see that every adopter is just the zero address because no one's actually adopted anything yet. But as soon as I click Adopt, I submit the transaction. I noticed I don't need to pay anything for this because it was free; the contract didn't say "require the value being sent to be above this certain amount." It's free, you just click it and you adopt Frieda. You click Submit, and then, if you checked that data structure again, that array, the first index now corresponds to the address from which we sent that transaction. So that data structure was updated to reflect that we are the owner of Frieda.

So what does that transaction actually look like if you looked at it in Burp? I just showed you MetaMask coming up and you click Submit. If you intercepted that transaction you would see the from address right there, right? The to address is the smart contract address, then the value and data, and I'll get into this more, but it's very simple; there are only four or five fields that you need to worry about. So you can see from, to, value, data, gas, gas price. From is my Ethereum address, the one that's being populated in the array. To is the smart contract address, the Adoption contract that has the pet array. Value is zero, again because this contract didn't charge anything for the pets, and data was this hex value, 0x85..., etc., right?

So let's break that down a little bit. Why was this the data we sent to that smart contract? It's because we called the function adopt, right? The first four bytes in the data field are the function identifier. So it's the hash of the function name and the kinds of arguments it accepts, and you take the first four bytes of that hash; that is how you tell the smart contract what function you want to interact with. So that's what's taking place: the first four bytes of the data parameter that we provided is the function identifier of the adopt function. So once a smart contract gets that, it says, "Okay, these are the four bytes. Yep, I know that one, that's the adopt function, I'm going to send this over to the adopt function," and then it takes the rest of that data field, populates the arguments and does whatever else it needs to. The argument it accepted was a pet ID, and we adopted Frieda, which was the zeroth pet, so you'll notice that after the function identifier it's just zeros, right? That means we're calling adopt, because we have these first four bytes here; we strip that away and the rest is just zero. Okay, that means you're adopting zero, you're adopting Frieda. Does that make sense? Cool.

So this is a really bad slide in hindsight because you can't see my mouse, but things like cross-site scripting become a lot more dangerous with DApps, because what you can do is manipulate MetaMask, ultimately, to send a transaction to somewhere you wouldn't expect, and it's not immediately obvious where you're sending the transaction to with MetaMask implemented the way it is currently. So what's happening here is I'm actually hovering my mouse over that Adopt button there, but I'm not actually clicking anything, and when I hover my mouse it prompts MetaMask to pop up and say, "Oh, please send some ether here," right? So if a malicious person gets JavaScript onto a DApp, what will happen is they can get your MetaMask to pop up with a transaction, and you might think, "Well, I was expecting MetaMask to come up because I wanted to make a transaction on the site," but in reality the destination address is the attacker's. So it's a little bit trickier, because you're trusting this extension, and the extension can seem legitimate because it's kind of outside the realm of the site, but in reality the script that's making it come up is malicious.

There was actually an instance of this in the wild that John showed me. John, do you want to stand up and say hi? This is John. Basically EtherDelta, a decentralized exchange, had a cross-site scripting vulnerability. EtherDelta also allows you to trade between two different tokens, essentially, and these tokens, when they're listed on the site, their fields populate on the site, so things like their name, their symbol, etc. So there was an attacker who made a smart contract, published it, and in the name field of their ERC-20 token they put some malicious JavaScript. So when EtherDelta pulled basically every part of the ERC-20 protocol from the contract, they loaded this malicious JavaScript from a smart contract onto their page, and what that JavaScript did, ultimately, was, for whoever's private key they uploaded to the site, it sent all their ether to another wallet. So again, it was in the name field, there was some JavaScript there, and it was loaded into the site, and that was an example of how cross-site scripting is really dangerous when you're dealing with private keys and MetaMask, for example.

So again, there's the web application logic, and then there's also this third part, the smart contract, and the important part about the smart contract is that it's public. It's publicly accessible. There's no rule that says you have to interact with the smart contract through the web application; you can go directly to the smart contract, which introduces a whole set of other vulnerabilities. The web application might have a really well-defined way in which you can interact with that smart contract, but there might be a glaring vulnerability in that smart contract that you'd only notice if you went to the bytecode directly. So there's kind of another attack vector we're going to discuss. Smart contracts kind of serve as another data store; they're publicly accessible, and it's like everyone wrote their own version of the software to store that data, because no two smart contracts are really the same, right? You have a bunch of people making smart contracts, storing ether in there, storing valuable customer data, and they're making it themselves. So it's not like there's one single instance of software people are using to store this data that's been tried and true; every single smart contract is a little different, so there are a lot of vulnerabilities with that, as you've seen. So you kind of have this two-pronged approach: you can attack the DApp through the web application, but you can also attack it directly by going to the smart contracts as well.

So beyond that, there's kind of a third prong, and I'm going to talk about that in a second. It's going through the web application to get to the smart contract in a different way. There's this concept of modifiers in smart contracts, where only certain Ethereum addresses can issue the transaction; you're denied if you don't have the appropriate key, right? So onlyOwner is an example of this: only the owner of the contract can update this field in the smart contract, for example. A lot of these DApps rely on a special key in the web application to issue privileged writes to the smart contract based on the client's data. So I make a GET or POST request, and the web application will say, "Okay, I'm going to use my privileged key to write this to the privileged spot in a smart contract." So it's not just what you can do directly to the smart contract, but can you also get the web application to make a privileged write on your behalf? Can you trick it into thinking you are the owner by bypassing, you know, the access controls of that web app? So it's kind of a three-pronged approach: what can you get the web app to return to you, just a regular web application penetration test; what vulnerability can you find by accessing the smart contract directly; and then can you get the web app to interact with the smart contract in a way it didn't expect, so as an owner, as a privileged key, essentially.

So this is an example of how you would sign something in CryptoKitties. This is how you would prove your ownership of a certain address, right? They give you a message to sign, you'd sign it, and they see, "Okay, this signature matches the Ethereum address that we're seeing from you." So in a pen test you'd want to verify that that signature validation is actually being done correctly. If you could just pop out the Ethereum address that you're providing and replace it with another one, basically say, "Hey, I'm not this Ethereum address, I'm this one," and you provide a signature that doesn't actually match up to that Ethereum address, you want to make sure that the web application is validating that, that they're saying, "Okay, that doesn't actually match up, we're not going to allow you to sign in." I've actually done this before, where I've been able to impersonate someone else or create a denial of service for that person if they ever wanted to sign up, because I intercepted the request, which I'll show you in a second, and I replaced my Ethereum address with theirs.

So this is an example. If you were to sign up, for example, you would provide an Ethereum address that you're saying "I want to sign up as," and you'd provide a signature of a phrase that you would both know, like "CryptoKitties" in this case. What the DApp should be doing is validating that that address matches with that signature, so if you were to sign with a different address, would the DApp reject you? Ultimately, I found DApps where that is the case... well, that's not the case too. So CryptoKitties does that properly, so that was good to see.

But when you're already authenticated (so that's how you sign in, right, you can use a private key), when you're already authenticated you can do things like go to Settings here and you can change some variables about who you are, right? And this is kind of that duality of web applications: not everything you change about your account or your profile requires a signature, so at some point it becomes a regular web application, right? If you have a cookie, you can change things about yourself, sometimes without requiring a password. For a DApp, it's like, if you have a cookie, or if it doesn't require a signature, then you can do things without requiring a signature. So stealing someone's cookie might allow you to do things in that DApp without actually having the private key. So if I were to change my email or my nickname, for example, like here, you'll see it doesn't require a signature anywhere. So this is nothing; I mean, changing my nickname to Miao is not going to cause big problems for me if an attacker did that, but it's an example of where this duality exists. Not everything in a DApp relies on public key cryptography; some of it is just a regular web application. So there's that duality there.

So I'll give an example of another DApp that's designed with security in mind, and I'll talk about why these best practices are implemented there, so you can understand the attack vectors that they're defending against. So Bloom is a really big DApp, and it's a good example of this; if you guys want to check it out, it's at bloom.co. So this is kind of the sign-up process: you would enter your name, your phone number and email address, and then it will tell you what you're doing, right? So you're signing the message to prove ownership of the key, kind of like we saw with CryptoKitties a second ago, so nothing new there. So the validation takes place against the signature and the Ethereum address you provide. But when you sign in, you're providing not only the signature, but what you're signing includes the date and your email address, right? So does anyone know why you would be signing the date and your email address when you want to sign in to the DApp? What does the date have to do with a signature? Right, exactly, yep. So this prevents replay attacks; I'm going to get into that in a second.

So this is what you'd see if you were to intercept that request: the email address, the signature and the date. They would validate that, first of all, it's signed properly, the date is the same one the server has, and that date is within a certain amount of time. So if an attacker intercepted the signature of the sign-in, they couldn't actually just replay it at another time; they couldn't replay it in a year or a week or something like that, because it wouldn't be May 2018 anymore. So the email address check: the wallet address tied to that email address is in their servers, right? It checks that you're signing, you're saying "I'm signing in as this person"; wait a second, let's make sure that key matches that person. And the date to prevent replay attacks. So any DApp should have a signature of the email and of the date in their sign-up and their sign-in, rather. Similarly, inviting people... the GIF might be broken, alright, anyway, but a similar concept: when you invite someone to Bloom, you have to sign that person's email address, so you can validate, "Okay, I actually want to invite this person and not this other person."

Now let's talk about that other prong that I talked about, attacking the smart contracts directly. Smart contracts have a whole host of popular vulnerabilities associated with them. There's a really good site called DASP; it's like OWASP but for Ethereum, and it talks about kind of the top ten for Ethereum. I'm not sure how those were chosen exactly, but they're very good examples: re-entrancy attacks, overflow and underflow, denial of service. These are all good examples you'll find there. I'll give an example of an overflow. This was recent, I think three months ago, four months ago; it's called batchOverflow. Basically, these people implemented a token and they wanted to make transferring tokens cost less gas by batching the transfers into one transaction rather than having individual transactions for every single transfer. So what they did was they implemented this batchTransfer function, so you call it once, you have an array of all the people you want to receive a token, and you provide the value. Unfortunately, they didn't check for an overflow, so there's an overflow vulnerability here in which the attacker was able to basically forge the fact that... they got to pretend that they had millions of dollars of tokens, essentially, and that DASP site goes into this kind of step by step.

There's another one: permissions. We talked about that earlier. This initWallet function, this is in Parity, one of the Parity issues; this didn't have any modifiers associated with it, right? This sets the owner of the wallet, and it sets who the owners are. So it wasn't in a constructor, so it's not like it was only called once; it was in a library, so anyone could call this at any point, and because anyone could call this at any point, you definitely need a modifier associated with it so you can restrict who is able to call it. So if you're going to update the ownership of the contract, you need to make sure the initial owner was the one sending that transaction in the first place. They didn't do that, so someone set themselves as the owner and blew the entire thing up. These are real-world problems; I mean, these are the kinds of vulnerabilities we're dealing with right now, very simple, very straightforward, so it'll be good to have all your eyes on it after this talk, hopefully.

Symbolic execution is a really powerful tool to use towards auditing smart contracts. I'm going to go over a brief example of what it is and some tools out there that employ it. So instead of concrete execution, where variables are given concrete values like four or five or six, symbolic execution allows you to parse through a program and provide a symbolic value, so it's not tied to one value but basically a range of values that are possible. So when you're going through the program, you fork it at every conditional; the symbolic execution engine will essentially fork and traverse every path, and at the end of that path, when it gets to the end state, it'll tell you the conditions necessary to get to that end state. So ultimately you can find a way in which a smart contract could overflow by following the logic of what conditions are necessary to get there.

So here's an example. This is from Mark Mossberg at Trail of Bits; they're really, really great people at auditing contracts and they've done a lot of great development work. If you had a concrete value here, like var was 45, right, you'd skip the first part of the conditional and you'd jump to the else, but if it was a symbolic value, when you get to the "if var equals 42," the symbolic engine would go through that, but it would also fork and it would go down the else as well, and it would just keep in mind the values, or the conditions rather, that it needed to meet to get down that path. So when it gets to the end it would say, "Okay, I had to meet this condition, this condition, this condition; let's see if these three conditions are ever possible," and if values exist that meet all those conditions, then you can get to that end state ultimately.

It's another slide from Mark from Trail of Bits. This is an example of how that end state calculation gets done. So when you have A, B and C assigned symbolic values, you can go down every path here in this tree and you'll get the end states and the conditions necessary to get to that end state. So what we're checking here is to see if that assertion ever fails, right? assert x + y + not z, or z does not equal 3. There's a path in which that assertion fails, and it's when not A and B is less than 5 and... sorry, those are Greek letters, but when those conditions are met. So that's how the symbolic execution engine works: it'll tell you, "Okay, I got to this assert failing if and only if these criteria are met," and then what's called the constraint engine, a constraint solver, will then tell you if those constraints are solvable, essentially if that's a valid situation, if that can happen.

And the thing about symbolic execution: it's powerful against smart contracts in particular, less so for things like sandboxes. So in sandboxes, for example, it would be really valuable to be able to traverse every single path of a binary, but the issue is, when you're dealing with really large binaries that are importing DLLs with thousands of lines of code, it's difficult; we'd run out of computing resources, it's impossible; a lot of these malware samples send you on a wild goose chase. But smart contracts are limited in size because of gas considerations. It costs money, real money, to publish a smart contract, and it costs a lot of money to issue transactions to that smart contract, so it's more powerful against smart contracts. So Manticore is a good example; I mentioned that it's by the people at Trail of Bits, a symbolic execution tool, and it will traverse these paths like I mentioned. Let me see if I can get this to play.

Okay, so here's an example of it. So you have this burnable token right here, and that's the source code for it right there; there are intentionally some bugs in it, and they run Manticore against that contract, and it's going through all these end states and it's finding the conditions necessary for that. So soon it's going to find an underflow vulnerability, and it'll essentially see, "Here it is: integer underflow at a SUB instruction." It'll remember that end state, and it'll tell you the arguments needed that satisfied that condition, an example of those arguments that satisfied that condition.

Another approach, rather than doing symbolic execution, is just going through the binary yourself, right? So you can actually use Ethersplay, for example, another tool by Trail of Bits, to get the bytecode of a smart contract at an address and disassemble it and go through it, and it's very easy to do; there aren't that many instructions in the EVM, so I recommend doing it. I actually wrote a blog post about this too, which is pretty easy to follow along. And another really popular symbolic execution engine, if you are interested, is Mythril by ConsenSys; a similar concept to Manticore. Both have really good documentation. And I mentioned that reversing post, so I'll just put it here for anyone who wants to check it out.

That's it, thank you very much. If you're interested in coming to the party, like I mentioned, just feel free to reach out to me, and if you have a resume or anything like that, come up afterwards. So I'll take any questions. Thank you. [Applause]
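Added example (not from the talk, and not Truffle's or the Pet Shop's code): the calldata the talk breaks down, built and decoded by hand. The first four bytes of `data` are the first four bytes of Keccak-256 over the canonical signature (`adopt(uint256)`), and each `uint256` argument follows as a 32-byte big-endian word, which is why adopting pet zero leaves 64 zero hex digits after the selector. Keccak-256 is implemented here in pure Python because Ethereum uses the original Keccak padding, not the NIST SHA-3 padding in `hashlib.sha3_256`; `decode_calldata` mimics what a contract's dispatcher does with the selector, and the list of known signatures it is given is an assumption of this example. Values asserted are the standard Keccak-256 of the empty string and the well-known `transfer(address,uint256)` selector.

```python
"""Build and decode Solidity calldata: 4-byte selector + 32-byte uint256 words.
Added example; the Keccak-256 below is a pure-Python reference implementation
so that this runs offline with no third-party package."""

MASK64 = (1 << 64) - 1


def _rol(v, n):
    """Rotate a 64-bit lane left by n bits."""
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def _round_constants():
    """Iota constants from the Keccak reference LFSR (x^8 + x^6 + x^5 + x^4 + 1)."""
    bits, R = [], 1
    for _ in range(24 * 7):
        bits.append(R & 1)
        R <<= 1
        if R & 0x100:
            R ^= 0x71
        R &= 0xFF
    return [sum(bits[j + 7 * i] << ((1 << j) - 1) for j in range(7)) for i in range(24)]


def _rotation_offsets():
    """Rho offsets, generated by walking (x, y) -> (y, 2x + 3y) from (1, 0)."""
    r = [[0] * 5 for _ in range(5)]
    x, y = 1, 0
    for t in range(24):
        r[x][y] = ((t + 1) * (t + 2) // 2) % 64
        x, y = y, (2 * x + 3 * y) % 5
    return r


RC, RHO = _round_constants(), _rotation_offsets()


def _keccak_f(A):
    """Keccak-f[1600] on 25 lanes stored as A[x + 5*y]."""
    for rnd in range(24):
        C = [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]
        D = [C[(x - 1) % 5] ^ _rol(C[(x + 1) % 5], 1) for x in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]                     # theta
        B = [0] * 25
        for x in range(5):
            for y in range(5):                                        # rho + pi
                B[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(A[x + 5 * y], RHO[x][y])
        A = [B[x + 5 * y] ^ (~B[(x + 1) % 5 + 5 * y] & B[(x + 2) % 5 + 5 * y])
             for y in range(5) for x in range(5)]                     # chi
        A[0] ^= RC[rnd]                                               # iota
    return A


def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 (pad10*1 with 0x01), as used by Ethereum."""
    rate = 136
    padded = bytearray(data) + b"\x01"
    padded += b"\x00" * (-len(padded) % rate)
    padded[-1] |= 0x80
    A = [0] * 25
    for off in range(0, len(padded), rate):
        block = padded[off:off + rate]
        for i in range(rate // 8):
            A[i] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        A = _keccak_f(A)
    return b"".join(A[i].to_bytes(8, "little") for i in range(4))


def selector(signature: str) -> bytes:
    """The 4-byte function identifier the contract dispatches on."""
    return keccak256(signature.encode())[:4]


def encode_uint256(value: int) -> bytes:
    if not 0 <= value < (1 << 256):
        raise ValueError("uint256 out of range")
    return value.to_bytes(32, "big")


def calldata(signature: str, *uint_args: int) -> str:
    """Hex `data` field for a call whose parameters are all uint256."""
    return "0x" + (selector(signature) + b"".join(encode_uint256(a) for a in uint_args)).hex()


def decode_calldata(hexdata: str, known_signatures):
    """What the contract does with `data`: match the selector against the
    functions it knows, strip it, then read each uint256 argument."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    sel, body = raw[:4], raw[4:]
    for sig in known_signatures:
        if selector(sig) == sel:
            params = sig[sig.index("(") + 1:-1]
            nargs = len(params.split(",")) if params else 0
            if len(body) != 32 * nargs:
                raise ValueError("calldata length does not match " + sig)
            return sig, tuple(int.from_bytes(body[32 * i:32 * i + 32], "big") for i in range(nargs))
    raise ValueError("unknown selector 0x" + sel.hex())


if __name__ == "__main__":
    data = calldata("adopt(uint256)", 0)     # adopting Frieda, pet ID 0
    print(data)
    print(decode_calldata(data, ["adopt(uint256)", "transfer(address,uint256)"]))
```

Intercepting the transaction in a proxy and decoding `data` this way is how you confirm which function a DApp's front end actually calls and with what arguments, independent of what the page's JavaScript claims.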
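Added example (not from the talk, the DASP site, or the affected token's contract): a Python model of the batchOverflow bug class the talk describes, with the wrapping balance check beside the checked one an auditor would expect. The EVM's `uint256` multiplication wraps modulo 2^256, so `cnt * value` can come out tiny even though each receiver is credited the full `value`; the checked version rejects any product that would not fit. Account names, balances and the 20-receiver cap are constructed for this illustration.

```python
"""batchTransfer balance check: wrapping uint256 arithmetic versus a checked
multiply. Added example that models the bug class in Python; it is not the
Solidity of any deployed token."""

UINT256_MAX = (1 << 256) - 1


def mul_wrapping(a, b):
    """uint256 multiplication as the EVM performs it: modulo 2**256."""
    return (a * b) & UINT256_MAX


def mul_checked(a, b):
    """SafeMath-style multiplication: refuse a product that would wrap."""
    product = a * b
    if product > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return product


class Token:
    def __init__(self, balances):
        self.balances = dict(balances)   # constructed sample ledger

    def _batch_transfer(self, sender, receivers, value, mul):
        cnt = len(receivers)
        if not (0 < cnt <= 20 and value > 0):
            raise ValueError("bad batch")
        amount = mul(cnt, value)          # the only line that differs between the two
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = self.balances.get(sender, 0) - amount
        for r in receivers:
            self.balances[r] = (self.balances.get(r, 0) + value) & UINT256_MAX
        return amount

    def batch_transfer_vulnerable(self, sender, receivers, value):
        """Check written as `require(balance >= cnt * value)` on a wrapping uint256."""
        return self._batch_transfer(sender, receivers, value, mul_wrapping)

    def batch_transfer_checked(self, sender, receivers, value):
        """Same logic with the product overflow-checked before the balance test."""
        return self._batch_transfer(sender, receivers, value, mul_checked)


if __name__ == "__main__":
    huge = 1 << 255                        # 2 receivers * 2**255 wraps to 0
    t = Token({"alice": 100})
    print("wrapping check debits", t.batch_transfer_vulnerable("alice", ["bob", "carol"], huge))
    print("bob now holds", t.balances["bob"])
    try:
        Token({"alice": 100}).batch_transfer_checked("alice", ["bob", "carol"], huge)
    except OverflowError as e:
        print("checked version rejects:", e)
```

When reviewing a contract, the thing to look for is any `require` whose operand is an unchecked product or sum of caller-controlled values; symbolic execution tools such as Manticore report exactly this as an overflow end state with the arguments that reach it.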