
Oh, hello everyone, and thanks for coming. So we are going to talk about investigating blockchains, but before I start I'm going to introduce myself very quickly. I can recognize most of the people here from BSides, so I'm going to do it very quickly. So I'm a French wanderer doing some stuff; most of my hacks were quite useless but very fun. I'm the kind of guy who can block Alexa or sometimes try to clone things, but I can explode or do some dangerous stuff. For my work, I'm a senior security consultant at Bishop Fox. This is a very cool job, I'm working with some
of you here, there are only cool people, and I'm going to stop talking about my job because I'm on vacation. If you want to reach out you can find my Twitter or LinkedIn account, and this is my dog, because she's beautiful. So before we start, just a few reminders about what a blockchain is and why we are going to investigate the blockchain. For the reminder: a blockchain is mostly a public database. All data are accessible and readable by everyone, and you can't alter, you can't modify, you can't delete anything. From the moment the data are put into a block and sent to the
blockchain, all the data are immutable. So basically everything inside the blockchain is logs, there is only data and information, and the investigation is pretty easy with all the information we have. But why do we want to do investigation on blockchain? Most of us know that blockchain is a very dirty space. To put some numbers, just for 2022, the blockchain space lost around 4 billions; 40 billions of money was money laundering and illicit activity, and more or less 1 million was lost from phishing and scams. So basically, just in 2022, the crypto space lost the price of Twitter in one year. Overall it's
$335,000 of loss per user per year, and I personally made $10 of benefit in 2022, so please don't listen to me to make money, but cyber security is a better subject for me. So with all this money lost in just one year, and with all the money I didn't get, I started asking myself: where is all this money? If we lost 45 billions of dollars in one year, 45 billions of dollars don't disappear, so I started investigating. As I said at the beginning of the talk, we are going to talk about the blue side and the red side of investigating blockchains, because we can investigate
blockchains for forensic and incident response purposes, but we can also use the information inside the blockchain to perform offensive security, just like bug bounty. So let's start with the blue side. Basically, inside a transaction you will find some useful things. First of all you have the associated block, as an integer; this is the number of the block. The timestamp: we all need the timestamp for logs, we can't do anything without the timestamp. We can also find the addresses: who did the transaction and to what address. The position of the transaction inside the block: you probably don't really understand why it's important, but in some of the next slides you will
understand why the position of the transaction inside the block is very important. And a field called input data: inside this input data you will find all the technical and useful information you need to investigate. You can also find a bunch of technical information in details, but it's not necessarily always useful for investigation. So if you're wondering what a blockchain looks like from a data point of view, this is basically this. I know it can look scary, but it's not that complicated. What we have inside a block is the ID of the block, the hash as I said, some technical information like the version of the software, like
Solidity version X, and the list of transactions inside the block. You have some websites to analyze the block with a better view; the most known is the Etherscan website. So basically you can find the data of your transaction in this format, with the transaction hash, the status (if it got rejected or accepted), some useful information as I mentioned before, and also a sponsored field, because when you lose 45 billions of dollars you need some ads to get back some money. Oops, duplicate, sorry, just like all my bugs. The data we are looking for is the input data. You have different ways to analyze the input data: the classic one
with the hex form is very difficult to read, but by chance, after a few years we have tools to translate the bytecode into event instructions and more readable information. With these tools you can find the list of events, and this is the type of event we are searching for to understand what happened. So basically in the list of events you can find all the approval requests, you can find what functions were called, you can find the money transfers from an address to another address, and if you have other functions, I don't know, just to do some loop or to do mathematical analysis for
calculating a price, you will find all the steps in it. And inside the input data you can find something unexpected: messages. Basically you can just send a transaction and write a message inside, so you can use a blockchain just like a social media. It's a little bit expensive if you're using a blockchain that requires $100 to send a transaction, but for small blockchains you can basically use it as a social media. It can be interesting just by curiosity, but as you will see it can also be a weapon. But before we continue, we have to address some tricky issues. The first tricky issue is the fact that in the Ethereum blockchain you
have around 1 million transactions per day, so if you need to investigate a period of, I don't know, 10 days, it's a bunch of information. So you're going to need to sort, to filter the information, to extract just the transactions you need and the information you need for your investigation. It's pretty easy with the libraries we have: you can use web3.js or web3.py or any kind of library made for web3, and that's it. Basically you just have to connect to a blockchain, put the list of addresses you want to see, put some filters like "I want to see all the requests that come from this
address with this amount or this type of value", so you can very quickly sort the information with Python or JavaScript. But you can also subscribe to the events, so basically the incoming transactions will be caught by your code and you will just see the information at the exact moment of the transaction validation. So if you don't want to do a big investigation but just look at what happened around a wallet or addresses, just a few lines of Python will be enough. But if you need to investigate a more difficult case, you have a bunch of existing tools. The most useful
information is the audit reports, for blockchains, smart contracts, DeFi, etc. Most of the audit reports are public, basically because blockchains are public, so the security and the reports should be as well. So you can just scroll the report, look into the information, to investigate your case if you need to investigate some smart contract. But you also have some very, very nice tools like MetaSleuth or Phalcon by BlockSec that will provide you a more readable view of what happened, because if you need to investigate an address that deals with, I don't know, 10,000 other addresses, you need to visualize or you will be
lost. So at this point we have the classic forensic or bounty investigation information, and it's interesting, but it can be long and sometimes a little bit boring. But there is some more fun stuff to do on the blue side. Here are some tricks you can use. Something called dust: basically you just need to send a very small amount of token to multiple addresses and subscribe, keep track of all the movements of the token you sent. So basically you're just sending some trackers everywhere, and you just have to follow all the moves of your token, so it will help you to know where your tokens are going and you can
find some very interesting interactions. It's also used to break some anonymity tools like Tornado Cash or other mixers that try to hide information by sending too many requests; by using dust you will be able to keep track of all the moves, but you will also need more data analysis. You can socialize: we saw that you can send messages inside your transaction. A bunch of people are usually looking at all the transactions they get because they want to know what is happening on their own wallet, so they are likely to see your message if you send one. You can also build some honeypot: just try to interact
with a smart contract used by your target, with blackhat hunting or something like that, and try to kind of phish the blackhat to make him use your smart contract, and if you trap your smart contract you will get the money. We will talk about these things later. Now I'm going to show you a very quick example of what we can do with classic investigation. Basically I used dust. It was not that much of an interesting story; it was just a guy who got scammed for $100,000, so I tried to help him, just to learn and do something cool. So I started dusting just to find the main wallet
of the attackers. When I finally had some IDs of the list of addresses he was usually using, I sent a phishing link inside the transaction. For some reason this is not the website I sent; I modified the URL a little bit because I don't want people to investigate me. And I got lucky: I just sent an automated message saying "hey, please connect to the website to get some airdrop" (an airdrop is like free money), and for $5, by curiosity, he clicked on the link, and that's it, because at the exact moment when the attacker clicked the link, it was outside web3, so I had an IP address in my Apache logs. So just because he clicked
on the link in the input data, I was able to start something outside the blockchain. And it was very dirty, because I basically just took the IP address and launched an nmap scan on it, and well, it's something that I call "from the transaction to the living room". Whoops. So from the IP address I found in my HTTP logs after sending the phishing link, I found some CCTV. So I still don't know where the money the attacker stole is, but I can basically just go to his house and steal his car. So I don't get back the money, but now it's in the police's
hands. We can continue after this finding, but it's becoming offensive security, so let's do the red side investigation. Why do offensive security people need to investigate the blockchain? Basically because all the information is stored, you can't remove it, so if an attacker tries to exploit a smart contract and fails, you can find all the steps of the attack, you can replay the attack, you can fix the bug if the attack failed, and basically you are just able to see all exploit attempts on all the blockchain. It's just like if you had access to the logs of all the internet, so you can do a bunch of stuff. You
can use the data from failures for bug bounty as well. Usually when you're doing a good bounty you are not testing in live or in production; you are doing a clone of the blockchain locally and you are testing locally, so you don't break anything and you don't provide information to other people. But you know there are dirty people outside, and so you can find a bunch of transactions containing attack attempts, so you can just extract the logs and start to weaponize the information. And this is where the fun starts. On blockchains you have some nodes; basically you send the transaction to the node and the node shares the transaction with
the other nodes, and this is a blockchain. But in your node you have something called the memory pool. The memory pool is a list of all the transactions sent to a node, to a miner, and the miner will sort the transactions and include them into a block. And inside this memory pool you can find all the function calls, sorry, inside this memory pool you have the list of transactions, and these transactions contain all the technical information of what the users want to do. At this point, all the steps, all the events, nothing is executed on the blockchain side, so you have this window where you can read the information before it's
going to be executed, and it's going to be interesting at this point, because you can look at the transaction, you can intercept it, and you can replay the exact same request before the attacker. If you are faster than him you can basically stall his attack and play the attack before him, and I think it's going to be interesting. Oh, oops, I forgot to share the schema. So basically the mempool is the step before the miner, so all these are single transactions and the miner includes the transactions in the block. And at this point we are going back to what I said before, the position of the transaction inside the block, because
when you send a transaction you need to pay gas fees, and the first transaction is the transaction with the most gas used. So that's how you can front-run people: basically if you see in your mempool a transaction with, I don't know, 1,000 gas fees, you can take the same request, send the same request with 2,000 gas fees, and basically you are doing the transaction before the other one. It's mostly used to perform trading or sandwich attacks: so basically if someone wants to buy a token for $1, you will intercept the transaction, you are going to sell the token at a higher price and then include the order book, so
you exploit the money exchange. Not interesting in your case, but this is basically how front-running works. This kind of front-running in the cyber security field has happened many times. Basically, if some of you are interested in blockchain hacks, you are probably aware of the Curve Finance hack, which stole 20 millions, and someone who was looking at the mempool intercepted all the attack and saved, I think, half the money, if I remember correctly. So with the exploitation of the mempool you can identify the exploit before execution to block the attack. So basically, if the attackers are going to steal all the money from the smart contract,
you just have to copy the attack, extract the money, put the money in a safe place, and just let the attacker's attack fail. You can also limit the loss by manipulating the price just before the attack, so you reduce the impact of the attack. You can use it to improve your bug bounty skills, and a bunch of stuff. Initially I started writing about front-running and MEV, the maximal extractable value, this is the name of, well anyway, I was telling, I started writing about front-running and MEV but I realized it needs a dedicated talk, so I changed my point a little bit. So basically, to summarize a little
bit everything we can do on the red side: the idea is just to analyze all the information that is unusual, like all the transactions that are not made to transfer money from an account to another. You can start looking at all the functions, all the calls, and you will find exploits, you will find weapons, basically you will find a weapon. So this is a very, very open source world. So what's coming
next: I stopped writing about MEV and front-running, and I realized half an hour is too short, so I was thinking about a workshop about web3, basically how to do scripting to start bug bounty, or to perform front-running, to analyze the blockchain and start doing very cool stuff. So I wanted to know if anyone would be interested in a front-running or blockchain security workshop next year. Okay, one, two, okay, you're welcome. So basically I just got some unpaid extra work, so I think I'm not a businessman. Sorry, I got a little bit lost. Yeah, if you have any questions, please feel free to reach out. If I'm a little
bit slow, it's because my vacation is starting right now, so I'm not exploring the memory pool but another kind of pool. So just wait if you want to discuss; I'm still around tonight if you want to chat. I think I'm a little bit early because it's my second talk in English, so I was a little bit stressed. If you have any questions, feel free to ask; if not, we will see each other again maybe for the workshop. Does anyone have any questions? No? All right, thank you very much.
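The blue-side steps described in the talk (filter transactions by address and amount, then decode the input data into something readable, including ERC-20 transfers and plain-text messages written into the chain), as an added example that is not the speaker's code. It uses no network or web3 library: the addresses, values and calldata are constructed sample data, and the decoder only knows the ERC-20 `transfer(address,uint256)` selector plus the UTF-8 message case.

```python
# Added example (not the talk's code): decode transaction "input data" and
# filter constructed transactions by address, as the talk describes with web3.py.
from dataclasses import dataclass
ERC20_TRANSFER = "a9059cbb"   # 4-byte selector of transfer(address,uint256)

@dataclass
class Tx:
    block: int          # block number
    index: int          # position of the transaction inside the block
    sender: str
    to: str
    value_wei: int
    calldata: str       # hex input data, "0x" when empty
def decode_input(calldata: str) -> dict:
    """Classify input data: ERC-20 transfer, plain-text message, or unknown."""
    raw = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if not raw:
        return {"kind": "empty"}
    if raw[:4].hex() == ERC20_TRANSFER and len(raw) == 68:
        # ABI layout: address left-padded to 32 bytes, then a 32-byte uint256
        return {"kind": "erc20_transfer", "to": "0x" + raw[16:36].hex(),
                "amount": int.from_bytes(raw[36:68], "big")}
    try:
        text = raw.decode("utf-8")
        if text.isprintable():          # a message written into the chain
            return {"kind": "message", "text": text}
    except UnicodeDecodeError:
        pass
    return {"kind": "unknown", "selector": raw[:4].hex()}

def filter_txs(txs, address: str, min_value_wei: int = 0):
    """Keep txs where `address` is sender, recipient or ERC-20 token recipient."""
    address = address.lower()
    hits = []
    for tx in txs:
        dec = decode_input(tx.calldata)
        parties = {tx.sender.lower(), tx.to.lower(), dec.get("to", "").lower()}
        if address in parties and tx.value_wei >= min_value_wei:
            hits.append((tx, dec))
    return hits

# Constructed sample: a token transfer to the scammer, an ETH transfer by the
# scammer, and a message the victim wrote into the input data.
VICTIM, SCAMMER, TOKEN = ("0x" + c * 20 for c in ("11", "22", "33"))
TRANSFER = "0x" + ERC20_TRANSFER + "00" * 12 + "22" * 20 + (1000).to_bytes(32, "big").hex()
MESSAGE = "0x" + b"please return my funds".hex()
SAMPLE_TXS = [Tx(100, 0, VICTIM, TOKEN, 0, TRANSFER),
              Tx(100, 1, SCAMMER, "0x" + "44" * 20, 5 * 10**18, "0x"),
              Tx(101, 3, VICTIM, SCAMMER, 0, MESSAGE)]
```

Note that the token transfer to the scammer is only found because the decoder reads the recipient out of the calldata; a filter on `to`/`from` alone would miss it.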
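The red-side point about the memory pool (the miner orders pending transactions by gas price, which fixes each one's position in the block, and the pending state is a window in which a call can be seen before it executes), as an added example that is not the speaker's code. The watched contract address, the mempool contents and the set of functions treated as sensitive are assumptions; the two selectors are the real ones for `withdraw()` and `transfer(address,uint256)`.

```python
# Added example (not the talk's code): order a constructed memory pool the way
# the talk describes miners doing (highest gas price first, which fixes each
# transaction's position in the block) and flag pending calls to a watched
# contract while they are still in the window before execution.
from dataclasses import dataclass

WATCHED_CONTRACT = "0x" + "aa" * 20            # constructed contract address
# Real 4-byte selectors (keccak of the signature); which functions count as
# sensitive is an assumption a defender makes per contract.
SENSITIVE = {"3ccfd60b": "withdraw()", "a9059cbb": "transfer(address,uint256)"}

@dataclass
class PendingTx:
    tx_hash: str
    sender: str
    to: str
    gas_price_gwei: int
    calldata: str

def selector(calldata: str) -> str:
    """First 4 bytes of the input data, lower-case hex without 0x."""
    raw = calldata[2:] if calldata.startswith("0x") else calldata
    return raw[:8].lower()

def order_mempool(pending):
    """Order pending txs as a miner paid by gas price would include them."""
    return sorted(pending, key=lambda tx: tx.gas_price_gwei, reverse=True)

def flag_sensitive_calls(pending, contract: str = WATCHED_CONTRACT):
    """Alert on pending txs hitting a sensitive function of `contract`,
    with the block position each would get under gas-price ordering."""
    alerts = []
    for position, tx in enumerate(order_mempool(pending)):
        if tx.to.lower() == contract.lower() and selector(tx.calldata) in SENSITIVE:
            alerts.append({"hash": tx.tx_hash, "position": position,
                           "function": SENSITIVE[selector(tx.calldata)],
                           "gas_price_gwei": tx.gas_price_gwei})
    return alerts

# Constructed mempool snapshot: a withdraw() on the watched contract at a low
# gas price, an unrelated plain transfer, and an approve() on the watched contract.
MEMPOOL = [
    PendingTx("0x01", "0x" + "11" * 20, WATCHED_CONTRACT, 30, "0x3ccfd60b"),
    PendingTx("0x02", "0x" + "22" * 20, "0x" + "bb" * 20, 80, "0x"),
    PendingTx("0x03", "0x" + "33" * 20, WATCHED_CONTRACT, 50, "0x095ea7b3" + "00" * 64),
]
```

The alert reports position 2 for the withdraw() call: anything paying more gas lands ahead of it, which is exactly the ordering the talk relies on when it describes the window before execution.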