Web3 101: Smart Contract Auditing

Hello, good afternoon everyone. Uh, very happy to be here for the first time at Bites too. So, let's talk about this topic. I want to start the conversation before introducing myself, although I've already been introduced uh who among you has worked with Web 3, even if only from a development perspective, have interacted a little with blockchain, do you know a little bit about this topic? I see a hand over there. Okay, I'll see others. Let's say, those are relatively new technologies. And of those who have worked on it, who knows about Web 3 security? I see that there are few hands here, let's say, it's a new topic, so few people have worked on development and even fewer are going to be

people who are focused on the security issue. So, the idea behind today's talk—that's why I called it " First Steps"—is to provide a Web 3 One or an introduction for those who want to start learning about Web 3. I'm going to give you some resources, platforms, an introduction to what blockchain is, some tool frameworks, and we'll see how we can start testing. So, who am I? Hey, I'm Oscar Uribe, I'm a security tester, etc. hacker at Fluidax. Danilo, who also posted a few times, is a colleague; we also have several colleagues. Uh, I spent some time doing security research, uh, looking for CBS. I'm also a CVF player and sometimes I like to play CTFs, especially

the binary exploitation, reverse engineering, and that kind of thing. I also use the web. I am a systems and computer engineer, and here is my LinkedIn profile in case anyone has any questions about the talk. I think we can share the presentations with you, but if anyone has a specific question or wants to ask me something, we can stay in touch here.

Hello. Yes, ready. So, the content... well, let's start by talking about what blockchain is. We're going to talk about Ethereum, Smart Contracts, and Solidity. Uh, during the day we've seen that there's been a lot of talk about UAS. We talked about UAS in natural languages, we talked about UAS in web applications, and we're also going to talk a little bit about UAS in the context of smart contracts. I'm going to share some tools, some resources where we can go to practice and we're going to do a small demo, uh, let's say simulating a real attack that occurred, let's say, on the blockchain, on the mainnet. So, what is blockchain? Blockchain, let's say, here we have a definition, uh, I

almost don't like to give it. I think it's blockchain. Blockchain is a distributed database. What does this mean? So, I have a chain, let's say, where information is stored and there will be people who will write to them. So, it's not like in the... uh... when you talk about centralized applications where there's a database that everyone queries, but rather everyone has copies of that database. Each of the nodes belonging to the blockchain will have that information replicated. Uh, where is it used? Where do we specify what applications it has? DeFi topics, uh decentralized finance, uh we've explored a bit about identity, bond issuance, certificate issuance, and one of its characteristics, there are many ecosystems, uh let's say most of us

here know Bitcoin, right? Uh, but we also have other ecosystems, Ethereum, and let's say each of these ecosystems starts by presenting its native currency and from there they develop, let's say, a community of different topics. Um, let's say the beginning when one talks about blockchain, what is that thing where it is based? Uh, blockchain is based on something known as the consensus algorithm. This is how the integrity of the blocks is guaranteed . We said, we're not talking about having a centralized database here, but rather having information in several places. So, I ask you, if I have it in several places, how do I ensure that someone who has that information doesn't modify it and then say, uh, no, that transaction

wasn't for 100, but for 1000? How do I guarantee that integrity? So, that's where the consensus algorithm comes in. Here we have two types, uh, proof of work or proof of stake. For example, Ethereum initially worked with proof of work, Bitcoin is on proof of work, but there are many ecosystems that are starting to migrate to proof of stake. What is the difference between these two types of consensus? In Proof of Work, let's say, this is the one we 're most used to, those who have seen videos explaining it a little bit, blockchain, it's the one you find most often, where all the nodes, let's say, all those that belong to that network, this is

where the miners come in, they try to solve a calculation that is very computationally heavy in order to guarantee that, let's say, there are several competing, everyone has the information. When a new block is to be added, they try to solve that algorithm, and the first one to solve it is the one who can add that algorithm to, let's say, the blockchain. Why is that done? Because, well, if I have to solve that calculation computationally, it's costly to be able to add new information to the blockchain. So, when someone manages to do this, the other nodes, since they do n't want invalid information to be entered say "Well they mined it first, but the information

they entered is valid." Then, the other nodes validate it, and that's when a new string is added to the block. Then there are other topics that we'll talk about more specifically when we're explaining the ecosystem itself, but the person who is able to mine that block receives a reward in the ecosystem's native currency. So what is Bitcoin mining? It involves solving computational calculations to add new information to the blockchain. That 's in Proof of Work. Proof of stake has, let's say, a different methodology. Here, if I want to enter proof of stake, I have to freeze an amount of, let's say, of my currency. I need to stake it, store it, and then I can start validating

nodes. So, how do you choose the person who will add the node to the chain? It's done by random topic. Let's say, if I have more frozen currency, then I'm going to have a higher probability of being chosen to add to that chain. Starting to talk a little bit about attacks, uh in blockchain there is an attack that is 51%, we are talking about all the miners wanting to add information. What happens if I control more than half? Since I control more than half, I can tell if that is an invalid block, that is a valid block even though it was an invalid block. So it's one of the attacks that's being talked about. And why is it, let's say, a

more theoretical attack? Because of the number of miners there are, because of the amount of interest from different people. So first economically having the amount of resources to be 51% of a network and more of an ecosystem already like Bitcoin or Ethereum, which are large. Well, Etum, we're no longer in PR for, but it's more complicated. Well, that's blockchain as a general definition. This talk is very focused on Ethereum, which is one of the blockchain ecosystems. So, let's start breaking it down. We started in blockchain. Now we're going to talk about Ethereum, which is one of the ecosystems that was built on blockchain technology. So, it's a platform that was adopted to, uh, start to

, let's say, to develop applications on it. It was created by Vitalic Buterin in 2015. We're still talking about new technology, and its main feature is that it allows you to create smart contracts. So, what is a smart contract? We'll define it later, but let's say that the characteristic of Bitcoin is that you can't have smart contracts. So, when we talk about smart contracts, it's a feature that Ethereum has, but there are other blockchains that have started to implement it. some of its components. We have that Ether is the native cryptocurrency, just as in Bitcoin we have the because Bitcoin is the native currency. When we talk about that ecosystem in Ethereum, it 's the Ether, uh, all the validation, all the

blocks run on a virtual machine similar to Java, well this is the Ethereum Virtual Machine, the IBM and it's the environment where all the transactions are processed. An important concept that we will talk about later is gas. Hey, what's up? The miners have to be paid, right? So, miners need to be given a contribution each time information is added to the block. So, gas is something that if I want to make a transaction, I pay a fi, let's say, a small tax, and that fi goes into a pool and that's how the miners or those who are validating the blocks are paid. The consensus mechanism that we already discussed. Initially Etherium worked on Proof of War, but when Etherium 2.0 was released

in 2022 it was changed to Proof of Stake. And addresses, an address is a wallet and/or an alias because both can send transactions within the blockchain and it is, sorry, it is simply a unique identifier. That's what he tells me. Well, just like I have a bank account number, a wallet is like that identifier that tells me, "From this wallet I'm going to send here or from this wallet I'm going to send, I'm going to interact with such and such contract." It's like an identifier that allows me to make transactions. Ready? Now we're going to talk about smart contracts. What is a smart contract? It's a nice way they wanted to describe a piece of

code. Well, a block in a smart contract is a fragment of code that I compile and upload to the blockchain and it will be executed. So, what advantages will it give me ? If I have code that's on the blockchain, I'll be able to talk to it. I will be able to have a logic to make transactions based on that . Let's say, in my smart contract I can generate the logic of a bank; I can have a contract that allows users to deposit, withdraw money, validate balances, and so on. So, it's that code that's added to the blockchain. I have to compile it, upload it, and that will also have deployment costs, etc. some languages ​​that exist.

We have Solidity, which we'll talk about a little bit in this talk, Viper, which was in Python, Rust is used a lot in Solana and other languages, Ray Kairo, and even C+M+ can be used for smart contract issues . So there's a wide variety here, but for people who want to get started, I highly recommend Solit and Smart Contracts on Ethereum because I find it quite user- friendly. We're going to look at a little bit of syntax and stuff right now. So, what is Solity? It's a language, let's see that it's object-oriented. To me it's similar, it's somewhere between JavaScript, it has certain influences from Java and, let's say, because of the object-oriented aspect , well, uh, JavaScript runs

on the IBEN, on the Ethereum Virtual Machine. I think this is outdated, the version we're on is 0.824, but I think it has changed. I would have to check. You can also go to the Solity LAN website, which is the organization that develops and maintains Solity, to see what version we are on. Here's another important concept before we understand. Well, if I want to create a smart contract, I'm not going to do it; we already said that what is written on the blockchain stays there. If I've already uploaded a contract that's incorrectly configured, that logic will still be there, and if someone enters funds, they can either steal them, or the transactions will be blocked, or the

money will just stay there, locked up. So that's what testnets were designed for; there are different networks that allow me to run tests on them. So, in Sol, in Ethereum we talk about what is the mainnet, it is the main network where all the systems are deployed, NFT issues, all those things are deployed there, but there are also testnets, we have these three: Goarly, Cepolly and Ringping where I can do tests. Uh , why? Because, let's say, remember that if I want to deploy a contract, that costs, that's worth a certain amount of gas, so I don't want to spend my money so easily, so I can deploy it here. Uh, funds can be used,

you can even try it right now. You download MetaMask, you say you're going to be on a Testnet and you go to a faucet and select which network you're on, you put your wallet and that will give you funds, it will give you a certain amount of Ethereum, fake money because we're on a Testnet and with this you'll be able to make your transactions and it will be displayed here and anyone who connects to this network will be able to see your application. Okay, let's talk about Remix. It's also a tool that I think is very useful for people who want to get started; even though this talk is focused on security, it can also be helpful for those who want to start exploring blockchain development topics. That's a

development ID that's, let's say, here on a web page. So, you can go to remix.org and say, here I'll be able to write my contracts. Here I have a written contract and it will allow me to do, let's say, different things, compile them, deploy them on a network, and so on. Okay, so what's the first thing we do when we 're learning a programming language? In other words, Hello World. So, let's see what a "hello world" program in Solidity would look like. Hey, here we have Hello World. I'm going to briefly explain what it does, and we can even try it out in Remix right now. So, when we talk about Solidity, you see that it's

quite similar to an object-oriented language, only here we don't talk about classes, but rather about contracts. Look, we have here a contract, which would be like the equivalent of a class. We're going to have attributes like in a class. Look, I have some bytes here. Uh, let's say there are other types of objects here. We have 8 bytes, which would be literally 8 bytes, that's the size of the object. And it's called data. Here we have three functions. We have a function called hello world. And what this function does, I'm telling you, is a pure function that won't modify the blockchain and that will return a string that is stored in memory. So, that's why we're

doing a "return hello world". Uh, and we have a function that sends two numbers. Look, here I'm sending a sign-in of 256, and A and B are also sign-ins of 256. I add them together and return the sum of the two of the same type. So there we saw a world, a sum, and how to store information on the blockchain. Uh, here I'm sending you some data, which is some bytes, and that data, look, here it's with undersore, which is the variable that arrives, I'm going to save this variable that I have stored here. important things. If I'm consulting blockchain information, that won't cost me anything. I can, for example, this variable of those bytes that are here, I can

call them, I can make a get function to return them to me, or sometimes when one deploys they are generated automatically. That doesn't cost anything, but writing does. That's why deploying a contract costs money, that's why making a transaction costs money, because writing means adding a new block to the transaction chain, to our database. That's why writing to the blockchain has a cost. So, here we're going to make a little demystification. Uh, I have the contract here and for now we're going to work from the terminal, but so that we also know Remix, what he's going to do is paste it here. Here he tells me, "Be careful, that's code we 're pasting. They might try

to steal your NFTs or something." So, let them review and trust the code. This code is reliable because I made it, but it's important to validate when it's used. Okay, important topic, this first line tells me the version of Solidity I'm working with. So, well, here's the answer to your question. We went from 824, 825, it's outdated, but hey I want to work with this version. So, I'm doing great here, I don't have to install it. So here I go and check what version I'm currently using, 8.0, and here I should save and it shouldn't give me an error. So that, let's say, that also has a syntax check and makes certain corrections for me. So now we have the

code, we know what it does. Let's deploy it. How can I deploy it in Solidity? We have several options, let's say. Here we have some providers that give us remixes. They have created their own blockchain networks and here I can choose if I want, for example, a remix network. Those that say "BM remix" are their networks. I don't know, Shanghai. Uh, once I select the network, here I can choose which contract I want to deploy. So, here I'm going to choose the contract I have, I click deploy and look, down here I see the contracts I've generated and here I'll be able to interact with the contract. For me, analyzing a contract is almost like looking at

an API when you're in web hacking because it's like functions that I have and I can call them with certain parameters and they'll return something, taking into account the issue, the issue of gas, the issue that if I'm going to write something it will have some cost, but let's say for me I make that analogy of talking to an API. One cool thing about using remix networks is that it generates several wallets for me. These are directions. Note that the addresses are hexadecimal and each one is generated with funds. So, I have here 100, 200, 300, 400, a lot of money. And with this we can start doing tests. So, given this, why does this

first wallet have less money? Because I deployed to that contract, that generated a cost, a fee, and that consumed gas. That's why we don't have 100 in this one, which is the one we deployed it with. Here we're going to start interacting. Then we saw that there is an AD function. So if I give him two numbers, look, I'll call him and here's the answer. 1 + 2 equals 3 most of the time. We have Hello World here, which we're saying, it's going to return it to me. Look, we're doing it with this one here, it has the same number. I'm going to call hello world and it returns the string hello world here. But how are we

going to write here, oh, this is 32. I think I'll die here. I don't know if it's possible like that. Well, I'd have to do something here, otherwise I'd die. Oh, well, there are eight. No, it's not that serious. Two, three, four six. Yes, I put eight. Okay, that's where you put the bytes. The format here is normally by putting a ray to stop it, but this one would generate one, let's say it's stored in the database, let's say, it would be stored on the blockchain, so this one would generate a cost for me. I don't know why it's failing. Ready. So, we've already seen how to generate an amount. We already have a basic introduction to Solity; we already know

how it works. I think we've all already done our first deployment of a smart contract. If I wanted to do it on Mainnet, it would be the same thing. I have the code, but I do need to top up my balance before I can deploy it. Uh, even in remix I'll also see here that if I want to expand here they'll give me options. For example, I could connect here with MetaMask, but I don't see it here. So, look, he would open my MetaMask wallet here, and if I have money in some testnet or mainnet here in MetaMask, I could even do the deployment from right here in Remix. So it's a pretty cool tool for not

having to struggle too much with configuration. Ready? Oas. We are interested in security. So let's start looking at how these contracts can be exploited. Hey, here's the link to the project, the top 10 OAS Smart Contracts. Okay, let's start talking a little bit about each one, what it consists of, and yes, we'll talk about the definition of each one briefly. First up is Reentrancy Spoiler, this is the demo we're going to do right now. This is the, sorry, vulnerability that we are going to exploit in the demo. So, at this point I'm not going to go into much detail. Anyone who wants to can read it. We have integers, overflows and underflows, the same as in C in

low-level languages. If I have a data type and I add one to my largest number, then the counter resets. The same applies to the other side. So that also applies. That's why they saw that I had a 156, so those are whole numbers of 256. Dependency issues. One problem with blockchain is randomness. So it's very difficult to have randomness in blockchain. So if I'm assigning randomness, one on the blockchain, since it has access to all the information, I can see what that randomness value is that I'm assigning and I can use it to predict values. So if I have a lottery that generates a random number, but it depends on time, I can easily know what value needs to be

sent to guess that. So, when it comes to dependency, it's complicated. Access control vulnerabilities, that's on the web, it's everywhere. There are also functions here that are critical. So, the critical functions, I don't want just anyone calling them that. I'm going to set it so that this function can only be called from wallets or with certain controls that pass some check. We have front running attacks. These are quite interesting because blockchain transactions are not done instantly. I, let's say, send a block and before that block is added, before my transaction adds a block, other things can happen . And here blockchain is a little, let's say, racist in that respect because it prioritizes people who give more

gas. If I contribute more gas, I can make my transaction run first. So, if I can do it, if I have a way to control my malicious transaction, let's say, uh, I can, there's a transaction that manipulates the price of something. I can say, someone sent, bought something, wanted to buy something, uh, let's say made some purchase. What I do is, a transaction that inflates or lowers the price depending on what I need, I can do a front run, that is, run before the other transaction, and with this I can manipulate it so that it is written first and will have a different result than the transaction that was sent. So, the fronts are related. Right now I'm

going to explain an attack that uses this a little bit in DeFi, in decentralized finance . Denials of service. If you go and explore, there are a lot of smart contracts deployed that are completely unused. Due to programming logic, or some error, the contract could not be interacted with now. And I recorded it, there are funds there. So, blockchain is where that contract is, money was sent, it stayed there, there's no way. You didn't use logic to remove them. The contract was suspended due to a denial of service; those funds were frozen. Logic errors, the same, because it's a programming language, you can add logic errors in calculations, let's say, in calculation errors. Similarly, insecure randomness makes it very

difficult to generate random numbers. Even you know that it is impossible for a computer to generate numbers. One speaks of pseudorandom numbers because it starts from a seed and so on. So here in OAS too, let's say, in Smart Contracts one can also abuse this issue of randomness to predict values ​​and abuse it. Vulnerabilities in the use of gas. Gas is, let's say, if I have a contract, on certain lines, each instruction costs me a little bit of gas. If I limited the gas and it wasn't fully executed, then there may be problems due to the way the gas is administered. If I have an infinite loop, it will use up the gas of the

user who is sending the transaction, etc. And we have external calls that haven't been reviewed. Sometimes contracts can call other contracts, but if that's not properly validated, it can introduce vulnerabilities or, let's say, certain problems. There is even a vulnerability that if I am calling from one contract, if I make the call incorrectly, that other contract could end up executing the code in this contract here, not in the one that was called. So there are issues there. Okay, let's talk now, I think we understand what we're going to find now. What tools and resources can I use to learn or find this information? MetaMask, let's say, those who have ever bought NFTs or have done

some testing, well, I don't really like to move around much in that crypto world and all that, but I did install my MetaMask once and do some testing with it, but for testing on Testnet and that it's quite useful. Note that even Remix can be integrated. That's a wallet that one can install. It's a browser plugin where I create a password and that generates a certain number of wallets for me, and then I don't have to memorize them or anything, I can access them with that password. We already saw the remix, so I won't explain it again. We have Brownie, which is a framework made in Python for testing, let's say, against smart contracts. So, what

advantage does this give me? I can generate my own local environment, I'm going to generate my own blockchain and using Brownie makes it easy for me to, let's say, generate, diploy contracts or interact with them in some way. So it's pretty cool, and let's say, you 'll have your own Ethereum virtual machine on your computer to test it out. We have Ol, uh, we said that Solidity is a compiled language, so we need a compiler. The Solidity compiler is Sol. I can even install it with the command ` solc` in Node.js, sorry, on Linux; on Mac, `br install` or `apt install Solc`. I even think it can be installed with npm, and then we can have it ready

to compile our contracts. Ganach. Ganache is a tool that allows me to generate my blockchain. Let's say, I can generate my own blockchain emulator and I can have my blockchain there and every time I'm going to do tests it generates a new one and it will give me, just like we did in Remix, a list of wallets that I can already use to start interacting. We have libraries, just like this one , we have a couple of very similar libraries, Web 3 Pi and Web 3JS. One is made in Python and the other is made in JavaScript. So, let's say if someone wanted to create a website that deals with blockchain, with Ethereum, well, they would

use, for example, one of these two to interact with the blockchain from the website . So it can also be used for testing. So I also recommend that you take a look at one of these two. Open Cepelin. Well, when smart contracts started, it was a company that generated a lot of standards where I can start to look up how to do something securely. So, when we talk about coins, I can generate my own coin on Ethereum. I can invent any currency that runs on Ethereum, but to do so I have to follow a standard. For example, in coins that standard is known as RC20, it's RS20, it's the standard for coins. And if I want to create an NFT, then I would do RST 721.

So, that will force me to have certain functions. A withdrawal function, an approving the handling of funds, uh, a function for, let's say, if we're in RS 121, which are NFTs for mining, burning tokens, etc. So in Open Speleing we don't just have those two standards, there are more. One can generate tokens, let's say, grouped together, and different standards emerge from that. So, it 's also quite valuable documentation. Now I'm going to start recommending some websites for learning. I want to, we've already seen what vulnerabilities there are. I want a testing environment to start looking for vulnerabilities. So, I have this page, this turnout, where from the browser console itself , I'll have access to

Web 3JS, which was the JavaScript library, and from there I have a series of challenges and I can start exploiting different vulnerabilities. So, they're going to tell you, "There's a contract that does such and such, so steal the funds or come back and do a denial-of-service attack on the contract." So, each of the challenges will have a validation process to pass the challenge. So, it's pretty cool to start testing. And if you're interested, well, Open Cepelin is hiring here. This was developed, I forgot to mention, by Open Zeppelin. So, if they're doing really well doing that, then send us Open Sepelin to see what they'll have them do. Uh, Hack de Ox, uh also Hack de Ox a

year ago, I don't remember if it was last year or this year, they started deploying some blockchain challenges. So, those who are into hacking and want to learn, let's say, also find challenges, well here are some challenges too. At first there were only some easy challenges, but now they have started to put challenges of different categories. So, you can also take a look at the challenges to see what you find. Well, we know that a lot of money is moved on the blockchain. So, just as there are book bounties on the web, well, Web 3 wasn't going to be left out, and there's a platform called Immunify where you can find bounties, companies that launch their

smart contract projects, where they offer ridiculous amounts. The truth is, the bounties they pay on Web 3 are ridiculous amounts, because the impact it could have, the amount of money involved, is enormous. So, here you can find very lucrative bounties, but I also offer it as a learning tool because you can go in when they disclose the bounty, you can go in to review and understand a little bit about how it was exploited. We have Duler Deffy here, it's a GitHub repository, you can search for it and it has challenges, but they are focused on the topic of DeFi. Remember that DeFi stands for Central Finance, so it's like all those logics that are used for, let's say,

financial matters, but in a decentralized way. So, there are loan issues, uh, different things that can be done, uh, issues of, oh, sorry governance Oracle well uh pricing Oracles, that is, those that calculate the prices of things, etc. So, there are different attacks here that one can start. I also recommend learning the standards first, and playing with Ethernote first, because when you get into Deffy, the attacks are a bit more complex, and sometimes they're not so technical, and you have to understand more about the logic of how prices are calculated and it has more financial aspects. Well, here's a list of resources as well. I'm also going to leave it there so they can take a picture of it. Here are

all the people I spoke to. Let's say we have MetaMask, remix, Browni's theme. Uh, this is new, it's documentation from Soliti, so you can find everything there. Ganache web 3JS, this tool that you can install on your computer different versions of Solc C. Uh, just like in remix I could choose which one I wanted, uh I can install different compilers and choose which one I'm going to use. So, for example, this Solc Sol C select tool can, uh, allow me to choose which one I want to use for the contract. We have Ethernout, which is the OpenCepelin page for challenges, Hackd. Hey, here's a repository with different tools and techniques for exploring smart contracts. Slider, which is

a tool for performing static analysis on smart contracts, Immunify, and Solidity by Example, which is a page where they will teach you how to program in Solidity through examples . Okay, let's get started with the demo. Well, I'm going to start explaining. First, I'm going to give some context about the attack we're going to replicate, what happened, and also, so we can see the amount of money involved, how much money was affected. This is then known as the DAO attack. So first let's talk about what a DAO is. A DAO comes from the acronym decentraliz eh autonomy eh organization eh decentralized autonomous organization . So, let's say it's like how a cooperative works, like giving an example here where there are people

who have different members and there are rules so that they can generate transactions between them. This was launched in 2016, it was one of the first DOs, they were just starting to talk about these concepts and when it started, when they deployed it, let's say, a block, uh, Ethereum, it raised $150 million worth of ether. They also know that those values ​​in the end are not so real because, well, the value fluctuates a lot over time. When they are in the sales phase, let's say, they go through different phases, a phase for uh, like believers, things like that, where people are joining, but when they were already selling, they were hacked and almost 50 million dollars were stolen using a

vulnerability known as reentrancy. If you remember when we talked about the top 10 AS vulnerabilities, we saw that the first vulnerability there was reentrancy. So let's understand what reentrancy is. Uh, I'm going to ask a question here. Who are the, let's say, developers? So, just to get an idea, who has any idea about development? Okay, we changed the question. Who still remembers that concept of recursion? Who got it? Ah, well, that was the question; it had to be a different question, let's say, about recursion. Uh, remember that it's a way for one method to call another method, and there have to be stopping conditions to make that happen. Whenever I try to explain this attack, it seems very similar to how

recursion works. Because? Let's explain. We have the decentralized organization here. We have a smart contract that the attacker deploys. Note that the attacks are not carried out directly from the user's wallet, but the attacker can deploy a contract and launch the attack from there. That's what we're going to do right now. Let's say, there's a function called withdraw money. I'm going to withdraw all my money. How do I know how that logic develops? So, the user has some funds. Then, the application will validate if the user has those funds and transfer the money. Um, what happens if I, uh, let's say, have some funds, transfer the money, and then subtract the amount of the funds? What happens if I do it in that

order? I receive the transaction, so I know I'm going to withdraw a certain amount of money, so I transfer it to the user and then, well, first I validate, if the user is going to withdraw 10, I validate that there are more than 10 or the same amount in their account, I pass that check, okay, then I transfer the money and then I subtract from my record that I have of the user, they had 10, so I tell them that they no longer have 10, but have zero. Do you think there's a logic to how that vulnerability works? Do you see any mistakes? Yes, the answer there is yes, because here we always have to follow a

principle which is check effects, interact. I always have to check first. Okay, that's fine, let's check. But I have to do the effects first. What are the effects? Subtract the user's salary, or balance, from my database. Because? Because of how blockchain works, if I leave the balance to be subtracted , in the end, what the attacker will do is, when the money transfer arrives, he will send another one. The transaction is then paused. He never subtracted the balance. The next time you log in to validate, you will still have the same balance because it was never deducted. Then that process is repeated recursively until, in the end, not the amount of funds the attacker had, but all

the funds that were in the contract are withdrawn. I'm going to leave the contract completely blank. So why did they only take 50 million here? Because they realized the attack and managed to freeze things, but the attack could have been worse because they could have stolen all those funds. Why is this attack possible? Let's say, when you deploy to a contract, which is the attacker's contract, the contracts must have the ability to receive funds. So, there's a function called fallback, which is the function, it's like the code, the code logic that runs when money comes into my contract. So, what I do, this function, well, I think more than one person's eyes were already shining, I

can use it so that money arrived on my contract. So, I go back and call to withdraw money and he sends it back to me. Ah, that feature came back to me again. I'll call her again. And then in the ruling I guarantee that whenever I receive money I can call the withdraw function again so that in the end I remove all the funds from the contract. So, let 's say reentrance is based on not following that principle of check effect interact and the fallack function that can be implemented in any smart contract. So in the end, the contract will eventually fail, but it won't fail because the contract doesn't have the funds to come in to, let's say, return to the

malicious contract. Well, then talking is very easy. So let's see how this would look, let's say, in reality. Let's do a test, let's explain a local blockchain and let's replicate the attack. Here I have it, I'm going to show it right away from Visual Studio so we can see. Well , we even have here, I'm going to show you a small example first so we can see how brownie can be used, let's say. I'm adding this a little bit here so it looks better. I'm going to put a demo folder here , it's completely empty, and what I'm going to do is, with Brownie, I already installed it and it can be installed with Python, I'm

going to run Brownie Nit. What uninit does is create, let's say, this directory structure; it creates a contracts folder, a test folder, a script folder, and a build folder. So, let's say, in contracts is where I'm going to put the logic of the sol points, the Soliti contracts. If I'm going to do tests in scripts, I can put scripts that do something, a script that deploys the contract, that sets certain parameters, that makes certain calls. Let's say in these build folders it's once I compile the contract, uh, I'm stuck there. But let's see what Brownie does; I don't have to do that step of compiling the contract, then taking that text, that compiled contract and

uploading it to Ethereum or my blockchain, because Brownie does all that for me by default. So, if I have that structure, uh, I'm going to show it here, let's say, what we have. So, remember I told you we had a folder of contracts. Here in this folder, we have, let's zoom in a little more . Uh, we have this, which is going to be the bank contract. Let's review its logic a little bit . Uh, the class is called contracts. Here we are using an older version of Soliti for ease of use. Let's say that in newer versions the attack can still be carried out. In object-oriented programming, we have a constructor. So, when the

contract is deployed—in the Hell War example there wasn't one, but when the contract is deployed for the first time— I can pass certain parameters to it so that its instance is generated. So, in this case, the constructor only receives a name. We have a deposit function. Uh, this function is public. Because? Because I want everyone to be able to call her. And here appears a new value that is payable. What does that mean? It is a function that allows a user to send money in order to interact with it. Because? Because what I want is that I 'm looking at this message. I look at the user who sent an ether, so in my balance array,

in the user's address, I save that the user has a balance. So that function has to be payable because they have to send me money. Let 's say I have an arrangement where I keep the record of that money as such, those will remain stored in the contract . We have a function that returns the balances of all users and we have the withdraw function. We said that the error occurs when the principle is followed, when the principle of check, effect, interact is not followed. Here we have to check, we are checking the balance, that the user's balance is greater than or equal to, it is important that what I am asking to withdraw is greater than or equal to what

the user wants to withdraw. So, if this is the case, great, we can withdraw here. This function is what sends the money to the user. So when he withdraws, I have to collect the funds I have in my contract and pass them on to the user who wants to withdraw. So, this is where the money is sent. That would be the interaction. Look, he's in second place. And the effect is when I take it from my balance record and subtract the amount that the user wanted to withdraw. So, look, we're not following that principle here because, to fix this, this line should go down to prevent this attack from happening. So, an attacker realized that a contract was deployed

with this structure and noticed that there is a vulnerability in the withdraw function . So, what he does is exploit this vulnerability; I ca n't do it from a wallet because when he gives me money, I ca n't immediately call him. That's why one chooses to use a contract. Then one is going to generate a proxy contract, as they call it, to generate the attack from it. What I do here is I have a reference to the bank contract and in the constructor what I do is I pass the address, the wallet, the address, well the address of the contract and with that I generate a reference here. So, here it 's as if I had an

instance of the bank and I can call all these functions that the bank has here, call balances, deposit, etc. So, I do that from the builder. We have a function, you're on the attack, we're going to talk about this in a moment. We have a deposit function. Um, I want that once I open the contract, I can deposit a certain amount of money, as per the contract, into the bank, because remember there's a check that says I have to have funds to withdraw. That's why I'm looking for ways to have a certain amount of money in the bank. So this function allows me to do that. We have a get balance function, where I'm going to look at what the

balance of this account is, let's say, to do some tests. We have this attack function which simply calls the remove function. Look, he's only withdrawing one Ether. So, we're going to do this exercise . We're going to deposit an ether. We're going to remove an ether attack; it's the one that starts the attack. Below we have the fallack function, which we mentioned allows us to perform this attack. So, what I'm reviewing here, we want to keep taking money out, we were kind and we want to keep taking money out until the contract has nothing left . Look, here I am making sure that it keeps calling withdraw until the balance, here I am calling how much money

the contract has, is different from zero. In other words, when the bank has zero, then I've stopped, because I've already withdrawn all the money, I don't want to keep withdrawing. I already withdrew the money, not only mine, but that of all the users. Remember, that's what we're talking about there. And here I call bank.draw withdraw again, lando un. So what I'm doing here is that every time I call this fallback, every time I get money, I withdraw another heter. So, I deposited one, but at the bank there were 100 euros counting all the balances of all the users. So, this is going to be done 100 times until it leaves, let's say, the bank contract empty. That function is extremely

important because, remember, we're talking about contracts that hold money. What happens if I don't use this function to extract the funds I've surrounded myself with? Well, that money will be frozen in the contract. So, I carried out the attack, I took all the money from the bank, but the attacker won't be able to withdraw it because he won't be able to transfer it to a wallet. So, this function, what it does is that the person calling it—and here's a vulnerability, we'll talk about that in a moment— this function allows them to transfer all the funds in this contract from the attacker to a wallet, which is like the attacker's wallet itself , the attacker's address, the AES

. Why do I say there's a vulnerability here? Because they remember that in OAS there was access control, that vulnerability is public. If anyone else noticed that there was an attacker contract here and calls this function, it will drain all the attacker's funds. So, even these cases have occurred. Uh, the attackers don't have, even though they found a vulnerability, they didn't realize that their own contract was vulnerable and another hacker hacks them, hacks the hacker and with that they steal the funds simply by calling a function. Ready. So, what I'm going to do here is go into my folder. So we already studied the structure a little bit and I'm going to show you the

script I have here to simulate the attack. Ready? So, look, uh, I like to do the demo from the terminal so you can see the outputs. So, here's the brownie console. Look, he automatically uses Ganache, which I have to have installed, to generate a local blockchain and he generated 10 accounts for me. So, with this I now have a local blockchain that I can interact with. Hey, here's something really cool: you can even download a real copy of the blockchain and set it up here, make it work with real data, and I could go to the exact date, let's say, each block has an ID, go to the block with that ID where the attack occurs, go and replicate it,

make the same transaction, the same transactions that the attacker made to steal the information. So, it's also pretty cool to be able to replicate the real attack, let's say, locally. So, that's something you can try as well . Well, since I 'm using Urauni and I have the contracts here in this contracts folder, what it does is compile them for me and I can access them here through variables. I already have a bank reference and I have an attacker reference. So, with this I could do things like deploy the contracts and stuff. So, I'm going to stay here. Hey, remember I have 10 accounts. So, here I'm using eh account, it's an array of 10 values. So,

here I'm using it as the last account and that's going to be the deployer account. So, if we look here at deployer, it has this address addr the account on our blockchain. I'm going to create two users. So, I'm going to say that user one is account number one and user two is going to be the second account. So, here we have user 1 and user 2. Notice that they are different addresses. Okay, let's generate our attacker, because we want to have the attacker, the one who will carry out the real attack and steal the funds from those two users. Here we're going to do a deployment, that is, we're going to upload our contract.

For now, we only have the compiled contract, but from the deployer, which was an account we created, I'm going to... remember that this is just a reference. So, I have the bytecode of the contract already compiled and when I do this deployment I'm going to send it, I'm going to deploy it on the blockchain. So, remember that our smart contract, our bank contract, had a constructor that was a string that was the name of the bank, and here I am passing it to you, and here I am passing the from of the deployer to simulate from what address it was generated. So I do this, if it turns blue it means the transaction was sent. Here

I see the gas limit, the cost of the gas. Since this is a local blockchain, you can configure it to use gas , to use a certain amount of gas or not, and it tells me what current block I am on, how much gas I use, and so on. There it is, like all the information. No way? What happened? We already have a user account, we already have our bank contract. So, let's simulate, uh, a normal flow. User one, let's say, from user one, here I 'm telling you, user one is the one who is going to do it from that wallet that he has, he is going to send two ether. Remember that this deposit function was

payable, so you have to send ether. They're going to take out of the 100 Ether that this account had, they're going to take two plus the cost of the gas to send it to the contract funds. So, here's the successful transaction. So, at this point, how much would it cost to outsource the contract? Two. User two had a little more financial fluidity and deposited five Eter. So, uh, look, here I am doing from user 2, five Eters and at this moment there should be seven Eters in the contract. Here we are simulating, let's say, the sales phase. There were users who were buying, putting money into the contract. We are simulating that part. The attacker realized that

the contract had funds, discovered the vulnerability, and generated our attacker code. We already analyzed it and what we're going to do here is deploy, we're going to upload our attacker contract to the blockchain . Look, what I'm doing is attacker account and remember that there was a builder who received the bank's address. So, since we 're already doing it in the real environment here, I have in bank.adres Adres, like, what address the bank contract was deployed in. So, here we have the successful action. For example, look, I can make a bank. Ades, if they write it, eh, that's where I get the bank's address and I can also attack. And this is the address where

my contract, let's say the attacker's contract, was uploaded. Remember that there was a limitation to this attack, which is that the attacker had to record at least one. Because? Because there was a check to make sure they had enough funds to start withdrawing. So, we created a deposit to bank function. Remember this. which allows me to simply deposit the money I send him, if it is greater than zero, into the bank. So I deposited it there, transaction successful, and let's see if they were paying attention. How much money should be in the bank? How many sets? Eight. One user entered one, another two. Well, the eh eight. Ah, yes, eight. Uh, yes, that too. 2 5 and the ET that we just

recorded. In fact, we're going to validate it here. Okay, first let's print out what user one's balance is . Well, that was the PR. I took the wrong line. Okay, we're going to print it here. Here I am doing a division by 10 to the 18th power because of the units issue, let's say, when one is in Solity one can work with different units that are like centimeters millimeters meters, so here there are also ways ta ta , until one gets to ter. So this works in we which is a 10 to the 18th power. One is equivalent to one Way. So, here I am doing the conversion so that it shows it to me

in ether. Here we have two. That's like the balance of user one. Now let's look at user two, how much do they have? User two has two. Correct. Everything is fine. Okay, let's see how much the striker's contract has in the bank. What is your balance? One. So, user two has user one has two. User two has five and the attacker's contract stipulated one ether. Now let's see what the total balance is in the bank, how much money is in the bank. So, you did answer correctly, there are eight. Um, let's see how much money is in the striker's contract. There are zero. Remember that sometimes we only use, we send one, but we deposit it in the bank right there. So, it is

initially empty. Here are some topics for the test. I'm going to take a snapshot. I can take a snapshot of my current blockchain and then I can revert to a previous state if I want to make any changes or revert to a specific point, or if I want to revert to an attack. So, I'm going to use a snapshot in case I want to go back. And here in the script, this is where the attack begins. So, let's see what we do here. Remember that we made an attack function that withdraws one, but there is a backflip that every time money arrives at the attacker's contract, the function will be called again . So, I'm going to call this

suspense. And the transaction was successful. We still don't know what happened. Let's check what the results were of sending that transaction. So, what do you think should happen? What would be the user one's balance in the bank? The balance, remember that was the one that deposited two. It's two or how much, uh, mistake, because I didn't put the uh and I didn't put this here. Two. Because? Because it's here, remember that we at the bank have a different logic. We have an arrangement that stores the balances, which was never updated, and we have the real money, which is stored directly in the contract. So what we're returning here is how much he has in that

array of balances. So, following that same logic, how much money would user two have? It would have five, it wasn't updated either, but now we're going to check how much money is in the bank. What do you say? Does the attack work or not? Look, it's at zero. In other words, we stole all the funds from the bank. We had just done a test and there were eight. This value of eight went to zero, only in the real world it wasn't eight, but 50 million dollars. Let's see how much money is in the attacker's balance. Remember that initially it was zero, but now it's eight. Because? Because they are the 5 + 2 + 1 of the users

who deposited. And if we look at the user's balance, the attacker's balance, well, it's one because he had to have deposited one in order to start the attack. So, what we do here is the attacker calmly calls the function that withdraws my funds, and if I look now, the attacker's account balance is 107. So, we just got rid of that. That's where they applaud during the talks. Uh, let's say this is

where the robbery already took place. Ah, he took all the money from the contract. Look, if I go back here, well, if we see how much this is before the attack, I did a chain revert, the attacker had zero and the bank had eight. And we managed to get all that money transferred to our attacker's account . Well, here I had the slides in case something went wrong in the demo, because it's the same thing we talked about. And so before the questions, I also want to show you another thing you can do, let's say. This is the solution to a box hack challenge. So, here I'm doing it with web 3.p and when you deploy a challenge on

HackDebox, they give you a web provider to an RPC endpoint where I can connect and with this I can generate an object and, for example, they give me the private key because from the private key I can generate the ADES, the ADES of the contact and, let's say, the ADES that I will have to interact with. What I need to do is download the contract and compile them. Ideally, one generates an ABI which is like the functions, contract information. So, one can extract this and , since the contract is already deployed, one can say, this IPI, this Bitcode corresponds to the contract that is deployed in Taladres and with that one can generate the same

objects that we generate from attacker, from bank, one can extract them with this. And here they can, for example, here there is a, here there is a, the contract was create creature contract and there was an attack function. So, what I'm doing here is sending it to attack that function, and with this, one can start interacting with these types of challenges, and those are the ones that CTFs find. They usually give you an RPC endpoint, address information, information to generate the private key, and with that you can start testing. Also, if anyone wants or needs me to share any code, I can share it with them later. Now, questions. If anyone has questions.

What else, Oscar? Um, I have two questions. The first question is, if you find a bug in a smart contract, what could that client or victim do to remedy that if it 's already deployed? That's a very good question. Well, the thing about blockchain is that what happens on the blockchain stays on the blockchain and there's no way to modify it. So if I uploaded a vulnerable contract, I should have put some logic into withdrawing those funds or doing something, or it's going to be affected. Let's say, what's used here when you're talking about deployment issues and best practices is that you use contracts, an RC called proxy contracts, which allow you to have different implementations. So,

what I do is find a contract that was vulnerable in the proxy contract and say, "Ah, de-use this contract and use this new implementation." And that's where I correct the vulnerabilities, but theoretically, it couldn't be modified once a contract is deployed. That's why, sorry, that's why I was saying that there are contracts with frozen funds because those funds were transferred somehow and there's no logic to it, or some mistake happened and they got stuck there. So there's a good amount of money there that's frozen in the Block for anyone who wants to go and get it. Oh, thanks. And the other question was, if, let's say, I don't know, I'm a bank and I've been

attacked or am being attacked, is there any way I can find the attacker's code on the blockchain? Uh, what I can do in blockchain is, let's say, there are even companies that have been dedicated to the topic of monitoring transactions. Remember that transactions are public, that's why addresses are used so you don't know who owns the information. So, they monitor transactions to see what kind of things are being sent to my contract. I can find out which ADRES is interacting with me and then, based on transactions, build that logic, but I won't know who the real attacker is . That's about what I can do. Thank you. Questions.

Hello. From your offensive point of view , what do you think are the biggest challenges we face in terms of cybersecurity in relation to anomaly detection, or rather, the detection of anomalous behavior, vulnerabilities, etc., in smart contracts? That's a very good question, and even a complicated one to answer. I think the issues we have there are, firstly anonymity. Well, even though I have traceability, I don't know who is actually interacting with me, and I have a response time to start doing my analysis. Well, I've been attacked, and I would realize that I was receiving a suspicious transaction, and that's when I would have to start responding logically. So, if this transaction has already been written, the issue is that it has already been registered on the

blockchain, it has already been executed, I can now start trying to see if with my providers where the funds are coming from and I can freeze funds from wallets or something like that, but let's say they also have techniques where, the same thing they do with bank accounts, they start distributing among different wallets and thus some money is lost, but they manage to withdraw a certain amount. So, regarding blockchain, we need to improve how things are implemented so that before a transaction is written to the blockchain, we can improve the implementation logic to monitor that these things actually arrive, because in blockchain, once something is written, we're already in trouble.

What type of attack was used on the Ethereum network to cause a fork? Well, I think the decision to switch from Proof of War to Proof of Stake was basically because it was discovered that Proof of Stake was causing environmental problems due to the scarcity of processing cards and farms, so the decision was more along those lines. But I understand that there was a theft of money, that is, it was a very large transaction that went to the blockchain, as you say, which once it is written cannot be changed. So, by unanimous decision, they decided to switch to a new blockchain. If the issue was that decision, there must have been something very close to a 51% attack because, let's say,

the offense is the advantage that proof of stake offers to proof of work. It's like the advantage there is, but honestly I'm not really familiar with it and well, I don't remember how that attack works, so I 'm not like, uh, you caught me, it's easier. When you did the part about returning the chain to how it was before the River Chain, two questions. What did the number that appeared on the console mean? And if within the environment in which that string is running, the one that was previously there is overwritten or a duplicate of that same string is created. Ready. Let's say this number is the block number. Note that each transaction has a

block number. So, for example, when I made this transaction to withdraw the funds, it was number seven. So, when I took the snapshot, number five was the transaction that was the last block that had been generated there. So what he does is go back to that and delete it. He can do it because we're local and there's no need to go through node validation and all that stuff. Remove the blocks that were added starting from that ID, from that identifier. That's like what Brownie does underneath. Ready. Thank you. Ready. Well, thank you very much. Thank you so much. Thank you so much. Applause.