This webcast was originally published on September 10, 2021.
In this video, Beau Bullock discusses the intricacies of blockchain security and smart contract auditing. He explores common vulnerabilities within smart contracts, demonstrates a live hacking example, and provides resources for further learning. This comprehensive overview helps viewers understand the potential security risks and the importance of diligent smart contract audits in the blockchain space.
- Smart contracts are immutable once deployed, making rigorous engineering essential.
- Vulnerabilities in smart contracts can lead to significant financial losses.
- Understanding and monitoring blockchain technologies and smart contracts is crucial due to their increasing incorporation into various sectors.
Highlights
mFull Video
Transcript
Transcript begins at 30:38 of the webcast recording –
Jason
It is 01:00 which means everyone that’s not going to be speaking, which is me and Bo. Please go ahead and kill your microphones and cameras. Jared, thanks for joining us.
do not end the webinar. Please leave the webinar in case you are leaving.
Beau
Oh, I’m still a presenter. That was me.
Jason
It’s like a moment. All right, so for all of it, all of you on discord, if you could post a gift today of, like, that represents where you’re from.
If you don’t know how to do that, down in the bottom link chat bar. So, we’re in the webcast live chat. So go ahead and post a gif. Where you’re from represents either a flag.
Deb posted the crab with a knife. That means Baltimore. so go ahead and do that.
Beau
Binary badger. Beat me to it.
Jason
Florida man right there.
Beau
Yep.
Jason
So thank you for joining us. My name is Jason Blanchard. I’m the content community director here at Black Hills Information security. We’re joined here today with Bo Bullock. If you didn’t join us for the pre show banter, well, you can always join us next time we show up 30 minutes early.
Because you. Some of you show up early. Because we show up early. It’s a vicious cycle.
Beau
Because it’s fun.
Jason
Yeah, it’s fun. I’ve been on another webcast where, like, it’s just dead silent, and then all of a sudden, hello, welcome to the.
Beau
Webcast from Black Health Information security. Today we’re going to.
Jason
Yeah, yeah. Okay. All right, that’s fine. but we got Bo here today and I’m going to just tell the story real quick because it’ll lead into Bo. And I know he’s got a lot of stuff to cover, but essentially we’re doing this because Bo was trying to explain blockchain and smart contract auditing to me.
And if you could have seen the look of my face, like, just kind.
Beau
Of glazed over, I was like, I.
Jason
Really need like a getting started and, please take me back to the basics. And so bo, I can do that. And so a month later, he has this webcast. We’re going to do it for you today.
So, if you have any questions about blockchain smart m contract auditing, we’re going to try to answer them today, but it will be at the end. But you can ask them anytime, we’ll save them, we’ll store them to the side and then we’ll get back to them as soon as we can.
We might go into like extra innings or something here at the end, just depending on how many questions we have. Last thing, if you ever need a pen, test, red team threat hunts or soc or anything like that, where to find us.
And with that, bo, it’s all yours.
Beau
Thanks, Jason. All right, everyone ready? Let’s go. so this webcast is on getting started in blockchain security and smart contract auditing.
so this is meant to be a primer, like Jason just mentioned, for understanding some of the underlying issues around, blockchain security specific to smart contracts, which I’ll get into.
There’s, actually a number of other elements in this entire blockchain ecosystem outside of smart contracts, but we’ll get to those as well. I’m going to walk through some of the reasons that I think, blockchain security is important and why this talk is even a, thing, as well as some case studies into some of the major hacks that have happened.
I’m going to show you some examples of some real world things that have happened. I’m going to show you how, a project got hacked for $600 million, just because a few lines of code, were vulnerable.
it’s going to be an exciting talk. I’m also going to walk through what smart contracts are and give it a primer into auditing smart contracts and how to find vulnerabilities.
I’m, also going to do a live demo, so I did actually sacrifice a couple chickens, earlier. Hopefully the demo goes well. we will see how it goes.
All right, so without further ado, let’s get started quick. note about me. I’m bo bullock. I’m a pen tester, red teamer here at Black Hills. I’m also the author and instructor of a, cloud hacking training course called breaching the cloud.
also a host of a podcast that we have called the Coinsec podcast, which is a weekly show where we walk through a, lot of the larger security issues around blockchain and cryptocurrency in general.
I, spoken at a few different conferences. I’m also, I also write some music. so I do some, some synthwave, metal, that is under a project that I call no bandwidth that is out there, which honestly, if you ever want to use it, like it’s background music, feel free to use it.
You have my permission, like you do YouTube videos. Gerald was just asking, asking. I’m actually to use it. so I think it’s awesome, like feel free if you ever want to use any of that stuff. All right, so roadmap for today.
first section that I’m going to be walking through is why blockchain security is important. give you a high level overview of why do we need to worry about this? Why is this something that should be on our radar?
I’m going to give you an introduction to smart contracts. the term blockchain tends to get a bad rap alongside, buzzwords, AI, machine learning. I see people all the time in the security industry just disregarding it because, of that buzzwordiness around it.
But I’m gonna show you today that a lot of organizations are implementing, blockchain within their various projects. And it’s something that if we don’t start paying more attention to security issues, these hacks are just gonna continue.
and it’s something that we need to kind of step forward and start to proactively start fixing. like I said, I’m gonna do some hack case studies. We’ll do a smart contract, actual exploit.
So I’ll show you how one of these exploits actually looks in the real world, how, some of these, these projects are getting hacked and how tokens are being stolen. And then finally I’m going to leave you with some additional resources to get started.
if you are interested in jumping into doing auditing, why blockchain security, this is the first slide that I think it should be something to just take in.
Just take in this slide present. This is why blockchain security, in less than a year’s time, more than $1.2 billion has been stolen from smart contract based projects, that are on top of various blockchain infrastructure.
A lot of these projects are various exchanges and other blockchain based projects where they are implementing use cases and, using smart contracts as the underlying technology, which again, I’ll get into what that actually is in a moment.
and the thing is that a lot of times the smart contracts literally takes one or two lines of code that are vulnerable. And in those cases where they’re vulnerable, it results in these major, major hacks that just drain these massive amounts of funds from projects.
one of the cases that I’m going to walk through later on today is the first example there. Poly network, over $600 million stolen from one single, project.
just think about those numbers for a second, because colonial pipeline, when they had the ransomware attack, the ransom was less than $5 million. But most of these exploits that have occurred against smart contract projects are a lot higher than that.
In addition to smart contracts, there’s growing use cases for just blockchain in general. First and foremost. bitcoin was the first, decentralized currency.
That’s been the primer of where a lot of this industry has grown off of. Right. so it started with currency, but off of that, a number of different projects have started building out different use cases.
So for example, decentralized finance, or defi, is a huge, huge industry right now, that is booming. That basically facilitates peer to peer transactions, without a middleman.
So you have these exchanges where you can interact with other people directly through a smart contract as opposed to going through like a bank. Then there’s, digital identity.
some projects are looking at tracking identity on the blockchain. for example, some websites that are implementing web three and interacting with metamask wallets allow you to authenticate using your private key, of your wallet itself that, tracks who you are.
Non fungible tokens, nfts are hugely exploding as well, and popularity supply, chain tracking media. So anti piracy. This is kind of an interesting use case.
So I saw Disney, is actually using blockchain to help prevent movie piracy. And so the way they’re doing that is basically by limiting the amount of playback time in theaters.
So like they would provide a blockchain based solution to prevent piracy. It’s kind of interesting. So anyways, the point of the slide is to kind of show like, outside of just currency.
A lot of people understand and recognize that blockchain is synonymous with cryptocurrency. But, in addition to that, people are building these other projects on top of it.
That’s leading to more and more use cases. With that, it is a new frontier because people are still trying to figure out what to do with it. People are still trying to understand where is it the right place to use it, where is it?
Not where. Can I just use a database instead? There’s a lot of times where people are like, oh, maybe I should use blockchain for that because it’s a cool, hip word, but, in fact, really all you needed was a database.
but if you ever needed something that was truly decentralized, blockchain might be the right solution for that. With this being a new frontier. The thing is that you have a ton of projects that are just racing to, be first to market.
That leads to really, really big issues because you have companies that are just trying to get their project out there, without actually implementing strong security as a base layer.
They’re more interested in actually just getting to market, which, it’s something that’s happened throughout history, throughout computer security history. You have a lot of companies that are trying to be first to market in a lot of traditional it cases or in computer science cases in general.
you don’t have this majority risk factor of if you have this one tiny little vulnerability, it’s just going to wreck your project. If you build a web application, sure, you have to worry about hacks of the web app to make sure people don’t get the backend database, but typically it doesn’t result in you losing millions and millions of dollars.
but with that being said, you have these established, well known companies now. So like Microsoft, IBM, I mentioned Disney, Walmart, they’re implementing different use cases outside of just the public blockchains that you’re aware of.
So things like, bitcoin, ethereum, I’ll talk about a number of other ones throughout this talk. Those are public blockchain solutions. But there’s also private blockchain solutions where companies can actually implement their own private blockchain.
I’ll show you example later on today, about how easy it is to just deploy your own private blockchain. more than just smart contract security though, too.
Throughout the most of this today is going to be primarily built around smart contract security because that tends to be where the brunt of the exploits are happening.
But in addition to that, this entire ecosystem is huge. There’s a lot of different elements at play here. First off, we have layer one, which is the underlying blockchain protocol itself.
the actual software layer. If we look at like the actual software running on systems that is managing the decentralized network itself. So like bitcoin core or go Ethereum, Geith is another client, that runs the Ethereum network for the most part.
These are software pieces that just run on computers around the world that sync the blockchain for whatever, whatever blockchain, tech it is.
So like if it’s ETH, you’re probably running, Geith. Like for example, I have an ethereum node here, that runs Geith. These pieces of software get vulnerabilities too. There was one just a couple of weeks ago, that caused a fork in Ethereum.
I was actually hit by it too. I was watching because I have a grafana dashboard where I can actually see all the blocks happening. I was actually watching, I could see where, it was actually being exploited.
That’s layer one, that’s the low level layer blockchain. Layer two is a step above that, an abstracted layer just right on top of layer one. That typically a lot of layer two solutions these days focus on scalability.
So, an example of this is the bitcoin lightning network. One of the biggest problems that bitcoin transactions face is speed. so what they have ended up doing is trying to abstract those transactions out to a second layer where they’re actually, facilitating peer to peer transactions and then resolving it later on on layer one.
so this is like a second layer on top of the underlying layer one. Technology smart contracts, is what we’re going to dive into today. So smart contracts are these, they’re programs, they’re software programs that get deployed to a blockchain.
these are like when you hear somebody talk about a token or a decentralized application or nfts. like nfts are hugely popular right now. Those are tied to a smart contract somewhere on the blockchain.
then we’ll another element outside of these first three layers, software wallets and hardware wallets. I’ve done another webcast and I think we actually have a blog post on the black hill site, where I talked about securing coins and stuff.
which you have the option of either being in custody of your own cryptocurrency, with a non custodial wallet where you’re actually in control of it, or actually using an online, custodial based wallet.
or you have hardware wallets too. These are physical devices for storing private keys, that are then used to send and receive funds. in general, we recommend that you store your own keys and you protect them yourself because the thing that is a really big problem with how a lot of cryptocurrency works is that if you don’t control your keys and you let an exchange control them and that exchange gets hacked, it’s just gone.
There is no insurance, there’s no wait to get it back. So as long as you control your private keys, you are in control of the funds. then you have mining software. Another big element to the blockchain ecosystem is mining of the tokens themselves.
These are specialized hardware, and software that does the mining. then centralized versus decentralized exchanges is another big element.
centralized typically require, know, your customer Kyc, which is your sites like Coinbase, binance. some of the bigger exchanges out there. Decentralized exchanges are what we’re going to focus on, when we talk about smart contracts is defi.
Decentralized finance. These are exchanges that are built on a smart contract deployed to a blockchain that users can interact with while ever going through a centralized entity.
then one of the most important elements, people, social engineering. This is one of the reasons that I think that the blockchain gets a bad rap, and it’s due to all the scammy, things that happen, a lot of what are called rug pulls that happen, in the blockchain ecosystem where an organization may try to get investors in their project and then they just run away and steal it and make it look like a hack.
So that happens, that can tend to give blockchain bad name too. So with that being said, like there’s all these elements, but we’re going to focus on smart contracts for today.
So I really like this quote. I think this is probably one of the best ways that I’ve seen smart, contracts defined from a risk perspective.
So this is a quote from the book mastering ethereum, by Andreas Antonopoulos and Doctor Gavin Wood. And essentially what this quote says is that you can’t develop smart contracts using the traditional software development, lifecycle that you’re used to, you can’t just think, oh yeah, we’ll just patch that in the future.
If it doesn’t work, you have to apply rigorous engineering and software development methodologies as you would to aerospace engineering. If you’re going to build a plane, you don’t just say, oh yeah, that wing issue, we’ll just patch that in the future.
Sometimes now you have to make sure everything’s going to work successfully before you actually launch it, because one of the biggest, things to be concerned with, with smart contracts is that they are immutable.
What does immutable mean? Immutable means that once it’s deployed to a blockchain, it can be changed. This creates a number of problems.
A program, think about a software program that you’re used to running. typically if there’s a vulnerability that gets exposed in that piece of software, then the manufacturer, will go patch it and you’ll be good to go.
So the thing is with the nature of blockchain is that once you deploy something, it is there forever. That’s the nature of blockchain, how it works. It’s supposed to be there, unless you actually go in and destroy the contract, which is possible.
or there are ways to actually create what are called proxy contracts, which actually allow you to do a pseudo upgrade, which I’ll talk about later on too.
But, for the most part, the contracts that you deploy cannot be modified to grasp what’s happening here. take a traditional program, deploy it to a decentralized blockchain.
and now you have this program that users can interact with that is decentralized around the world. it’s not just on a centralized computing system.
These, contracts, they actually get, executed within virtual machines via the node software. So I mentioned Geith earlier, the node software.
these contracts are typically written in high level languages, which I’ll show you some examples here in a second. then they get compiled into bytecode. So whenever a smart contract is deployed to a blockchain, it actually gets compiled down into bytecode language, prior to actually being deployed.
the thing is that that byte code is actually something you can visibly see on the blockchain as well. it’s still possible to go and reverse engineer the bytecode, after it’s been deployed to the blockchain too.
But, in most cases the developers of smart contracts tend to open source and publish their code publicly as well.
these smart contracts, they only run if they’re actually called by transactions. So you can employ them. They will sit there, and unless you’ve actually sent a transaction, they’re just going to stay there. So where do these run?
on the Ethereum network, if we’re talking specifically about Ethereum, there’s this thing called the Ethereum virtual machine. Now, Ethereum itself, right, it’s a blockchain protocol that it’s similar in nature to bitcoin.
But the big difference is that with like bitcoin, the primary mechanism for it is to function as a decentralized ledger of transactions, right? So the whole point of bitcoin is basically to train to, to track the entire history of all transactions that have ever happened on the bitcoin blockchain.
Ethereum also in addition to tracking the transactions, has added a state machine, in addition, so, that whenever a smart contract is executed, it will actually store a state on the blockchain as well.
And it uses opcodes to execute these tasks. Now, one of the ways that they’ve implemented a way to prevent just having a contract that just loops endlessly forever and would just denial of service is, they implemented this thing called gas.
And so every single execution, every single task that a contract performs has a cost. And so it would actually take monetary backing to create some sort of endless loop, right?
which is, attackers are not incentivized to do that. but anyway, so the evm is a, it’s a virtual machine that you have both volatile state and a persistent state.
So you can think of it like a traditional, computing system when it comes to, how the memory is stored and how storage is stored. So you can actually have persistent long term storage that happens on the blockchain, or you can have, tasks that execute memory, that don’t actually get stored to the blockchain.
and the thing, that’s interesting with smart contracts is that, or not just smart contracts in general, but with Ethereum is that you can have accounts that are both, or they can be either externally owned, which means that they’re your traditional, user account.
So if I create a new wallet that’s considered an externally owned account, or contract accounts, this becomes really important because contract accounts and externally owned accounts both look pretty similar, when it comes to the addresses.
You wouldn’t be able to tell them apart when it comes to an actual address, and that will become important later on because you can actually utilize contracts as an attacker.
You, can deploy your own contracts to attack existing, contracts. So how do you write a smart contract? So solidity is the primary language currently, and the most utilized language for writing smart contracts.
It is a high level language. It’s very similar to JavaScript or C, like I said, by far like the most dominant currently, and it’s something that, I’ll show you a few other languages here in a second, but, it’s something that right now this is the most dominant one.
But just be aware that there are others too. Keep in mind that when you write this code, it’s ultimately going to get compiled down to byte code anyway.
one of the ids that I’ll show you later on, and the demo is remix id. So this is a good, id, for developing smart contracts. I mentioned earlier that the code tends to be posted publicly and the reason is for a few different reasons.
One thing that is very common throughout the smart contract world is that trust is of utmost importance.
To create that trust, a lot of projects decide to post their code publicly and they verify it. one of the main ways that you can go and actually track transactions is through, an explorer, like etherscan.
So there are these explorers where you can actually input a contract address or a wallet address and see all the transaction history that’s happened with it.
in addition to the bytecode that is connected to a smart contract, and if a, if the person who created that smart contract has actually gone and verified their code, you can actually see the verified code there as well.
so it will match up with the bytecode, and you can trust that what you see in the smart contract code posted publicly is what’s actually being executed.
This is important because like I said, there’s a lot of cases right now where, there’s a lot of scams happening, rug pulls. and as a user of these different, contracts, you want to be aware of what you’re using and so it’s out there so that you could actually audit it yourself.
similar to just using open source code. but it does help expose those potential vulnerabilities and backdoors.
All right, so this is an example, just a quick example to show you what solidity looks like. first we have the compiler version at the top. this is just specifying which solidity, compiler version we’re going to compile with.
This is an example faucet contract. What a faucet is, is basically, what it sounds like. It’s a faucet that will drip a certain amount of a token out.
the idea here is that you would fund this faucet with a certain amount, of a token or coin. And then users of this faucet could get a little bit of that, if they needed to use it.
This is actually a really common occurrence on a lot of the test networks in Ethereum. You have, a number of test networks out there and that will help you facilitate testing out very smart contracts instead of paying with real money, on these test networks there are faucets that will actually drip little, small amounts of coins for you.
This is an example. Just show you what it looks like real quick. A contract, called faucet. it is a payable contract. That means that we can actually send, we can send coins to this contract directly.
It has a single withdraw function, here that is public, specified public, meaning that we can interact with it, publicly. Anyone can interact with this function, then there is a limit to what you’re allowed to withdraw.
we could specify a withdrawal of, This is in wave format, which I believe this is 0.1 ether. if you actually converted it to two ether, and then it will actually just transfer it out to the message sender.
So whoever interacted with it. so this is a really basic example, but to give you an idea of what smart contracts are, this is a smart contract. It’s a very basic short, example, but this is what it looks like.
And this is the type of thing that, a lot of companies are building and they’re making these massive contracts that are similar to these, and it’s deployed to blockchain where you can actually interact with it, from a decentralized perspective I mentioned, solidity is not the only one, right?
So right now it’s like 1980s apple versus Microsoft. in the blockchain technology world where you have all these different blockchains that are competing to, be the most efficient and innovative.
so you have, obviously, I’m sure most of you heard of bitcoin and, I’m talking about Ethereum today, but you also have Solana, which there’s smart contract capabilities.
For Solana Cardano is, pushing out smart contract capabilities. but my point with this slide is that when, you look at developing or auditing smart contracts, just understand that there’s not just one language, there’s not just one blockchain.
There are all these ones competing. And where this actually goes is to be determined. Who ends up being the winner is still to be determined, on which one’s the most efficient, which one’s the most innovative.
It’s something that, we’re going to just have to see where it goes. But honestly, learning what the vulnerabilities are in regards to what are some common issues I think is going to translate well across the different languages.
it’ll be something that you have to identify similar nature within the code itself whenever you look at other languages.
But the underlying concepts, which I’m going to show you, some of them today, will likely be fairly similar. So, smart contract vulnerabilities, now we’re getting into the brunt of the security aspect.
Now we have a very high level. Hey, here’s blockchain, here’s smart contracts. Let’s talk about some of the vulnerabilities and how some of these projects are getting hacked. The smart contract vulnerabilities, the biggest, the most important thing here is that they typically result in a significant loss of funds.
And it’s because you have all these projects that are jumping in, trying to be first to market, getting funding, hyping different projects and whatnot.
because to be brunt or blunt, there are a lot of people that see it as an investment world, but if you abstract yourself from the investment side of it for a second and just look at the technology, it’s interesting stuff if you don’t even actually pay attention to the monetary side of it at all.
the fact that you can execute these smart contracts decentralized. I have a computer in my house that runs Ethereum software. I can interact directly with that ethereum node.
and anything I do interacting with that node will get actually copied and distributed to every single other node. so you can have these applications that are just decentralized from everything else. So you don’t have to go to any centralized website to do that.
You can host an entire website, using smart contracts decentralized, so you can interact with it on the node itself. You can actually use ipfs, so the interplanetary file system.
To host code files, you can use, there’s ens. So the ethereum name service is just like DNS, in the traditional world, except for contract, addresses.
So you can actually have an ens name that points to the files on IP. It’s really interesting because you actually have a client locally to interact with these. Anyways, looking at the vulnerabilities, though is what we’re about today.
That’s why we’re here. Since contract code is public, anyone can analyze it for issues. So this becomes very important that when you publish this stuff publicly, you don’t have any issues because, as an attacker, so this is one of the interesting things about smart contracts is that as an attacker, I can build my own public, or, I’m sorry, my own private network, of nodes that I can actually test these contracts against, or I can do it against test networks.
So there’s public test networks out there, that you can actually deploy contracts to and test out exploits. So if the project’s code is public, then I can go deploy it on my own system and then try to find vulnerabilities and attack it locally.
and then this is how a lot of the exploits happen. The attackers will go pull the public code down, deploy it locally, and then write exploits for that contract, and then go attack it publicly.
this is another topic, of conversation. But, the whole idea of monitoring and how could you potentially monitor somebody trying to attack your contract and stop it is another conversation which we talk about some of the stuff on the podcast, on the Coinsec podcast.
If, you ever want to come on and chat about that thing, definitely let me know. the other big thing here is that no patching. Since contracts are immutable, you can’t go and patch them.
You can do a pseudo patching, though. You can create proxy contracts that are basically a front user facing contract, that store the state and they point to the actual contract, on the backside.
If you were to find a vulnerability, you could actually deploy a new version and then modify the proxy contract to point to the new one. but that still doesn’t necessarily mean that old contract can’t be interacted with.
the other big thing too, stolen funds can be very difficult to track, which, is another conversation. Maybe, that’s another webcast in and of itself is tracking transactions.
All right, so let’s dive into some of the vulnerabilities and what we’re looking at here, because I think these really, to me, like when I first started looking at smart contract boltons, this is what really got me interested is how some of these vulnerabilities actually manifest themselves, and how to go about exploiting them.
One of the more popular ones, is called reentrancy. One of the things that’s fascinating is that as an attacker, you can actually deploy your own contracts.
You can deploy your own smart contracts to the blockchain that interact with existing contracts. What reentrancy, basically, is it’s a vulnerability where the contract that you’re targeting has a function that allows, for, let’s say withdrawing ether.
Maybe you’ve stored something, like a, stored a certain amount of ether in this contract for whatever purpose, and you’re going to pull it out. if that contract doesn’t actually update the balance of your account within that contract’s context, prior to actually calling and sending you that ether, there may be a re entrancy issue where you could actually have it, withdraw it to your own smart contract and have it actually execute, a fallback function in your contract.
Whenever a contract calls a function that doesn’t exist, a fallback function can be created so that it says hey, that function you call it doesn’t actually exist.
Let’s run the fallback function. So the fallback function in your attacker contract would simply just call that withdrawbalance again. And you create this loop where basically you’re like, oh, I’m withdrawing.
Prior to it updating in the contract. Call my function in my attacker one, then call the withdraw again, then call my function, then withdraw again until it drains everything.
This is re entrancy. I’m going to show you an example of this, later on today too. Another, big topic is, front running.
So what front running is, with blockchain technology, whenever you submit a transaction, that transaction actually stays in this place called the mempool for a little bit before it actually gets mined.
The mempool is like, in this example here, you see this box. All these transactions get posted to the mempool. And miners, the ones that are actually validating transactions, can decide on which transactions they want to go mine.
and typically it’s like a who pays the most gets their priority, of who actually gets mined first.
So if, for example, I’m an observer and I’m watching the mempool for a transaction that I know is going to a certain contract, I can actually see a transaction come in and try to front run them by submitting the same transaction but paying a higher gas price.
And in a lot of cases what this means is that the miners will actually see my transaction that I sent, that actually I paid more, and they have an incentive to go actually mine that one before the person who originally submitted it.
This could be to give you a quick example, imagine a contest of sorts where if you’re the first one to submit an answer, then you get the reward.
If I’m watching that contract for the answers and I see that somebody has submitted an answer. I could front run them by taking the answer and then sending my own transaction, but paying a higher gas price.
So that’s something to be aware of as well. integer overflows and underfloor. So numbers, right. This is, very similar to how your odometer works.
If you old school odometers, I don’t think any modern day odometers probably do this, but old school odometers used to be able to run it up past the highest register and it would go back to zero.
This is what an overflow is. in smart contracts you have unsigned integers which are zero to the two to the 256 minus one.
So, it’s a very, very large number. And if you hit that highest register and go past it a little bit, it’ll come back down to one, two, three again, and then same thing for sign integers, but you have negative values.
So an example here, of a uint overflow. let’s say you had one and you added two to the 256 minus one to it, you would actually get zero.
so what this means is that if there aren’t certain security checks in place, or if there aren’t certain, libraries in place to prevent these kinds of overflows, then you may be able to bypass certain security checks.
So, let’s say that you had a time lock on a contract that said, this function can’t actually be performed for a week or something like that.
Then, if you were able to overflow that time lock value, you may be able to roll it back down. So it’s only like the lowest possible time, which, could be like a few seconds or whatever.
denial of service. so in ethereum, one of the ways that they help prevent massive, transaction issues is by having a gas limit.
So the gas limit is there basically to prevent contracts, from just running endlessly. And so each block has a certain limit of gas that can actually be performed.
So if you have a contract, that you could actually, basically loop it until it’s endlessly, basically, endlessly, filling up that gas limit, then it would lead to a denial service issue, which honestly can come from non malicious issues too.
Like just bad coding. Like if you just had a piece of code that looped endlessly, then you might hit that gas limit, which will just cause that transaction to revert. Then, there’s unexpected revert.
If there’s functionality that relies on a fund transfer to be successful, let’s say that I have taken owner or I’m the leader of this game or whatever in this contract and somebody else tries to bid higher than me to become the new leader.
The contract should refund me my initial donation but I stop it from actually happening just by reverting that payment then I can maintain leadership over that contract.
So another issue to worry about, right, denial of service access control is honestly in my opinion one of the most important things that honestly this comes from just my history with active directory environments.
attacking on prem networks. We look at hierarchy of how permission should be delegated. We look at this all the time like domain admins and how permissions and role based access control all these things.
Smart contracts have a similar type of ownership with access control as well. ownership over a contract typically means that you can do things like transfer assets, maybe you can mint tokens, maybe you can vote, maybe you can actually freeze transfers from happening.
by default the owner is the account that actually deployed it. You can implement various libraries to create these function modifiers which basically modify a function so that it requires something like an owner to actually perform that function.
You can also a lot of times can find that if there are certain vulnerabilities maybe you can actually pass off that ownership to somebody else or trick the contract into transferring that ownership.
Because if that’s the case then me as an attacker take ownership over the contract, perform administrative functionality on the contract, like either just straight up destroying it or sending tokens or whatever funds are in the contract externally.
these are things to look at as well when it comes to vulnerable code. As you’re auditing different contracts looking for things like this function here, this fallout function where the owner equals the message sender.
it’s a very simple thing. If you call that and you are the one who sent the transaction, it makes you the owner of that specific contract timestamp dependence.
So this is another issue. So this occurs from a misunderstanding of timekeeping in smart contracts. so block timestamps. So I didn’t get into like the, the deep like what is blockchain and how are blocks formed and all that stuff.
but in ethereum you have blocks of transactions that get grouped together and then they get processed by the network. they get mined and then whenever those get validated and posted back to the network they get a timestamp.
So whenever the miner actually posts a block to the network, they can give it a timestamp, and in addition to that, they get a block number. So the block numbers are sequential.
These are things that you can use to, trigger time based things and contracts. but timestamps, on the other hand, have an issue where, the miners can actually modify, by a certain degree, the, actual time, so they can actually make it look a few seconds in the future.
or they can modify it enough to change a result. An example of why this would be something that would be useful. let’s say you had a game or whatever where, the last person to join wins.
Then miners could modify the block time to a later date so they win. So they could actually say, I’m going to be a participant in this contest. I’m m actually mine my block, and, make it look like it came a little later.
But, that’s just another example. But, there are a ton of other issues that are still being found all the time. These are just some kind of. Just to throw at you today, just to show you, hey, here’s some of the things that are happening.
And, here’s some of the issues. With that being said, functions that appear secure on their own may also turn into really critical issues when you combine them with other functions that they also, on their own, look secure.
This has been something that has happened to, a few different cases. I’m going to walk through a couple of case studies here where, you may have a function on its own. If you audit the code by itself, it’s like, oh, yeah, this is fine.
and then you have this other function. Oh, yeah, it looks fine. But the second you combine them, whether it’s just a reference to the other one, you may start, to implement new issues.
So if you want to look into smart, contract vulnerabilities, there’s a couple links here on this slide. All right, let’s go through some case studies. All right, so the first one I’m going to talk about here is geranium finance.
so this was in April. This was a $57 million, pack. and so uranium was a clone of, a decentralized finance site called uniswap.
except they did it on the binance smart chain. And remember earlier when I talked about decentralized finance? The whole idea here is that you have facilitates, peer to peer transactions where you don’t actually have to.
Jason
Deal.
Beau
with a middleman. So in this case, and this is honestly, this is a common thing, where projects will actually copy code from other people.
like don’t ever say you didn’t copy code from stack overflow because this is a very common occurrence. People copy code all the time. And there’s something to be said for, reusing previously audited, previously examined code.
If there’s code out there that’s already been audited, that’s already been analyzed for issues, there’s probably a less chance that it’s going to have vulnerabilities.
But the second you start modifying it, you need to be real careful. This particular, project, they modified portions of this swap function.
If you look at the screenshot I have here, they basically changed some numbers. They changed, 1000 to 10,000 as a balance check in the contract.
except they missed one location. So they modified it in these two places with the purple there, but in the red, you see, they actually left 1000 instead of modifying that one to 10,000.
So literally this problem came because of a misplaced zero. so an attacker was able to deposit funds, into this particular token pair and then, exploiting that misplaced zero was able to drain the entire thing.
So literally a zero caused that problem. poly network, this is the big one that happened, last month. So $610 million stolen, poly network enables, so the whole idea around poly enable cross chain transactions.
So, this is, it facilitates peer to peer transactions across different blockchains. So like ethereum to finance smart chain to polygon, you can actually transact across these different blockchains.
And with poly they have these things called keepers. So the keepers, are these trusted entities. So these are back to the access control we talked about. the access control issue.
These are the trusted entities for those cross chain transactions. So the way it works is that a user sends a transaction on one blockchain and then it gets repeated on a destination blockchain.
And the way that actually is allowed is you have these keepers that sign the block on the source blockchain. So these official keeper accounts, they see a transaction happen on one blockchain, they sign it.
Then the user submits that signed block to, this contract on the destination blockchain called the ETH cross chain manager. When that block gets submitted to the ETH cross chain manager, if the signature is valid, so if the keeper officially signed that block, then the contract on the destination blockchain will actually, transact that, that, they’ll make that transaction for the user that they wanted on the destination blockchain.
But the thing is, is that the execution happens as the ETH cross chain manager contract, not as the user accounts, not, as the actual user account themselves.
It happens as the actual ETH cross chain manager contract. Why this was a problem is because the ETH cross chain manager actually had permission to change keepers because they were an owner over the ETH cross chain data contract.
So another contract within this network of contracts, was able to be modified so that, the attacker could actually exploit it and make themselves a keeper.
So they were actually able to figure out that if they submitted a transaction, using the correct, payload, they could actually change the keeper over this contract to their own account.
And after they did this, they could then sign fake blocks and send these arbitrary transactions that ultimately resulted in $610 million being stolen.
So kind of a sidetrack thought here, but this is another kind of really interesting piece to this entire puzzle, is that they returned all of it.
And honestly, it’s a really bizarre thing. It’s something that I’ve seen happen multiple times now, with different hacks, is the hackers, go and they export a contract, they steal all the funds, and they return it, which, who knows why.
but this particular case I want to bring up because, it’s interesting because a lot of people say, oh, yeah, blockchain is anonymous. There’s no way you’d ever track anything.
but the thing is, this hacker that, stole $610 million prior to the hack, they sent a transaction from a chinese exchange called who.com to their wallet.
And, this is something you can see on the blockchain. So it becomes a question of, okay, whose account is [email protected]? Dot. So who knows if they got tracked on that way or what?
Or maybe they just got spooked that maybe they screwed up and left us out there. Who knows? but it’s just another interesting element to the puzzle. This one happened just a couple weeks ago.
Cream finance. so this is an $18.8 million, stolen, cream finance is a decentralized lending protocol, and one of the things they do is, what’s called flash loans.
And flash loans are another really popular thing, in smart contracts. So what are flash loans? Flash loans are the ability for a contract to provide funds to a user, in a single transaction.
So, you could actually request like a million dollars or whatever as a loan. But the caveat is that you have to return it in that exact same transaction.
And programmatically, this is actually looked at from a programmatic level to validate that you’re actually going to return that fund. If not, that transaction actually gets reverted.
this is something that arbitrageurs, so people that deal like arbitrage, which is like let’s say that I had bhis coin or whatever, right? And it was $5 on one exchange and $6 on another exchange.
I could go buy for $5 on this exchange and then go sell for $6 on this other exchange. So there’s a lot of arbitrageurs that pull a flash loan. They’ll go try to do that exact thing within one transaction and then return it.
so one of the things with, with this particular hack that’s kind of interesting is that they did have an audit performed prior to getting hacked. The thing is that the vulnerable code got introduced after their audit.
if you’re going to get a code audit, don’t go adding stuff that you haven’t actually audited as well. because what happened is they implemented a new token, remember, with decentralized finance, you have these token pairs where you can actually trade different coins and tokens directly, within the contract context itself.
So they implemented this token pair for amp token. Now the thing about amp token is that the contract associated with amp token is an ERC 777 contract.
ERC 777 is another protocol contract, spec that actually has these hooks that allow you to call the sender and receiver contracts within the contract itself.
Whenever they implemented that, they actually introduced a reentrancy vulnerability. We talked about reentrancy earlier, but they introduce us this vulnerability after adding in this token pair contract.
It allowed an attacker to actually nest a second, borrow function into the transfer function before, it’s actually updated. This is what it looks like, when you actually abstract, yourself out to each transaction layer for this particular issue.
So the attacker, flash loan borrows 500 ETH, uses it as collateral to borrow 19 million amp. Then they exploit reentrancy on the initial contract to borrow 355 more ETH, before that initial borrow is updated.
So they were able to go liquidate the tokens that they had borrowed, use that as payment to repay the contract. Because remember, with flash loans you actually have to go back and pay back what you borrowed.
the attacker figured out, oh, I could reenter the contract, extract more, pay back my initial fee, and I’d be left over with some extra ETH and amp tokens. So they did that 17 times which ultimately resulted, in 5.98 thousand ethereums with, $18.8 million.
All right. Oh, wow. We were getting short on time here. All right, so I’m going to run through a demo. this setup for this demo, I’m going to be using, ganache, which is basically a personal Ethereum blockchain hosted, on a virtual machine.
I’m going to be using truffle, which is a development framework for Ethereum. I’m going to show you remix ide, which is a web based ide for writing and deploying smart contracts. I’m, going to use metamask, to help facilitate sending transactions.
And then, Dan vulnerable defi. This particular example comes from a, a project that was built to help with understanding vulnerabilities in smart contracts.
throughout this process, I built a new quick start guide for if you want to jump in and start hacking smart contracts, this guide should help you get set up with the same stuff that you see today.
This is, start dot blockchainhacks.com new, quick start guide for you guys to check out. All right, go to the demo.
All right, so I’m going to go through this a little bit quickly because we are running kind of short on time here. but I’m going to try to give you the best example of what this is, what’s going on here.
All right, so we have a contract, it’s a lending pool, similar to what we just talked about with, the flash loans. So it has a single, function here called flash loan.
And so this flashlan function takes an external input, from anyone who calls this particular function.
In this function, we have a borrow amount. So that’s how much we want to borrow. we have the actual borrower address, we have a target, and then we have call data.
So if you go down to the code, within the smart contract, you’ll see that first off they get the initial balance of the pool, because they’re going to check that later on.
So they want to make sure that whenever the person takes out a flash loan, they return it all at the end. So they have to get the initial balance. Then we have a transfer function where they transfer the token.
They send the damn valuable token, to the borrower specifying the borrow amount. Then on success, or I’m sorry, then they’re going to call.
This is the part where the vulnerability is actually, it’s going to call, a target address that we can specify. So if you look at the parameters back up here, this address here, we can actually specify this address.
We can actually specify this target that is going to be called and the data that is sent along with that call. If that’s successful, then it’ll pass the next check, which is this require statement.
It must require success to get past the spot. Then ultimately it’s going to check the balance to make sure you paid it back. All right, let’s look at some of the exploit code.
Now remember what I mentioned earlier is that as an attacker we can deploy our own contracts. This is us deploying our own exploit contract.
In this case, I’m just calling it flash exploit. First off here we are going to set the addresses for the pool that we’re going to be attacking.
And we’re also going to set the Erc 20 token address of the token that is associated, with the pair that we want to actually steal. And then here we’re going to specify the data payload that we’re going to send.
Now here’s the thing, with this particular contract, they’re importing the ERc 20, token contract as well.
And because that ERc 20 token contract has been imported, we can actually interact with it from the contract itself. So the thing that is really important here is that whenever this call happens, this call is actually happening, it’s originating from the pool contract itself.
So the pool contract, when we actually call this function will send, the data that we specify to wherever we want it to go.
because they had imported the ERC 20 contract, we can actually send a payload that says approve our attacker contract address as a sender of this token.
then we’re going to call the flashlan function, we’re going to specify zero. we’re not going to try to borrow anything because we don’t want to have to worry about returning any values or anything like that. So if we just specify zero, then it’s going to succeed because there is no, necessity for returning it.
We’re specifying our attacker contract. We’re going to specify, the token contract itself and then the data that will ultimately approve us as a sender of that token.
And then finally we’re going to transfer, we’re going to call the token contract directly to transfer tokens from the target pool to our attacker, wallets.
Let’s see how that looks. I’ve got ganache here. This is ganache. this is what I mentioned as your own private blockchain, here we can spin up a number of accounts.
I’ve spun up ten different ethereum accounts here, all with 100 ETH. This first one I used to deploy the contract. Remember when you deploy contracts it actually does cost gas.
I’m going to grab the private key here of this account and we’re going to use that as our attacker account. So if we go back to metamask, here, let’s go ahead and add that one in.
So we will import accounts. Then we’re going to paste the key in, import and yay, we have 100 ETH. so additionally let’s go ahead and add the token in, so that we can actually see the token pair.
So I’m going to go back to ganache, I’m going to go to the contracts tab in ganache. I’m going to go to the damn valuable token here. I’m going to grab the address.
Jason
And.
Beau
Then we’re going to add that in as a token pair.
So you can see it. Already picked up the ticker address. Dbt. We’re going to add that we don’t have any current DvT in our account. Let’s go look at the contract real quick.
and what the account values are there. If we go truffle console, we can interact directly with that contract. With ganache directly.
I apologize, we’re going to go over here a bit. I hope Jason’s not mad.
Jason
Not mad at all.
Beau
Bo, okay, I told you before, like I was going to kind of yolo the time on this. So I apologize. I didn’t actually, time any of this.
All right, so first off we’re going to get the token contract, into a variable. we’re going to get the pool into a variable, so trust your lender pool.
so these are both the deployed contracts. We have the token contract that has the invaluable tokens and we have the pool that also implements a swap function or the flash loan functionality, of that token.
Now, what we can do is look at the token balance, of the pool so we can see what the balance looks like there.
We get this value back. It’s kind of crazy looking like what is that? So that is in what’s called big number format. We can actually use web three utils to actually bring that back to a decimal, number.
So again, add in the value there and we get one e plus 24. What that means is one followed by 24 zeros. And why does that 24 zeros.
So our token, the dan valuable token has 18 decimal places. And so 24, -18 you get six, which means we have six zeros, which is a total of 1 million tokens.
This contract has 1 million tokens currently. let’s check our attacker address real quick. Like I said, we should have zero there.
Let’s grab that, come back over to the terminal, we will do token balance of we will put our attacker address in there.
We get zero. Currently our attacker address has no tokens. let’s go exploit this contract. Now I showed you the exploit code here.
Now as this account, as the attacker contract. in remix here in the id we can use injected web three, environment which basically will connect to metamask, which our metamask wallet is connected to ganache, our local blockchain.
So this will facilitate us being able to deploy this contract, to our local blockchain. So I’m going to deploy it.
Jason
And.
Beau
Then we get the verification here because we have to sign it with our account to send this transaction. So this will deploy the contract and then once it’s deployed, one of the cool things about remix is that it will actually show you the deployed contracts here and allow you to actually interact with the functions we can actually specify, our next or the values that we want to utilize for this exploit.
So I’m going to send a borrow amount of zero. I’m going to send an attacker address of our own because ultimately our exploit is going to send tokens to our attacker address. So let’s go ahead and specify that.
Then we’re going to need the target pool and the token address. So we’ve got the token address here, then the pool address contracts tab, truster lender pool.
So that’s the address of the pool. Retargeting and transact. So now this is us interacting directly with the exploit contract that we just published.
and when we interact with that we’re sending this transaction that’s basically saying hey, make this attacker contract, have approval to send tokens from that pool because they had an issue, they have a vulnerability.
Now if we go look at our wallet, our metamask wallet, we should see that we have a million DVT, we have successfully exploited this particular pool.
if we go back to the console and check the balance of the pool, we should see that it is now zero. So we’ve drained the pool of the dBt tokens.
All right, so that’s the demo. Let’s get back to the slides real quick because I have a couple more slides I want to get to and then we’ll wrap it up. All right, so just quick recap of what we just did.
Identify the vulnerability. In smart contract, we deployed our own malicious contract. They called the vulnerable function in the target contract. We called the exploit function in our own malicious contract, specifying the target.
And then that exploit actually set our attacker contract as an approved sender of the Erc 20 token from the pool. And then the attacker contract then initiates a transfer of all the tokens from the pool to our attacker wallet.
Lastly, I’m going to run through just real quickly a few security tools. If you’re like hey, how do I jump into this? How do I start looking at this? visual studio code is a really good, versus code people use for all kinds of purposes.
If you go grab the solidity visual developer plugin, or extension, then that will help you analyze a lot of the stuff too. it will highlight a lot of the syntax, highlights a lot of security issues.
It also uses soraya, for generating call graphs, which is really nice. Things like this where you have the call graphs that show where the different flow is.
This is that pool we just exploited. You can actually see the flash loan function, and how it actually calls the ERC 20 contract, the balance of and transfer functions and how we actually call that target call from it.
Then slither is another tool. So solidity source code analyzers this is a static analyzer, for vulnerabilities in source code. Detects many of the common issues such as reentrancy functions that allow users to self destruct.
Contract has low false positives, it looks like this mythril and mythx mythril is an open source, tool.
It does symbolic execution. vulnerability scanning can also scan byte code directly. So if you don’t have the source, you can actually point it directly at bytecode. mithx is a paid service, that you can go subscribe to, and have it do longer, more in depth scans, in that quickstart guide that I put together at the start dot quick start, I’m sorry, start dot blockchainhacks.com I’ve got a few quick examples at the end of it for using slytherin, mithril and then some additional resources to get started.
so books I cannot recommend. more the mastering ethereum book. I absolutely love this book. I think it’s a great, if you want to jump in and really understand what is ethereum, what are smart contracts, what are some of the issues, go grab this book.
And it is also the entire book is open source on GitHub so you don’t even have to buy it. Then. Hands on smart contract development book is another good one.
learning solidity. I showed you a couple of tools there, on the last couple of slides. but actually learning solidity code itself is going to help more than anything to identify these issues.
So cryptozombies IO is a free dapp building game that is phenomenal. so that will walk you through creating a decentralized application, ctFs.
So for me, this is how I learn best, to be honest, is getting put in a CTF environment where I’m forced to learn something new.
Ethernot and damn vulnerable defi are both really good, CTF like environments. Bug bounty. So if you’re into bug bounties, there’s a huge bug bounty market on smart contracts.
And this is, this is a really good reason to go and learn this stuff because some of the, some of the bounties themselves are like a million dollars. they’re, they’re crazy. So check out some of these, the bug bounties that are out there and then I’ll do some key takeaways here at the end, to leave you with.
so I started out with talking about a few use cases, right? So use cases for blockchain are growing significantly. A lot of companies are implementing it. a lot of projects are racing to be at the front.
any of the hacks that are happening currently are resulting in a significant loss of funds. Since this is kind of, still an emerging technology, new smart contract vulnerabilities are still being discovered, and it’s something that we’re going to continue to find more and more of.
So it’s m something we need to be, we need to be performing. often security analyzers are good, so actual software vulnerability standards are great to get a high level view.
But just understand that at the end of the day understanding what the code is actually doing is going to be far more valuable, than just running a scanner.
You have to understand what it’s doing or you’re going to miss something smart, contracts are only one piece of this growing blockchain. Ecosystem. I showed you a slide earlier talking about layer one, layer two, wallet software.
All these things are additional things on top of this that we’re going to have to start looking at more and more of. So with that, that’s the end.
follow me on Twitter. I’m a daft hack on Twitter. put together that blockchain hacks quickstart guide. So if you’re like, wow, I want to go hack some smart contracts today. Let’s go.
this quick start guide should get you started with, setting up an environment similar to what I just demoed. and then we do the Coinsec podcast, which is weekly, about blockchain security. So if you’re like, I want to hear about the latest hacks.
Be sure to go check out the Coinsec podcast. And yeah, if you need a smart contract audit,
Jason
Black,
Beau
Hills infosec. we’re doing them now.
Jason
Thank you, Bo.
Beau
yeah. Hey, you feel like you understand better?
Jason
No, I gotta rewatch it.
Beau
Okay.
Jason
That’s just me, though. That’s no one else. I will rewatch it. there was a few comments, like during this is like, how did you fit all this information in your head and when did you get started learning this?
Beau
I guess like eight years ago. like, I started mining bitcoin like eight years ago.
Jason
And m this is one of those, like, when should you plant a tree or when should you start learning bitcoin? eight years ago or today? Like, it’s one of those things.
Beau
Well, so think about it this way. There’s only one country in the world that has adopted bitcoin as a legal currency, so there’s still a lot of other room to grow.
I’m, not saying that obviously that bitcoin is going to be like the only one that does it, but it is something that is still very much in an infancy stage. And I see it as, something that’s only going to grow more.
I think that, this industry is booming. and I don’t know, I think it’s worth learning for sure.
I don’t think it’s going away anytime soon.
Jason
I’m looking for questions right now.
Beau
Oh, yeah.
Jason
this one came up a lot, and so just. And he covered it here at the end. But like, if you were going to get started today, what’s the first thing that you would do?
Beau
so I guess it depends on what your purpose is. What do you want to do, because like I mentioned, there’s a number of different elements, to the entire blockchain world, right?
So there’s wallets, there’s mining, there’s, smart contracts. There’s all these things. Right now, I would say that the brunt of security issues, are in the smart contract space.
So learning smart contracts, if you want to dive into probably the biggest, riskiest area where hacks are happening, where bug bounties are, where, organizations are trying to figure out how to make these things work and not lose millions of dollars, I would say smart contracts is the place to start.
And to get started with smart contracts. Honestly, understanding Ethereum. first, and understanding what ethereum is, how does a blockchain work? because ultimately, smart contracts are deployed on top of Ethereum.
And to truly understand what a smart contract is doing, you kind of have to understand, like, what is the blockchain doing?
Jason
I got a quick question that I got to run. And then, Ralph, I’ll have you take over. bo, on your coinsec podcast, do you have people that ask questions and then you engage and respond?
Or is it just you guys talk and people listen?
Beau
Yeah, I mean, if people show up and they ask questions. yeah, I mean, we need people to show up, though, first.
Jason
So when people show up, if you have, like, a series of questions, or today, you rewatch the recording like. Like this, some becomes something like this. Today’s the spark. This is when the seed was planted.
And I would say the Coinsec podcast is where you just go next. And you guys are going to keep doing it. Is it every week or bi weekly?
Beau
Yep. Yeah, every week.
Jason
Yeah.
Beau
Awesome.
Jason
so I’m going to leave. That means, Ralph, at the very end, you get to end the webinar for all. both. You want to stick around for, like, five to ten more minutes while you all answer questions, but I got to go pick my daughter from school, so I will see you all later.
Beau
All right, see you, Jason.
Ralph
Bye, Jason. All right, awesome presentation, buddy.
Beau
Thanks, man.
Ralph
Yeah, good stuff. I was looking at to see if there’s any other questions in the chat, at least in discord, I think. I didn’t see any other ones.
I think I did see one question about, thoughts on the, algorand network. have you looked into algo smart contracts?
Beau
I haven’t looked into it specifically, no.
Ralph
Yeah, I actually haven’t heard of that one either. but these things pop up like crazy fast, so, kind of like.
Beau
what I was mentioning about, how there’s so many competitors, right? One of the things with bitcoin is that it’s made itself.
The whole purpose of bitcoin is currency. That’s its prime purpose. But now you have a lot of other, blockchain technologies, like Ethereum, Solana, cardano, all these other ones that are implementing smart contracts, and they’re all trying to figure out what’s the best way to do it, what’s the most efficient way.
We don’t even talk about consensus algorithms. Like, I didn’t even talk about like, proof of work versus proof of stake. all of these different ways you can actually do consensus. Like, that’s another, like, maybe we should do another webcast just on, just like.
Ralph
what do you call, blockchain 101, right? Because, I mean, this, this class was, Or this talk is really focused on security, right? Like, hey, this is there. It’s not just, but if we take that even one step back, right, because, the security is kind of like the higher level side of that.
Beau
Like, why? Trying to answer that question.
Ralph
Why do this? Why blockchain? Buzzword out.
Beau
I see a question. do logic bugs and ETH convey to other chains? Yeah, that’s actually a really good question. And so a number of projects have actually forked Ethereum, and, they’re actually really popular.
So things like binance, smart chain. and so with binary smart chain, you have contracts that are written on solidity, too. so, yeah, absolutely.
Vulnerabilities. There’s actually, So the vulnerability from a couple weeks ago, there was in, Geith. that one was a major one, right? And it actually caused a fork in Ethereum.
And that one because Ethereum was vulnerable. I’m sorry. Because Geeth was vulnerable. A lot of the other projects that had forked off of Ethereum also forked Geith for their own projects.
So those projects ended up having the same issue as well. So, yeah, they definitely, they definitely kind of cascade down.
Ralph
Yeah, there’s a bunch too. And they’re, they’re trying to ride the wave of, the already existing smart contracts so you don’t have to rewrite them.
Beau
Right, yeah.
Ralph
And again, to your point, right, you.
Beau
Just brought that up.
Ralph
Copy pasta. I made a change. oh. we lost our money.
Beau
So.
Jason
So, yeah, most of the questions we had on Gotowebinar were, how do we get started? We had a lot of people interested, especially people, in the infosec industry who are looking to maybe switch and look into this.
So that’s good. I think they’re in the right place.
Beau
Yeah, sweet. That’s really cool.
Ralph
I see one. Do you think blockchain technology will be the next after cloud technology? Do you think it’s the next big thing?
Beau
I wouldn’t put it in the same spectrum as cloud, I think. I think, I mean it’s different, right? It’s an industry of itself. it’s hard to say where the future will take it ten years to 50 years from now, it’s hard to say for sure.
who knows, maybe technology will advance so far where that you can efficiently run a full node on a phone, in which case you’re interacting with applications on your own phone at that point and not having to deal with like a centralized entity at all.
so I mean, I don’t know, I mean, I don’t think it’ll ever, I mean, in the near future take like the cloud spectrum. but who knows where the future will take it.
Ralph
Sure.
Jason
We had one more technical, I guess, question in gotowebinar was why solidity 0.06.12 still in use for new contracts?
Beau
That’s like, yeah, so most contracts should. so what that question is referring to is the compiler version. so we go back, I’ll go back to the slide real quick where we saw that demo or that example, contract.
here actually I think this one has it here. Oh, let me just go back to PowerPoint. This will be easier. so in the example here, if I could click correctly, there it is.
so in the example here, so at the top here we have the pragma, the solidity, 0.64. So that’s what that question was referring to is the solidity compiler version. so the compiler versions get updated with certain protections as well.
They add different, requirements. For example, if there was a vulnerability that occurred where there was a piece of code, like a fallback function or constructor, where it was named in an ambiguous way that led to vulnerabilities, then maybe they’ve updated the compiler, to make it stand out as an issue.
The compiler will just tell you hey, you’re using something that is vulnerable. so most projects should be using the latest compiler, right? They should be using the latest compiler to help understand a lot of those issues.
Jason
Right. There may be some backwards compatibility issues with certain things that people are doing on the network, right, that they need a specific version for, but yeah, that’s a good question.
Beau
Cool. well, I think that’s probably good. if, you guys any more questions, feel free to dm me. again, check out the podcast and yeah, looking forward to doing some, some more of these.
I think, I think there’s definitely room for doing a few more webcasts like this, so, yeah, I think a.
Ralph
One on one would be pretty awesome. So last question before we go, Bo. I only can buy one coin, which 01:00 a.m.. I gonna buy?
Beau
No, not gonna say no.
Ralph
I had to do it on that one. Well, hey, everyone, thank you for, watching our webcast. Bo, thanks for doing this. This is awesome stuff. Hopefully we can do some more of it. And I am going to end the webinar.
But it’ll take me 1 second because I have to find out where that button is, to end the webinar. I think I avoided it. All right, later guys.
Beau
Appreciate you all coming.