d3 arithmetic issues 3 arithm ithmetic tic iss ssue ues
play

D3: Arithmetic Issues #3: Arithm ithmetic tic Iss ssue ues - PowerPoint PPT Presentation

Feb 28, 2024 •304 likes •435 views

D3: Arithmetic Issues #3: Arithm ithmetic tic Iss ssue ues Integer overflow and integer underflow Unsigned vs signed integer confusion Turns many benign-seeming codepaths into vectors for theft or denial of service. Loss :

  1. D3: Arithmetic Issues

  2. #3: Arithm ithmetic tic Iss ssue ues  Integer overflow and integer underflow  Unsigned vs signed integer confusion  Turns many benign-seeming codepaths into vectors for theft or denial of service.  Loss : estimated at 150,000 ETH (~$30M USD at the time) Portland State University CS 410/510 Blockchain Development & Security

  3. Walkthr kthroug ough h sc scen enario ario  A contract 's withdraw() function allows you to retrieve ether donated to the contract as long as your balance remains positive after the operation.  An attacker attempts to withdraw more than his or her current balance.  The check in withdraw() function is done with unsigned (positive) integers, resulting in an always positive condition.  Attacker withdraws more than allowed and the resulting balance underflows and becomes orders of magnitude larger than it should be. Portland State University CS 410/510 Blockchain Development & Security

  4. Ex Example ple  April 22, 2018  https://peckshield.com/2018/04/22/batchOverflow/ Portland State University CS 410/510 Blockchain Development & Security

  5. Code e vul ulnerability nerability exa xample ple #1  Underflow Code Example function withdraw (uint _amount) { require(balances[msg.sender] - _amount >= 0); msg.sender.transfer(_amount); balances[msg.sender] -= _amount; }  Using uint makes require statement useless ( uint can never be < 0!  Attacker has 5 tokens and withdraws 6  Ends up with 2 255 -1 tokens instead in balance  What would make this code problematic? function popArrayOfThings () { require(arrayOfThings.length >= 0); arrayOfThings.length--; }  Brick a contract by setting the length of its array Portland State University CS 410/510 Blockchain Development & Security

  6. Code e vul ulnerability nerability exa xample ple #2  Overflow Code Example  Code seeks to send each address in _receivers , a certain _value amount of ETH from their account ( balances[msg.sender] )  Line 257, the amount local variable is calculated as the product of cnt (the number of receivers) and _value (the amount to send each receiver)  Line 258 ensures there are only 1-20 receivers  Line 259 ensures the amount in our balances is more than the amount  Line 261 updates our balances  Line 263 updates the balances for each of the _receivers  Any errors here? Portland State University CS 410/510 Blockchain Development & Security

  7.  Contract Exploit  Pass two _receivers into batchTransfer()  Pass 2 255 for _value (an arbitrary 256 bit integer)  What is the value of amount ?  Do the checks in lines 258-259 pass?  What is the effect of line 261?  What happens in line 263 to the balance of each of the two receivers?  Receivers get an extremely large _value added to their accounts without costing a dime in the attacker’s pocket! Portland State University CS 410/510 Blockchain Development & Security

  8. Rem emed ediation iation  Validation: validate all arithmetic operations contract Overflow { uint private sellerBalance = 0; function unsafe_add(uint value) returns (bool) { sellerBalance += value; // possible overflow } function safe_add(uint value) returns (bool ){ require(value + sellerBalance >= sellerBalance); sellerBalance += value; } } Portland State University CS 410/510 Blockchain Development & Security

  9.  Using SafeMath library (or an equivalent)  https://ethereumdev.io/safemath-protect-overflows/ library SafeMath { function mul(uint256 a, uint256 b) internal constant returns (uint256) { uint256 c = a * b; assert(a == 0 || c / a == b); return c; } function div(uint256 a, uint256 b) internal constant returns (uint256) { // Note: Solidity automatically throws when dividing by 0 uint256 c = a / b; return c; } function sub(uint256 a, uint256 b) internal constant returns (uint256) { assert(b <= a); return a - b; } function add(uint256 a, uint256 b) internal constant returns (uint256) { uint256 c = a + b; assert(c >= a); return c; } } Portland State University CS 410/510 Blockchain Development & Security

  10.  Replacing native opeartors with SafeMath in contracts contract MyContract { using SafeMath for uint256; uint256 result; function MyAdd(uint256 a, uint256 b) { result = 0; result = a.add(b); } } Portland State University CS 410/510 Blockchain Development & Security

  11. SI CTF Lab 3.3: D3_TokenSale

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

R&amp; E R&amp; E I ssu ssue 1 1: Proj ec ect Approvals I ssu ssue 2 2: : RE Progr

R&amp; E R&amp; E I ssu ssue 1 1: Proj ec ect Approvals I ssu ssue 2 2: : RE Progr

R&amp; E R&amp; E I ssu ssue 1 1: Proj ec ect Approvals I ssu ssue 2 2: : RE Progr gram Budge dget I ssu ssue 3 3:R&amp; E L Legislat at ive Report March 15, 15, 2019 2019 Exhibit D 1 Locations of Recommended Projects

447 views • 22 slides
R&amp; E R&amp; E I ssu ssue 1 1: Cycle 3 Proj ect A Approvals s I ssue 2 e 2: R&amp; E

R&amp; E R&amp; E I ssu ssue 1 1: Cycle 3 Proj ect A Approvals s I ssue 2 e 2: R&amp; E

R&amp; E R&amp; E I ssu ssue 1 1: Cycle 3 Proj ect A Approvals s I ssue 2 e 2: R&amp; E Rules es Decem ber 6, 6, 2019 2019 Exhibit F 1 Sources of R&amp;E Funding Surcharges and fees: Resident annual angling license: $4

361 views • 15 slides
Consumer Law I ssue Spotting Identifying issues and options for low-income clients Melissa

Consumer Law I ssue Spotting Identifying issues and options for low-income clients Melissa

Consumer Law I ssue Spotting Identifying issues and options for low-income clients Melissa Linville William Ross The Legal Aid Society of Columbus LASC (614) 737-0155 (614)737-0141 mlinville@columbuslegalaid.org Wross@columbuslegalaid.org

240 views • 22 slides
H ow the D eontic I ssue in the M iners P uzzle D epends on an E pistemic I ssue Martin Aher 1

H ow the D eontic I ssue in the M iners P uzzle D epends on an E pistemic I ssue Martin Aher 1

T he S tandard P uzzle C onstructing the model E xplaining the semantics Q uestion dependency H ow the D eontic I ssue in the M iners P uzzle D epends on an E pistemic I ssue Martin Aher 1 Jeroen Groenendijk 2 1 Institute of Estonian and General

1.05k views • 58 slides
Standy/PowerON S d /P ON

Standy/PowerON S d /P ON

The Last Issue The Last Issue e e ast ssue ast ssue Power Consumption Issues Standy/PowerON S d /P ON Processing Power Consumption Wireless Multimedia System y

391 views • 12 slides
Emp mplo loyment yment an and H d Hum uman an Reso sourc urces s Iss ssue ues

Emp mplo loyment yment an and H d Hum uman an Reso sourc urces s Iss ssue ues

AMERICAN ASSOCIATION OF PORT AUTHORITIES Port Administration and Legal Issues Seminar New Orleans, Louisiana Emp mplo loyment yment an and H d Hum uman an Reso sourc urces s Iss ssue ues Gwendolyn C. Hager Port Of New Orleans

461 views • 15 slides
Digital Design Discussion: Arithmetic Binary Arithmetic Floating-Point Arithmetic Binary

Digital Design Discussion: Arithmetic Binary Arithmetic Floating-Point Arithmetic Binary

Principles Of Digital Design Discussion: Arithmetic Binary Arithmetic Floating-Point Arithmetic Binary Arithmetic Same basic methodology as decimal arithmetic Important to know number representation Unsigned Signed

704 views • 11 slides
Curre nt Co mplia nc e I ssue s in Pha rma c y Pra c tic e ME L I SSA RE I CHE RT ,

Curre nt Co mplia nc e I ssue s in Pha rma c y Pra c tic e ME L I SSA RE I CHE RT ,

10/8/2019 Curre nt Co mplia nc e I ssue s in Pha rma c y Pra c tic e ME L I SSA RE I CHE RT , PHARM.D. OK L AHOMA ST AT E BOARD OF PHARMACY, PHARMACI ST COMPL I ANCE OF F ICE R F ina nc ia l Disc lo sure a nd Re so

292 views • 18 slides
Analyse statique de programmes num eriques avec calculs flottants eme Rencontres Arithm 4 `

Analyse statique de programmes num eriques avec calculs flottants eme Rencontres Arithm 4 `

Analyse statique de programmes num eriques avec calculs flottants eme Rencontres Arithm 4 ` etique de lInformatique Math ematique Antoine Min e Ecole normale sup erieure 9 f evrier 2011 Perpignan 9/02/2011 Analyse

896 views • 70 slides
The Iss Th ssue ue The Currency of of Tim ime The Lan Land of of Aints an and Sc

The Iss Th ssue ue The Currency of of Tim ime The Lan Land of of Aints an and Sc

The Iss Th ssue ue The Currency of of Tim ime The Lan Land of of Aints an and Sc Scholars Suas must recruit 3,000 volunteers over Poor literacy levels amongst children in the next 3 years who must each give up Irelands

227 views • 10 slides
Bankruptc y I ssue : Appe llate Co urt Opinio n T hat Hig hlig hts F o rmatio n I ssue F

Bankruptc y I ssue : Appe llate Co urt Opinio n T hat Hig hlig hts F o rmatio n I ssue F

Case 18-60018 Document 63 Filed in TXSB on 12/04/18 Page 1 of 9 Bankruptc y I ssue : Appe llate Co urt Opinio n T hat Hig hlig hts F o rmatio n I ssue F ixable Case 18-60018 Document 63 Filed in TXSB on 12/04/18 Page 2 of 9

207 views • 9 slides
AME RI CAN CONSE RVAT I SM: T HE E VOL VI NG ROL E OF SOCI AL I SSUE S I N AME

AME RI CAN CONSE RVAT I SM: T HE E VOL VI NG ROL E OF SOCI AL I SSUE S I N AME

AME RI CAN CONSE RVAT I SM: T HE E VOL VI NG ROL E OF SOCI AL I SSUE S I N AME RI CAN POL I T I CS Justin Ro sta d Be midji Sta te Unive rsity RE SE ARCH T OPI C My re se a rc h q ue stio n: Are c o nse rva

417 views • 15 slides
Arithmetic for Computers October 31, 2008 Arithmetic for Computers ALU Arithmetic Logic Unit

Arithmetic for Computers October 31, 2008 Arithmetic for Computers ALU Arithmetic Logic Unit

Arithmetic for Computers October 31, 2008 Arithmetic for Computers ALU Arithmetic Logic Unit Performs most processor operations Control signal predicates addition subtraction logic operations shifting (w / or w / o sign extension) Figure:

205 views • 8 slides
CSI T 2 0 1 3 Rational Arithm etic w ith Floating Point Vaclav Skala University of West

CSI T 2 0 1 3 Rational Arithm etic w ith Floating Point Vaclav Skala University of West

CSI T 2 0 1 3 Rational Arithm etic w ith Floating Point Vaclav Skala University of West Bohemia, Plzen, Czech Republic VSB Technical University, Ostrava, Czech Republic http://www.VaclavSkala.eu Amman, Jordan 2013 Vaclav Skala

942 views • 48 slides
Ag T ruc king The Good, The Bad, and The Ugly I ssue s F a c ing the I ndustry F4A

Ag T ruc king The Good, The Bad, and The Ugly I ssue s F a c ing the I ndustry F4A

Ag T ruc king The Good, The Bad, and The Ugly I ssue s F a c ing the I ndustry F4A Pre-emption AB1513 CARB Driver Shortage / Driver Pay Dynamex / AB5 ELD Mandate Ac c o mplishme nts Air quality improved to

215 views • 9 slides
Predic'ng 'ssue-specific effects of rare gene'c variants Farhan Damani Biological Data Sciences

Predic'ng 'ssue-specific effects of rare gene'c variants Farhan Damani Biological Data Sciences

Predic'ng 'ssue-specific effects of rare gene'c variants Farhan Damani Biological Data Sciences 2016 Goal: develop a framework to predict 'ssue- specific regulatory effects of rare variants Rare variants are abundant and poten'ally

659 views • 38 slides
gravitational-wave detector Department of physics, Tokyo Institute of Technology, Japan Ken-ichi

gravitational-wave detector Department of physics, Tokyo Institute of Technology, Japan Ken-ichi

Parametric signal amplification for a high-frequency gravitational-wave detector Department of physics, Tokyo Institute of Technology, Japan Ken-ichi Harada Collaborators Department of physics, Tokyo Institute of Technology, Japan Sotatsu

481 views • 15 slides
EDMs of stable atoms and molecules outline Introduction EDM sensitivity Recent

EDMs of stable atoms and molecules outline Introduction EDM sensitivity Recent

W.Heil EDMs of stable atoms and molecules outline Introduction EDM sensitivity Recent progress in -EDMs paramagnetic atoms/molecules -EDMs diamagnetic atoms Conclusion and outlook Solvay workshop Beyond the Standard model

617 views • 51 slides
AP Review.notebook April 24, 2015 AP Physics Review 2 D Motion AP Physics Review Forces

AP Review.notebook April 24, 2015 AP Physics Review 2 D Motion AP Physics Review Forces

AP Review.notebook April 24, 2015 AP Physics Review 2 D Motion AP Physics Review Forces Problem Solving Strategy: Problem Solving Strategy: 1. Sketch a free body diagram of the problem. Label all forces. Kenimatic Equations for 1.

335 views • 7 slides
Laser-induced spin dynamics at the femto-second time scale: Understanding switching mechanisms

Laser-induced spin dynamics at the femto-second time scale: Understanding switching mechanisms

Laser-induced spin dynamics at the femto-second time scale: Understanding switching mechanisms with real-time TDDFT E.K.U. Gross Max-Planck Institute of Microstructure Physics Halle (Saale) First experiment on ultrafast laser induced

873 views • 61 slides
Design-by-Contract (Dbc) Test-Driven Development (TDD) Readings: OOSC2 Chapter 11 EECS3311 A:

Design-by-Contract (Dbc) Test-Driven Development (TDD) Readings: OOSC2 Chapter 11 EECS3311 A:

Design-by-Contract (Dbc) Test-Driven Development (TDD) Readings: OOSC2 Chapter 11 EECS3311 A: Software Design Fall 2018 C HEN -W EI W ANG Motivation of this Course Focus is design Architecture : work with many interacting classes

604 views • 38 slides
A 10-bit Linearity Current-Controlled Ring Oscillator with Rolling Regulation for Smart Sensing

A 10-bit Linearity Current-Controlled Ring Oscillator with Rolling Regulation for Smart Sensing

10-bit Linearity CCRO with Rolling Regulation Intro CCRO Rolling-Regulation Example Conclusions 1/19 A 10-bit Linearity Current-Controlled Ring Oscillator with Rolling Regulation for Smart Sensing M.Dei 1 , J.Sacristn 1 , E.Marig 2

529 views • 19 slides
Delivering Value. Kinross Gold Corporation Cautionary Statement on Forward-Looking Information

Delivering Value. Kinross Gold Corporation Cautionary Statement on Forward-Looking Information

First Quarter Results May 9, 2018 Delivering Value. Kinross Gold Corporation Cautionary Statement on Forward-Looking Information All statements, other than statements of historical fact, contained or incorporated by reference in or made in

367 views • 25 slides
Plant tuning: a robust Lyapunov approach Franco Blanchini 1 , Gianfranco Fenu 2 , Giulia Giordano 3

Plant tuning: a robust Lyapunov approach Franco Blanchini 1 , Gianfranco Fenu 2 , Giulia Giordano 3

Plant tuning: a robust Lyapunov approach Franco Blanchini 1 , Gianfranco Fenu 2 , Giulia Giordano 3 , Felice Andrea Pellegrino 2 1 Dipartimento di Scienze Matematiche, Informatiche e Fisiche University of Udine, Italy; 2 Dipartimento di Ingegneria

1.25k views • 98 slides

More recommend