吴家志:区块链智能合约及公链安全

2020-02-27 302浏览

  • 1.区块链智能合约及公链安全 吴家志
  • 2.Who am I ? •吴家志 (@chiachih_wu) •PeckShield研发副总 •美国北北卡州⽴立⼤大学计算机博⼠士 •原360 C0RE Team创始成员并担任团队负责⼈人 •原360超级ROOT产品负责⼈人 •内核安全专家,曾发现多个有重⼤大影响的安全漏漏洞洞,并多次荣获⾕谷歌、⾼高通、 华为等⼚厂商的致谢 •⽬目前专注于区块链智能合约安全以及数据分析 Top / Trusted / Safety / Timeliness 01
  • 3.Blockchain Status Quo • Ethereum in 2017 • 1,090 Dapps & 700+ Tokens • 100,000 New Users Per Day • Daily Trading > 1,000,000 • Market Cap in 2018 • 1,640 Cryptocurrencies • Market Cap > 330 Billion • Global GDPRank:28th Top / Trusted / Safety / Timeliness 02
  • 4.Blockchain Security Incidents 2018/06 2018/05 2018/04 2018/04 2018/02 2018/01 2017/12 2017/06 2016/08 2016/01 2015/01 2014/03 2014/02 Bithumb Hacks with $31 Million Dollars Stolen EDU, BAIC Smart Contracts Bugs BEC, SMT Smart Contracts Bugs Myetherwallet Suffer from DNS Hijacking BitGrail Hacks with Stolen Nano Tokens of 170 Million Dollars Coincheck Hacks with 530 Million Dollars Stolen Nicehash Hacks with 4700 BTC Missing with 62 Million Dollars Bithumb Hacks with 1 Billion Korean Yuan Loss and 30 Thousand User Info. Leaked Bitfinex Hacks with 120,000 BTC Stolen of 75Million Dollars Cryptsy Hacks with 13,000 BTC and 300,000 LTC Stolen Bitstamp Hacks with 19,000 BTC Stolen Poloniex Hacks with 12.3% BTC Lost Mt.Gox Hacks with Followed Bankruptcy Top / Trusted / Safety / Timeliness 03
  • 5.Blockchain Ecosystem Cryptocurrency Exchange Digital Wallet Infrastructure DApps Smart Contract Mining Pool Top / Trusted / Safety / Timeliness 04
  • 6.Blockchain Ecosystem - Smart Contract Cryptocurrency Exchange Digital Wallet Infrastructure DApps Smart Contract Mining Pool Top / Trusted / Safety / Timeliness 05
  • 7.Security of Smart Contracts Disclosed by PeckShield codename CVE-ID batchOverflow CVE-2018-10299 proxyOverflow CVE-2018-10376 transferFlaw CVE-2018–10468 ownerAnyone CVE-2018-10705 multiOverflow CVE-2018-10706 burnOverflow CVE-2018-11239 ceoAnyone CVE-2018-11329 allowAnyone1 CVE-2018-11397 allowAnyone2 CVE-2018-11398 tradeTrap1 CVE-2018-12017 tradeTrap2 CVE-2018-12062 tradeTrap3 CVE-2018-12079 … … Top / Trusted / Safety / Timeliness 06
  • 8.Security of Smart Contracts Disclosed by PeckShield codename CVE-ID batchOverflow CVE-2018-10299 proxyOverflow CVE-2018-10376 transferFlaw CVE-2018–10468 ownerAnyone CVE-2018-10705 multiOverflow CVE-2018-10706 burnOverflow CVE-2018-11239 ceoAnyone CVE-2018-11329 allowAnyone1 CVE-2018-11397 allowAnyone2 CVE-2018-11398 tradeTrap1 CVE-2018-12017 tradeTrap2 CVE-2018-12062 tradeTrap3 CVE-2018-12079 … … Top / Trusted / Safety / Timeliness 06
  • 9.Security of Smart Contracts Disclosed by PeckShield codename CVE-ID batchOverflow CVE-2018-10299 proxyOverflow CVE-2018-10376 transferFlaw CVE-2018–10468 ownerAnyone CVE-2018-10705 multiOverflow CVE-2018-10706 burnOverflow CVE-2018-11239 ceoAnyone CVE-2018-11329 allowAnyone1 CVE-2018-11397 allowAnyone2 CVE-2018-11398 tradeTrap1 CVE-2018-12017 tradeTrap2 CVE-2018-12062 tradeTrap3 CVE-2018-12079 … … Top / Trusted / Safety / Timeliness Not Disclosed Yet CVE-ID CVE-2018-11310 CVE-2018-11441 CVE-2018-11446 CVE-2018-11520 CVE-2018-11521 CVE-2018-11561 CVE-2018-11582 CVE-2018-11585 CVE-2018-12105 CVE-2018-12340 CVE-2018-12341 CVE-2018-12566 … 06
  • 10.PwningFomo3D:Pre-Calculated Contract Creation For Airdrop Prizes! Top / Trusted / Safety / Timeliness 07
  • 11.Fomo3D Lottery Airdrop Mechanism 0x0badbeef…ddd 0.1 ETH Fomo3D Smart Contract buyXid() if ( airdrop() == true ) 0.1 ETH + prize Top / Trusted / Safety / Timeliness withdraw() 08
  • 12.Don’t Implement Randomness in Ethereum Smart Contract! Top / Trusted / Safety / Timeliness 09
  • 13.What if msg.sender is a contract address? contract human { constructor() { isHuman() } } 0x0badbeef…ddd Top / Trusted / Safety / Timeliness 10
  • 14.Exploit •Pre-calculate the address X of the next contract that the attacker address is about to create [1]; •If X can’t be used to generate a good seed with the current airDropTracker_, goto step 1; •Create contract at address X; •Invoke buyXid() function from X to win the airdrop prize [1]https://ethereum.stackexchange.com/questions/760/how-isthe-address-of-an-ethereum-contract-computedTop / Trusted / Safety / Timeliness 11
  • 15.Attack in-the-wild Attacker Contract Boss Wallet Address Top / Trusted / Safety / Timeliness 12
  • 16.Attack in-the-wild (1) This pre-created contact will create a “good” contract addr (2) Create the “good” contract addr (3) Send 0.1 ETH to buy keys (4) Get the airdrop which is >= 0.1 ETH (5) Withdraw (6) Suicide and send everything to the boss Top / Trusted / Safety / Timeliness 13
  • 17.Allowance-Related Vulnerabilities
  • 18.allowAnyone (CVE-2018-11397, CVE-2018-11398) Top / Trusted / Safety / Timeliness 15
  • 19.Top / Trusted / Safety / Timeliness 16
  • 20.Overflow-Related Vulnerabilities
  • 21.Top / Trusted / Safety / Timeliness 18
  • 22.Top / Trusted / Safety / Timeliness 19
  • 23.Blockchain Ecosystem - Infrastructure Cryptocurrency Exchange Digital Wallet Infrastructure DApps Smart Contract Mining Pool Top / Trusted / Safety / Timeliness 20
  • 24.Ethereum Clients • Official implementations of Ethereum clients • Geth (Golang) • Eth (C++) • Pyethapp (Python — not maintained anymore) • Another popular client • Parity (Rust) - by Parity Technologies • Market share •Geth:~2/3 •Parity:~1/3 • Others Top / Trusted / Safety / Timeliness Datasource:https://www.ethernodes.org21
  • 25.Attack Surface of Geth Smart Contract Wallet DApp EVM related issues RPC interface issues Geth Node Other Ethereum Node Protocol stack issues Other Ethereum Node Web Top / Trusted / Safety / Timeliness Other Ethereum Node 22
  • 26.Ethereum Protocol Stack ETH LES Whisper … •Various Sub-protocols ÐΞVp2p RLPx Top / Trusted / Safety / Timeliness •Support arbitrary sub-protocols (aka capabilities) over the basic wire protocol •Connection management •Encrypted Handshake/Authentication •Peer Persistence •UDP Node Discovery Protocol 23
  • 27.EPoD:CVE-2018-12018 •Several message handlers for different types of messages •StatusMsg, AnnounceMsg, GetBlockBodiesMsg, etc. •However, the GetBlockHeadersMsg handler has a flaw:Top / Trusted / Safety / Timeliness 24
  • 28.EPoD:CVE-2018-12018 (cont’) Attacker getBlockHeadersData {
 Origin = some hash
 Amount = 1
 Skip = -1 (0xffff…f)
 Reverse = false
 } Top / Trusted / Safety / Timeliness Victim 1. Allocate array for max # of blocks • allocate (Skip+1):
 Zero-Size Array Allocated 2. Query from returned array[Skip] • Access array[-1]:
 Out-of-Bound Read 25
  • 29.EPod Demo
  • 30.Impact •Possible Victims of EPoD •Cryptocurrency exchanges •Mining pools •Boot nodes Exchange Exchange Mining Pool Attacker Mining Pool Exchange Boot Node Please upgrade to Geth v1.8.11 (or above)! Top / Trusted / Safety / Timeliness 27
  • 31.X Vulnerability isMining:Decentralized Vulnerability Platform (DVP) Top / Trusted / Safety / Timelinesshttps://dvpnet.io28
  • 32.Better Blockchain Ecosystem Togetherwebsite:https://peckshield.comemail:hr@peckshield.com