replay attacks on ethereum smart contracts con/def con 26/def con... · ü group3 no specific...
TRANSCRIPT
ReplayAttacksonEthereumSmartContracts
ZhenxuanBai,YuweiZheng,KunzheChai SenhuaWang
Aboutus
• 360TechnologyisaleadingInternetsecuritycompanyinChina.Ourcore
productsareanti-virussecuritysoftwareforPCandcellphones.
• UnicornTeam(https://unicorn.360.com/)wasbuiltin2014.Thisisagroup
thatfocusesonthesecurityissuesinmanykindsofwireless
telecommunicationsystems.Theteamalsoencouragememberstodoother
researchthattheyareinterestedin.
• HighlightedworksofUnicornTeaminclude:
– Low-costGPSspoofingresearch(DEFCON23)
– LTEredirectionattack(DEFCON24)
– Attackonpowerlinecommunication(BlackHatUSA2016)
PPT www.1ppt.com/moban/PPT www.1ppt.com/sucai/PPT www.1ppt.com/beijing/PPT www.1ppt.com/tubiao/PPT www.1ppt.com/xiazai/PPT www.1ppt.com/powerpoint/
www.1ppt.com/ziliao/ www.1ppt.com/fanwen/www.1ppt.com/shiti/ www.1ppt.com/jiaoan/
PPT www.1ppt.cnPPT www.1ppt.com/kejian/www.1ppt.com/kejian/yuwen/ www.1ppt.com/kejian/shuxue/www.1ppt.com/kejian/yingyu/ www.1ppt.com/kejian/meishu/www.1ppt.com/kejian/kexue/ www.1ppt.com/kejian/wuli/www.1ppt.com/kejian/huaxue/ www.1ppt.com/kejian/shengwu/www.1ppt.com/kejian/dili/ www.1ppt.com/kejian/lishi/
Part1 Part2 Part3 Part4
TheMainIdea
BackGround DemonstrationSafetyProblem ReplayAttack
Part1
Back Ground (Blockchain & smart contract & Ethereum)
What is Blockchain?
Blockchain is:
ALarge-scalegloballydecentralizedcomputer
network
Asystemthatuserscaninteractwithbysending
transactions
—Transactionsareguaranteedby
ConsensusMechanism
Advantages of Blockchain
• havingtheunifieddatabasewithrapidconsensus
• Withlarge-scalefault-tolerantmechanism
• Notrelyingontrust,notcontrolledbyanysingleadministratoror
organization(notforprivate/consortiumblockchain)
• Audit-able:externalobserverscanverifytransactionhistory.
• Automation:operatingwithouthumaninvolvement.
What on-earth can Blockchain do?
Cryptocurrency: digital assets on the Blockchain
Therearetokensinthepublicblockchainsusedtolimittheratesofupdatingtransactions&powerthemaintenanceofBlockchain.
RecordRegistration(suchastheDomainNameSystembasedonBlockchain.Timestamptotrackhighvaluedata
FinancialContractsGeneralComputation
Non-monetary Characteristics
Support Functionalities
Ethereum
About 2013, the public realized that Blockchain can be used in hundreds
of applications besides cryptocurrency, such as asset issuance,
crowdfunding, domain-name registration, ownership registration, market
forecasting, Internet of things, voting and so on.
How to realize?
Smart contracts are pieces of code that live on the Blockchain and execute commands exactly how the were told to.
“smart contract" - a computer program running in a secure environment that automatically transfers digital assets according to previously arbitrary rules.
business people
Developer
Smart Contract
How to build one?
■ Blockchain with built-in programming language
■ maximum abstraction and versatility
■ it is very ideal to process smart contracts
Ethereum
Ethereum
EVM: It is the operating environment for smart contract in
the Ethereum. It is not only encapsulated by a sandbox, but
in fact it is completely isolated, that is, the code that runs
inside the EVM does not have access to the network, file
system, or other processes. Even smart contracts have
limited contact with other smart contracts.
Operating System
Contract usage scenario
Hedging contracts, Savings Purse, Testamentary contract
Financial scenario
Online voting, De-centralized governance , Domain name registration
Non-financial scenario
Part2
Related Safety Problem
The Ecology of the Ethereum
On average, there are 100 thousand of new users join the
Ethereum ecosystem every day. The users are very
active, with an average daily transactions of more than 1
million times on Ethereum.
The safety issue of the Ethereum
attackandtokensteal
exchange
probabletobehijacked
wallet
overflowattack
smart contract
main parts
The security problem of smart contract
April2018,
BECcontract
May2018,
EDUcontract June2018,
SNCcontract
Directlyaffectsthemajor
exchanges,includingthe
issue,rechargeorcash
withdrawalofthetokens.
Vulnerability in Smart Contracts
According to < Finding The Greedy , Prodigal , and Suicidal Contracts at Scale>, In March 2018, nearly 1 million smart contracts were analyzed , among which there are 34200 smart contracts can be easily attacked by hackers.
How to lower the probability of loss ?
A complete and objective audit is required for smart contracts.
The emergency response can be made when the vulnerability was found in Smart Contracts
Reward can be provided when someone detect any bug .
Replay attack on smart contract Part3
What are we care about - Replay attack Replayattack:IfatransactionislegitimateononeBlockchain,itisalso
legitimateonanotherblockchain.
WhenyoutransferBTC1,yourBTC2/BTC3maybetransferredatthesametime.
Our discovery
Manysmartcontractsadoptthesamewaytoverifythevalidityof
thesignature,anditispossibleforreplayattack.
Our motivation
Weproposedthereplayattacksinthesmartcontracts,whichhopeto
attracttheuser’sattention.
Wedetectthevulnerabilityinsmartcontracts,whichhopetomake
themmoresecure.
Wehopetoenhancetheriskawarenessforcontractcreatorand
ensuretheinterestsofinvestors.
� wefoundthereplayattackproblemexistsin52smartcontracts.
� We analyzed the smart contract example to verify the replay
attack.
� Weanalyzedthesourceandprocessofreplayattacktoexpound
thefeasibilityofreplayattackinprinciple.
� Weverifiedthereplayattackbasedonthesignature
vulnerability.
� Weproposeddefensestrategytopreventthisproblem.
Our Contribution
• Judging whether the contract is accord with the ERC20 standard.
we set three scanning standards to discovery the smart contracts which have the VULNERABILITY.
require(totalsupply>0)
Vulnerability Scanning
• Get the name of the contract to determine
whetherthenameisvalid.
Vulnerability Scanning
• Filtersmartcontractsvulnerabletoreplayattack.
ScanningResult:52riskytargets
Vulnerability Scanning
● It has been confirmed(proved) that there are two smart
contractsallowproxytransactions..
● Ifthetwosmartcontractsuseasimilarmechanismandshare
thesametransactionformat.
● Whenatransactionhappensinonecontract,thistransaction
will be also legal in another contract, and the replay attack
willbesuccessfullyexecuted.
Why does the replay attack occur?
The issue lies in this line: bytes32 h = keccak256(_from,_to,_value,_fee,nonce);
Example
Attack Process
● wechosetwoERC20smartcontracts,theUGTcontract
andtheMTCcontract.
● wecreatedtwoaccounts,AliceandBob● we deposit some tokens in the two accounts in UGT
contractsandMTCcontracts.
● atleastoneEthereumfullnode
Experiment condition
Step one: transaction records on the Ethereum were
scannedtofindoutaccountswhichhadbothUGTtokens
andMTCtokens(weusetwoaccounts,AliceandBob).
Verification of the replay attack process
Steptwo:BobinducedAlicetosendhim2UGTtokens.Thetransactioninputdata
isshownasbelow:
Function: transferProxy(address _from, address _to, uint256 _value, uint256
_feeUgt,uint8_v,bytes32_r,bytes32_s)
MethodID:0xeb502d45
Verification of the replay attack process
Step three: Bob take out the input data of this transaction on theblockchain. The parameters “from, to, value, fee, v, r, s”were extracted
from [0]- [6] in step two. The following is the implementation of the
transferfunction.
Verification of the replay attack process
Stepfour:Bobusetheinputdatainstep2toexecuteanothertransferinthe smart contract of MTC. The result of this transaction is shown as
below.
Verification of the replay attack process
Stepfive:Bobgotnotonly2UGTtokensbutalso2MTCtokensfrom
Alice.Inthisprocess,thetransferof2MTCtokenswasnotauthorized
byAlice.
Verification of the replay attack process
Part4Demonstration
Select contract
Account setting
genesis.json
the UGT contract and the MTC contract
• AliceandBob
• Alice(thesender):0x8e65d5349ab0833cd76d336d380144294417249e
• Bob(thereceiver):0x5967613d024a1ed052c8f9687dc74897dc7968d6
• Bothownsometokensfortransferring.
UGTToken:0x43eE79e379e7b78D871100ed696e803E7893b644
MTCToken:0xdfdc0D82d96F8fd40ca0CFB4A288955bECEc2088
Core code
Demo
Demo
ByApril27th,2018,loopholeofthisreplayattackriskexistsin52
Ethereumsmartcontracts.
accordingtothevulnerabilityofthereplayattack:
l High-risk group (10/52): no specific information is contained in the signature of
smartcontract,whichthesignaturecanbefullyreused.
l moderate-risk group (37/52): fixed string is contained in the signature of smart
contract,whichtheprobabilityofreusingthesignatureisstillhigh.
l Low -risk group (5/52): the address of the contract (1 in 5) or the address ofsender (4 in5) is contained in the signature of smart contract. There are strong
restrictions,butthereisstillownthepossibilityofreplayattacks.
Statistics and Analysis
l Replayinthesamecontract(5/52)
MiracleTele RoyalForkToken FirstBlood KarmaToken KarmaToken2
l Cross-contractsreplay(45/52)Besides,wedivided these 45 contracts into 3 groups, for the specific prefix
dataused in thesignatures.Cross-contracts replaysmayhappenamongany
contractsaslongastheyareinasamegroup.
Accordingtofeasiblereplayattackapproaches:
Statistics and Analysis
ü Group1 thespecificprefixdata1usedinthesignatures(28/52)
ARCCoin,BAF,ClaesCash ClaesCash2 CNF,CWC,DET,Developeo,
Envion,FiCoin,GoldCub JaroCoin metax,metax2 NODE,NODE2,NPLAY,
SIGMA, solomex, Solomon Exchange, Solomon Exchange2, Trump Full Term
Token,TrumpImpeachmentToken,X,ZEUSTOKEN ZEUSTOKEN2,cpay.
ü Group2 the specific prefix data 2 used in the signatures (7/52)
"\x19EthereumSignedMessage:\n32" Acore CLC CLOUT CNYToken,CNYTokenPlus,GigBit The4th
PillarToken,
Statistics and Analysis
Accordingtofeasiblereplayattackapproaches:
ü Group3 nospecificprefixdatausedinthesignatures(10/52)
BlockchainCuties First(smt),GGToken M2CMeshNetwork M2C
Mesh Network2 MJ comeback, MJ comeback2, MTC Mesh Network,
SmartMeshToken,UGToken
l Replaybetweentestchainandmainchain(2/52)
MeshBoxMeshBox2
l Replaybetweendifferentmainchain(0/52)
Accordingtofeasiblereplayattackapproaches:
Statistics and Analysis
Accordingtothetradingfrequencyofabove-mentioned
contracts
By9:00April30th,2018,
• 24contractswerefoundwhichhavethetransactionrecordswithinoneweek,Theproportionis46.15%ofthetotalnumberofcontracts.
• 9contractswerefoundwhichhavethetransactionrecordsfromone
weektoonemonth,Theproportionis17.31%ofthetotalnumberof
contracts.
Statistics and Analysis
According to the trading frequency of above-mentioned
contractsBy9:00April30th,2018,
• 16 contractswere foundwhich have the transaction records beyondonemonth,Theproportionis30.77%ofthetotalnumberofcontracts.
• 3 contractsOnly have the records for deployment. The proportion is
5.77%ofthetotalnumberofcontracts.
According to the comprehensive analysis, 63.46% of the
contracttransactionsarestillactive.
Statistics and Analysis
Ø Thedesignersofsmartcontractshouldalwaysconfirmthe
suitable range of digital signature when designing smart
contracts.
Ø Thesmartcontractsdeployedonpublicchainshouldaddin
the specific information of the public chain such as the
chainIDandthenameofthepublicchain.
Ø Theusersofsmartcontractsneedtopayattentiontonews
andreportsconcerningtheloopholedisclosures.
Countermeasures
p The security problems of smart contracts have been
widelyconcerned.
p Aslongasthesignaturewasnot limitedbythesmart
contracts,thereispossibilityofreplayattack.
p We believe that loopholes on the Ethereum smart
contractshavenottotallycometolight.
Conclusion