Good morning, everyone. Thank you for attending our talk. This research is about replay attacks on Ethereum smart contracts.

Now let me give a brief self-introduction. I must emphasize here that Deng Shen Bai is the primary researcher; he did more than half of the work, but for some issues of research he can't attend this talk today, so the job is ours to introduce the research to you. My name is Yiwei Zhang. I am a security researcher of Yun Kong team, and this is my colleague Kun Zhe Cai. Yun Kong team is a research group within 360 Technology. The team was formed in 2014. We focus on the security issues in numerous types of wireless systems, but we also encourage members to do other research that they are interested in. This is why we also have this topic.

Today's talk will present four parts. At the beginning, we will introduce the background of blockchain, smart contracts and Ethereum. Then we will discuss security issues and potential risks in smart contracts. Thirdly, we will talk about the key point, the replay attack, and we are going to show why it exists and how it works. And the last one is the demonstration of replay attacks and the statistical analysis of similar vulnerabilities. Now let Kun Zhe Cai show you the first part.

Hello, everyone. As you know, my name is Kun Zhe Cai. I come from China. So the first topic is the background, and it is mainly about the introduction of the related fields of replay attacks, like blockchain, smart contracts and Ethereum.

We've heard some news about blockchain, but what is blockchain? Blockchain, so to speak, is a large-scale, globally decentralized computer network, and the users can interact with it by sending transactions. Each processing is messaged with cryptographic central, and the order of transactions is determined by a mechanism called global consensus.

The advantages of blockchain are listed here. It has a unified database with rapid consensus, which allows a settlement to be completed within three to sixty
seconds rather than three days or more. It offers large-scale fault tolerance, in which the system can withstand 33 to 40% node failure, or still operate normally under the control of hackers. Blockchain does not rely on trust and is not controlled by any single administrator or organization, except for private chains and consortium chains. It is able to be audited: external observers can verify the history of transactions. It can operate autonomously without any human involvement.

So next, what actually can blockchain achieve? First, it can achieve cryptocurrencies, which are digital assets on the blockchain. Right now, sorry, public chains offer their own tokens to remind the rate of updating transactions and the insertives the limitations of blockchain. Next, it has some non-monetary features, including the reclaw the rate reclaw the as a DNS based on blockchain and timestamp makings to track high-value data. Then blockchain systems have some other functionality, including concepts that can achieve custom the Dignos and the digital assets and assets exchange, digital assets are all for option and face call deal with this and generally computer.

I'm sorry for my poor English, so I try to relax. Sorry.

For now we have not many applications of blockchain in the field of management. How about those things, no no fancy field? About twenty-thirty, the public release that the blockchain can be used in hundreds of applications besides that, such as asset domain name recognition and ownership recognition, market for setting and Internet of Things working and so on.

And how to realize those applications? We need the smart contract. What is a smart contract? It is a computer program running in a secure environment that automatically transfers digital assets according to previous rules. For example, I will give you a tip: suppose you bet with your
girlfriend that she will give you 100 bucks if you can figure out what's inside her shopping bag. Maybe that is a dress or a T-shirt, and you made it, but your girlfriend will not pay you anything. You have to accept it, because you have no other way to get your reward. However, if there is a smart contract, once you made your guess correct, the code will automatically be enforced and there's a reward. In a real situation, it might be a digital token that will come into your pocket. So smart contracts are a piece of code living in the blockchain and enforcing certain functionalities.

How do you construct the secure environment for smart contracts? Certainly there are many public chains for smart contracts, and let's see the most popular one, Ethereum. What is Ethereum? It's a blockchain with a built-in programming language, and it offers maximum abstraction and versatility, so it is very ideal to process smart contracts. Ethereum has a secure update operation system called the Ethereum Virtual Machine, also known as the EVM. It is not encapsulated by a sandbox, but in fact it is completely isolated; that is, code that runs inside the EVM does not have access to the network, file system or other processes. Even smart contracts have limited contact with other smart contracts within the EVM.

Smart contracts can be used in many things. One of them is the financial since a fantasy, including hedging contracts and savings wallets, and the other, non-financial, includes online voting, decentralized managing and the DS3 connotations.

However, with the increasing speed of application of Ethereum and smart contracts, many security issues come along. According to analytics, 100 thousand new users join the Ethereum ecosystem daily on average. They
are quite active and make daily transactions over one million times on Ethereum. This increase attracts many eyes from hackers, and security issues come up more frequently in many parts of our ecosystem, such as exchanges, wallets, smart contracts, etc. Several security issues come up, including exchange attacks, wallet hijacking and the overflow attack in smart contracts.

As to smart contracts, which are the most vulnerable in Ethereum, there are also many security issues. Just in 2018, in April, contracts such as BS were detected with vulnerabilities; in May, security attacks hit several contracts like EDU and others; in June, there were other security issues reported in smart contracts like SNS. All these open air loopholes made a huge impact on multiple exchanges, affecting several functions including token as nature, token deposit and token withdrawal.

According to the most recent research papers from a share guy and University College London, after analyzing close to one million smart contracts, 34,000 of them are vulnerable to hacking. They also sampled another 3,759 of these smart contracts and found that 89 percent of them contain loopholes.

So how to lower the probability of loss? First, we require a complete and objective audit for our contracts. Second, when any loophole is found, we need to make an emergency response so that we could know at the first time when these contracts begin to be attacked. Third, there need to be some rewards for those who detect and report any bugs, as a positive incentive as the whole system operates. So the next part is my colleague
my is a has some guidance you. And by the way, I'm very sorry for my English. So, give you the next good one.

I am back now. Next, we are going to focus on the issue of replay attacks in smart contracts. Now let me explain the concept of a replay attack. As distinguished from the replay attack in the traditional network world, it's not to capture and resend a packet. That is, if a transaction is legitimate on one blockchain, it's also legitimate on another blockchain. So when you transfer BTC1, your BTC2 or BTC3 may be transferred at the same time. That is the replay attack in blockchain. As to the replay attack, we found that many smart contracts adopted the same way to verify the validity of the signature, and it's possible for a replay attack.

Our motivation is that we propose replay attacks on smart contracts, and we hope to attract users' attention. We try to detect the vulnerability in smart contracts and make them more secure. Finally, we want to enhance the risk awareness of contract creators and ensure the interests of investors.

To achieve our goal, we have done several things. We found that the replay attack problem exists in 52 smart contracts, and we analyzed a smart contract example to verify the replay attack. We analyzed the source and the process of the replay attack to expound the feasibility of the replay attack in principle. We also verified the replay attack based on the signature vulnerability. And finally, we proposed a defense strategy to prevent this problem.

Then I'm going to show you something. The first item is vulnerability scanning. Our aim is to get the name and the number of vulnerabilities to replay attack in smart contracts, and then we set three scanning standards to discover the smart contracts which have the vulnerability. First, judging whether the contract accords with the ERC20 standard; this requires the total supply to be greater than zero. Second, get the name of the contract to determine whether the name is valid. Thirdly, filter the smart contracts
vulnerable to replay attack. Ethereum provides the ecrecover function to verify signatures; if a contract used the ecrecover function, it was marked as suspicious. This scanning program can be found at the following site; it's in our GitHub storage. After we audited and verified the scan output, we found 52 risk targets. And this is the code to scan the ERC20 token contracts; you can get it from our GitHub storage.

Why does the replay attack occur? The signatures of users are utilized in smart contracts. If the contents of the signature are not correctly limited by the smart contract, there is the possibility of a replay attack, such as in the interface transferProxy. Here is an example: the contents of the MTC contract signature and the contents of the UGT contract signature are exactly the same. This is an example in the contract. The issue lies in this line: the keccak256 function calculates the hash, and the hash is the input of the signature. So we can see the parameters of this function are just from, to, value, fee and nonce; there is nothing related to the contract itself exactly.

Now let me explain the attack process. As part of the transaction in contract one, user A wanted to transfer 100 tokens to user B through proxy C, and an extra three tokens should be paid to proxy C as a service fee. In this process, the input of the signature of user A should be A, B, 100, 3 and the latest nonce, 1. Then the transfer was carried out by proxy C. After this transaction is completed, user B gets 100 tokens from user A. We suppose user A doesn't carry out any transfer in contract two through a proxy, so the latest nonce is also 1.

Now the replay attack starts. After receiving 100 tokens from user A, user B replays the signature of user A from contract one in contract two. Now he can get another 100 tokens in contract two without the permission of user A. That is to say, this smart
contract, contract two, was attacked by user B, and the 100 tokens of user A were stolen.

Next, to verify the existence of this vulnerability, we conducted an experiment. The experiment conditions are listed as follows. We choose two ERC20 smart contracts, the UGT contract and the MTC contract. Then we create two accounts, Alice and Bob. Next, we deposit some tokens in the two accounts in the corresponding contracts.

The procedure of this verification is as follows. In step one, the normal transaction records on Ethereum are scanned to find accounts which have both UGT tokens and MTC tokens, but here we use two accounts, Alice and Bob. In step two, Bob induces Alice to send him two UGT tokens, and the transaction input data is shown below. Lines 0 to 6 correspond to the arguments of the function transferProxy. In step 3, Bob takes out the input data of this transaction on the blockchain. The parameters from, to, value, fee, r, v and s are extracted from this method. The following is the implementation of the transfer function. In step 4, Bob uses the input data from step 2 to execute another transfer in the smart contract of MTC. The result of this transaction is shown below. In step 5, Bob got not only two UGT tokens but also two MTC tokens from Alice. In this procedure, the transfer of two MTC tokens was not authorized by Alice.

Now we come to the final part, demonstration and analytics. To begin with the demonstration, we select two contracts, the UGT contract and the MTC contract. Then we set two of our own accounts, Alice and Bob. Alice is the sender and Bob is the receiver. Both accounts own some tokens for transferring. Next, this is the PoC code. In the code, the parameters from, to, value, fee, v, r and s are all acquired from UGT. This is the call; the parameters are read from the chain. The parameters r, s and v are the signature. In another token, the replay, from, to and fee are exactly the same as in the last call. And the simple proxy
transfer scenario is that first, the user uses a delegated third party, UGT, to help him transfer tokens. UGT gets the address of the contract and creates the instance of the tokens to be transferred. After that, they get the signature from user A and invoke the transfer function provided by the contract to send the tokens to the token receiver, user B. Then proxy C will wait for the information that the miner has done the packaging process, and finally the transaction process is finished.

Now let me show you the demo. For comparison, I query the balance of Bob on both the UGT contract and the MTC contract. He has six tokens on both contracts. Now I transfer three tokens from Alice to Bob on the UGT contract through a proxy. We wait a few seconds for the miner to pack. OK, it's finished. Now I query the signature, and I query the balance of Bob on both the UGT contract and the MTC contract again. The balance on UGT is 9, but on MTC it's still 6. I copy the parameters from UGT to MTC and start the replay attack. You can see I just needed to input the password of the proxy; I don't need to input the password of Alice. It means that we don't need the permission of Alice. It's finished. Now I query the balance of Bob on MTC. We can see the balance is 9 now. So Bob stole three tokens of Alice on the MTC contract.

To show you the impact of this vulnerability, we also made some related statistics and analysis. By April 27th, this replay attack vulnerability risk exists in 52 Ethereum smart contracts. Firstly, according to the vulnerability to the replay attack, we divided these contracts into three groups. In group one there are 10 contracts; no specific information is contained in the signature of the smart contract, so the signature can be fully reused. In group two there are 37 contracts; in these contracts a specific string is added into the input of the signature, but the signature still can be reused. In group 3, the address of the contract or the address of
the sender is contained in the signature of the smart contract; there are strong restrictions, but they still have the possibility of replay attack.

Secondly, we classified these contracts by feasible replay attack approach. Five contracts can be replayed in the specific contract itself, and another 45 contracts can be replayed between different contracts. Besides, we divided these 45 contracts into three groups by the specific prefix data used in the signature. Cross-contract replays may happen among any contracts as long as they are in the same group. Group one and group two both add specific identical data to the input of the signature. We mark the specific prefix data used in group one as data one, and we mark the specific prefix data used in group two as data two. So, for example, you can see the data two in these contracts is the same string, "Ethereum Signed Message", in group two. In group three, they don't add any prefix data to the input of the signature, just from, to, value, fee and the nonce. And then there are two chains that can be replayed between the test chain and the main chain.

Thirdly, according to the trading frequency of the above-mentioned contracts, by April 13th, 24 contracts were found which had transaction records within one week, and nine contracts were found which had transaction records from one week to one month. The proportion of nearly 20% of the total number of the contracts is active. 16 contracts were found which had transaction records beyond one month, and three contracts only have the records for deployment. So according to the comprehensive analysis, 16 percent of the contract transactions are still active.

The reason for replay attacks in smart contracts is that they misuse the signature when constructing the contract. So our countermeasures are listed here. First, the designers of smart contracts should always confirm the suitable range of the digital signature when designing smart contracts. Second, the smart contracts deployed
on a public chain should add in the specific information of the public chain, such as the chain ID and the name of the public chain, and other identity information. Finally, the users of smart contracts need to pay attention to news and reports concerning vulnerability disclosure.

And the conclusion is that the security problems of smart contracts have been widely concerned. As long as the signature is misused in smart contracts, there is the possibility of replay attack. We believe that the vulnerabilities of smart contracts on Ethereum have not totally come to light.

Thank you for listening to our topic. If anyone has some questions about this attack, you can send mail to us. Thank you.