Get a Jumpstart
While you wait you should set things up:
- View these slides at: trfl.co/devcon5
- Install Node.js v10
- Download Ganache UI Alpha or run
npm install -g ganache-cli - Clone the workshop repo:
git clone https://github.com/trufflesuite/devcon5-honeypot-exploration - Init the workshop repo:
npm install
Pentesting
Ethereum
Contracts
Who is Truffle?
Truffle is a company whose goal is to build tools to get developers from idea to dapp as comfortably as possible.
TRUFFLE
dev environment, testing framework, and asset pipeline for blockchains
drizzle
front-end library for dapps
Ganache
one-click blockchain
What is Ganache?
A personal blockchain for Ethereum development
- Ganache UI: graphical user interface
- ganache-cli: command line tool
- ganache-core: Node.js integration tool
Ganache UI
One-Click Blockchain
Ganache UI
Truffle Project Integration
Ganache Forking
Easy Mainnet testing without the cost
Ganache Forking
Now in Ganache UI (alpha)
Security
Ethereum development is High-Risk
- Bytecode is public
- Contracts are public
- Hackers are private and anonymous
- If you mess up, you, or your users, lose big with zero recourse
Key Concepts
A few things we need to know before we get to work
Gas
To transact on Ethereum you must pay a fee; this fee is paid in “gas”.
Gas is paid for in Ether.
Operations on Ethereum, i.e., storing/retrieving data, transferring funds, math(s) operations, looping, etc., require some amount of gas.
Generally, if a transaction attempts to use more gas than it is given the transaction fails and no state changes are persisted.
Fallback Functions
can execute operations as long as there is enough gas forwarded to it
A fallback function must be external and is unnamed. It is called when:
- a contract’s address is sent Ether, or
- a non-existent contract function is called.
function() external payable {
// Hello, I’m a payable fallback function.
// I’m invoked when Ether is sent to my contract’s address
// or when a method on my contract is called that doesn’t exist.
}Reentrancy Vulnerability
When a contract permits unintended re-invocation of any its methods after calling an external contract during a single transaction.
Smart Contract Reentrancy allows for multiple invocations of a contract’s methods during a single transaction, usually caused by forwarding excess gas to a malicious contract’s fallback function without proper reentrancy protection.
Disclaimer
Just because you can, doesn’t mean you should.
The intent of this workshop is to teach you how to protect your contracts against bad actors.
There is a difference between permissioned pentesting and white-hat (or black-hat) “hacking”.
Don’t steal. Stay legal. Be nice to people.
DAO Hack
The most infamous Ethereum reentrancy attack
// simplified version of the DAO vulerability
function payOut(address _recipient, uint _amount) returns (bool) {
// send `_amount` to `_recipient`, forwarding all remaining gas
if (_recipient.call.value(_amount)()) { 👈 reentrancy vulerability
// then, if successful, mark `_recipient` as paid
PayOut(_recipient, _amount);
return true;
} else {
return false;
}
}Reentrancy Protection
// 1) Checks-Effects-Interactions pattern
function withdraw() external {
require(balances[msg.sender] > 0); 👈 check
uint256 amount = balances[msg.sender];
// set balance to 0 before calling external contract
balances[msg.sender] = 0; 👈 effect
require(msg.sender.call.value(amount)()); 👈 interaction
}
// 2) use a mutex or OpenZeppelin’s ReentrancyGuard
function withdraw() external {
require(!lock, "Reentrancy not allowed");
lock = true; 👈 lock
/* do the things */ 👈 do things
lock = false; 👈 unlock
}An Anti Pattern
Using address.send or address.transfer to protect against reentrancy is an anti-pattern
address.call forwards all remaining gas by default, while address.transfer and address.send only forward 2300* gas.
2300 gas is not enough gas to allow for reentrancy, so it appears that we are safe!
However, this may not be true in future hardforks! You should not rely on gas costs to protect against reentrancy!
* ish, it’s complicated
Constantinople
Reduced storage costs allowed for reentrancy where it wasn’t possible before
An EIP included in Constantinople would have lowered the minimum cost of storage from 5000 gas to 200 gas.
This could have introduced vulerabilities into contracts that rely on the default gas stipend of transfer/send for protection.
The EIP was removed in Petersburg and was never live on Mainnet*.
* ish, it’s also complicated
Istanbul
Istanbul’s increased gas costs may break some contracts
address.transfer or address.send.// previously worked; breaks under Istanbul!
function() public payable {
require(total() + msg.value <= limit);
}
Do not rely on gas costs to protect against reentrancy!
The Honeypot
Hack the Hacker
What if we could design a contract that would not only stop the bad guy, but make the bad guy themselves the victim!
That is what an Ethereum honeypot contract is*: a contract that is cleverly disguised to look vulnerabile, but isn’t.
* in infosec this is a “mousetrap”, but in Ethereum we’ve been calling it a honeypot… so a honeypot it is.
Types of Honeypots
There are many ways to craft a honeypot; here are some tricky ones:
| Zone | Technique |
|---|---|
| Ethereum Virtual Machine | Balance Disorder |
| Solidity Compiler | Inheritance Disorder |
| Skip Empty String Literal | |
| Type Deduction Overflow | |
| Uninitialised Struct | |
| Etherscan Blockchain Explorer | Hidden State Update |
| Hidden Transfer | |
| Straw Man Contract |
You really should read some of this. (hint hint)
