What is blockchain security? - Dylan Dubief

okay thank you so hello everyone and welcome to my blockchain security talk uh before we start just a quick introduction so I'm a French Wonder manager I'm doing uh hacking since uh why you know since I'm getting older every years like everyone most of my friends know me from my world project I'll just like doing a screen injection by voice recognition or implementing a Vertex coffee pod control protocol to make a remote if you still have to work to grab your coffee useless button I'm also doing some more science stuff mostly with Bishop Fox since two years this is a nice job with very cool people of course the best of them are here today so

let's talk with us if you want special thanks to dadan for the conference and to the world beside the team and if you want to reach out after the torque here is my Twitter and Linkedin uh before we already start talking about blockchain uh just few disclaimers we are just talking about what we are not talking about so we are not talking about tokens value because it doesn't matter we are not talking about investment because I have no idea or to invest so if you want to be rich don't listen to me uh all the what are supposed to be digital art or these nft things with a dirty monkey we are not talking about

that Nifty technology was not made for that at first and if we think about scam pamper and fishing it's only interesting when you are doing investigation so we're not talking about that what we will discuss is uh or the secure aspect of a blockchain and a blockchain application and the main purpose of this work is to bring the interest in the offensive consultant and every curious people uh to the blockchain side so maybe we will have more people to work with even if that means less on this so now let's transfer uh the main question because on the internet you can read a lot of things about blockchain but most of the people talking and writing a book

blockchain just can't answer this question so let's install this question very quickly before we start talking about Security even if a blockchain is all about security sub blockchain is just a distributed database with a specific functionality it solves trust issues the issues solved by the blockchain exist since a while more than 40 years it was presented in in the 18th uh mostly known as a business Engineers problem to make it short the general business in this program is about a sending transmitting information when you know some of your assets some of your node or some of your general are compromise and not and can't be addressed in the business option and generous problem the story is if you have an army

with General and you want to attack your target you need to use your general to to send the same order to your world Army so if you say to your general to attack your opponent and one of your general decide to call for retweet you will just lose the battle this is the first issues solved by blockchain and other consensus Bitcoin was one of the first implementation of the business infiltrations of the wizard engine Awards program called as a business inflictorians solution the first proposal of a solution a solution was mostly mathematical to reach our consensus that allow you to to keep your system working even with interested assets you you need 3n with one

um trusted assets with m al the compromise asset with Bitcoin uh this is um not episodeinforterent implementation as it was present at this time it was reworked it was improved so we reach our constances of the 41 percent that mean you need one n plus one trusted asset process node to reach the consensus and be safe when you are transmitting information um it wasn't solving all the issues uh Bitcoin involved other issues like the accurate power the electricity etc etc so other people try to develop new consensus and here comes the proof of Stack etc etc the problem is the issues is proof of Stack at proof of work don't serve any issues so people continue to work and other

consultant so today we are here this is not only resulting for torrent this is not only proof of work this is not only profile stack this is a bunch of consensus and algorithms that solve the trust issues in different situations for instance the proof of work a week right here a token to reward people providing their Ash right power but you can face a Byzantine problem without um having to provide a token or anything there is tokenless blockchain that don't involve token money or this thing you have professional activity proof of capacity and even a mix of a few of them so this is a more complex subject and this is not about what you can

see on internet on non-technical paper this is about algorithm uh data transmission trust and cryptography so for this torque uh we are not talking about order consensus because we clearly don't have time to talk about all of them we are we will cover all the aspects of the production but this expression uh we answer one question if in your system you don't need to solve a Byzantine problem you just don't need a blockchain at all so even in your daily life you speak with people you want a blockchain in their product for a new observation you just have to ask them do you need to solve the first issues pictures as a business problem if not they don't need

a blockchain at all and even less a cryptocurrency well no we have a solution a consensus to solve trust issues but that's not enough to provide [Music] real technology we need uh decentralized application so after a few years we started to see some new blockchain that become application host with the smart complex technology so before we start about vulnerabilities and other stuff we need to understand the what is a smart contract basically a production is just as I say a super cheap database stored in a multi node with the same state the blockchain is another name explained action of block with data if you can store data you can store source code or code or IC or any kind of code

so if you are [Music] a code store on a blockchain powered by a node why not just call node randomly to execute code and let the console switch decide of and solve all the trust issues and this is all we got this first blockchain with smart contracts with decentralized application when the user only had to call some nodes randomly because the console switch solves the trust issues and we're able to execute code and do some do some stuff but at this point at this point we still have an issues that looks pretty obvious at this point we have no ethernet interface so the first blockchain it was just some developer with blockchain Smart Control knowledge and helping with

the blockchain doing some stuff but it was pretty Limited so they find a kind of a solution and here is how we come to world world so web3 or when I prefer to call the web 2 plus one layer because this is absolutely not an improvement uh there is a schema of the reality you have the blockchain with your load your data your code and some dirty website in front to create your web 2.1 of course you have a legit website mostly made by developer who publish the smartphone right but you have also a lot of other not so legit website and here we come with a website problem first all the trust issues served by the

blockchain is just destroyed by the website because the user will just connect to our website as centralized every website controlled by just one person or a team of developer but with the websites who will interact with the blockchain execute the smart contact that you have no ID of what is inside your your website so all the work made around the conferences and solving the byzantines program are just useless when you are using a single website to interact with your blockchain and this is not the only issues this is the biggest one because the blockchain just become absolutely useless with a website but

will impact your users because if our website is compromised because of Any usual vulnerabilities users connecting to the website are likely to lost their private keys are likely to accept transaction they are no clue they have no information about so now you have the consensus vulnerabilities you have the smartphone request vulnerabilities uh all the issues solve ISO consultances are destroyed by the website but you also have the website issues affecting your environment and with all the people building R1 blockchain without worry knowing what is a blockchain you can find some web stuff like some private key unique privacy we will own by one person running a world project with a lot of money inside stored in clear text in

some S3 packets VPS or other dirty server so what was a strange at first uh like the smart portal allow everyone to build our own because the decentralized application made by the smart contract allow people to answer every people to interact with the smart contract so everyone can build around become a threat because even if anyone can build it's clear that anyone shouldn't build around and most of security consultant and potassium no wire so let's see uh real use case of what uh our website vulnerability can look like last year I was looking around doing some research because I was tired of all these defy things or all this thing I would finance and money so I was looking

for some new project more real use case so I was trying to find some interesting game using blockchain ym because in my port of view game blockchain cam makes it can make sense for a game if there is gamer here you will probably know why especially if you are into LPG or strategy game a decentralized application can be interesting when it's come about Community when you come about in-game markets when it come about competitive game or a lot of things and you guys you can use a blockchain to run [Music] um gaming ecosystem without involving a single cryptocurrency blockchain is not about money so you can use uh for instance any gaming company social Blizzard or

anything or even online for for the people who know this game can have a private blockchain with public node with um we used by your just player to continue to build around the game and make the with the Game grow with the community that's why I'll start looking for a game uh I was quickly disappointed because I didn't find any interesting game but in our security point of view I found some the first game I did this was a Flappy Bird like it was on a web app a mobile app with just the usual Factory Bird game all world was a Nifty with some characteristics to deal with score with exchange competition Etc not very interesting

so industrial point is the team start to make some context with real money involved in price Sports so if you know there is a game published with a daily contest with money involved what could could go wrong of course it will be attacked because every day you can earn money spoiler on the story The Smart contact was not the issues so what was this game as every competitive game mostly when it's it's involving a prize pool with money you will attract boots to cheat and go to competitive game and be ranked without doing anything if you want to know more about voting game you have the perfect work tomorrow for the game every day you had five

thousand dollar in price pool every day eighty percent of this happened was distributed among the top five players so it was an easy way to make a decent uh daily amount of money and as a Target outside of a smart contract we had a JavaScript web app a mobile app for Android and iOS the fact the reality of this game is after only two days of launch a dedicated team from sankapur already finished to build about to attack the game the team will build this game was only focused on the Smart Control acts of the um was only focused on the smart controller the crypto currency Etc so when they publish the first version of

the game the game didn't had any um antibod on teach IT solutions inside the source code so it was an easy Win Thursday they published the game I did some communication people start to play ways the second day it become popular the third day the full top five was owned by the Singapore team and ultimately get grabbed by support team so they try to click to quickly answer the problem and develop some antibod solution but developing antibod solution is a real world works you can improvise so the next coming days was mostly the team updating the project pushing some antibods called Direction production to stop the building and on the other side the Singapore team

updating their bot to bypass the patch so the team got angry is start to ban all the birds on know your metrics so we're just like I am sure this guy is cheating so let's burn the birds we had like twenty thousand dollars of damage with all the users of goodbye for no reason it was a complete for people who was crying in company and Community it was kind of find from my point of view at this point I was just curious I started to infiltrate both the bot team and the project team I was at the point I had an accountant Discord on the both team getting access to some of the code of the Bots

and the other side they got me a moderation permission from the team and the Discord to manage what the support for us so I was just in the middle of everything looking with uh I wasn't robbery that was just having fun for me so I spent few days getting information okay that's the code from the boat located at the solution proposed by the project team and I didn't find any solution so before leaving this story I am just ID to do something just for fun it was kick so both team from the top five find a way to be first and just uh beat the bot so as every pen tester I'm start I start

looking at every piece of the project developing a boat was not Micron because first I'm too lazy to build a boat for this kind of game secondly it was JavaScript I can do JavaScript but I don't like it so I'm not gonna develop a bots in JavaScript so I start to look at the Smart contract didn't find any comment vulnerability both on any technique or all the contact undering the tokens the money it was pretty safe they had um what we call a code wallet this is a smart contact only order token and who are doing only one action so it was kind of a security by Simplicity oriented but I didn't find any way to get anything from the

contracts in the same way I didn't find the private key say properly store it in a sexual way real financing so I start testing the Android Android app because I like Android IOS app at all because I don't even have an iPhone so after doing some tests I found the app has no root detection so you can root your app doing something like this uh they don't care no certificate pinning so you can intercept every request between the phone and the game uh but I don't find any interesting that I have stolen to the phone except your own wallet but anyway I don't want to put my wallet on my phone or do this kind of stuff

uh so I started to look for another way and that's why I didn't spoke about the web app yet so I did what I'm doing almost every week I launch burp start to intercept all the requests between my browser and the game and I quickly found that there is not that much request I found one interesting request when you launched the game with some call to check your wallet check your build ID and stores the data inside Java JavaScript and after that even with the interception on you can play the game without being interrupted and when you complete the game when you lose you have a final request this request it was very simple you have no

authentication at all the first request getting your build ID information from your wallet was provide on the router with the score no authentication no permission control nothing just calling what they call an API I'm not even sure we can call that an API this is just a post request sending your board ID and the score so if you want to be first what should I do just simply send a request every day one second before the end of the contest just getting the top payer score and adding adding one and sending the request and that's it you win so just with this request uh the both team was out of the top one I just so

um yeah so I did the test once uh wasn't very interested by doing this every day and storing the money I was just curious entering to to beat the bad team so it was pretty successful um so at this point the result was or the security was on the smart contract side the game was just a client-side JavaScript with no authentication at all it was very game um the both team did lost a lot of time because I still I'm still trying to figure out why they did so much development to have about when they you just have to send a request to win the game and that's it there is a lot of work to

do for having a Warrior game in my point of view this is not even a bit at game in beta test this is just a proof of concept or oh you can make a game with the blockchain using real money for this is is a is a shame wait yeah perfect um so the point of the story was just to show you uh that even if you don't know uh Auto Pro to develop smart contract you can still be involved in blockchain security because a lot of people are directly doing dirty thing around the blockchain so you can have fun you can find some interesting stuff if you have a junior open tester this is also a

good way because you are going to find some vulnerabilities we didn't buy since 20 years so this is heaven this is like uh doing some training in some challenge website uh you have the people doing smartphones are then that build uh some up of this Smartphone right um this is also a good way to stop to learn smart contract because when you are going to analyze all these projects are working just you will start to understand uh all the technology bi the smart contracts used by this project Etc so it's a good way to start if you want to learn or to do some pen test or backbend tea but at the point you will you will you are

going to want to to test the smart contracts you are going to do some augmentation and there is a platform for backbending for smart contracts and the Ubuntu are pretty juicy because with a critical Ubuntu you can earn like Alpha million for a single critical Bundy so can be presented interesting but before you you launch yourself on the smartphone these things you need to know few things smart portraits are public and at the moment you publish your code is it's at risk everyone can read the code if the code is not easily readable you still have the Hope code so there is always a way to understand what the Smart Control is doing everyone can interact with everything so

it's like being attacked at every second and even if you shouldn't test in production most of the bug Bunty Target magnet the mail net is equivalent of production so this is a everything you are going to do we will have an effect and with blockchain and smartphone products all the thing you are going to do can be undone when you launch your attack when you try something since you launch our attack it's too late to go back and here we go to what I call the devops 199 technology methodology a few years ago a very big project with uh 300 millions of dollars inside [Music] issues on GitHub a user just come open an initial and GitHub and anyone

can kill your contracts when you kill a conflict you don't destroy the data when your data is on the blockchain it's the instruction but if you kill the contract it will lock the contract everything will be terminated nobody will be able to interact with it everything will be locked so this guy devops 199 open issue heading to the this big project that anyone is able to kill the products while you're waiting foreign [Music]

to the issue I accidentally hit the contract the contract so the guy was just doing some tests he looked he opened the issue because he was worried and while testing he accidentally triggered the function to catch the contract and then the contact got locked and all the money got lost so just because I don't know I forgot to comment online

or on the exploits it just locked 300 Millions after all you know I I guess you can understand why uh the name on GitHub is Ghost and not devops for people without no Gus is the name you got on GitHub when you delete dragons

as well after that anyways this is a kind of overall Story We Tell to new tester to African because we don't want this thing to happen again and I don't want to be responsible of this kind of thing I don't want to be covered uh because of a mistake became the most hated hated man of the world so I start to draw a checklist of things I should do to avoid this kind of issues first protect yourself you need to use dedicated wallet or smart contracts because when you interact with a contrast you are going to to send some authorization to give some permission to interact with the contracts so there is malicious contract you have honeypots when you

sell a notarization to this contact you can have some little piece of code hidden that will install everything from you if you interact with the contract so don't do the testing because the projects are verified but if you are doing it while testing just look at it onto that contract and trying to do some tests use the dedicated wallet so you are you will not lost anything uh on your car you or you will always need to double check the addresses I will explain you why in a in a few you also need to add the authorization control and withdraw and transfer function to avoid to lock your phone because if you manage to exploit

availability to store the token for good purpose like a good white ads and you plan to send the money back it's not a good idea to store the money in a more vulnerable contract than the previous one so you you will have to be careful of the way you are doing your tests to be honest I did uh uh make I did made some mistake when testing fortunately it was only on training labs and test environment so I didn't affect anyone but I have some surprise and this is scary long ago I was training on the job defy this is a lab you can use to learn or to pair or to exploit green lab smart

contracts so I was working on it just to learn a new way to to export smart contracts because there is a lot of different vulnerability it takes a lot of time to understand or to to to just to make a lot of time to learn all these vulnerabilities so I was dealing with one of the challenge this is a simple contract this is open number one you have three function one to deposit token one to withdraw token and one to do flash loan a flash loan is a function that allows you to borrow tokens perform operation you can execute and do anything you want with the token as long as you send back the same amount of token at the end of

your operation so you have to borrow the token do all the operation you want and send the exact amount back in a one cycle but this contact was vulnerable to experience the variety quickly on the flashlight function you have a variable at the beginning that will store the balance of the contract before the loan then uh you can borrow the token and execute anything you want and at the end you have a require this is a condition check that will control if the balance of the contract after your question is equal or above the balance before the probability is here because there is some subtleity in the deposit function when you deposit token you still have

the ownership of the token so the contracts the loan function is checking the balance of the contracts and not the ownership of the token so to perform your attack you just have to call the flashlight function will trigger your execute function on this execute function you have one thing to do just deposit the token you just borrow so you ask the contract to give you some token and in your execute function you deposit the token and you stop your execute function when your Galaxy function hand you trigger the condition check so the contracts will check his own balance since you deposit the token the condition there are met and everything can be run as expected

but it's not because you close your execute function that you are stopping your action after closing your executive function and deposit the token your attack function can withdraw the token you just deposit because you still have the ownership since it's a deposit so the condition is met but you can withdraw the token it is this is a way to drain all the token from a flash clone smart contract so you just have to follow this um this workflow withdraw that you can send the token back to you and you have ordered okay so I develop a smart contract to perform the exploit I launch my exploit and I got a surprise I had some debug on my code because I

was learning so before launching my exploits I was checking the balance of my target I was checking my own balance then I launch export and I check again boss balance so I can see that after my export the smartphone right don't have any token anymore so my export is working so token are not here the problem is my balance didn't change at all so I stole the token but I have no idea where is the token at this point I was just like why is the token where's the money I mean my spot did work because with the contract with the vulnerable contract don't have any token anymore that's sorry oh uh I'm going to tell you it was a lot

so unfortunately nobody got any any loss so I double check my exports my smart contracts once twice and I didn't find the reason it wasn't in my export at all it was on my launcher I was doing this testing since hours it was the middle of the night I was tired it was like the five-star challenge I was doing and a lot of research even if the export looks pretty simple it took me some time to understand the the process and perform the exploits and on my um on my launcher when I just called my smart contract with the exploit I just provide the wrong parameter I just copy past information from other experts I'm sure a lot of people are

doing pencils do the same when you are doing expectations a lot of time you copy some piece of code from my previous point to use it and at the end I just call my contract to attack and it's been it's instead of providing my own wallet as a Target to resize the token I just provide uh token advice so this is a contract that clears the token that's owned by no one and controlled by no one so at this point the token was just on a contract owned by no one and just locked and lost so if it was uh in production at this kind of an ability open in production I would not just

lost all the money because I was tired so I at this point I just understand oh it can be easy to damage a project or you can lost a bunch of token or money just because of our very damp error and um so the moral of this story is you can't perform a bug Bunty or testing the magnet the same way as our as your testing common web app because if you are just um I know Terror launching tours starting to bridgeforce address etci at a point you will make a mistake and just block and destroy a complete project every time you are working on a bug Bunty for smartphone Target blockchains you need to remember that everything you

do you do is irreversible you can't undo your action so uh sometimes you don't have other choice to test in magnet to test in production mostly for bug Bounty most of the bug Bunty program provides just address of contract on the main net so you are just with your own responsibility and sometimes it's a good idea to just sleep a little bit take a break before launching your export no when I'm not sure of the result I'm just going outside taking your work and double checking my code with a freshman because it can be very scary to launch and exploit in a minute what no you have all the information to start working on the blockchain

security if you are more into algorithms and Mathematics you can learn about the consensus to try to correct a blockchain in his own design you can learn smart contract language to try to do backbundies get rich by doing the real stuff you can also focus on this dirty web two plus one application uh you have a lot of possibility so before we I close this torch what is coming next after this there is a lot of thing the bug Bounty programs we have an overview and what you should do what you shouldn't do to to get Bounty without breaking anything but there is other stupidity or the differences with a common documentary as I said before everything is public on a

blockchain so the other terms when they are doing tests you can see every tracks it's like doing a bug bounty on the platform having access to all the logs so I know the first Speaker talk about collaboration and he's right but in blackbox and blockchain back booty this is more player versus player oriented this is a the first we got all the information and we have a working expert that got all the money because you don't have um pseudonym you don't have an email you just add a Roundup address with exha decimal characters so you can do the laser tracks analyze the action of announcers who are going to find a bug and find the

bug before him um I have some other talk a focus on consensus analysis but this is more longer and more mathematic oriented and the next level is what we call imev or minab extractable value this is um [Music] when you are working directly with a node on your side you can detect a transaction before it will accept its uh it was accepted in the blockchain so basically you can develop some tools to detect an attack and what we call that front frame so we place the attack before the attacker so basically this is a very interesting because you can monitor a blockchain so an attack coming replace the attack just one block before the attacker and get

the money before the attacker to save them on your cross let's just see what Builders will bring us because this is still an early stage for blockchain as we saw with the web two plus one this is a lot of around version so let's see what uh what is coming and what we are going to test in the shutters [Music] uh so no since this is the last third cup of the day if you have questions feel free to ask if not we can just have a beers and we can also discuss any question with appears thank you [Applause] any question comments remarks what kind of beer do you like oh it's again thank you very much for your talk uh

actually I was really interested in like the smart contracts because I think it's a feel that auditing of smart contracts I think it's a field a lot of people are not paying attention but it's actually like really interesting and it has some vulnerabilities That You Don't See many of them like the old C programs do you have like any let's say suggested path for people to actually start and get into the smart contracts and auditing smart contracts uh yes in fact uh smart contract language are not that hard um it's pretty similar to thank you to what you can see everywhere it's a mix of JavaScript you have some language more close to CEO of C plus plus so you

have Choice um you can this is not one language one blockchain most of the blockchain the buzz based on ethereum can use multiple language so you can interact with a contract with a language you you prefer so just look around find projects where you are interested in find the language you are more comfortable with and just do it and you have some pretty good Core Labs like the winner BFI to be honest I wasn't I was variable to build a smart contract before I try to hack them so I just learned a smartphone programming by attacking the not in prediction of course yeah thank you very much thank you Rio thank you Dylan any other

question going once going twice okay now we're gonna start with a raffle let's go with a round of applause thank you