Why/What Blockchain Exploitation?
In this blog series we will analyze blockchain vulnerabilities and exploit them ourselves in various lab and development environments. If you would like to stay up to date on new posts follow and subscribe to the following:Twitter: @ficti0n
URL: http://cclabs.io
http://consolecowboys.com
As of late I have been un-naturally obsessed with blockchains and crypto currency. With that obsession comes the normal curiosity of "How do I hack this and steal all the monies?"
However, as usual I could not find any actual walk thorough or solid examples of actually exploiting real code live. Just theory and half way explained examples.
Note: As usual this is live ongoing research and info will be released as it is coded and exploited.
Background Info:
- In client server we generally have the following:
- Front End - what the user sees (HTML Etc)
- Server Side - code that handles business logic
- Back End - Your database for example MySQL
A Decentralized Application Model:
- Smart contracts are your access into the blockchain.
- Your smart contract is kind of like an API
- Essentially DAPPs are Ethereum enabled applications using smart contracts as an API to the blockchain data ledger
- DAPPs can be banking applications, wallets, video games etc.
A blockchain is a trust-less peer to peer decentralized database or ledger
Consensus:
Proof of stake is simply staking large sums of coins which are at risk of loss if one were to perform a malicious action while helping to perform consensus of data.
Things to Note:
- So, the thing to note is that our smart contracts are located on the blockchain
- And the blockchain is immutable
- This means an Agile development model is not going to work once a contract is deployed.
- This means that updates to contracts is next to impossible
- All you can really do is create a kill-switch or fail safe functions to disable and execute some actions if something goes wrong before going permanently dormant.
- If you don't include a kill switch the contract is open and available and you can't remove it
- Smart Contracts are generally open source
- Which means people like ourselves are manually bug hunting smart contracts and running static analysis tools against smart contract code looking for bugs.
- Kill the current contract which stays on the blockchain
- Then deploy a whole new version.
- If there is no killSwitch the contract will be available forever.
- Many contracts and projects do not even think about and SDLC.
- They rarely add penetration testing and vulnerability testing in the development stages if at all
- At best there is a bug bounty before the release of their main-nets
- Which usually get hacked to hell and delayed because of it.
- Things are getting better but they are still behind the curve, as the technology is new and blockchain mostly developers and marketers. Not hackers or security testers.
- If sensitive data is placed on the blockchain it is there forever
- Which means that if a cryptographic algorithm is broken anything which is encrypted with that algorithm is now accessible
- We all know that algorithms are eventually broken!
- So its always advisable to keep sensitive data hashed for integrity on the blockchain but not actually stored on the blockchain directly
Exploitation of Re-Entrancy Vulnerabilities:
Example Scenario:
Example Target Code:
Example Attacking Code:
Setting up a Lab Environment and coding your Attack:
Coding your Exploit and Interfacing with a Contract Programmatically:
Conclusion:
Related news
- Computer Hacker
- Pentest Tools For Ubuntu
- Hacking Apps
- Hacking Tools Download
- Hack Tools Mac
- Hacks And Tools
- Hacking Apps
- Hacking Tools Windows
- Hacker Tools Windows
- Pentest Tools Download
- Hack Apps
- Top Pentest Tools
- Hacking Tools 2019
- Github Hacking Tools
- Tools Used For Hacking
- Hacker Tools Free Download
- Hacking Tools For Pc
- Hackers Toolbox
- Pentest Tools Website Vulnerability
- Hack Website Online Tool
- Pentest Tools Framework
- Hacking Tools Kit
- Hacker Tools
- Hacking Tools And Software
- Hack And Tools
- Hacker Techniques Tools And Incident Handling
- Hacking Tools Windows
- Hack Tool Apk
- Pentest Tools Tcp Port Scanner
- Hackrf Tools
- Hak5 Tools
- Pentest Tools Github
- How To Hack
- Hacking Tools Windows
- Hacking Tools 2020
- Hack Tools Download
- Hack Tool Apk No Root
- Hacker Tools Windows
- Hacking Tools Kit
- Nsa Hack Tools
- How To Install Pentest Tools In Ubuntu
- Hacking Tools Software
- World No 1 Hacker Software
- Pentest Tools Tcp Port Scanner
- Pentest Tools List
- Pentest Tools Url Fuzzer
- Pentest Tools
- Hacking Tools Download
- Hack Tools For Pc
- Pentest Tools Find Subdomains
- Hak5 Tools
- Hack Tools 2019
- Tools Used For Hacking
- Hak5 Tools
- Hacking Tools For Kali Linux
- Hacker Tools Mac
- Tools For Hacker
- Hacker Tools Hardware
- Tools Used For Hacking
- Pentest Tools
- Hacker Tools Mac
- Hacking Tools Download
- Game Hacking
- Hacker Tools Windows
- Game Hacking
- Pentest Tools Online
- Bluetooth Hacking Tools Kali
- Hacker Security Tools
- Hack Tools For Windows
- Hacking Tools For Windows Free Download
- Pentest Tools For Windows
- Hacking Tools Download
- Hack Tools Download
- Pentest Tools Tcp Port Scanner
- Pentest Reporting Tools
- Android Hack Tools Github
- Hacking App
- Hack Tools Online
- Usb Pentest Tools
- What Are Hacking Tools
- Pentest Tools Kali Linux
- Pentest Tools Review
- Hack Tools For Windows
- Pentest Tools For Ubuntu
- Hacking Tools
- Hacking App
- Pentest Tools Find Subdomains
- Pentest Tools For Android
- Game Hacking
- Hack Tools 2019
- What Are Hacking Tools
- Hacking Tools For Kali Linux
- Hacker Tools For Mac
- Hacking Tools Name
- Pentest Tools Port Scanner
- Hacking Tools And Software
- How To Hack
- Hack App
- Pentest Tools Website Vulnerability
- Hacking Tools Mac
- Pentest Tools Framework
- Bluetooth Hacking Tools Kali
- Hack Tool Apk No Root
- Termux Hacking Tools 2019
- Hacker Tools Windows
- Pentest Tools Alternative
- Hack Apps
- Hacker Tools 2020
- Nsa Hacker Tools
- New Hacker Tools
- Hackers Toolbox
- Github Hacking Tools
- Hack Website Online Tool
- Hacking Tools And Software
- Hacking Tools Name
- New Hack Tools
- Beginner Hacker Tools
- Hack Tools For Games
- Hacker Tools Free Download
- Hacking Tools Online
- Kik Hack Tools
- Pentest Box Tools Download
- Blackhat Hacker Tools
- Hacking Tools For Beginners
- Hacks And Tools
- Pentest Tools For Windows
- Hacking Tools For Windows
- Hack App
- Hacker Tools For Ios
- Pentest Tools Tcp Port Scanner
- Pentest Tools For Android
- Hacker Tools Online
- Hacking Tools For Mac
- Hack Tool Apk
- Hack Tools For Windows
- Hacker Tools For Ios