Pentesting Ethereum Contracts: Exploring a honeypot contract using Ganache
Speaker: David Murdoch, Nick Paterno
Event: Devcon 5
Date: Oct 2019
In this workshop we will demonstrate some of Ganache's advanced features to instantly fork Ethereum Mainnet, granting developers a safe, secure, and risk-free environment. We'll explore what a re-entrancy attack is, review historical re-entrancy attacks (like the DAO hack), as well as the narrowly avoided re-entrancy attack vector that would have been introduced by the original Constantinople hardfork proposal. Attendees will attempt to perform a re-entrancy attack against an actual Mainnet-deployed contract that has been cleverly crafted to trick aspiring exploiters into becoming victims. We will utilize Ganache's forking feature to safely discover how it works, and how to write better — and more secure — contracts.At the end of the workshop we'll play a game of Capture the Flag, where you'll have a chance to exploit a real contract, earning actual Mainnet Ether if you are the the first to execute the exploit! But you'll have to be careful as things aren't always as they seem! Ganache is a fast, lightweight development blockchain, and is part of the Truffle tool suite. Ganache forking is a feature that enables developers to read from Mainnet, while transacting against a local development chain, enabling fast, sync-free development and penetration testing.