devcon 5 / protecting the baselayer from shanghai to osaka
- YouTube
- IPFS
- Details
Protecting The Baselayer - from Shanghai to Osaka
Duration: 00:21:22
Speaker: Martin Holst Swende
Type: Talk
Expertise: Intermediate
Event: Devcon
Date: Invalid Date
Most people know that Ethereum runs smart contracts and move ether around. However, "Ethereum Security" involves a lot more than only smart contracts, mining difficulty and managing private keys. This is a talk about the base layer security. There is a peer-to-peer stack, with it's own separate discovery protocol and p2p protocol, which can be used for eclipse-, DoS- and amplification attacks. There's a consensus engine which encompasses a lot more than only the EVM. In this talk, Martin Holst Swende will talk about vulnerabilities, attacks and hotpatching the mainnet -- lesser known incidents, hiccups and close-calls that have occurred on the road from Shanghai (Devcon2) to Osaka (Devcon5).
- Related
Devcon
Talk
55:44
Live Smart Contract Hacking
In this break-out session, a panel of well-renowned hackers and builders will perform security assessments of contracts that the audience submits - and anyone in the room is highly encouraged to help out and take part in the audit. There will not be time to perform full-scale reviews, but the panel will discuss the contracts both from a high-level perspective and also dive into the nitty gritty details, to see if we can find faults in the implementation. This is a panel session, where we want to interact with the community and bash as many bugs as possible, and hopefully demonstrate how tricky it can be to program for the EVM. Mistakes are what makes us learn: There shall be no shaming of anyone who submits a contract for review.
Devcon
Talk
20:44
Designing Smart Contracts With Free Will
A range of bribery attacks, collusion possibilities, and other economic vulnerabilities plague our smart contract design. Unlike with simple anti-patterns like recursion, these security vulnerabilities have no obvious fix. Join us for a deep dive into the state of the art bribery attacks that are technically feasible on cryptocurrency today, and their countermeasures. We will introduce and explain new signature schemes that resist the ability for users to be bribed on Ethereum-based smart contracts. We will teach developers of smart contracts how to build contracts that are maximally resistant to bribery, and provide practical tips for the protection of your users.Lastly, we will show and launch a toolkit that provides signatures with protection from an advanced form of bribery known as the Dark DAO, in which users are bribed undetectably. Our toolkit provides a simple API for any Ethereum contract to ensure the free will of their users through an easy to use library.Building bribery resistant smart contracts is of critical importance for voting schemes, oracles, prediction markets, proof of stake and other consensus protocols, randomness generation, and more. Join us in ensuring the protection
Devcon
Breakout
23:05
Batched Bonding Curves: Grieving DEX Frontrunners
It's been widely publicized that front-running is rampant across decentralized exchanges. Billy Rennekamp describes the technique developed to stop the parasitic behavior by using batched orders in tandem with bonding curves and how it's being used in a new fundraising app by Aragon Black.
Devcon
Breakout
27:10
(Defense Against) The Dark Arts - Contract Runtime Mutability
Smart contracts are no longer guaranteed to have immutable runtime code, and can be redeployed with new code using a variety of methods involving the CREATE2 and SELFDESTRUCT opcodes. In this presentation, we will investigate how this is done and how to protect against malicious mutable contracts. We will also explore ways these new techniques can be applied in order to enable new use-cases and to improve the user experience.
Devcon
Breakout
18:25
Fuzzing the Solidity Compiler
Since the Solidity programming language does not have a formal specification, testing the compiler implementation is an important way to obtain assurance about the correctness of code generated by the compiler. Fuzz testing is well-suited for this setting. However, applying fuzzing in the traditional manner (random input generation that is coverage-guided) is inefficient for testing compilers because a significant fraction of randomly generated code is syntactically invalid. If the fuzzer does not generate syntactically correct Solidity programs, the compiler will simply reject it. As a consequence, code optimization and generation subsystems of the compiler will not be tested. The approach adopted by us is to define a grammar for the Solidity programming language and automatically generate inputs based on this grammar. Grammar based fuzzing ensures that generated programs are successfully parsed by the front-end parser. We make use of libProtobuf and libProtobufMutator for defining the grammar and performing grammar-based mutations, and libFuzzer as the underlying fuzzing engine.
Devcon
Breakout
05:40
Keymanagement: Multisig based Custody as Enabler for Mass Adoption
Key management is a fundamental challenge in the widespread use of blockchain technology. Especially when it comes to managing large tokenized values, a suitable custody service is essential. While many existing custody services are primarily based on technologies such as Shamir's Secret Sharing, it makes sense to use a Smart Contract based Multisig to manage the rules such as access, what signatures are required, time delay, recovery of lost accesses, etc.
Devcon
Breakout
05:17
Securely storing wallet private keys for application use
Private key management is a complex problem in cryptography. In the last few years, we have seen attacks against cryptocurrency companies that seek to retrieve the private keys of user wallets. Within cryptocurrency, private key management has an additional complexity: the value of stored user funds related to that private key. Truly, key management is a challenge that has plagued secure computing for years.While storing keys is essential, it is equally important to securely use those keys in an application. Without secure use of private keys, applications are vulnerable to attacks to exfiltrate those private keys.In this talk, we will discuss the approach the AirSwap team uses to securely store and use private keys for high value wallets. We will show real world permissions, policies, and code used by our team. We will discuss common attacks against private key management systems and the ways that our implementation thwarts those attacks.This talk is beneficial to any team or company that interacts with the Ethereum blockchain via signed transactions and off-chain custom code. It is essential for any team that wishes to use a private key in their application code securely.
Devcon
Breakout
1:18:23
The inner workings of a smart contract decompiler
The workshop will teach some of the most useful algorithms and tricks needed to analyse and decompile an EVM smart contract: symbolic execution, memory modelling, loop handling and so on.Techniques shown during the workshop are useful in anything related to contract analysis - from writing your own decompiler, through using existing tools like Eveem, Mythril or Manticore, to working with formal verification K Lab style. Based on the experience from building Eveem.org decompiler and analysing all the bytecodes on the Ethereum blockchain.
Devcon
Talk
22:13
ERC 20 Test Suite: Towards Decentralized Security
Nowadays, a lot of Dapps and exchanges interact with ERC20 tokens and they expect certain behavior from those contracts. It is crucial to make sure that the token fully complies with ERC20 standard to avoid loss of funds and reputation. The problem is that one cannot easily verify this compliance. This can be done only by ordering an audit or writing and running a bunch of tests. However, these options are expensive and not scalable. In my speech, I will tell about a decentralized tool that we created to help developers solve such problems. ERC20 Test Suite is a service that runs a series of tests for ERC20 standard compliance in the form of on-chain transactions. The final test results are recorded in a smart contract. Test Suite cannot fake the test results as each test is a transaction recorded in the blockchain. SmartDec ERC20 Test Suite is open source: https://github.com/smartdec/testsuite Also, we have deployed our centralized instance of the tool here: http://testsuite.net/ropsten/
Devcon
Talk
24:07
Securing Cross-chain Communication
The last year witnessed several cross-chain bridges being hacked and millions of dollars stolen by hackers. Despite the bridges having gone through several audits, we still see them getting exploited because hackers were able to get access to authorized private keys, signature replay attacks, etc. Let us see what a secure cross-chain bridge architecture should look like and what are the possible attack vectors and mitigation techniques.