
devcon 5 / the magic of ethereum addresses


The magic of ethereum addresses

Duration: 00:04:54

Speaker: Hadrien Croubois

Type: Breakout

Expertise: Beginner

Event: Devcon


More often than not, people make mistakes when writing or copying Ethereum addresses. ENS is supposed to solve that, but it is not yet adopted by everyone. These errors can have spectacular consequences; some even have a happy ending:

  • https://medium.com/bitclave/how-we-sent-eth-to-the-wrong-address-and-successfully-recovered-them-2fc18e09d8f6
  • https://twitter.com/drew___stone/status/1135703041997516801

With the adoption of wallet smart contracts, this issue is only going to grow. This talk will describe where Ethereum addresses come from, how you could exploit knowledge of these mechanisms, and how you could protect yourself and your users using a CREATE2-based factory like the one deployed at 0xfac100450af66d838250ea25a389d8cd09062629.

Categories: Security, technical

Related
CBC Casper Design Philosophy (Devcon, Talk, 30:18)

Consensus protocols are used by nodes to make consistent decisions in a distributed network. However, consensus protocols for public blockchains should satisfy other requirements, by virtue of the protocol being open. For example, they need to be incentivized, in that people will be incentivized to run consensus forming nodes in the first place, and in that following the protocol should be an equilibrium for consensus forming nodes. The CBC Casper family of consensus protocols has been designed to fit design criteria necessary for secure public blockchains. In this talk, we will explore the design goals and methodology used in CBC Casper research: economically motivated properties of the consensus protocol, the correct-by-construction approach to protocol specification, and the resulting rapid iteration.

Scaling Ethereum with security and usability in mind (Devcon, Talk, 14:39)

In this talk, I will go through scaling mechanisms and their disadvantages from a user and developer perspective. With our approach at Matic https://matic.network, a plasma-fied sidechain, I will explain how we are tackling security using plasma, predicates, and normal state computation on the sidechain. Having specialized DApp-specific fraud proofs using predicates, partial confirmations, and different fee models allows us better usability for end users. Then I will talk about how we are addressing the issue for users when they interact with multiple chains - Ethereum and the Plasma sidechain - using the walletconnect protocol. Overall, it explains how connecting some important dots on the Ethereum landscape can help us achieve scalability and usability, and clears our path to the mass adoption which we are all aiming for.

Store your keys safely offline - never get online to sign transactions (Devcon, Breakout, 07:40)

The best way to keep your private key safe is to keep it disconnected from the internet. This is usually done in a hardware wallet; however, most of those wallets are directly connected to a computer, either via USB or Bluetooth. What if the wallet was never online and never ever connected to an online device? This is achievable using QR codes. We did it with Parity Signer. I will present why we built it and how, do a short live demo, and describe what we will do in the future.

The Gas Siphon Attack: The Technical and Economic Realities Behind Hacking Exchanges (Devcon, Talk, 05:40)

The Gas Siphon Attack allows anyone to siphon value from many exchanges in the form of gas refunds, a mechanism built directly into the Ethereum protocol. Users can write a simple script that continuously drains unprotected exchange hot wallets of all of their ETH. Until this was responsibly disclosed, many exchanges were affected with varying degrees of severity. How it happened, who was affected, and the technical details behind the attack are discussed during the presentation. The talk dives into the details of the refund mechanism built into the Ethereum network, and how it can be maliciously abused. The presentation explains who is vulnerable and what they can do about it. A number of these types of technical exploits exist on both centralized and decentralized exchanges, and one may find that responsibly disclosing these attacks is harder than the actual exploit itself. Getting in touch with exchanges, continuous communication with services, and helping fix different systems may be a month-long journey that yields very little in return. Hacks, front-running, misaligned miner incentives, and economic disparities are all issues for exchanges and services that are discussed in this presentation. Finally, the talk covers different ways to protect yourself and your dapp from both known and unknown exploits. Preventative measures are presented that will allow for protection from these types of attacks.

Batched Bonding Curves: Grieving DEX Frontrunners (Devcon, Breakout, 23:05)

It's been widely publicized that front-running is rampant across decentralized exchanges. Billy Rennekamp describes the technique developed to stop the parasitic behavior by using batched orders in tandem with bonding curves and how it's being used in a new fundraising app by Aragon Black.

Build a constraint system, prover and verifier using OpenZKP Stark (Devcon, Breakout, 30:18)

There are great tools and tutorials for R1CS proof systems (aka Snarks) but not much is known about programming Starks. Starks have a much more complex constraint language, but in return you can achieve much better performance. In this workshop we will:

  • learn about the mathematical underpinnings of Stark proofs,
  • use 0x's OpenZKP library to generate and verify proofs, and
  • implement a Stark constraint system.

(Defense Against) The Dark Arts - Contract Runtime Mutability (Devcon, Breakout, 27:10)

Smart contracts are no longer guaranteed to have immutable runtime code, and can be redeployed with new code using a variety of methods involving the CREATE2 and SELFDESTRUCT opcodes. In this presentation, we will investigate how this is done and how to protect against malicious mutable contracts. We will also explore ways these new techniques can be applied in order to enable new use-cases and to improve the user experience.

ERC725 - The future of on chain interaction (Devcon, Breakout, 28:57)

One of the biggest problems for blockchain is the difficulty of storing and securing assets and managing interaction with a blockchain. The main cause is the use of private keys as the source of on-chain interactions. ERC725 is a proposed standard that abstracts accounts away from keys into a smart contract account. This not only makes security upgradable, but lets accounts become information holders. Fabian Vogelsteller, the author of ERC20 and ERC725, the Mist browser and web3.js, will talk about what on-chain interaction should look like.

Fuzzing the Solidity Compiler (Devcon, Breakout, 18:25)

Since the Solidity programming language does not have a formal specification, testing the compiler implementation is an important way to obtain assurance about the correctness of code generated by the compiler. Fuzz testing is well-suited for this setting. However, applying fuzzing in the traditional manner (random input generation that is coverage-guided) is inefficient for testing compilers because a significant fraction of randomly generated code is syntactically invalid. If the fuzzer does not generate syntactically correct Solidity programs, the compiler will simply reject it. As a consequence, code optimization and generation subsystems of the compiler will not be tested. The approach adopted by us is to define a grammar for the Solidity programming language and automatically generate inputs based on this grammar. Grammar based fuzzing ensures that generated programs are successfully parsed by the front-end parser. We make use of libProtobuf and libProtobufMutator for defining the grammar and performing grammar-based mutations, and libFuzzer as the underlying fuzzing engine.

How do we make dapps as secure as the underlying Ethereum? (Devcon, Breakout, 20:22)

Web3.js is a JavaScript API for web applications (dapps) to access the Ethereum blockchain. However, it inherits the security assumption of an Ethereum node, which is entirely open to the node's owner. The privacy and security consequences of that assumption are two-fold. First, a web application can learn sensitive information about the user. Second, the web application can feign a representation of blockchain data to be another, or even trick users into signing obfuscated transactions. A website which simply draws a crypto kitty would look no different from another which reads the user's kitty from Ethereum smart contracts. Much makeshift work has been done for this underdesigned infrastructure. For example, MetaMask resorted to hardcoding CryptoKitty and requesting permission to read the user's address. However, patches could only do so much. Furthermore, such patches weren't designed with abstraction to accommodate next-generation blockchains with privacy and efficiency improvements. For example, failing to find truth quickly using the low-level interfaces provided by web3.js, many dapp browsers resorted to relying on a centralised token status database. The speaker presents a design which abstracts the token interface away from the low-level Eth-node interface and remodels the basic web code trust inheritance for practicality and security. It involves a high-level API for web applications and a secure, WebAssembly-based sandbox running signed code, designed to embed in the Web itself.