Understanding Blockchain, Crypto, NFTs, Smart Contracts, Web 3.0 from Hacker’s View

This week, I attended a session by Security Weekly Podcast on YouTube where they touched on hackers’ views on today’s emerging tech and security. The session was presented by Tyler Robinson, Beau Bullock, and Paul Asadoorian.
History of Blockchain
2009: Bitcoin launches as the first public ledger for transactions using blockchain.
2015: Ethereum launches and adds smart contract functionality
2017: First decentralized application (dApp) gains traction
2018: Decentralized Finance (DeFi) protocols
2021: Blockchain is used for supply chain tracking, digital identity, anti-piracy, NFTs, and real estate, amongst others
Why Blockchain Security
Blockchain Hacks Result in Huge Monetary Loss
Centralized Exchanges: over $2.5 billion has been stolen since 2011
Smart Contract Hacks: $1.2 billion was stolen in 2021, and over $1.5 billion has been stolen in 2022 so far.
Consumer Wallets: Millions lost through social engineering and remote exploitation
Why So Many Hacks
Blockchain is an emerging technology, and many organizations are racing to be “first to market”. Consumers are uninformed about the risks, and traditional security protection tends to be an afterthought.
Blockchain Ecosystem
Layer 1: the underlying blockchain protocol itself, for example Bitcoin Core or Geth
Layer 2: an overlay network on top of Layer 1, typically focused on scalability, for example the Bitcoin Lightning Network
Smart contracts: programs deployed to the blockchain that execute automatically, e.g., tokens, NFTs, dApps
Software Wallets: custodial wallets vs non-custodial wallets
Hardware wallets: physical devices for storing private keys that are then used to send & receive funds
Mining software: a program that drives the specialized hardware used for mining
Centralized exchanges: typically require KYC, e.g., Coinbase, Binance
Decentralized exchanges: DeFi exchanges are typically built from smart contracts, web3 libraries, and a frontend
People: social engineering, rug pulls (scams where investors put money into a project and the founders then disappear with the funding), and asset protection
Smart Contracts
- “Once you launch your code, there’s little you can do to fix any problems,” Mastering Ethereum by Andreas M. Antonopoulos and Gavin Wood, Ph.D
Smart contracts are immutable computer programs that execute in a decentralized way, running on a virtual machine via node software. They are written in a high-level language and compiled into bytecode before being deployed to the blockchain. A smart contract only runs when it is called by a transaction.
Solidity
Solidity is a high-level programming language for smart contracts. It is currently by far the most dominant language. Its syntax is similar to JavaScript or C++.
Remix is a browser-based IDE used for writing smart contracts. Development environments like Hardhat, Foundry, and Truffle can also be used.
Deployed code tends to be posted publicly and verified on sites like Etherscan and PolygonScan.
Smart Contract Vulnerabilities Overview
Smart contract vulnerabilities have resulted in a significant loss of funds. Since smart contract code is public, anyone can analyze it for issues. Exploits can be tested against private local blockchain instances or on a testnet.
There’s no patching, since contracts are immutable, and stolen funds can be very difficult to track.
Common Web3 Attacks
Common Smart Contract Attacks
Access Control: It governs who can transfer assets, mint tokens, vote on proposals, or freeze transfers, among others.
Oracle Manipulation: Non-blockchain oracles can be leveraged to get real-world data like weather, prices, etc. At times, these oracles can be abused.
Reentrancy: a vulnerability where a function can be re-entered before it has completed.
Integer overflows & underflows: Overflows and underflows occur when arithmetic operations exceed the maximum or minimum integer values.
Front-Running: miners give priority to higher gas prices, so an attacker can have their transaction mined before the original sender’s by paying more.
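The reentrancy item above, modeled as an added Python example (not from the session, and not Solidity): it shows that zeroing the balance after the external call lets a single deposit be paid out several times, while zeroing it first (the checks-effects-interactions ordering) pays it out once. The Vault and Recipient classes and the deposit amounts are constructed for illustration.

```python
class Vault:
    """Toy contract holding per-account balances (constructed for this example)."""

    def __init__(self, effects_first):
        self.effects_first = effects_first  # True = checks-effects-interactions
        self.balances = {}
        self.pool = 0                       # total funds held by the contract

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def _send(self, who, amount):
        # Models an external call: control passes to the recipient's code.
        if amount > self.pool:
            raise RuntimeError("vault has insufficient funds")
        self.pool -= amount
        who.receive(self, amount)

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        if self.effects_first:
            self.balances[who] = 0          # state updated before the external call
            self._send(who, amount)
        else:
            self._send(who, amount)         # external call while balance is still set
            self.balances[who] = 0


class Recipient:
    """Account whose receive hook may call withdraw() again before it returns."""

    def __init__(self, reenter_times=0):
        self.reenter_times = reenter_times
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        if self.reenter_times > 0:
            self.reenter_times -= 1
            vault.withdraw(self)


def simulate(effects_first, reenter_times=3):
    """Return (amount the re-entering account received, funds left in the vault)."""
    vault, other, caller = Vault(effects_first), Recipient(), Recipient(reenter_times)
    vault.deposit(other, 30)    # constructed sample deposits
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return caller.received, vault.pool
```

With the balance cleared last, the account that deposited 10 receives 40 and the other depositor's 30 is gone; with the balance cleared first, the nested call sees a zero balance and returns immediately.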
Token Approvals
Some ERC tokens have built-in functionality that lets users approve token transfers made on their behalf. Malicious actors can trick individuals into granting token transfer approvals. In these cases, the approved contract or wallet can send tokens on behalf of the individual and drain their wallet. Revoke.cash or Etherscan.io can be used to remove token approvals.
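One way to review outstanding approvals, as an added example that is not from the session: it replays ERC-20 Approval events for one owner and flags live allowances that are unlimited or granted to a spender outside a trusted list. The event tuples, addresses, and token names are constructed placeholders, and the code assumes the latest Approval event reflects the current allowance; the authoritative value is what the token's allowance(owner, spender) call returns.

```python
MAX_UINT256 = 2**256 - 1  # value wallets commonly use for an "unlimited" approval

# Constructed sample Approval events: (block, token, owner, spender, value).
# All names and addresses are placeholders, not real contracts.
EVENTS = [
    (100, "TOKEN_A", "0xOwner", "0xDexRouter", MAX_UINT256),
    (105, "TOKEN_B", "0xOwner", "0xUnknownContract", MAX_UINT256),
    (110, "TOKEN_A", "0xOwner", "0xDexRouter", 0),      # approval revoked
    (120, "TOKEN_C", "0xOwner", "0xMarketplace", 500),
    (125, "TOKEN_B", "0xOther", "0xDexRouter", 1000),   # different owner
]


def outstanding_approvals(events, owner):
    """Latest allowance per (token, spender) for owner, omitting revoked ones.

    Assumption: allowances are reconstructed from Approval events only;
    spending through transferFrom can lower an allowance without an event.
    """
    latest = {}
    for _block, token, ev_owner, spender, value in sorted(events):
        if ev_owner == owner:
            latest[(token, spender)] = value  # a later event overrides an earlier one
    return {key: value for key, value in latest.items() if value > 0}


def review(events, owner, trusted_spenders):
    """Return (token, spender, reasons) for approvals worth revoking."""
    findings = []
    live = outstanding_approvals(events, owner)
    for (token, spender), value in sorted(live.items()):
        reasons = []
        if value == MAX_UINT256:
            reasons.append("unlimited")
        if spender not in trusted_spenders:
            reasons.append("untrusted spender")
        if reasons:
            findings.append((token, spender, reasons))
    return findings


if __name__ == "__main__":
    for finding in review(EVENTS, "0xOwner", {"0xDexRouter", "0xMarketplace"}):
        print(finding)
```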
Administrative Issues
Exposure to various security risks depends on how and where private keys are stored:
centralized exchanges
software wallets
hardware wallets
browser extensions
mnemonic seed phrases
multi-sig wallets
Social Engineering
Common Web2 security issues still exist in Web3, like phishing, scams, centralized exchange hacks, and SIM swaps. After socially engineering a victim, an attacker will typically drain the wallet, and there’s little that can be done to recover these funds.
Discord Hacks
Discord has become the primary home for most crypto projects. Crypto Discords get hacked all the time:
Webhook compromise
Admins getting phished
OAuth tokens (session stealing)
Cred phishing
DM scams
Bot Services compromise
Start Hacking
Books
Mastering Ethereum by Andreas M. Antonopoulos, Gavin Wood
Hands-On Smart Contract Development with Solidity and Ethereum
Solidity
CTFs
Bug Bounties
Blockchain Hacking QuickStart Guide
- BlockchainHAX: a free guide built by Beau to serve as a quick start guide for hacking blockchain-based technology, such as smart contracts
Key TakeAways
Use cases for blockchain are growing significantly
Hacks result in a significant loss of funds
Smart contract hacking is still in its infancy
As new blockchain implementations are developed, new hacks will be too.
Thank you for reading my article. I would like to acknowledge the Security Weekly Podcast Hosts for all the content in this article, which was gained through their weekly session. As someone getting started with blockchain security, this is of great help, and I hope to still use it over time or have it benefit someone else.




