»Reversing and Vulnerability research of Ethereum Smart Contracts«
2018-10-18, 09:30–11:30, Hollenfels
This workshop is intended to bring attendees the basic skills (theoretical and practical) to analyze Ethereum smart contracts. After the workshop, they will be able to reverse, debug and find basic vulnerabilities into real-life smart contracts without having the Solidity source code.
Ethereum is the reference of smart contract platform due to the possibility to create decentralized applications (Dapps) by writing smart contracts. The Solidity source code of those smart contracts are not always available and can contains flaws (reentrancy, integer overflaw/underflow, bad randomness, backdoor, ....). Some smart contract handle thousand of ETH and can't be modified once pushed into the blockchain, that's why be able to reverse and analyze Ethereum smart contract make even more sense.
The following points will be covered in the workshop:
- Quick introduction of Ethereum
- Ethereum blockchain (blocks, transactions, accounts), Ethereum virtual machine, smart contracts, Dapps
This part will be quick (around 20 mins), the purpose of the workshop is not to talk about blockchain concept in general
Basic Ethereum testing lab
- Blockchain explorer, Smart contract development and interact with the blockchain using API
10 minutes slides + installation of Metamask plugin
Reverse engineering of Ethereum smart contracts
- Discovering of EVM instruction set, runtime code, functions, basic-blocks,...
Analysis and vulnerability research
- Analysis of basic vulnerabilities and logical bugs
Going deeper & Questions
- Apply other security technique like Single Static Assignment (SSA), Symbolic Execution, Fuzzing, … on Ethereum smart contract
- 10 minutes slides to show actual tools available + Q&A