»Reversing and Vulnerability research of Ethereum Smart Contracts«
2018-10-18, 09:30–11:30, Hollenfels

This workshop is intended to bring attendees the basic skills (theoretical and practical) to analyze Ethereum smart contracts. After the workshop, they will be able to reverse, debug and find basic vulnerabilities into real-life smart contracts without having the Solidity source code.

Ethereum is the reference of smart contract platform due to the possibility to create decentralized applications (Dapps) by writing smart contracts. The Solidity source code of those smart contracts are not always available and can contains flaws (reentrancy, integer overflaw/underflow, bad randomness, backdoor, ....). Some smart contract handle thousand of ETH and can't be modified once pushed into the blockchain, that's why be able to reverse and analyze Ethereum smart contract make even more sense.

The following points will be covered in the workshop:

  1. Quick introduction of Ethereum
  2. Ethereum blockchain (blocks, transactions, accounts), Ethereum virtual machine, smart contracts, Dapps
  3. This part will be quick (around 20 mins), the purpose of the workshop is not to talk about blockchain concept in general

  4. Basic Ethereum testing lab

  5. Blockchain explorer, Smart contract development and interact with the blockchain using API
  6. 10 minutes slides + installation of Metamask plugin

  7. Reverse engineering of Ethereum smart contracts

  8. Discovering of EVM instruction set, runtime code, functions, basic-blocks,...
  9. Exercises (Hands-on)

  10. Analysis and vulnerability research

  11. Analysis of basic vulnerabilities and logical bugs
  12. Exercises (Hands-on)

  13. Going deeper & Questions

  14. Apply other security technique like Single Static Assignment (SSA), Symbolic Execution, Fuzzing, … on Ethereum smart contract
  15. 10 minutes slides to show actual tools available + Q&A