- Quick update in blockchain tech space - Comparision between tech - Security in Blockchain (Focusing on ETH Solidity attack vectors) - Design patterns - 2 Popular hacks (Case study)

1. Developer Weekly #1
LetsBuildEOS | Blockchain Developer Community
Best practices to build secure
smart contracts
August 2, 2018
Gautam ANAND
me@gautamanand.i
n

2. About Gautam ANAND
“Non-Blockchain Tech (Microservices/AI)”
● 5 Years of FullStack Software Development
● Software Architecture Design (Microservices) - Build & Scale
● JavaScript ES6 (Node.js), C++ (EOSIO Smart Contracts) and Python
(Scikit-Learn & TensorFlow)
● DevOps (Docker/Kubernetes/Serverless)
● Databases (Mongo, Redis and PostgresQL)
● Machine Learning Models to Cloud Agnostic APIs
● Code Reviews

3. About Gautam ANAND
“Blockchain Tech”
● Won 3 Blockchain Hackathons in June 2018 (Hong Kong & Singapore)
● Invited to compete for EOS Hackathon Finals (~500K USD +
Funding/EOSVC)
● Built two EOSIO based projects (SmartCitySteriods & ReliefChain),
continuing working on them.
● Part of Global EOS Community.
● Participating in IBM CallforCode Hackathon (ReliefChain, ~200K USD
Cash Prize)
● Mentoring “Advanced Blockchain Programming Fellowship” at
Blockfellows.io (Solidity Programming)

4. The Blockchain Ecosystem
Developers
(15%)
Investors
(40%)
Speculators (45%)
(not users)
Blockchain

5. The Crisis Situation
“You can run a blockchain company without a product,
just need to have a good ICO for your cryptocurrency”
● Speculators are not “Users” (Let's agree, they are in for the hype)
● Users help build profitable businesses
● Speculators help build profitable cryptocurrencies
● Startups misuse ICO (Initial Coin Offerings) to raise funds during seed
rounds without delivering a proof-of-concept. Beware of “Scam projects”
Now this trend is moving towards building “Sustainable Profitable
Products”, but do we have the technology to do?

6. About Blockchain Technology
How developers see it?
● Decentralized Database running on millions of computer
● Public chain (You don’t the location); Private Chain (Your defined
network)
● Data entry is one way i.e. NO UPDATE and NO Delete. Only Create and
READ is allowed.
In nutshell,
1. Data (Transactions) is immutable
2. Network as a secure model

7. About Blockchain Technology
“Bitcoin vs Ethereum vs EOSIO”
● Blockchain 1.0 - Bitcoin
● Blockchain 2.0 - ETHEREUM
● Blockchain 3.0 – EOSIO and more
https://eos.io

8. About Blockchain Technology
“Bitcoin vs Ethereum vs EOSIO”
● Block Time per request:
Bitcoin (600K milliseconds) vs ETH (15K milliseconds) vs EOSIO (500 milliseconds)
● Transactions per Second:
Bitcoin (7 tps) vs ETH (50 tps) vs EOSIO (>3000 tps, July 2018)
● Transactions Fee:
Bitcoin (~1 USD) vs ETH (~5.5 USD) vs EOSIO (Free)
Block time and tps metrics reference: https://bitinfocharts.com/comparison/bitcoin-confirmationtime.html
How transactions are free?: https://bytemaster.github.io/article/2016/02/10/How-to-build-a-decentralized-application-without-fees/

9. About Blockchain Technology
“Building Payment Gateway on Public Chain”
● Average 6 steps for any payment gateway backend request
Bitcoin (~60 mins, 1.38 USD)
ETH (~1.5 mins, 36 USD)
EOSIO (~ 3 seconds, 0 USD), this may be competitive with centralized
payment solutions such as VISA/Mastercard etc?
For the very first time, blockchain solutions can be as good as regular
centralized solutions, maybe profitable.

10. Security
In
Blockchain
● Security Mindset
● 3 Solidity Code Vulnerabilities
● 5 Attack Scenarios
● 4 Design Patterns
● 2 Major Hacks (~100 million
USD)

11. Your
Security
Mindset
● Centralised: Database
(server) is hidden behind a
client (mobile app, browser
etc).
● Decentralised: Blockchain
database (server) is public and
exposed to all vulnerabilities
you can ever imagine.

12. 3 Solidity Code Vulnerabilities

13. Integer
Underflow ● Solidity can handle 256 bit
numbers
● Underflow: Token holder has
100 tokens but attempts to
spend 101
Bad pattern:
https://ethfiddle.com/IGJ2w0vPsX
Good pattern:
https://github.com/OpenZeppelin/op
enzeppelin-
solidity/blob/master/contracts/math/
SafeMath.sol

14. Protect
your
Functions
● Public: Anyone can access it.
● External: Other smart
contracts can access it.
● If anyone can execute your
functions from public, they can
steal all your tokens. Use
Private or Internal functions.
Example: https://ethfiddle.com/1q-
YzAPV9W

15. Fallbacks &
DelegateCALL
● Fallback: Every smart contract
can have exactly one unnamed
function. This will execute if
none functions are found. It
only has msg.data to retrieve
any payload.
● DelegatedCALL: It is identical
to a message call (internal
transaction) apart from the fact
that the code at target address
is executed in the context of
the calling contract and
msg.sender and msg.value do
not change their values
Example:
https://ethfiddle.com/G3W7FEdrWj

16. 5 Attack Scenarios

17. Parity Attack
● Contract A has a public
function titled “myproject” that
implements DelegatedCALL. It
holds all 100k Tokens.
● Contract B is a hacker exploit,
that tries to call
ContractA.myproject(). Since
this is public authority, contract
B steals all the tokens.

18. DAO Attack
(Decentralised
Autonomous
Organisation)
● Check my account balance in
the starting ONCE.
● Second time onwards, ignore
balance check and initiate
transfer request.
# Fix
- Reduce senders balance
before making transfer.
- require(msg.sender.transfer(_value))
Example:
https://ethfiddle.com/VDH-hqXQZ_

19. SelfDestruct
● Mechanism to delete smart
contract
● Contract’s fund is sent to the
target address
● Accidently create scenarios
that it can be triggered
Example:
https://ethfiddle.com/dmsDZVYcBX

20. Denial of
Service
● Take ownership of the smart
contract by sending enough
ethers to insecure contract.
● The attacker knows the
transaction will fail and will be
refunded. This will block the
service.
Example:
https://ethfiddle.com/jJNl3ILO-Z

21. Shortest
Address
Attack
● Attackers abuse ERC-20
transfer function to withdraw a
large amount thatn he/she is
allowed to.
● Culprit: The input address has
no trailing zeros, the exchange
doesn’t do input validation. The
EVM corrects this and the
balance is increased.
● Exchanges are the biggest
victims here
Details:
https://vessenes.com/the-erc20-
short-address-attack-explained/

22. 4 Design Patterns

23. Avoid
External
Calls
● Avoid a call from one contract
to another untrusted contract or
account.
● delegatecall, callcode, call
● Types of attacks: The Dao
hack, The Parity multisignature
wallet hack
● Use .send() and .transfer() over
.call.value()

24. Use
Assert(),
Require() &
Revert()
● require(condition) for input
validation
● assert(condition) for internal
error check
● revert() returns unused gas
● throw() will continue to
consume all gas

25. Test
Driven
development
● Smart contract once deployed
cannot be improved. No
version control.
● Do Unit Testing
● Do Test coverage
● Simulate on testnet.

26. Offline contracts
shouldn’t be
paid
● Contract A sends to Contract
B, 1000 Tokens.
● Contract B is dead
● Contract A lost money

27. 2 Major Hacks (~100 million
USD)

28. ETHEREUM
DAO was
hacked for
70 million USD
(ETH Classic is born)
https://www.coindesk.com/underst
anding-dao-hack-journalists/
● Attacker was able to ask the
smart contract (DAO) to give
the ether back multiple times
before the smart contract could
update its own balance.
● Ethereum Classic was forked
and all transactions before
attack were reverted.

29. Parity Client
vulnerability
costed
30 million USD
(Check this is real?)
The code that did this:
https://github.com/paritytech/parity
-ethereum/pull/6102/files
● Parity is a ETH Client used by
many people. You can call it
from smart contracts.
● Three ICO (Edgeless casino,
Swarm City and aeternity) were
using parity client v.15, to
check balance for raised funds.
● The function in wallet smart
contract was Public
DelegatedCALL, that let
attackers steal the tokens.

30. Thanks, Stay in touch!
Telegram Linkedin