Outsmarting Smart Contracts – an essential walkthrough of blockchain security minefields

Damian Rusinek 2018.06.08

The goal of this presentation is to shed light on the security of smart contracts, their potential vulnerabilities, and popular design and implementation security flaws.

Our cyber security specialist will investigate flaws in Ethereum smart contracts, both Ethereum-specific and known from other languages, that led to spectacular thefts. We are sure you have heard of these spectacular hacks, like the $30M (now worth $130M) Parity theft, or another $150M blocked in smart contracts.

After this presentation you will know how to steal millions and how to prevent it. The author will also share his personal experience regarding responsible disclosure of such vulnerabilities. It is way harder than submitting a bug in a traditional application, and involves non-obvious complications.

First, the transparency principle leads to a real-time race between whitehat and blackhat hackers. Sometimes a whitehat even has to actually steal from potential victims in order to prevent malicious theft. Moreover, in most cases there is no way to contact the smart contract owner (especially urgently and securely) and report the problem.

In this case, after finding a critical vulnerability that allowed me to empty a whole exchange's Ethereum token wallet, it required a solid investigation to find the right people to talk to, and took an unnecessarily long time. To address this issue, he proposes a mechanism to notify a contract's owner. The message is securely kept on the blockchain and only the owner of the contract can read it.

You will understand a set of attack vectors and vulnerabilities specific to the concept of decentralized execution of publicly visible smart contracts. What's more, you will know how to find and avoid these vulnerabilities.

The messenger has been moved to: https://securing.github.io/eth-rd-messenger/

Please also see our handbook, which contains many useful recommendations and guidelines that should be implemented if you work with blockchain-based solutions.

Damian Rusinek
Principal IT Security Consultant
Head of Blockchain Security