Solidity Pitfalls and Hazards (Part Two)

Solidity Pitfalls and Hazards (Part Two) CS1951 L Spring 2019 26 February 2019 Maurice Herlihy Brown University

Today’s Pitfalls: Default Visibility False Randomness Unchecked return values Parameter Attack

Default Visibility Attack External: only from outside Private: only current not derived contracts Internal: only current or derived contracts Public: anyone can call

Default Visibility Attack External: only from outside Private: only current not derived contracts Internal: only current or derived contracts Public: anyone can call default

Fallback Function Remember, transaction data includes: Function selector (hashed name) Function arguments

Fallback Function contract Example { uint x = 0; function foo() public { x = 1; } function () public payable { x = 2; } }

Fallback Function contract Example { uint x = 0; function foo() public { x = 1; } function () public payable { x = 2; } } named regular function

Fallback Function contract Example { uint x = 0; function foo() public { x = 1; } function () public payable { x = 2; } } named regular function nameless fallback function Often used to receive payments

Function Call Contract A Contract B not me! fn foo() call “bar” me! fn bar() fn () A calls B’s “bar” function …

Fallback Function Contract A Contract B fn foo() call.value(100) fn bar() fn () I handle pure ETH transfers A sends ETH to B

Wallet Library Does most of the work Wallet Library Delegatecall: updates wallet internal state only fntransfer() fncredit() Also, init() function called internally by constructor to initialize owners, etc. fninit ()

Wallet Library Security Audit contractWalletLibrary{ address owner; // called by constructor function initWallet(address _owner) { owner = _owner; // ... more setup ... } … }

Wallet Library Security Audit contract WalletLibrary{ address owner; // called by constructor function initWallet(address _owner) { owner = _owner; // ... more setup ... } … } Initialization code called only by constructor.

Wallet Library Security Audit contract WalletLibrary{ … function changeOwner(address _new_owner) external{ if (msg.sender == owner) { owner = _new_owner; } } } Owner can be changed only by current owner

Wallet Library Security Audit contract WalletLibrary{ … function () payable { // ... receive money, log events, ... } } Anyone can deposit money in wallet

Wallet Library Security Audit contract WalletLibrary{ … function withdraw(uint amount) external returns (bool success) { if (msg.sender == owner) { return owner.send(amount); } else { return false; } } Only owner can withdraw money

Composite Wallet Wallet Wallet Library call “transfer” fntransfer() fntransfer() fncredit() fncredit() … fninit () fn() Most calls just forwarded to library

Wallet Fallback Function function() payable {// just being sent some cash?if(msg.value > 0) Deposit(msg.sender, msg.value);else if (msg.data.length > 0) _walletLibrary.delegatecall(msg.data);}

Wallet Fallback Function function() payable {// just being sent some cash?if(msg.value > 0) Deposit(msg.sender, msg.value);else if (msg.data.length > 0) _walletLibrary.delegatecall(msg.data);} Mostly used to send cash to wallet

Wallet Fallback Function function() payable { // just being sent some cash? if (msg.value > 0) Deposit(msg.sender, msg.value);else if (msg.data.length > 0) _walletLibrary.delegatecall(msg.data);} If not cash deposit, just forward message to library …

Wallet Fallback Function All public functions in library callable by anyone! function() payable { // just being sent some cash? if (msg.value > 0) Deposit(msg.sender, msg.value);else if (msg.data.length > 0) _walletLibrary.delegatecall(msg.data);} If not cash deposit, just forward message to library …

Uh, Oh contract WalletLibrary{ address owner; // called by constructor function initWallet(address _owner) { owner = _owner; // ... more setup ... } … } Oh wait, where is this function’s visibility declared? It isn’t. It has default public visibility!

This Happened Someone exploited exactly this opening Started pumping money out … “White hat” hackers notice, exploit same opening to pump money out to save victims Final Score Black hats: 153K ETH, White Hats: 377K ETH

Prevention Solidity now requires visibility declarations to be explicit Moral Designing languages for mission-critical apps is not for amateurs.

False Randomness Attack Gambling is very popular in Ethereum Gambling requires randomness Blockchains require determinism Check your wallet

What are the Chances? Clients bet or RED or BLACK Last block hash even: RED Last block hash odd: BLACK What could go wrong?

Mining bet on RED

Mining Try nonce = 1 bet on RED Try nonce = 2 But hash is odd Try nonce = 3 Eureka! I mined a block! Suppress that block, try again …

Examined 3,649 smart contracts 78 unique PNRG implementations 43 identified as vulnerable A. Reutov, Predicting Random Numbers in Ethereum Smart Contracts

Block Variables block.number block.coinbase block.gaslimit block.difficulty block.timestamp Not just miners can predict … Exploit contract makes delegatecall to target contract, gets same “random” values

Hash of Current Block function random(uint64 upper) public returns(uint64 randomNumber) { _seed = uint64( sha3( sha3( block.blockhash(block.number), _seed), now)); return_seed % upper; }

Hash of Current Block function random(uint64 upper) public returns (uint64 randomNumber) { _seed = uint64( sha3( sha3( block.blockhash(block.number), _seed), now)); return _seed % upper; } start with hash of current block …

Hash of Current Block function random(uint64 upper) public returns (uint64 randomNumber) { _seed = uint64( sha3( sha3( block.blockhash(block.number), _seed), now)); return _seed % upper; } … hash it a few more times something is wrong here …

Hash of Current Block block hash of block being created is (obviously) unknown to EVM function random(uint64 upper) public returns (uint64 randomNumber) { _seed = uint64( sha3( sha3( block.blockhash(block.number), _seed), now)); return _seed % upper; } This expression always evaluates to 0!

Hash of Earlier Block block.blockhash(block.number - 1) Attacker can delegatecall contract to predict its “random” number

Hash of Future Block Let’s play a game Player makes bet, house stores transaction’s block.number Player later requests house announce winning number House computes blockhashfrom saved block.number, then generates pseudo-random number

Hash of Future Block “The block hashes are not available for all bocks for scalability reasons. You can only access the hashes of the most 256 blocks, all other values will be zero.” Player requests winning number 256 blocks later House computes blockhash 0, then generates totally predictable pseudo-random number

This Happened Huge ICO “provably fair” lottery Issued a “hackathon challenge” Hacked by 256-block delay described Arguably, the challenge was a success!

Blockhash with Private Seed From the Slotthereum Lottery bytes32 _a = block.blockhash(block.number- pointer);for (uinti = 31; i >= 1; i--) {if((uint8(_a[i]) >= 48) && (uint8(_a[i]) <= 57)) {returnuint8(_a[i]) - 48; }} this variable declared privateso can’t be read by another contract Like all blockchain data, trivial to read from off-chain

Prevention Use External Oracle for Randomness (trusted by all parties)

Prevention Algorithms we will discuss later

Unchecked CALL Return Values Inconsistent interfaces for ether transfer: If transfer() fails, caller reverts If send() or call() fails, caller does not revert, instead gets Boolean return code Unchecked return codes as attack vector

If something goes terribly wrong … Out of gas Assertion violated stack overflow The function call reverts Rolling back that transaction’s effects

Normally if a function call reverts: contract.longCall(); // runs out of gas The entire call-chain reverts Exceptions: call(), delegatecall(), codecall() Return Booleans instead of propagating

Gas Trap if (! someAddr.call.value(100)()) { // some failure code } Might take all your gas if (! someAddr.send(100)) { // some failure code } Max 2300 gas (not much)

Prevention If possible, use transfer() instead of send() Otherwise, check return codes! Use withdrawal pattern, where clients claim funds via their function calls

This Happened Suppose claim price for throne is 10 ETH You want to be King/Queen, so send10 ETH KotET sends your 10 ETH minus comission to previous monarch You are now monarch Claim Price goes up to 15 ETH You get paid when someone else becomes K/Q

This Happened Payments were sent by unchecked sends send() did not include enough gas for payment processing by wallet accounts Recipient reverted, and payment was returned to contract KotET contract did not revert, nor check return code Proceeded without paying previous monarch

Stack Depth Attack Stack Depth cannot exceed 1024 Artificially create stack depth of 1023, then pay to become king. Refund payments to predecessor guaranteed to fail at depth 1025 Unchecked send()not just bug, but attack vector

Stack Depth Attack Stack Depth attack no longer feasible New rule: call cannot consume more then 63/64 of parent’s gas If start with g gas, after n calls you have at most g (63/64)ngas available

Solidity Pitfalls and Hazards (Part Two)

Solidity Pitfalls and Hazards (Part Two)

Presentation Transcript

Part Two

Ratio and proportion

Part two

Part Two

Part two

Part Two

part two

Part Two

Part two

Replicating Results- Procedures and Pitfalls

PART TWO

PART TWO

Hazards

Part Two

Part Two

Part Two

PART TWO

Hire Solidity Developers | Solidity Blockchain Development