Instantly share code, notes, and snippets.

Embed
What would you like to do?
Open-source blockchain security research (contributions welcome!)

What is a blockchain?

  • Distributed ledger system; for tracking the transfer of tokens (currency, data of any type).
  • A cross between economics, cryptography, and the internet.
    • Side note- if you ever wanted a financial incentive to get involved in cryptography, this is it.
  • A blockchain is literally a chain of blocks, where each block contains a list of transactions that everyone agrees have occurred.
    • Each block builds upon all the ones before it.

A blockchain is literally a chain of blocks

  • The purpose of a block is to confirm transactions in the ledger.
    • Ledger: historical database, containing all transactions that have ever happened since the blockchain was created.

Why blockchain is important

  • It is a new technology, similar to the internet of the early 90's. We don't know where it is going to go, but the technology enables a large number of new possibilities in both finance and business.
  • Provides absolute integrity (one third of the CIA triad), so long as no more than 50% are unified bad actors.
    • Non-repudiation as well.

Bitcoin

  • Started with Bitcoin- first implementation of blockchain technology
    • HashCash and B-Money both have elements of a blockchain in them, and there may be older versions still before those.
    • Distributed "cryptocurrency". Basically, a pseudonymous (not completely anonymous) currency that no one system or owner controls, and with substantially lower transaction fees.
    • Satoshi Nakomoto paper that gave an abstract, somewhat technical overview of the proposed system.
    • Implementation: https://github.com/bitcoin/bitcoin
      • Written in C++
      • MIT License
    • Original requirements for Bitcoin:
      • Private
      • Anonymous
      • Censorship-resistent
      • Byzantine attack resilience (Byzantine General's problem: reaching consensus among a group of actors that do not trust one another.)
      • Decentralized

How Bitcoin works (at a high level)

  1. New transactions are broadcast to all nodes.
  2. Each node collects new transactions into a block.
    • New blocks are created by hashing (SHA-256) the text of the new transactions, the previous block's hash, and a nonce together.
  3. Each node works on finding a difficult proof-of-work for its block.
    • Calculate the correct nonce to make the block less than a specific number.
      • Hash(prev_block_id, transactions, nonce) <= d?
      • This number (d) is adjusted by the network automatically to make the average mining time about 10 minutes. The difficulty is adjusted every 2016 blocks (~every 2 weeks). Smaller number == more difficult to guess.
    • "Proof-of-work": essentially trading electricity for consensus on the network.
      • Proof-of-work essentially makes it deliberately difficult to propose a "correct" block, which gives miners incentive to behave.
        • "The correct way of thinking about the proof-of-work concept is as a means for a group of self-interested people, none of whom is subordinate to any other, to establish a consensus against a considerable incentive to resist it. Bitcoin could operate perfectly well without proof-of-work, as long as everyone was perfectly honest and altruistic. If they are not, then reaching a consensus is difficult." (http://nakamotoinstitute.org/mempool/the-proof-of-work-concept/)
      • Uses a LOT of power, and growing. Estimated to be around 343 megawatts globally. Which is enough to power 285,833 US homes (this figure is from May 2015, and has likely increased since then). It is estimated that the global power usage for Bitcoin mining will exceed the power usage of the entire country of Denmark by 2020.
        • Obviously, this is why people are looking into other types of "proofs" that don't require an electricity trade-off at that scale.
    • Difficulty: https://en.bitcoin.it/wiki/Difficulty
      • Current difficulty: https://blockexplorer.com/api/status?q=getDifficulty
        • Target on April 3, 2017: ~499635929817
        • Your chance on every hash guess is equivalent to 1/(2^256 - 499635929817)
          • 1/115792089237316195423570985008687907853269984665640564039457584007413493710119
  4. When a node finds a proof-of-work, it broadcasts the block to all nodes.
  5. Nodes accept the block only if all transactions in it are valid and not already spent.
  6. The miner that calculates the correct block is rewarded by being allowed to include additional bitcoins (a set amount that halves every 4 years) from the "coinbase" (the ether where coins are born; coins are pulled from here if not from another transaction. The coinbase only has a set amount of coins- 21 million.)
    • NOTE: "Miners" are really "bookkeepers". Their job is to maintain the ledger, and they get paid to do so, using bitcoins (generated from the coinbase and from tips).
  7. Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.
    • Nodes always consider the longest chain (more accurately- the one with the most work required; i.e. the most difficult to calculate) to be the correct one and will keep working on extending it. If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first. In that case, they work on the first one they received, but save the other branch in case it becomes longer. The tie will be broken when the next proof-of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one.

Projected Bitcoins for the near future Source: https://en.bitcoin.it/wiki/Controlled_supply

Price of bitcoin

BTC market price graph

Newer implementations

  • "Colored Coins": coins that represent shares of a company or any other asset.
    • Built on top of the Bitcoin network

Altcoins

  • litecoin
    • requires higher memory (using the Scrypt algorithm instead of SHA-256) to defeat ASICs; however litecoin-specific ASICs have now been developed
  • dogecoin
    • Faster block time, using the Scrypt algorithm (memory-hard) in place of SHA-256.
    • Started as a joke
  • peercoin
    • original proof-of-stake blockchain, now uses proof-of-work as well
    • vulnerable to serious blockchain integrity destruction, due to the ease at which any single miner can calculate hashes for the current active branch, conflict branches, and all past branches. No power requirement, simply a matter of calculating one hash per second for each desired block; made exponentially easier the more coins you have
  • primecoin
    • proof is finding special primes for science
  • darkcoin/dash
    • 11 different hashing algorithms strung together, trying to defeat ASICs
  • monero
    • automatic independent mixing in every block; much better for privacy
    • Also uses ring signatures, which incorporate one public key/wallet with multiple decoy public keys; the owner of the true public key can prove that they own one of the public keys in the set, but they don't have to show which one
    • Stealth addresses as well- a public address that essentially changes every time, thanks to the addition of a shared secret in the transaction and using Diffie-Hellman key exchange to arrive at a one-time public address
  • Zcash: Zcash has a public blockchain to show transactions, but hides the amount, sender and recipient addresses from all except those who hold the “view key.” The view key owner (i.e. the owner of the coins) can also allow others to see details associated with that key.
    • It does this by encrypting the transaction metadata rather than making it publicly available, as Bitcoin does. Full transaction outputs are not retained by Zcash nodes, which only record the ability to spend coins using proofs called “zk-SNARKs.”
    • One major difference that sets Zcash mining apart is that 10% of the 21m units mined using the Zerocash protocol will go to Zcash’s stakeholders, ie: its founders, employees, investors and advisors. This is called the "Founder’s Reward". The stakeholders will not receive this reward in a linear fashion. In the beginning, the protocol results in the creation of 50 ZEC every 10 minutes, with 20% going to the founders and the remainder going to the miners. Every four years, this mining incentive will be cut in half, but 100% of this reward will go the miners after the first four years.
    • Huge with ransomware, as it has complete anonymity built-in.
  • Dead Coins: a curated list of cryptocurrencies forgotten by this world.

Ethereum

  • Ethereum: more than just currency (technology concepts it introduces are also known as "cryptocurrency 2.0")
    • Decentralized software platform that enables smart contracts, which in-turn enables things like distributed applications (dApps) and decentralized autonomous organizations (DAO).
      • Vitalik Buterin (creator of Ethereum, from Toronto) defines smart contracts as follows: "a smart contract is a mechanism involving digital assets and two or more parties, where some or all of the parties put assets in and assets are automatically redistributed among those parties according to a formula based on certain data that is not known at the time the contract is initiated."
    • "World computer" is called the Ethereum Virtual Machine (EVM).
    • Code can be written in a number of languages that compile down to EVM bytecode.
      • Solidity
        • By far the most popular.
        • A c-like language.
      • Viper
        • Python-like
        • Has overflow-checking, numeric units but without unlimited loops
          • Designed to be a little more secure by default (hard to shoot yourself in the foot)
      • Bamboo
        • Newer
        • Some influence from Erlang
        • No loops
    • "Currency": Ether
    • Hashing algorithm: Ethash
    • Much shorter block time (14-15 seconds vs. 10 minutes with bitcoin)
    • Block rewards remain the same each year ad infinitum (whereas bitcoin halves the rewards every 4 years)
    • Currently using proof of work, but looking to move to a new protocol called "proof of stake".
      • Protocol still not complete, code named "CASPER" (after the friendly ghost). Solves the "nothing at stake" problem by- "Whenever a validator produces a block that is considered “invalid” by Casper, his/her security deposit will be forfeited as well as the privilege to participate in the network’s consensus."
      • How it works:
        • Security deposits: stakeholders are required to make security deposits behind blocks. Whenever a security deposit is placed behind a block, it can introduced as a transaction that is part of an incompatible block aiming at destroying the security deposit of a validator. A block can be only marked as “finalized” when a large number of the network’s validators place security deposits behind it.
        • Consensus by bet: Philosophically, the security deposit concept is extended to become a concept of “bets”. Within a PoS system, a bet is a transaction which, according to the consensus incentivization rules, will reward you with X coins along every chain that includes a block that you have bet on, in exchange for taking Y coins from you for every chain that doesn’t include that block. A proper scoring rule should be used to set the values for X and Y. CASPER is based on the principle that validators bet according to the bets of other validators and rational play represents a loop of positive feedback that accelerates consensus. “Finality” is determined by 2/3 of validators willing to bet on a block that is large enough so that Y would be equal to their overall deposits.
        • By-block consensus: it is a yes/no vote casted separately on each block height. The inclusion of a block doesn’t simply denote inclusion of any block at any given previous heights.
    • "Gas": because miners are essentially lending computing power to other people's applications and programs (smart contracts) on the ethereum blockchain, they need to be compensated for that. Gas is the metering fee or cost for the computation and storage use of a smart contract.
      • Miners setup a minimum gas price they will accept to execute a transaction (miners will calculate this based on how much it actually costs them in electricity, and manually set this in their client. There is a default of 0.02 ETH per 1 gas), which is the amount of Ether used to interact with a component of that contract.
        • When sending a transaction to a smart contract, you can set what gas price you want to use. If you use a higher gas price, you are more likely to be accepted quickly by miners.
      • Each action (ADD, STORE, MULTIPLY, etc.) costs a certain number of gas.
      • The end result is that if you want your smart contract to run, you need to provide it with enough gas needed to complete the operations required. The total cost goes back to the minor in ETH, and the unused gas is refunded.
      • If not enough gas is provided to fuel the smart contract, then the originator pays the miner for all computation performed, and the transaction is reverted (but record of it is still stored in a block).
      • Gas cost by action (spreadsheet): https://docs.google.com/spreadsheets/d/1m89CVujrQe5LAFJ8-YAUCcNK950dUzMQPMJBxRtGCqs/edit
      • Certain operations (clearing a contract = -24,000, clearing storage = -15,000) results in a gas refund back to the originator. However, to avoid having miners not execute transactions with negative gas operations, the originator can only receive at most half of the gas of the overall transaction back. The minor will get the other half (or more) back.
        • Example: if a transaction used 60,000 gas and cleared 2 contracts for a refund of 48,000 (24,000 each above), the originator would still pay the miner for 30,000 gas, while receiving only 30,000 gas back (half of the overall amount spent for the transaction, but not the full amount of 48,000 for the refund operations).
    • To request a smart contract to be invoked, you provide a fee as well, which is given to the miner (on top of the gas cost) as additional incentive to complete the transaction earlier.
    • Create a smart contract in your browser and run on the test network: https://ethereum.github.io/browser-solidity/

Different consensus algorithms

  • Multichain: private blockchain platform, with a customized consensus instead of proof-of-work (e.g. 3/5 signatures from trusted sources needed for each block).
  • Tendermint: proof-of-stake algorithm that works with validators, over the course of many rounds of concensus.
    • Miners deposit currency/tokens to become "validators", and are then able to compete in the block consensus process.
    • If a validator does something wrong, they lose their deposit, and are no longer able to be a validator.
    • Each new block starts with a randomly selected validator proposing a block of transactions. Then, all validators will vote on whether that block is valid. They will keep voting on new block proposals until 2/3 of the validators agree on one block, at which point they will submit a final commit vote saying that they both approve the new block, and they witnessed that 2/3 of validators approved the block. This process then repeats to continue building the blockchain.

How blockchain technology is being used

  • HUGE- smart contracts
    • Code that is stored on the blockchain, and executed on every system in the blockchain when a certain condition is met.
      • More of a "smart agent" than a "smart contract". They can themselves hold balances of cryptocurrency, or even control other smart contract programs. They run completely autonomously.
    • Ethereum is leading this effort (the primary purpose of its platform). Every program or application being run on the Ethereum blockchain was built using their smart contract code.
  • Using tokens to signify share ownership of a company
    • A whole new concept called an ICO (initial coin offering) allows companies to be funded on the Ethereum blockchain. Companies can use smart contracts to programmatically deliver shares of the company upon successful funding, or release funds back to investors if the terms of the contract are not reached (i.e. the company does not reach its funding targets). Think Kickstarter, but with no fees and an absolute money-back guarantee upon unsuccessful funding (or other conditions listed).
  • Voting
    • Everyone gets one token for each vote, can only be spent once (remember- most blockchain implementation solves the double spend problem), votes are tracked in an indisputable ledger.
  • Tracking art and other digital assets.
    • Useful to track ownership of a particular asset, such as music by tracking a fingerprint of that digital asset.
  • Tracking shipments and other physical goods.
  • A token to signify ownership of real-world physical goods and commodities.
    • Digix (https://dgx.io): one token = 1g gold (stored in a vault in Singapore). Built on Ethereum's blockchain and EVM.
    • Tether (https://tether.to): one token = $1 USD (stored in a bank account in Hong Kong).
      • NuBits (https://nubits.com/): same as above, except they regulate the price between BTC and USD by either printing more tokens or buying back tokens.
      • BitUSD & Maker DAO: both use smart contracts with built-in collateral (buyer puts up more BTC than is actually needed), and in the event of a BTC market crash, the smart contracts automatically pull the money out at the right time, so that there is still a valid price link between BTC and USD on their platforms. Maker DAO also provides insurance for "black swan" crashes, using their own money as collateral.
        • These allow for margin trading (gains and losses are magnified because the collateral causes the smart contract to essentially be worth more, allowing for the price of the tokens to be worth more on the market. Thus, if someone trades their token for BTC when BTC is on par, but then if BTC price goes up, they can buy back a token and have BTC left over; works inversely when BTC price goes down).
  • "Pegged sidechains": allowing currency to move between blockchains (e.g. BTC to the Ethereum blockchain, and vice-versa; OR BTC to other service on another blockchain!). This works simply by trusting that a token holds an explicit value, and locking away the primary currency/token.
    • The primary cryptocurrency is stored away while transactions happen on the side chain (the other blockchain). Only when the initial cryptocurrency is requested to be pulled out by trading back for the token is that cryptocurrency value "unlocked".
  • Paid LinkedIn-like messaging for high-profile individuals.
    • https://21.co
    • There is the option for the individual to automatically donate the funds to a charity.
  • Distributed storage
    • https://storj.io: get paid to host hard drive space, store your files across distributed systems (encrypted before storage).
    • https://ipfs.io: aims to replace HTTP and distribute web content across a blockchain network.
  • Many more implementations and uses that we haven't even thought of yet (it's an incredibly exciting time!)

Who is using blockchain right now

Blockchain companies in Ontario

  • BitAccess: offers bitcoin ATMs ("BTMs").
  • Paycase: universal money transfer platform (currently in private beta)
  • Coinkite: hardware solutions around accepting and trading with bitcoins.
  • Coinsquare: Buy and sell cryptocurrencies AND precious metals online. Also allows for funding with cash in their downtown Toronto office.
  • Cryptiv: Enterprise wallets, with multi-key systems.
  • BitRush: Created their own cryptocurrency called "ANOON" (hoping that people adopt it), ad brokering on their blockchain, incorporates ANOON into online gaming payments.
  • ConsenSys Systems: Building decentralized apps (dApps), likely on the Ethereum network.
  • Rubix by Deloitte: consulting around blockchain, and building blockchain applications for enterprises and governments.
  • Nuco: Blockchain IAaS
  • SecureKey: Authentication using a blockchain backend. Currently in use for many government tax services, allowing you to login using your bank login information.

Security

Known flaws & vulnerabilities

Majority ledger

  • Majority ledger: 51% of processing power owned by one user.
    • Able to modify the blockchain and continue to generate the next hashes faster than the rest of the network, thereby allowing them to modify past blocks.
    • Reason why an attacker would not exploit this, from Nakomoto paper: "If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth."

Double spend

  • Double spend: essentially creating money out of thin air by creating two different transactions using the same inputs.
    • This is why you should wait for 6 block confirmations after a transaction block where you received money to ensure that it is securely on the longest chain (and thus, valid and not going away).
    • The way to do this is often through increasing the transfer fee (the "tip" to the miner for including your transaction in their block)

Private key brute-force (collision)

Wallet correlation

  • Wallet correlation: linking multiple wallets back to a single entity.
    • Wallets can be linked to one person by looking at the "scriptSig" (digital signature) in inputs for a transaction. If multiple inputs are provided in a transaction (usually the case), and they are all validly signed, that means the sender has the private key associated with the wallet (public key) storing those transactions. This means that once a transaction is used to send bitcoins, unless they use the exact amount needed (only one input; rare), multiple wallets get linked together.
      • By tracing back through the input's own transaction history, if other wallets were used as outputs in those same transactions, then they likely belong to the same person as well.
    • OpSec
      • Since Bitcoin is P2P, anyone can identify other IPs that are using Bitcoin. Simply listen to traffic on your network and log all nodes that connect to yours.
        • You also broadcast all your transactions to neighbouring nodes in the clear (bitcoin traffic is unencrypted). If those neighbouring nodes are logging IPs, they can tie it back.
      • If you ever use a bitcoin wallet to purchase something on a website with shipped data, an exchange, or anywhere else where your identity is revealed, it can be tied back to your bitcoin wallets.
      • If a user has used an exchange to buy, sell, and trade bitcoin, their IP address and their PII (due to "KYC"- know your customer laws) can be linked to that wallet.
        • Many exchanges are using the "on and off ramps" like these to help with regulation of bitcoin. This is where the tracking often comes in.
    • Only way to be fully anonymous on the Bitcoin network is to mine the wallet yourself, through a VPN (or multiple VPNs), and never tie those bitcoins to your real life identity in any way.
      • This is practically impossible now. Close second would be to use something like localbitcoins.com to buy bitcoins locally, rather than trying to mine them.
    • Really good guide on how to use Bitcoin as anonymously as possible: https://99bitcoins.com/know-more-using-bitcoin-anonymously/

Contract loopholes/abuse (AppSec)

  • If there is a loophole in the contract's logic, then it may be possible to exploit it for money, because the contract is seen as the single source of truth, and followed to the letter.
  • Example of this: "The DAOsaster"
    • "The DAO" is a distributed autonomous organization (DAO) on the Ethereum blockchain. It operated as a hedge fund where investors in the initial round of investment (which reached a total of USD $150 million in 21 days- the largest crowdfund in history) received a token that signified part ownership in The DAO. Investors/stakeholders would then be able to vote on investments in companies (investments proposed by "contractors").
    • Through a set of what were essentially business logic vulnerabilities in the way The DAO was programmed, an attacker was able to siphon around $50 million of Ether, which was legitimate according to the smart contract parameters.
    • The attack was a "recursive send" vulnerability. Basically, The DAO contract allowed token holders to split from The DAO and withdraw their funds. Wallet contracts can have a default function. The code in the DAO contract called this default function in the time between the funds being pulled from the DAO's pool of funds and the time that the total funds in the user's DAO account was updated (essentially a TOCTOU vulnerability). By setting the default function to split from the DAO again, it essentially pulled more money from the pool, while the DAO still thought there was money left in the account.
      • The icing on the cake is that the DAO contract only thinks it has lost the original amount that was in the user's account (could be very little), rather than the full amount that was siphoned in each recursive call. This is because the balance update function happens with the assumption that only the original amount was withdrawn. Thus leaving The DAO to think it has way more money than it actually did.
    • After this, the Ethereum organization decided to manually fix the loophole in The DAO's smart contract and fork the blockchain to accomplish this. This was called a "hard fork", and left a lot of people upset, obviously. The old chain continued on as "Ethereum classic", but its value has not kept pace with the new Ethereum blockchain.
  • Essentially: business logic vulnerabilities.

Cryptocurrency-related breaches

  • Instances of cryptocurrency-related security breaches: https://magoo.github.io/Blockchain-Graveyard/
    • Some were due to issues with the cryptocurrency, however most breaches were attributed to traditional security issues (server breach, account takeover, application vulnerability, etc.).

Auditing cryptocurrencies

  • Cryptocurrency Security Standard: https://cryptoconsortium.github.io/CCSS/
    • 2 domains, covering 10 aspects
      • Cryptographic Asset Management
        • Key/seed generation
        • Wallet creation
        • Key storage
        • Key usage
        • Key compromise protocol
        • Keyholder grant/revoke policies & procedures
      • Operations
        • Security audits/pentests
        • Data sanitization policy
        • Proof of reserve
        • Audit logs

Example Cryptocurrency Security Standard scorecard Example Cryptocurrency Security Standard scorecard

Smart contract analysis tools

Other resources

@insp3ctre

This comment has been minimized.

Copy link
Owner

insp3ctre commented Sep 23, 2017

Contributions welcome! Gists do not allow pull requests, but if you would like to submit a change, please just fork the gist, update it, then send me a link to your origin on GitHub, so I can merge it into the master branch (you can find a guide on how to do so here: http://www.focustheweb.com/2015/04/06/a-basic-collaboration-workflow-on-gist.html). Or if it's a smaller change or suggestion, simply post a comment on here and I'll update it accordingly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment