A Look Into Emerging Security
Issues Within Cryptocurrency
Ecosystems
Beau Bullock
Mike Felch
Overview
• Brief background on what
cryptocurrencies are
• Various elements of the
cryptocurrency ecosystem
• A history of some major hacks
• Some general vulnerabilities
• Some blockchain-specific
vulnerabilities
About Us
• Mike Felch - @ustayready
• Pentest / Red team at BHIS
• Involved w/ OWASP Orlando and BSides
Orlando
• Beau Bullock - @dafthack
• Pentest / Red team at BHIS
• Podcaster, blogger, and guitarist
• Tradecraft Security Weekly hosts
• CoinSec Podcast hosts
What Are Cryptocurrencies?
• Digital currencies that typically utilize a
blockchain to regulate the generation
of the currency, and verify the transfer
of funds, usually in a decentralized
manner.
• There are over 1500 coins/tokens
listed on coinmarketcap.com
• Some of these have unique
blockchains
• Others are tokens built on top of
blockchains using smart contracts.
The Cryptocurrency Ecosystem
Ecosystem: Blockchain
• A digitized, decentralized, public ledger of
all transactions
• A combination of:
• Public-key cryptography (digital signatures)
• Peer-To-Peer (P2P) Network
• Protocol governing incentivization
• Records cannot be retroactively altered
without redoing the work for every later block
• Every full node has a copy of the blockchain
Ecosystem: Blockchain
Image source: https://dzone.com/articles/adopting-blockchain-how-a-devops-approach-can-help
Ecosystem: Nodes & Miners
• Full Nodes
• Download every block and transaction
and check them against the protocol’s
consensus rules
• Maintain the decentralized “backup”
• Miners
• Collect verified transactions into a candidate block
• Solve a Proof-of-Work problem
• Add block to the blockchain
• Get rewarded
Ecosystem: Wallets
• Wallets hold your private keys
• Anyone that has your private keys can
control your wallet
• If you lose your private keys your coins
are gone
• Web/Mobile Wallets
• Third-party hosted wallet using a web-
based application for a user interface
• Might be convenient but you don’t
control your private keys
Ecosystem: Wallets
• Desktop Wallets
• Wallets are local to your computer
• Full nodes require the full blockchain to be
downloaded
• At risk of hackers compromising your system
• Hardware Wallets
• Private keys are generated and stored on a
dedicated device, usually protected by a PIN;
signing happens on the device
• The host software for interacting with the device
can be prone to MiTM attacks, so verify addresses
on the device's own screen
• Paper Wallets
• Private keys are printed and never stored
digitally
• If destroyed coins are lost
Ecosystem: Exchanges
• Websites that facilitate the ability to
exchange fiat currency for
cryptocurrency
• $, €, £, ¥, etc. → BTC, ETH, LTC, etc.
• …or cryptocurrency for other
cryptocurrency
• BTC, ETH, LTC, etc. → BTC, ETH, LTC, etc.
• Extremely high-value targets for attackers
(they hold the keys to many users' funds)
Ecosystem: Smart Contracts
• Code that sits on the blockchain
• Can be self-executing and self-enforcing
• Exchange of currency, data, shares, etc
• Polls/elections (commit-reveal)
• Removes the third-party from deals
• Code and state are public; any function is
callable by anyone unless access-controlled
• Deployed code can't be changed and
transactions can't be reversed
• Not for EVERYTHING!
Ecosystem: ICOs
• Initial Coin Offering (ICO)
• A fundraising mechanism in which projects
sell their underlying tokens
• Ethereum raised $19 million in 2014
• The DAO raised over $150 million in 2016
• Most of the ICO world is riddled with scams
• Some Ponzi schemes, some have no working
platform, some take the money then disappear
• Participants are highly targeted by phishers
Ecosystem: Malware
• Ransomware
• Generally requests payment in Bitcoin to
decrypt files held ransom
• WannaCry – Estimated to have infected
more than 200,000 systems
• Mining Malware
• Coinhive – A JavaScript-based miner
embedded in websites
• WannaMine – Similar to WannaCry –
Uses EternalBlue to infect, then mines
Some Major Cryptocurrency
Security Events
Some Major Events
• Mt. Gox - Feb. 2014 - 850,000 bitcoins
went “missing” ($450 million at the time)
• The DAO Hack - June 2016 - 3.6 million
ETH stolen ($50 million at the time)
• Parity Hack - Nov 2017 - $155 million of
ETH “locked” forever
• Coincheck - Jan 2018 (two weeks before this
talk) - $533 million of NEM stolen from a hot wallet
• …Oh and roughly $1.5 million is stolen from
ICOs every month
General Vulnerabilities
General AppSec Vulns
• Overstock.com Payment Vulnerability
• Checkout accepted Bitcoin, but the payment
flow also accepted the same nominal amount
in Bitcoin Cash (worth far less)
• Buy a $78 item for about $12 worth of
Bitcoin Cash
• Refunds were then paid out in Bitcoin
• EtherDelta Cross-Site Scripting
• XSS payload placed in a custom token's
metadata
• Users were tricked into adding the malicious
token
• The injected script stole private keys
Image source: https://krebsonsecurity.com/2018/01/website-glitch-let-me-overstock-my-coinbase/
Weak or No Encryption
• BitPay/Copay apps wrote new wallet’s
private keys to disk prior to encryption
• Jaxx wallet – 12 word backup phrase
stored with hardcoded encryption key
• Coinomi wallet – Sent data in plaintext
to Electrum servers leaking addresses
• Blockfolio app – Unauthenticated and
unencrypted retrieval of crypto
holdings
DNS Hijacking
• DNS Hijacking – An attacker takes over a
site's DNS records (typically via the DNS
provider or registrar account) and redirects
user traffic to a malicious site
• Blackwallet Hack (Jan 2018)
• Hijacked DNS and injected code to drain
accounts holding more than 20 Lumens
• $400,000 worth of Stellar Lumens stolen
• EtherDelta Hack (Dec 2017)
• Hijacked DNS to serve a fake front-end
• $250,000 worth of Ether stolen
Image Source: http://resources.infosecinstitute.com/attacks-over-dns
Insecure JSON-RPC
• Electrum Wallet
• For over 2 years the JSON-RPC interface on
localhost accepted requests with no
authentication and no origin check, so any
web page's JavaScript could talk to it
• Simply having the wallet open and surfing
the web could allow for private keys to be
stolen
• Even with a password set, the interface still
allows for brute-force attempts
• Reported on GitHub Nov. 2017, then
again by Tavis Ormandy in Jan 2018
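The Electrum bug above is the general class of "local RPC reachable from the browser": a page on any site can POST to 127.0.0.1 with a `text/plain` body (no CORS preflight), and the server acts on the request even though the page cannot read the response. The following is an added example of the checks such an endpoint needs before it executes anything. It is not Electrum's code; the method allowlist, credentials, port and the sample requests are all constructed for the illustration.

```python
import base64
import binascii
import hmac

# Added example (not Electrum's code). ASSUMPTIONS: the method allowlist, the RPC
# credentials and the sample requests below are constructed for illustration.
ALLOWED_METHODS = {"getbalance", "listaddresses"}   # key-exporting methods stay off the wire
BROWSER_ONLY_HEADERS = ("origin", "referer", "sec-fetch-site", "sec-fetch-mode")
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


def authorize_rpc(headers, body, user, password):
    """Return (allowed, reason) for one JSON-RPC request.
    headers: HTTP header dict; body: the decoded JSON-RPC object."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Browsers always attach Origin/Referer to a cross-site POST; a local CLI
    #    client never does. A text/plain POST needs no CORS preflight, so without
    #    this check the page's request reaches the server anyway.
    for name in BROWSER_ONLY_HEADERS:
        if name in h:
            return False, f"browser-originated request ({name} header present)"

    # 2. Host must be loopback. DNS rebinding points evil.example at 127.0.0.1,
    #    but the browser still sends "Host: evil.example".
    raw_host = h.get("host", "")
    host = raw_host.split("]")[0] + "]" if raw_host.startswith("[") else raw_host.split(":")[0]
    if host not in LOOPBACK_HOSTS:
        return False, f"unexpected Host header: {raw_host!r}"

    # 3. Credentials (a random per-install secret), compared in constant time.
    auth = h.get("authorization", "")
    if not auth.startswith("Basic "):
        return False, "missing credentials"
    try:
        supplied = base64.b64decode(auth[6:], validate=True)
    except (binascii.Error, ValueError):
        return False, "malformed credentials"
    if not hmac.compare_digest(supplied, f"{user}:{password}".encode()):
        return False, "bad credentials"

    # 4. Method allowlist: even an authenticated caller cannot export keys over RPC.
    method = body.get("method")
    if method not in ALLOWED_METHODS:
        return False, f"method not allowed: {method!r}"
    return True, "ok"


def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample requests as a wallet listening on 127.0.0.1:7777 might see them.
SAMPLE_REQUESTS = {
    "drive-by page": ({"Host": "127.0.0.1:7777", "Origin": "http://evil.example",
                       "Content-Type": "text/plain"}, {"method": "getbalance"}),
    "dns rebinding": ({"Host": "evil.example:7777", "Content-Type": "application/json",
                       "Authorization": basic("rpcuser", "s3cret")}, {"method": "getbalance"}),
    "local cli, wrong password": ({"Host": "127.0.0.1:7777",
                                   "Authorization": basic("rpcuser", "guess")},
                                  {"method": "getbalance"}),
    "local cli": ({"Host": "127.0.0.1:7777", "Authorization": basic("rpcuser", "s3cret")},
                  {"method": "getbalance"}),
    "local cli, key export": ({"Host": "127.0.0.1:7777",
                               "Authorization": basic("rpcuser", "s3cret")},
                              {"method": "getmasterprivate"}),
}


def evaluate_samples(user="rpcuser", password="s3cret"):
    """Run every constructed request through authorize_rpc and return the verdicts."""
    return {label: authorize_rpc(hdrs, body, user, password)
            for label, (hdrs, body) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, verdict in evaluate_samples().items():
        print(f"{label:28s} -> {verdict}")
```

Only the plain local CLI call gets through; the drive-by page fails on its `Origin` header before credentials are even considered, and the rebinding request fails on `Host` even though it carries valid credentials. The allowlist is the last line of defence: a wallet that must expose RPC should not make private-key export callable over it at all.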
Blockchain Vulnerabilities
A Majority Attack
• Also known as the 51% attack
• Potentially allows the attacker to
“double-spend” their own coins by mining a
longer chain that omits a payment already
confirmed on the public chain
• Can prevent some transactions from
gaining confirmations
• Can prevent some or all other miners from
mining any valid blocks
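A 51% share makes the double-spend certain, but the same attack works probabilistically with less hash power; the merchant's only lever is how many confirmations to wait for. The block below is an added example, not from the slides: it carries through Nakamoto's whitepaper calculation (section 11 of the Bitcoin paper) of the probability that an attacker with hash-rate share q eventually overtakes a payment buried under z blocks, and derives how many confirmations keep that probability under a chosen target. Function names and the target threshold are this example's own choices.

```python
import math

# Added example: Nakamoto's double-spend success probability (Bitcoin whitepaper, sec. 11).
# ASSUMPTIONS: function names and the 0.1% target are choices made for this illustration.


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the hash rate eventually
    rewrites a transaction that has z confirmations. p = 1 - q is the honest share."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of the total hash rate")
    p = 1.0 - q
    if q >= p:
        return 1.0                     # majority (or 50/50): the attacker's chain wins for certain
    lam = z * q / p                    # expected attacker blocks while honest miners find z
    total = 0.0
    for k in range(z + 1):             # attacker mined k blocks during that time ...
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))   # ... and never catches up from z-k behind
    return 1.0 - total


def confirmations_needed(q: float, target: float = 0.001, max_z: int = 10_000):
    """Smallest z for which the attacker's success probability drops below `target`.
    Returns None when no number of confirmations helps (q >= 0.5)."""
    if q >= 0.5:
        return None
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) < target:
            return z
    return None


def success_table(qs=(0.1, 0.3, 0.45, 0.51), zs=(0, 1, 2, 6, 10)):
    """Probability grid (rounded to 7 places) for a few hash-rate shares and depths."""
    return {q: {z: round(attacker_success_probability(q, z), 7) for z in zs} for q in qs}


if __name__ == "__main__":
    for q, row in success_table().items():
        print(f"q={q:.2f}: " + "  ".join(f"z={z}:{p:.7f}" for z, p in row.items()))
    for q in (0.1, 0.3, 0.45):
        print(f"q={q}: wait {confirmations_needed(q)} confirmations for P < 0.1%")
```

With 10% of the hash rate an attacker still has a 20% chance of reversing a one-confirmation payment, which is why exchanges credit deposits only after several blocks; at 45% the required depth runs into the hundreds, and at 50% or more the model returns certainty, which is the 51% attack.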
Implementation Vulns
• Short Addresses
• In Lisk, addresses are 64-bit numbers, such as: 3040783849904107057L
• Derived deterministically from a passphrase
• SEED = SHA-256(passphrase) → ED25519 KEYPAIR = SHA-512(seed) & scalar
multiplication → ADDRESS = 8 bytes of SHA-256(public key), read as a 64-bit number
• Only 64 bits of the hash survive, so a colliding keypair (an address preimage) can
be found in approximately 2^64 evaluations
• No Address-Key Binding
• In Lisk, an address isn't bound to a keypair until that keypair has sent tokens to
another address
• Attacker derives a colliding keypair for an address that has only ever received
funds and hijacks the account
Source: https://research.kudelskisecurity.com/2018/01/16/blockchains-how-to-steal-millions-in-264-operations/
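The two bullets above only bite together: the short address makes a collision affordable, and the missing binding makes the collision spendable. The following added example (not Lisk's code) models both in a toy ledger. The passphrase-to-key step is stood in for by a hash, since the cost of the search depends only on how many address bits survive the truncation, not on the curve; the address width is shrunk from 64 to 16 bits so the brute force finishes in a fraction of a second, and the passphrases and balances are constructed.

```python
import hashlib
import itertools

# Added example, not Lisk code. ASSUMPTIONS: SHA-512(seed)[:32] stands in for the
# Ed25519 public key; the address keeps 8 hash bytes (which 8, and in which byte order,
# does not change the attack) masked down to addr_bits so the toy runs quickly.
# Lisk's real 64-bit addresses cost ~2**64 evaluations, as the Kudelski post computes.


def pubkey_from_passphrase(passphrase: str) -> bytes:
    seed = hashlib.sha256(passphrase.encode("utf-8")).digest()
    return hashlib.sha512(seed).digest()[:32]          # stand-in for the Ed25519 keypair step


def address_from_pubkey(pubkey: bytes, addr_bits: int) -> int:
    digest = hashlib.sha256(pubkey).digest()
    return int.from_bytes(digest[:8], "big") & ((1 << addr_bits) - 1)


def find_colliding_passphrase(target_addr: int, victim_pubkey: bytes, addr_bits: int):
    """Brute-force a passphrase whose *different* key hashes to the victim's address.
    Expected work is about 2**addr_bits evaluations; returns (passphrase, evaluations)."""
    for i in itertools.count():
        candidate = f"attacker-{i}"
        pk = pubkey_from_passphrase(candidate)
        if pk != victim_pubkey and address_from_pubkey(pk, addr_bits) == target_addr:
            return candidate, i + 1


class ToyLedger:
    """Balances are keyed by address. A public key is bound to an address only when a
    transaction from it is first accepted, so an address that has only ever *received*
    funds accepts any key that hashes to it (the Lisk behaviour on the slide)."""

    def __init__(self, addr_bits: int):
        self.addr_bits = addr_bits
        self.balances = {}
        self.bound_key = {}

    def deposit(self, address: int, amount: int) -> None:
        self.balances[address] = self.balances.get(address, 0) + amount

    def send(self, passphrase: str, to_address: int, amount: int) -> None:
        pk = pubkey_from_passphrase(passphrase)
        sender = address_from_pubkey(pk, self.addr_bits)
        bound = self.bound_key.get(sender)
        if bound is not None and bound != pk:
            raise PermissionError("address is bound to a different public key")
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.bound_key[sender] = pk                    # first accepted send binds the key
        self.balances[sender] -= amount
        self.deposit(to_address, amount)


def run_demo(addr_bits: int = 16) -> dict:
    victim_pass = "correct horse battery staple"      # constructed sample passphrase
    victim_pk = pubkey_from_passphrase(victim_pass)
    victim_addr = address_from_pubkey(victim_pk, addr_bits)
    attacker_pass, work = find_colliding_passphrase(victim_addr, victim_pk, addr_bits)
    cashout_addr = (victim_addr + 1) & ((1 << addr_bits) - 1)   # any address the attacker controls

    # Case 1: the victim only ever received funds, so nothing is bound and the collision drains it.
    ledger = ToyLedger(addr_bits)
    ledger.deposit(victim_addr, 1000)
    ledger.send(attacker_pass, cashout_addr, 1000)
    hijacked = ledger.balances[victim_addr] == 0 and ledger.balances[cashout_addr] == 1000

    # Case 2: the victim sent once first, binding the real key; the same collision is rejected.
    ledger = ToyLedger(addr_bits)
    ledger.deposit(victim_addr, 1000)
    ledger.send(victim_pass, cashout_addr, 1)
    try:
        ledger.send(attacker_pass, cashout_addr, 999)
        rejected = False
    except PermissionError:
        rejected = True
    return {"work": work, "hijacked_unbound": hijacked, "rejected_after_bind": rejected}


if __name__ == "__main__":
    print(run_demo(16))
```

At 16 bits the collision costs tens of thousands of hashes; every extra address bit doubles it, which is the only reason 64 bits was ever workable at all. The durable fix is not a longer search but removing the second precondition: bind the public key to the address when the account is created (or on first receipt), not on first spend, so a colliding key is rejected even if one is found.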
Ethereum Smart Contracts
EVM: Virtual Machine
• Run-time environment for smart contracts
• Minimal instruction set operating on 256-bit words
• Arithmetic, bitwise, logical and comparison ops
• Stack machine (not a register machine)
• Contracts have storage (persistent), memory (per call) and a stack
• Sandboxed: no access to network, filesystem or other processes
• Code reuse via DELEGATECALL (library code runs in the caller's storage context)
• Contracts can be made to self-destruct
• Languages, compilers and bytecode *oh my*
Ethereum Smart Contracts
Source: http://www.gjermundbjaanes.com/understanding-ethereum-smart-contracts/
Exploiting Smart Contracts
• Re-entrancy (The DAO Hack)
• PRNG Predictability (Blockchain problem)
• Delegated Fallback Calls (Parity Hack #1)
• Schizophrenic Functions (Parity Hack #2)
• Integer Underflows (The DAO Hack)
• Unpredictable State (GovernMental DoS)
• … more!
Recursion Problems
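The re-entrancy item above is the recursion problem in one picture: the vault pays the caller before it records that the caller has been paid, and the payment itself hands control to the caller's code. The block below is an added example, a Python model of that Solidity pattern rather than Solidity or EVM code, written to show the drained balance next to the checks-effects-interactions fix. Contract and account names, deposit amounts and the recursion cap (standing in for the gas limit) are all constructed.

```python
# Added example: Python model of the Solidity re-entrancy bug behind The DAO hack.
# ASSUMPTIONS: a "contract" is a class; paying an address is modelled as crediting the
# recipient and then calling its fallback(), which is the point where the recipient's code
# runs. Names, amounts and the recursion cap are constructed for the illustration.


class Account:
    """Honest externally owned account: accepts ether and does nothing else."""

    def __init__(self, name: str):
        self.name = name
        self.ether = 0

    def fallback(self, vault, amount):
        pass


class VulnerableVault:
    """withdraw() pays out BEFORE zeroing the caller's balance (the DAO pattern)."""

    def __init__(self):
        self.balances = {}
        self.ether = 0                      # ether actually held by the contract

    def deposit(self, account, amount: int) -> None:
        self.balances[account] = self.balances.get(account, 0) + amount
        self.ether += amount

    def withdraw(self, account) -> None:
        amount = self.balances.get(account, 0)
        if amount == 0 or self.ether < amount:
            return
        # Interaction before effect: the Solidity equivalent is msg.sender.call.value(amount)().
        self.ether -= amount
        account.ether += amount
        account.fallback(self, amount)      # recipient code runs here; its balance is still non-zero
        self.balances[account] = 0          # too late if fallback already re-entered


class SafeVault(VulnerableVault):
    """Checks-effects-interactions: zero the balance first, then pay."""

    def withdraw(self, account) -> None:
        amount = self.balances.get(account, 0)
        if amount == 0 or self.ether < amount:
            return
        self.balances[account] = 0          # effect first ...
        self.ether -= amount
        account.ether += amount
        account.fallback(self, amount)      # ... so a re-entrant call sees nothing to withdraw


class Attacker(Account):
    """Malicious contract whose fallback re-enters withdraw() while the vault still has funds.
    max_depth stands in for the gas limit that eventually stops the recursion."""

    def __init__(self, max_depth: int = 64):
        super().__init__("mallory")
        self.max_depth = max_depth
        self.depth = 0

    def fallback(self, vault, amount):
        if self.depth < self.max_depth and vault.ether >= amount:
            self.depth += 1
            vault.withdraw(self)            # re-enter before the vault zeroed our balance
            self.depth -= 1


def run_attack(vault_cls):
    """Fund a vault with two honest depositors and a 1-ether attacker deposit, let the
    attacker withdraw once, and return (attacker_ether, ether_left_in_vault)."""
    vault = vault_cls()
    alice, bob, mallory = Account("alice"), Account("bob"), Attacker()
    vault.deposit(alice, 10)
    vault.deposit(bob, 10)
    vault.deposit(mallory, 1)
    vault.withdraw(mallory)
    return mallory.ether, vault.ether


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableVault))   # attacker walks off with everyone's ether
    print("safe:      ", run_attack(SafeVault))         # attacker gets back exactly the 1 deposited
```

Against the vulnerable vault the single `withdraw()` call nests twenty times and empties the contract; against the safe one the nested call finds a zero balance and returns. Reordering the statements is the whole fix; a re-entrancy mutex around `withdraw()` is the belt-and-braces alternative when the external call genuinely has to happen before the state update.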
Securing Smart Contracts
• Truffle: Develop, test, audit and deploy
• Solium: Lint Solidity and support code reviews
• Mythril: Scan contracts for vulnerabilities (symbolic execution)
• OpenZeppelin: Use audited security libraries
• Manticore: Symbolic execution of contracts (input generation, crash and taint analysis)
• Ethernaut: Hack contracts CTF style
• Ropsten: Deploy to Ethereum test networks
-Pentest all the things-
Conclusion
• Don’t let the negative stigma around “blockchain” stifle your
involvement
• “Blockchain” has become a buzzword but some extremely innovative
technologies have already, and will continue to be developed
• Many companies are looking to integrate blockchain blindly
• Vulnerabilities are surfacing in all aspects of the ecosystem including
the wallets, exchanges, smart contracts, even blockchains themselves
• New attack surfaces are forming
• There’s much more research to be done around securing the
cryptocurrency ecosystem
Resources
• NIST – Guidance on Blockchain (NISTIR 8202 draft) - https://csrc.nist.gov/CSRC/media/Publications/nistir/8202/draft/documents/nistir8202-draft.pdf
• DEF CON 25 – Hacking Smart Contracts by Konstantinos Karagiannis - https://www.youtube.com/watch?v=WIEessi3ntk
• OpenZeppelin - https://openzeppelin.org/
• Ethernaut - https://ethernaut.zeppelin.solutions/
• Trail of Bits Blog - https://blog.trailofbits.com/
• Solidity - http://solidity.readthedocs.io/en/develop/
• Whitepaper on attacks - https://eprint.iacr.org/2016/1007.pdf
Questions?
• Black Hills Information Security
• http://www.blackhillsinfosec.com/
• Beau - @dafthack
• Mike - @ustayready
• CoinSec Podcast - @coinsecpodcast
• https://www.coinsecpodcast.com