
TEAM

Editor-in-Chief

Joanna Kretowicz 

joanna.kretowicz@eforensicsmag.com

Editors:

Marta Sienicka

sienicka.marta@hakin9.com

Marta Strzelec

marta.strzelec@eforensicsmag.com

Dominika Zdrodowska

dominika.zdrodowska@eforensicsmag.com

Bartek Adach

bartek.adach@pentestmag.com

Proofreader:

Lee McKenzie

Senior Consultant/Publisher: 

Paweł Marciniak 

CEO: 

Joanna Kretowicz 

joanna.kretowicz@eforensicsmag.com 

Marketing Director: 

Joanna Kretowicz 

joanna.kretowicz@eforensicsmag.com

DTP 

Marta Sienicka

sienicka.marta@hakin9.com

Cover Design
Hiep Nguyen Duc

Publisher 

Hakin9 Media Sp. z o.o.

02-676 Warszawa

ul. Postępu 17D 

Phone: 1 917 338 3631 

www.hakin9.org

All trademarks, trade names, or logos mentioned or used are the property of their respective owners.

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
This eBook is based on online course materials published at Hakin9 Magazine. In addition to what you can find here, the workshop contains video materials, exercises and a final test.

What will you learn?

• Blockchain Basics

• Blockchain Development

• Smart Contract Development

• Attacking Blockchain

• Securing your Blockchain

What skills will you gain?

• Blockchain and Smart Contract Development

• Blockchain and Smart Contract Security Auditing and Attacking

• Security Principles for Blockchain Implementations and Coding

• Security Principles for Smart Contract Implementations and Coding

What will you need?

• PC with a preferred operating system (Mac OSX 10.11+, Windows 7+, Linux)

• At least 8gb of RAM

• At least 2 core processor

What should you know before you join?

• Programming basics

• Object oriented programming basics (e.g. Java)

• Linux bash usage basics

COURSE PAGE

Pre-course Material
Attack and Defense in Blockchain
Technologies
Pre-course Material: Attack and Defense in Blockchain Technologies

Blockchain

In this course, our main target will be blockchains. Blockchain technologies (also called DLT, Distributed Ledger
Technologies) are becoming more popular and more widely used in industry because of some important properties
they offer in contrast with traditional centralized solutions. Some of these properties are:

• Decentralized. A blockchain stores data across a network, which eliminates the serious risks that come with data
held by a central entity. With distributed networking there is no central point that can be exploited, so
there is no single point of failure. In a blockchain, every node has a copy of the ledger and its quality is maintained
through massive database replication and computational trust. No central trusted node exists, and no copy is
more "trusted" than another.

• Transparency. All transactions can be viewed by anyone (on public blockchains). Transparency in a
blockchain helps the network verify that no counterfeit currency was produced, prevents double spending, and
ensures that the amount of coins in existence equals the amount generated up to a given time.

• Immutability of data. Once a transaction has been recorded in the blockchain by a node, no one can alter or
remove it. This is the main difference between a blockchain and regular database systems, in which data can be
edited or even deleted.

• Process integrity. Users can be sure that transactions will follow the rules set by the community developing
each blockchain. That way, there is no need for a trusted central party.

• Openness. Public blockchains are, most of the time, open source and permissionless.
That way, everyone can use the blockchain, participate in the network and even fork the source code to create
their own variation of it.

Blockchain was introduced by Satoshi Nakamoto together with the Bitcoin cryptocurrency, which is still the
most famous and widely used cryptocurrency. Bitcoin is a decentralized digital currency in which the two parties
of a transaction transact directly with each other, without involving third parties like a bank or a financial
institution. These transactions are verified by network nodes through the use of cryptography; the nodes are entities
connected to the Bitcoin network.

Optional Installation

In this course, we are going to examine different blockchain implementations and security aspects of them. In order to
properly examine these security aspects, we are going to use testnet implementations of a blockchain (especially the
Ethereum Blockchain) for which we will need a lightweight Ethereum wallet called Metamask.


Metamask is a browser extension for Chrome and Firefox that offers Ethereum wallet capabilities without the
need to keep a whole copy of the Ethereum blockchain. It is easy to install (just go to https://metamask.io/
and add the add-on to your browser) and supports the Ropsten test network, on which we will execute our tests.

After installing the Metamask add-on, you have to click on it to launch it. In the new window, we agree to the terms
and conditions and click on "Create new Vault" or "Create a new wallet", depending on our browser. We specify our
password and the seed will be presented. We have to copy this seed and store it in a secure location in order to be able
to restore our wallet if it is lost.

When the wallet starts, we are on the main network, where real money is needed to obtain some currency and
make our tests. For that reason, we select the network button in the top right corner of the add-on and choose
the Ropsten network.


Image 1: Ethereum network change in the Metamask Add-on.

Now that we are connected to the test network, we can get some free Ether from the faucet at
http://faucet.ropsten.be:3001/. We just head to the website, paste our wallet address (which can be found on the
Metamask add-on main page) and hit "Send me 1 test Ether". We can do this more than once, but 1 Ether is good
enough to start with. After a couple of seconds, the Ether will be available in our wallet and ready for use.

Finally, we have to mention that the test network is used so that we can test vulnerabilities and
transactions without threatening the integrity of the main network or real assets, and without having to manage and spend
real money. Also, we have to mention that everything described in this course has to be executed ONLY in environments that
we own or have permission to test.

MODULE 1
Introduction to Blockchain, Cryptocurrencies
and Smart Contracts
Introduction to Blockchain, Cryptocurrencies and Smart Contracts

1. Introduction to Blockchain and Distributed Ledger Technologies

The concept of blockchain was first introduced in Satoshi Nakamoto's whitepaper [1] about Bitcoin, which is, as the
title implies, a "Peer-to-Peer Electronic Cash System". In particular, Bitcoin is a decentralized digital currency in which
the two parties of a transaction transact directly with each other, without involving third parties like a bank or a
financial institution. These transactions are verified through cryptography by network nodes, which are entities
connected to the Bitcoin network.

1.1. Blockchain Characteristics

A blockchain is a chain of blocks; technically, it started as a simple database that stores the transactions of the
Bitcoin network. What differentiates it from a simple database is that each block is linked to the previous
block in the chain, so the data in a block cannot be changed without every block linked after it changing too. The most
important characteristics of a blockchain have been presented in the pre-course material, but as with every system,
blockchains have some disadvantages too, which anyone has to consider before using them. Those worth
mentioning are:

• Required processing power and redundancy. Blockchains, due to their use of cryptographic algorithms
such as ECDSA, need a significant amount of processing power. This may not be noticeable to a user, but the overall
time needed for computational tasks is much larger than in traditional centralized database systems. Also, in a
blockchain every transaction has to be processed by each node in the network, in contrast with a
traditional database system, which means much more total computational work across the network.

• 51% attack. Mining pools gain the ability to perform several attacks as soon as they control a significant
percentage of the network's hash power. The attack is based on the fact that a pool with that much power can
generate the longest chain on its own [2], which can result in the attacker double-spending coins.
Although 51% of the network's hash power is nominally necessary for this attack, it has been shown that attacks
are possible even with less [6].

• Consensus. In blockchain systems, the network has to reach consensus. This is difficult to achieve,
and there are many examples where consensus was not reached and forks of systems were created, or whole
communities fell apart.

Technically, any computer that connects to the peer-to-peer Bitcoin or Ethereum network is called a
node. A node can execute several functions that determine the "role" it will have in the network [3]. These
functions are:


• Routing. All nodes have to support at least this function to participate in the Bitcoin network. With this
function a node validates and relays transactions and blocks and maintains its connections with other
network peers.

• Full Blockchain. Nodes with this function maintain a full copy of the "database" of the history of transactions, the
blockchain. These nodes have the ability to verify any transaction locally, without any external reference. There
is also the option of maintaining only a part of the blockchain, in order to save space, which is called pruning.
With pruning, once the node has downloaded the whole blockchain and validated the blocks in it, it discards the old
data that is not needed anymore.

• Mining. Mining is the process in which nodes that support this function compete to create new blocks by trying
to solve the proof-of-work puzzle that we will see later. These nodes have to use specialized hardware due to
the computational difficulty of the puzzle to be solved.

Also, a full node is a node that contains all the basic functions that a node can perform: network routing, mining, full
blockchain database and wallet. User wallet is a function that every node has, and manages the assets and the
transactions of a user. Finally, lightweight wallets exist that maintain only a subset of the full blockchain and verify
transactions with the Simplified Payment Verification (SPV) method in Bitcoin for example. These wallets are really
useful for devices with limited available storage capacity, like smartphones.

1.2. Creating nodes with Geth

To create a node in the Ethereum network, on our Linux machine, we have to start by installing the geth CLI
application, which is the official way of creating a node in the Ethereum Network. To do so, we simply have to run the
following commands in our Ubuntu terminal:

• sudo apt-get install software-properties-common

• sudo add-apt-repository -y ppa:ethereum/ethereum

• sudo add-apt-repository -y ppa:ethereum/ethereum-dev

• sudo apt-get update

• sudo apt-get install ethereum

Installing geth on other operating systems is pretty simple too, and you can find out how in the geth documentation
(https://ethereum.gitbooks.io/frontier-guide/content/index.html). To continue, we have to create a new account,
which will contain a pair of keys (private and public, which we will examine further later) and an Ethereum address.
To do so, we execute:


• geth account new

The command will prompt us for a password, which is used to protect the private key that will be stored locally, and the
new address will then be shown in the terminal, as we can see in Figure 1. From now on, geth knows that this
generated account is one of ours and keeps it in its local database.


Figure 1: The resulting address after creating an account with geth.

After that, we can list our account(s) as simply as typing geth account list.


Figure 2: Account listing in Geth.

Let’s continue by explaining how these addresses get created.

1.3. Blocks

To fully understand the concept of a blockchain, we have to examine the structure of a single block. Blocks are
containers of data that can contain more than 500 transactions, on average, in the Bitcoin blockchain. The size of each
block, containing this number of transactions, reaches 1 MB and considering that every 10 minutes a new block is
created, the blockchain gets 140 MB bigger each day, on average.
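Before looking at the real block layout, it helps to see the two ideas already stated in this module working together in code: a block commits to its transactions and to the hash of the previous block (section 1.1), and the proof of work that miners solve is part of the same hash. The following is an added example written for this edit; it is not code from the course or from any Bitcoin or Ethereum implementation. It assumes a simplified model: SHA-256 with a leading-zeros target stands in for Bitcoin's difficulty target, a hash of the transaction list stands in for the Merkle root, and the transaction batches, timestamps and function names are constructed for the demonstration.

```python
import hashlib
import json
from dataclasses import dataclass

# Proof-of-work target for the demo: a valid block hash must start with this many
# hex zeros (an assumed, tiny stand-in for Bitcoin's real difficulty target).
DIFFICULTY = 3

# Constructed sample transaction batches, one list per block (not real chain data).
SAMPLE_BATCHES = [
    [{"from": "coinbase", "to": "alice", "amount": 50}],
    [{"from": "alice", "to": "bob", "amount": 20}],
    [{"from": "bob", "to": "carol", "amount": 5}, {"from": "alice", "to": "dave", "amount": 10}],
]


@dataclass
class Block:
    index: int
    prev_hash: str      # hash of the previous block: the link that makes this a chain
    transactions: list  # the block's payload
    timestamp: float
    nonce: int = 0      # adjusted during mining

    def tx_root(self) -> str:
        """Hash committing to the whole transaction list (stand-in for a Merkle root)."""
        return hashlib.sha256(json.dumps(self.transactions, sort_keys=True).encode()).hexdigest()

    def block_hash(self) -> str:
        """SHA-256 of the canonical header; it covers every field, including tx_root."""
        header = {"index": self.index, "prev_hash": self.prev_hash, "tx_root": self.tx_root(),
                  "timestamp": self.timestamp, "nonce": self.nonce}
        return hashlib.sha256(json.dumps(header, sort_keys=True).encode()).hexdigest()


def meets_target(digest: str, difficulty: int = DIFFICULTY) -> bool:
    return digest.startswith("0" * difficulty)


def mine(block: Block, difficulty: int = DIFFICULTY) -> Block:
    """Proof of work: search for a nonce whose header hash meets the target."""
    block.nonce = 0
    while not meets_target(block.block_hash(), difficulty):
        block.nonce += 1
    return block


def build_chain(tx_batches, difficulty: int = DIFFICULTY) -> list:
    """Mine one block per batch, each linked to the hash of the block before it."""
    chain, prev_hash = [], "0" * 64  # the genesis block has no predecessor
    for i, txs in enumerate(tx_batches):
        block = Block(index=i, prev_hash=prev_hash,
                      transactions=[dict(t) for t in txs],  # copy, so the caller's data stays intact
                      timestamp=1700000000.0 + i)           # constructed, fixed for determinism
        chain.append(mine(block, difficulty))
        prev_hash = block.block_hash()
    return chain


def verify_chain(chain, difficulty: int = DIFFICULTY):
    """Validate as a full node would: index order, links and proof of work. Returns (ok, reason)."""
    prev_hash = "0" * 64
    for i, block in enumerate(chain):
        if block.index != i:
            return False, f"block {i}: unexpected index {block.index}"
        if block.prev_hash != prev_hash:
            return False, f"block {i}: prev_hash does not match the hash of block {i - 1}"
        digest = block.block_hash()
        if not meets_target(digest, difficulty):
            return False, f"block {i}: proof of work does not meet the target"
        prev_hash = digest
    return True, "chain valid"


def tamper_and_check(chain, block_index: int, new_amount: int):
    """Edit a recorded transaction in place (without re-mining) and re-validate."""
    chain[block_index].transactions[0]["amount"] = new_amount
    return verify_chain(chain)


def remine_from(chain, start: int, difficulty: int = DIFFICULTY) -> list:
    """What an edited history costs: every block from the edited one onward must be
    re-linked and re-mined, which is why tampering gets harder the deeper the block is."""
    for i in range(start, len(chain)):
        if i > 0:
            chain[i].prev_hash = chain[i - 1].block_hash()
        mine(chain[i], difficulty)
    return chain
```

Running `build_chain(SAMPLE_BATCHES)` and then `tamper_and_check(chain, 1, 999)` shows the validation failing immediately, because the edited transaction changes `tx_root`, which changes the block hash, which no longer meets the target; re-mining just block 1 still fails, because block 2 stores the old hash of block 1. Only `remine_from(chain, 1)`, redoing the work for every later block, makes the edited history validate again, which is the cost the longest-chain rule and the 51% discussion in section 1.1 are about.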

MODULE 2
Blockchain and Smart Contract
Development
Blockchain and Smart Contract Development

2. Blockchain and Smart Contract Development

Due to the hype that came with the introduction of blockchain technologies, and at the same time the breakthrough
capabilities that came with them, many people got involved with blockchain, a small part of them being developers and
engineers. The development potential of blockchains was not clear in the first steps of blockchain and Bitcoin
specifically, but now, with the introduction of Ethereum and many other platforms that support smart contracts and
decentralized apps, development is a big part of the blockchain sector.

The big problem is that development on a blockchain means decentralized pieces of code that cannot be easily altered.
This often results in serious coding problems or big vulnerabilities that cannot be fixed, due to the nature of the
blockchain. For that reason, a blockchain developer has to be sure about what they develop and store. There are many
examples of code vulnerabilities on the blockchain where malicious users managed to steal currency units from
smart contracts by exploiting simple things that could easily have been prevented. For that reason, and before exploiting
blockchain vulnerabilities, we have to learn some coding and development basics.

2.1. Hello World

In this module, we will mainly work on the Ethereum platform, and we will examine smart contract development.
Continuing from module 1 and its exercises, let's start with a Hello World smart contract example. Let's first look at an
example and break it into pieces.

pragma solidity ^0.4.0;

contract life {
    address owner;

    // Constructor (old style, named after the contract): records the deployer as owner.
    function life() public { owner = msg.sender; }

    // Only the owner may destroy the contract; any remaining balance is sent to the owner.
    function kill() public { if (msg.sender == owner) selfdestruct(owner); }
}

contract HelloWorld is life {
    string message;

    // Constructor: stores the message supplied at deployment.
    function HelloWorld(string _message) public {
        message = _message;
    }

    // Returns the stored message without changing state.
    function msg() public constant returns (string) {
        return message;
    }
}

As we can easily notice in this code snippet, there are two different contracts in it: life and HelloWorld.
This results from the inheritance feature of the Solidity language, which in simple terms means that one contract
can inherit things from another. In our code, we specify that the contract HelloWorld is life, which means that
HelloWorld inherits all the characteristics of the life contract.

In the first contract (life), we first see an address variable named owner being declared. After that, we see two
different functions, life() and kill(). The life() function stores the owner's address, that is, the address
responsible for deploying the contract, in the owner variable we declared earlier. Finally, the kill() function checks whether
the user interacting with the contract is the actual owner and, if the owner asks, the contract can be killed to clean up
the blockchain and recover the funds locked in it when the contract is no longer needed. As we said earlier,
inheritance passes this functionality on to the main HelloWorld contract.

In the second and main contract, a string variable is defined which will hold a message. The first function,
HelloWorld(), is the constructor: it accepts a string from the user at deployment and stores it in message. Finally, the msg()
function returns the message to the user, like a good first Hello World program.

2.2. Compiling our contract

There are several ways to compile our contract and later deploy it to the Ethereum blockchain,
but for the purposes of this course we are going to use the Remix online IDE. Another popular way is the solc compiler,
and you can find out more about how to install and use it here:

https://solidity.readthedocs.io/en/develop/installing-solidity.html

The Remix IDE is pretty straightforward. First of all, we go to https://remix.ethereum.org/ and
just paste our code into it. Remix will compile our code once we press the "Start to compile" button and point out whether we
have any errors and whether there is something we can fix. We can safely ignore any yellow warning boxes in the right pane.
