Documente Academic
Documente Profesional
Documente Cultură
Editor-in-Chief
Joanna Kretowicz
joanna.kretowicz@eforensicsmag.com
Editors:
Marta Sienicka
sienicka.marta@hakin9.com
Marta Strzelec
marta.strzelec@eforensicsmag.com
Dominika Zdrodowska
dominika.zdrodowska@eforensicsmag.com
Bartek Adach
bartek.adach@pentestmag.com Proofreader:
Lee McKenzie
Senior Consultant/Publisher:
Paweł Marciniak
CEO:
Joanna Kretowicz
joanna.kretowicz@eforensicsmag.com
Marketing Director:
Joanna Kretowicz
joanna.kretowicz@eforensicsmag.com
DTP
Marta Sienicka
sienicka.marta@hakin9.com
Cover Design
Hiep Nguyen Duc
Publisher
Hakin9 Media Sp. z o.o.
02-676 Warszawa
ul. Postępu 17D
Phone: 1 917 338 3631
www.hakin9.org
• Blockchain Basics
• Blockchain Development
• Attacking Blockchain
4
What will you need?
• PC with a preferred operating system (Mac OSX 10.11+, Windows 7+, Linux)
• Programming basics
COURSE PAGE
5
6
Pre-course Material
Attack and Defense in Blockchain
Technologies
Pre-course Material: Attack and Defense in Blockchain Technologies
Blockchain
In this course, our main target will be blockchains. Blockchain technologies (or else called DLT – Distributed Ledger
Technologies) are getting more popular and more widely used in the industry because of some really important aspects
that they offer, in contrast with traditional centralized solutions. Some of these aspects are:
• Decentralized. A blockchain stores data across a network, which eliminates serious risks coming with data
held by a central entity. Using distributed networking, there are no central points that can be exploited, so
there is no single point of failure. In blockchains, every node has a copy of it and the quality is maintained
through massive database replication and computational trust. No central trusted node exists, and no copy is
more “trusted” than another.
• Transparency. All transactions can be viewed by anyone (on public blockchains). Transparency in a
blockchain helps the network verify that no counterfeit currency was produced, prevents double-spent and that
the amount of coins that exist is the same with the amount generated until a given time.
• Immutability of data. Once a transaction has been recorded in the blockchain by a node, no one can alter or
remove it. This is the main difference of a blockchain from regular database systems, in which data can be
edited or even deleted.
• Process integrity. Users can be sure that transactions will follow the rules set by the community developing
each blockchain. That way, there is no need for a trusted central party.
• Openness. Speaking about public blockchains, most of the time they are open source and permissionless.
That way, everyone can use this blockchain, participate in the network and even fork the source code to create
its own variation of the blockchain.
Blockchain was introduced by Satoshi Nakamoto with the introduction of the Bitcoin cryptocurrency, which is still the
most famous and widely used cryptocurrency. Bitcoin concerns a decentralized digital currency, where the two parties
of a transaction can transact directly with each other, without involving third parties like a bank or a financial
institution. These transactions are verified by network nodes through the use of cryptography; these nodes are entities
connected to the bitcoin network.
Optional Installation
In this course, we are going to examine different blockchain implementations and security aspects of them. In order to
properly examine these security aspects, we are going to use testnet implementations of a blockchain (especially the
Ethereum Blockchain) for which we will need a lightweight Ethereum wallet called Metamask.
8
Pre-course Material: Attack and Defense in Blockchain Technologies
Metamask is a browser extension supported by Chrome and Firefox that has Ethereum wallet capabilities without the
need of retaining a whole copy of the Ethereum blockchain. It is easy to get installed (just go to https://metamask.io/
and add the add-on to your browser) and supports the Ropsten test network, in which we will execute our tests.
After installing the Metamask add-on, you have to click on it to execute it. In the new window, we agree to the terms
and conditions and click in the “Create new Vault” or “Create a new wallet”, depending on our browser. We specify our
password and the seed will be presented. We have to copy this seed and store it in a secure location in order to be able
to restore our wallet in a loss scenario.
Starting our wallet, we are inside the main network where we need real money to get access to some currency and be
able to make our tests. For that reason, we select the network button in the top right corner of the add-on and select
the ropsten network.
Image 1: Ethereum network change in the Metamask Add-on.
Now that we are connected to the test network, we are able to get some free Ether by the
http://faucet.ropsten.be:3001/. We just head to the website, paste our wallet address (which can be found in the
Metamask add-on main page) and hit “Send me 1 test Ether”. We can do this more than one time, but 1 Ether is good
enough for starting. After a couple of seconds, we will be able to see the Ether available to our wallet and ready for use.
Finally, we have to mention that the use of the test network is done in order to be able to test vulnerabilities and
transactions without threatening the integrity of the main network or real assets and not having to manage and spend
9
Pre-course Material: Attack and Defense in Blockchain Technologies
real money. Also, we have to mention that everything described in this course has to be executed ONLY in places that
we have permission or we own.
10
MODULE 1
Introduction to Blockchain, Cryptocurrencies
and Smart Contracts
Introduction to Blockchain, Cryptocurrencies and Smart Contracts
The concept of blockchain was firstly introduced in Satoshi Nakamotos’ whitepaper [1], about Bitcoin, which is, as the
title implies, a “Peer-to-Peer Electronic Cash System”. In particular, it concerns a decentralized digital currency, where
the two parties of a transaction can transact directly with each other, without involving third parties like a bank or a
financial institution. These transactions are verified by network nodes through the use of cryptography, which nodes
are entities connected to the bitcoin network.
Blockchain is a chain of blocks, and it technically started as a simple database that stores the transactions of the
bitcoin network. The thing that differentiates it from a simple database is that each block is linked with the previous
block in the chain, that way the data cannot be changed, otherwise all the linked data will be changed too. The most
important characteristics of a blockchain have been presented in the precourse material, but as in every system, in
blockchains there are some disadvantages, too, that anyone will have to consider in order to use them. Those worth
mentioning are:
• Required processing power and redundancy. Blockchains, due to the use of cryptographic algorithms,
such as ECDSA, need a significant amount of processing power. This may not be discernible, but the overall
time needed for computational tasks, is way bigger from traditional centralized database systems. Also, in a
blockchain the transactions happening have to be processed by each node in the network, in contrast with a
traditional database system, which requires much more total computational work from the network.
• 51% attack. Mining pools can have the ability to perform several attacks as soon as they own a significant
percentage of the network. This attack is based on the concept that a pool with that power has the ability to
generate the longest chain alone [2]. This may have as a result double spending coins from the attacker.
Although 51% of the network is necessary for this attack, it has been shown that, even with less hash power,
attacks are possible [6].
• Consensus. In blockchain systems, the network using it has to reach consensus. This is difficult to achieve,
and many examples exist where consensus did not reach and forks of systems were created, or whole
communities were destroyed.
Technically, any computer that exists and connects with the peer-to-peer Bitcoin or Ethereum network is called a
node. A node can execute several functions that determine the “role” that this node will have in the network [3]. These
functions are:
12
Introduction to Blockchain, Cryptocurrencies and Smart Contracts
• Routing. All nodes have to support at least this function to participate in the bitcoin network. With this
function a node validates and transmits transactions and blocks and maintains its connection with other
network peers.
• Full Blockchain. Every node maintains a full copy of the “database” of the history of transactions, the
blockchain. These nodes have the ability to verify any transaction locally, without any external reference. There
is also the option of maintaining only a part of the blockchain, in order to save space, which is called pruning.
What pruning does is, once the node has all the blockchain and validates the blocks in it, it discards the old
data that is not needed anymore.
• Mining. Mining is the process where nodes that support this function compete to create new blocks, by trying
to solve the proof-of-work algorithm that we will see later. These nodes have to use specialized hardware due to
the mathematical complexity of the algorithm to be solved.
Also, a full node is a node that contains all the basic functions that a node can perform: network routing, mining, full
blockchain database and wallet. User wallet is a function that every node has, and manages the assets and the
transactions of a user. Finally, lightweight wallets exist that maintain only a subset of the full blockchain and verify
transactions with the Simplified Payment Verification (SPV) method in Bitcoin for example. These wallets are really
useful for devices with limited available storage capacity, like smartphones.
To create a node in the Ethereum network, on our Linux machine, we have to start by installing the geth CLI
application, which is the official way of creating a node in the Ethereum Network. To do so, we simply have to run the
following commands in our Ubuntu terminal:
Installing geth in other OS’s is pretty simple too, and you can find how, in the geth documentation1. To continue, we
have to create a new account, which will contain a pair of keys (private and public, which we will further examine
later), and an Ethereum address. To do so, we execute:
1 https://ethereum.gitbooks.io/frontier-guide/content/index.html
13
Introduction to Blockchain, Cryptocurrencies and Smart Contracts
The script will prompt us to supply a password in order to secure the private key that will be stored locally, and the
new address will be shown in the terminal after that, as we can see in Figure 1. Now, geth knows that one of our
accounts is the one generated and keeps it in its local database.
Figure 1: The resulting address after creating an account with geth.
After that, we can list our account(s) as simply as typing geth account list.
Figure 2: Account listing in Geth.
1.3. Blocks
To fully understand the concept of a blockchain, we have to examine the structure of a single block. Blocks are
containers of data that can contain more than 500 transactions, on average, in the Bitcoin blockchain. The size of each
block, containing this number of transactions, reaches 1 MB and considering that every 10 minutes a new block is
created, the blockchain gets 140 MB bigger each day, on average.
14
MODULE 2
Blockchain and Smart Contract
Development
Blockchain and Smart Contract Development
Due to the hype that came with the introduction of blockchain technologies, but at the same time all the breakthrough
capabilities that came with them, many people got involved with blockchain, with a small part being developers and
engineers. The development potential of blockchains was not clear at the first steps of blockchain and Bitcoin
specifically, but now with the introduction of Ethereum, and many other platforms that support smart contracts and
decentralized apps, development is a big aspect in the blockchain sector.
The big problem is that development in blockchain means decentralized pieces of code that cannot be easily altered.
This many times results in serious coding problems or big vulnerabilities that cannot be fixed due to the blockchain
nature. For that reason, a blockchain developer has to be sure about what he develops and stores. There are many
examples, with code vulnerabilities in the blockchain, where malicious users managed to steal currency units from
smart contracts exploiting simple things that could be easily prevented. For that reason, and before exploiting
blockchain vulnerabilities, we have to learn some coding and development basics.
In this module, we will mainly work in the Ethereum platform, and we will examine smart contract development.
Continuing from module 1, and its exercises, let’s start with a Hello World smart contract example. Let’s firstly see an
example code and break it into pieces.
contract life {
address owner;
string message;
message = _message; }
16
Blockchain and Smart Contract Development
return message; }
As we can simply notice in this code snippet, there are two different contracts in it; the life and the HelloWorld one.
This results from the inheritance aspect of the Solidity language which in simple terms means that the one contract
can inherit things from another one. In our code, we specify that the contract HelloWorld is life, which means that we
inherit all the characteristics of the life contract to the HelloWorld one.
In the first contract (life), we see first creating an address variable with the name owner. After that, we see two
different functions, the life() and kill(). The life() function sets the owner’s address, or else, the address that is
responsible for the contract deployment in the owner variable that we set earlier. Finally, the kill() function checks if
the user interacting with this contract is the actual owner and if the owner asks, the contract can be killed to clean up
the blockchain and recover funds locked into it when the contract is useless or not needed. As we said earlier, the
inheriting characteristic passes this functionality to the main HelloWorld contract.
In the second and main contract, a string variable is defined which will later accept a message. The first function
HelloWorld() sets the parameter in order to accept a string later from the user. And finally, the msg() function returns
the message to the user, like a good first Hello World program.
There are several ways that we can use in order to compile our contract and later deploy it to the Ethereum blockchain,
but for the context of this course, we are going to use the Remix online IDE. Another famous way is the Solc compiler
and you can find more about how to install and use it here:
https://solidity.readthedocs.io/en/develop/installing-solidity.html
The Remix IDE is pretty straight forward. First of all, we go to the following webpage https://remix.ethereum.org/ and
just copy our code to it. Remix will compile our code once we press the “Start to compile” button and point out if we
have any errors and if we can fix something. We can safely ignore any yellow warning boxes on the right pane.
17