How To Not Get Rekt: Secure Smart Contract Development
In this workshop we'll practice detecting & preventing common bugs in Solidity/EVM smart contracts. We'll solve challenges from CaptureTheEther and OpenZeppelin Ethernaut and learn how to use MythX during development to prevent security bugs and verify security properties.
Here's how to get set up for the workshop. First, you need a web3-capable browser and some testnet ETH. You probably already have both, but if not, get Metamask and grab some ETH from the Ropsten faucets:
The workshop exercises are hosted in a separate repo. Get a local copy by cloning the repo:
$ git clone https://github.com/ConsenSys/mythx-playground/
If you run into insurmountable problems, ask the instructors for help.
Setting up MythX for Remix
Part 1 - Detecting and Preventing Common Vulnerabilities
In the first part of this workshop we'll be looking at different ways of identifying, fixing and preventing vulnerabilities during development.
Exposure of Private Information
Let's start with something easy to get warmed up! Ethereum is a public ledger and nothing you put on this ledger is really private.
Broken Access Controls
Some of the worst incidents so far were caused by critical functions that were inadvertently exposed to attackers. Remember Parity WalletLibrary?
Integer Arithmetic Bugs
Another common source of bugs is integer overflows and underflows. We'll cover them in the next two examples. Hint: The best way to prevent integer arithmetic bugs is by using SafeMath.
The infamous TheDAO was exploited by reentrancy in 2016. Although the community is more aware of it, reentrancy struck back in October 2018.
Let's look at a simplified example of the DAO bug.
Predictable Random Numbers
It is impossible to create truly random numbers using Solidity. Let's see what happens if we rely on things like blocknumbers and blockhashes for randomness.
Part 2 - Verifying Custom Security Properties
The assert() statement is used to specify conditions that are expected to always hold. If you want to prove certain assumptions about your code, you can put them into asserts and use Mythril's symbolic execution engine to do all the hard work for you.
In this exercise we'll write and check an invariant for Etherbank.
Part 3 - Security Testing in the Development Workflow
Catching bugs early during the development lifecycle saves a lot of pain. In this section we'll have a look at Truffle and CI integration.
Security Analysis with Truffle
$ npm install truffle-security
Created by ConsenSys Diligence and the Mythril team. Special thanks to Mick Ayzenberg (Security Innovation), Trail of Bits, Steve Marx of CaptureTheEther and ConsenSys fame and Zeppelin Solutions for vulnerable contract samples and challenges. Also, kudos to the Truffle and Guardrails teams for working with us on Mythril Platform integration.