This Repository is an introduction to the analysis and discovery of common vulnerabilities in Smart Contracts, with examples from various CTF challenges.
Blockchain has recently emerged as a trending research, with potential applications in many industries and contexts. One particular successful Blockchain technology is smart contracts, which are becoming widely used in the commercial sphere (e.g. high value financial transactions). A smart contract, just like any traditional contract, governs the terms and conditions of an agreement between the parties. However, unlike a traditional contract, the terms of a smart contract are executed on the basis of a code programmed on a blockchain such as Ethereum. This, however, has security implications due to the possibility of exploiting a security incident that also has financial implications (ex. identifying and exploiting a vulnerability in the smart contract or its implementation). Due to Smart Contract use in financial settings, they are an attractive target for cybercriminals.
Due to its popularity in this repository I'll focus on the smart contract of the Ethereum blockchain.
The runtime environment for every smart contract in the Ethereum network is the Ethereum Virtual Machine (EVM), A Turing-complete stack-based virtual machine. It's a computation engine that could be imagined as a decentralized computer. The Ethereum blockchain consensus model is based on Ethereum nodes that run on the EVM. The EVM has several limitations that can affect smart contract:
- stack depth is limited to 1024 bit, if the number of calls exceeds this limit, then the execution terminates irregularly;
- blockchain network reliability, the Ethereum blockchain introduced Block Gaslimit to limit block size, this can unfortunately be used in malicious networks to attempt a Dos Attack in which the attacker creates a transaction and using a gas consumption that exceeds the gas limit he can be sure to fill a block with that transaction and exclude others;
- trustworthy of external data input, due to the multitude of applications smart contracts have, there’s sometimes the need to input external data to contracts. With data coming from different sources, it becomes difficult when a node executing a contract to get a consistent response. Unsafe external data sources are for example due to non-random random numbers or unreliable online data sources.
Here is the index of the repository contents:
- Introduction to Solidity
- Tools
- Public Data
- Arithmetic Overflow and Underflow
- Selfdestruct
- Smart contract storage
- Denial of Service
- DownUnderCTF 2022:
- Basic Contract Interaction: Solve Me
- On-Chain Randomness: Crypto Casino
- Bytecode Analysis: Secret and Ephemeral
- X-MAS CTF 2021:
- Reentrancy Attack: 残響
- Bytecode Analysis: CaramelPooler