A blockchain is a type of decentralized, distributed ledger technology (DLT).
It is the underlying technology for cryptocurrencies, smart contracts, etc.
Characteristics:
- Decentralized: data is stored and verified across multiple nodes in a network, so there is no single point of failure and no single entity can control the entire network.
- Distributed ledger: the database is replicated across all nodes, so every node holds an identical copy of the data.
- Immutable: once data is added it cannot be easily altered or deleted.
- Transparency: All network participants can view transactions on the network.
A block is a data structure that contains transactions; each block also contains the hash of the previous block, which links the blocks into a chain.
====================================================================
A cryptocurrency is a virtual currency that uses cryptography for security.
It operates on a blockchain (its underlying technology).
Coins vs Tokens
- Coins have their own independent blockchain (e.g. Bitcoin, Dogecoin, Ether)
- Tokens are created using smart contracts on an existing blockchain (e.g. USDC, USDT, Chainlink)
Cryptocurrency transactions are recorded on the blockchain and verified by a network of nodes.
To transfer currency:
- Initiate a transaction
- The transaction is broadcast to all nodes on the network and validated under the network's consensus mechanism (proof of work, proof of stake)
- The transaction is then grouped with other transactions into a block
- When the block is full, it is appended to the blockchain
====================================================================
Ethereum
- Blockchain platform that enables the use of Smart Contracts and dApps (Decentralized Applications).
- The underlying virtual currency is Ether (ETH).
- Ethereum Virtual Machine (EVM) - runtime environment for smart contracts in Ethereum.
- Smart Contracts – self-executing contracts
- Ether (ETH) – the underlying cryptocurrency used to pay for transactions and compute on the network
- Gas – compute transaction fee that is paid in Ether
====================================================================
Self-executing contract with the requirements of the transaction written into code.
We can create a Smart Contract using a programming language such as Solidity, then compile it to be run on the Ethereum Virtual Machine (EVM), and then pay a fee for the contract to be added to the Ethereum Network (blockchain).
The contract effectively creates a new account with an address on the blockchain, with functionality exposed for anyone to interact with.
Every state change on the contract costs a small transaction fee, paid in the network's native cryptocurrency to the miners of the block that includes the transaction.
dApps (Decentralised Applications) are essentially applications with a frontend (such as a web application), middleware and a backend, where the backend is replaced by the execution of smart contracts rather than traditional architecture such as databases.
====================================================================
Tools
- Foundry – Smart Contract development framework with a focus on speed and efficiency. It comes with a suite of tools: Forge to compile, test and deploy smart contracts; Cast to interact with smart contracts (send transactions and query state); and Anvil, a local Ethereum node for local testing.
- Truffle – Development environment for compiling, developing and testing Smart Contracts
- Ganache-cli – Local Ethereum blockchain for development and testing
- Remix – Online IDE for writing, compiling, deploying Ethereum Smart Contracts
====================================================================
Re-entrancy
When a smart contract makes an external call to an untrusted contract before it has finalised its own state changes, the untrusted contract can call back into the calling contract recursively, leading to malicious interactions such as draining funds.
(bool success, ) = msg.sender.call{value: _weiToWithdraw}("");
- msg.sender.call{value: ...}("") sends ETH directly to msg.sender. Because no calldata is attached to the call, if msg.sender is a contract the transfer triggers that contract's receive() function (or its fallback() if no receive() exists).
- This allows a re-entrancy attack: the attacker's receive() controls the execution flow and can call back into the withdraw function in a loop before the balance is updated, stealing all the funds from the wallet.
- Real world example: The DAO hack, which forced Ethereum to hard fork; the original chain continued as the separate ETC (Ethereum Classic) coin.
- Re-entrancy attacks exploit fallback functions, which Solidity triggers in specific situations: receive() when a call carries ETH and no calldata, and fallback() when no function matches the calldata (or there is no receive()).
- Fallback functions can contain arbitrary logic, such as looping the execution flow to siphon funds indefinitely.
Fix:
- Checks-Effects-Interactions pattern: check conditions first, apply all state changes (effects), and only then interact with other contracts. When the external call re-enters, the contract's state already reflects the withdrawal, so the re-entered call fails its checks.
EtherStore Example on Remix IDE
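The following is an added example, not the EtherStore contract from the slides or Remix: the same withdraw-all function written in the vulnerable order (interaction before effect) and then in Checks-Effects-Interactions order, with a simple mutex on top as a second line of defence. Contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the slide's EtherStore: the same withdraw-all function in
// the vulnerable order and in Checks-Effects-Interactions order. Contract and
// function names are assumed.

contract EtherStoreVulnerable {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Interaction (the external call) happens BEFORE the effect (zeroing the
    // balance). A contract receiving the ETH runs its receive() while its
    // recorded balance is still intact, so a nested withdraw() passes the check.
    // The balance is assigned 0 rather than decremented so the unwinding calls
    // don't revert on 0.8 underflow checks, as in the classic demo.
    function withdraw() external {
        uint256 bal = balances[msg.sender];
        require(bal > 0, "nothing to withdraw");            // Check
        (bool success, ) = msg.sender.call{value: bal}(""); // Interaction
        require(success, "transfer failed");
        balances[msg.sender] = 0;                            // Effect (too late)
    }
}

contract EtherStoreFixed {
    mapping(address => uint256) public balances;
    bool private locked; // mutex: second line of defence on top of CEI

    modifier noReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Checks, then Effects, then Interactions: the balance is already 0 when
    // control leaves this contract, so a re-entered withdraw() fails the
    // require; the mutex rejects it even earlier.
    function withdraw() external noReentrant {
        uint256 bal = balances[msg.sender];
        require(bal > 0, "nothing to withdraw");            // Check
        balances[msg.sender] = 0;                            // Effect
        (bool success, ) = msg.sender.call{value: bal}(""); // Interaction
        require(success, "transfer failed");
    }

    function getBalance() external view returns (uint256) {
        return address(this).balance;
    }
}
```

Deploy both in Remix, deposit from a contract account that calls withdraw() from its receive(), and compare: the first contract pays out more than the caller deposited, the second reverts with "reentrant call" (or "nothing to withdraw" if the mutex is removed).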
====================================================================
Integer overflow/underflow
- This occurs when an arithmetic operation produces a result outside the range the variable's type can hold, so the value wraps around (overflow at the maximum, underflow at the minimum).
- A timelock smart contract that is meant to prevent users from withdrawing funds until a lock period has elapsed could be vulnerable to an overflow attack that wraps the lock time around, making the funds immediately available.
- Fixed today by compiling with Solidity 0.8 or later, whose arithmetic reverts on overflow/underflow by default (except inside unchecked blocks), or by using the SafeMath library on older compilers.
- TimeLock Example on Remix IDE
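As an added example (not the TimeLock contract from the slides or Remix), two contracts hold deposits behind a per-user unlock timestamp: the first reproduces pre-0.8 wrapping with an unchecked block, the second relies on 0.8 checked arithmetic and adds an explicit bound. Contract names and the 52-week bound are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the slide's TimeLock contract. Both contracts hold deposits
// behind a per-user unlock timestamp. The first reproduces pre-0.8 wrapping with
// an `unchecked` block; the second relies on 0.8 checked arithmetic and adds an
// explicit bound. Names and the 52-week bound are assumed.

contract TimeLockWrapping {
    mapping(address => uint256) public balances;
    mapping(address => uint256) public lockTime;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
        lockTime[msg.sender] = block.timestamp + 1 weeks;
    }

    // Pre-0.8 semantics: if lockTime + _secondsToIncrease exceeds 2**256 - 1 the
    // sum wraps to a small value that is already in the past, so withdraw()'s
    // time check passes immediately.
    function increaseLockTime(uint256 _secondsToIncrease) external {
        unchecked {
            lockTime[msg.sender] += _secondsToIncrease;
        }
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        require(block.timestamp > lockTime[msg.sender], "still locked");
        balances[msg.sender] = 0; // effect before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

contract TimeLockChecked {
    uint256 public constant MAX_LOCK = 52 weeks; // assumed policy bound
    mapping(address => uint256) public balances;
    mapping(address => uint256) public lockTime;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
        lockTime[msg.sender] = block.timestamp + 1 weeks;
    }

    // Under 0.8+ the addition reverts on overflow (Panic 0x11), so the wrap
    // above cannot happen. The bound additionally rejects absurd values with a
    // readable error instead of a panic.
    function increaseLockTime(uint256 _secondsToIncrease) external {
        uint256 newLock = lockTime[msg.sender] + _secondsToIncrease;
        require(newLock <= block.timestamp + MAX_LOCK, "lock too long");
        lockTime[msg.sender] = newLock;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        require(block.timestamp > lockTime[msg.sender], "still locked");
        balances[msg.sender] = 0; // effect before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The unchecked block is there only to show the old behaviour under a modern compiler; in real code the lesson is the opposite: keep arithmetic checked, and add an application-level bound so that a bad input fails with a message rather than a panic.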
====================================================================
Non-Fungible Tokens
- Represents proof of ownership of a specific item or asset, with the ownership recorded on the blockchain
- NFTs follow the ERC-721 token standard, under which each token is unique. This is most often used for digital art and collectibles.
- Meebits is an NFT project that mints digital art of "voxel characters" stored on the Ethereum blockchain. At its peak it was worth around $80 million.
- This slide is worth $45000 USD because I have a Bored Ape screenshot here.
====================================================================
Meebits
- Meebits relies on randomness to generate unique digital art, however the method that they use is considered insecure.
- uint index = uint(keccak256(abi.encodePacked(nonce, msg.sender, block.difficulty, block.timestamp))) % totalSize;
- This line hashes a tightly packed (abi.encodePacked) concatenation of the inputs with keccak256, Ethereum's cryptographic hash function, and reduces the result modulo totalSize to pick an index.
- Reliance on block.timestamp and block.difficulty is a common vulnerability.
====================================================================
- block.difficulty – does not provide true randomness: it is a measure of how difficult it is to mine a block and can be influenced by miners on the network (since the Merge it is exposed as block.prevrandao).
- block.timestamp – also largely predictable, and miners can shift it within limits.
- The general recommendation is not to derive randomness from on-chain data (block values, balances, etc.) but to use an off-chain source of randomness.
- Chainlink VRF (Verifiable Random Function), which delivers a random value together with a proof that is verified on chain, is one such source.
- Because the index is computable from values visible before the transaction lands, an attacker can keep calling the mint function, spending gas on each attempt, until the predictable index yields a valuable NFT that they then sell at a profit.
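The following is an added example and not Meebits' code. PredictableMint reproduces the index derivation from the slide (with block.prevrandao, which is what block.difficulty became after the Merge); VrfMint replaces it with a two-step Chainlink VRF v2 request/callback, so the random word does not exist when the minter commits. The import paths follow the @chainlink/contracts package layout and may differ between package versions; contract names, the 10,000 collection size and the gas/confirmation constants are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Meebits' code. Import paths are assumed (they vary between
// versions of the @chainlink/contracts package); names and sizes are assumed.
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/vrf/interfaces/VRFCoordinatorV2Interface.sol";

contract PredictableMint {
    uint256 public constant TOTAL_SIZE = 10_000;
    uint256 private nonce;
    mapping(uint256 => address) public ownerOf; // index => minter (toy record)

    // Every input here is readable by the caller before the transaction is
    // included, so the caller knows which index it will receive in advance.
    function mint() external returns (uint256 index) {
        nonce++;
        index = uint256(keccak256(abi.encodePacked(nonce, msg.sender, block.prevrandao, block.timestamp))) % TOTAL_SIZE;
        require(ownerOf[index] == address(0), "already minted");
        ownerOf[index] = msg.sender;
    }
}

contract VrfMint is VRFConsumerBaseV2 {
    uint256 public constant TOTAL_SIZE = 10_000;
    uint32 private constant CALLBACK_GAS_LIMIT = 200_000; // assumed
    uint16 private constant REQUEST_CONFIRMATIONS = 3;    // assumed

    VRFCoordinatorV2Interface private immutable coordinator;
    uint64 private immutable subscriptionId;
    bytes32 private immutable keyHash;

    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => address) public requestToMinter; // requestId => who asked

    constructor(address _coordinator, uint64 _subscriptionId, bytes32 _keyHash)
        VRFConsumerBaseV2(_coordinator)
    {
        coordinator = VRFCoordinatorV2Interface(_coordinator);
        subscriptionId = _subscriptionId;
        keyHash = _keyHash;
    }

    // Step 1 (commit): the minter receives a requestId. The random word does
    // not exist yet, so there is nothing to predict and nothing to reroll.
    function requestMint() external returns (uint256 requestId) {
        requestId = coordinator.requestRandomWords(
            keyHash, subscriptionId, REQUEST_CONFIRMATIONS, CALLBACK_GAS_LIMIT, 1
        );
        requestToMinter[requestId] = msg.sender;
    }

    // Step 2 (reveal): only the coordinator can invoke this (VRFConsumerBaseV2's
    // rawFulfillRandomWords checks msg.sender), and the minter is not part of
    // this transaction, so the outcome is assigned without their involvement.
    // Chainlink asks that this callback never revert, hence the early returns.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        address minter = requestToMinter[requestId];
        if (minter == address(0)) return;
        delete requestToMinter[requestId];
        uint256 index = randomWords[0] % TOTAL_SIZE;
        if (ownerOf[index] != address(0)) return; // collision: real collections use a shuffle
        ownerOf[index] = minter;
    }
}
```

The design point is the split into two transactions: the minter's own transaction only records a request, and the index is assigned later in a transaction the minter does not send, so the outcome cannot be inspected before committing. The VRF subscription must be funded with LINK and this contract added as a consumer before requestRandomWords() will succeed.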
====================================================================
Unprotected Self-Destruct function
- selfdestruct(address payable recipient) – mechanism for terminating a smart contract and transferring its balance to recipient. It is exploitable when an attacker can reach the selfdestruct call in a target contract, for example through an injection vulnerability or a function without access control.
- selfdestruct is deprecated (since Solidity 0.8.18) and is slated for removal in a future Solidity version.
Gas manipulation attacks
- Gas is the unit in which transaction fees on the Ethereum network are measured; the fee is gas used multiplied by the gas price.
- A cancel or refund function that reimburses gas fees to the caller must not price the refund from caller-controlled input such as tx.gasprice: an attacker who submits the transaction with an abnormally high gas price is refunded abnormally high fees out of the contract's funds.
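As an added example, not from the slides, here is an escrow whose cancel() reimburses the caller's gas. The first contract prices the refund with tx.gasprice, which the caller chooses; the second caps the per-gas price at an owner-set maximum. Contract names, the 50 gwei cap and the 21,000 base-cost constant's use are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not from the slides: an escrow whose cancel() reimburses the
// caller's gas. The first contract prices the refund with tx.gasprice, which the
// caller chooses; the second caps the price at an owner-set maximum. Names and
// the cap value are assumed.

contract GasRefundVulnerable {
    mapping(address => uint256) public escrow; // user => ETH held for their order

    function placeOrder() external payable {
        escrow[msg.sender] += msg.value;
    }

    // Refund = gas consumed * tx.gasprice. Nothing bounds tx.gasprice, so a
    // caller who submits cancel() with an enormous gas price is reimbursed far
    // more than the gas actually cost them, out of the contract's pooled funds.
    function cancel() external {
        uint256 startGas = gasleft();
        uint256 amount = escrow[msg.sender];
        require(amount > 0, "no order");
        escrow[msg.sender] = 0; // effect before interaction (CEI)
        uint256 gasUsed = startGas - gasleft() + 21_000; // 21_000 = base tx cost
        uint256 gasRefund = gasUsed * tx.gasprice;
        (bool ok, ) = msg.sender.call{value: amount + gasRefund}("");
        require(ok, "refund failed");
    }
}

contract GasRefundCapped {
    address public immutable owner;
    uint256 public maxRefundGasPrice = 50 gwei; // assumed policy value
    mapping(address => uint256) public escrow;

    constructor() {
        owner = msg.sender;
    }

    function setMaxRefundGasPrice(uint256 _weiPerGas) external {
        require(msg.sender == owner, "not owner");
        maxRefundGasPrice = _weiPerGas;
    }

    function placeOrder() external payable {
        escrow[msg.sender] += msg.value;
    }

    // Same refund, but the per-gas price is min(tx.gasprice, maxRefundGasPrice):
    // the caller may still overpay for gas, the contract just won't match it.
    function cancel() external {
        uint256 startGas = gasleft();
        uint256 amount = escrow[msg.sender];
        require(amount > 0, "no order");
        escrow[msg.sender] = 0; // effect before interaction (CEI)
        uint256 price = tx.gasprice < maxRefundGasPrice ? tx.gasprice : maxRefundGasPrice;
        uint256 gasUsed = startGas - gasleft() + 21_000;
        uint256 gasRefund = gasUsed * price;
        (bool ok, ) = msg.sender.call{value: amount + gasRefund}("");
        require(ok, "refund failed");
    }
}
```

The cap bounds what the contract will pay per unit of gas; the gas consumed between the two gasleft() readings is fixed by the function body, so the total refund is bounded as well. Both versions zero the escrow before the external call so that the refund path is not itself a re-entrancy hazard.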
====================================================================
