Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/federicovilla55/smart-contract-exploitation
Solidity Pwn Scenarios
https://github.com/federicovilla55/smart-contract-exploitation
ethereum-blockchain ethereum-contract exploitation smart-contracts solidity
Last synced: about 2 months ago
JSON representation
Solidity Pwn Scenarios
- Host: GitHub
- URL: https://github.com/federicovilla55/smart-contract-exploitation
- Owner: federicovilla55
- Created: 2022-03-11T16:32:50.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2022-09-29T20:39:15.000Z (over 2 years ago)
- Last Synced: 2024-02-25T22:22:22.405Z (11 months ago)
- Topics: ethereum-blockchain, ethereum-contract, exploitation, smart-contracts, solidity
- Language: Solidity
- Homepage:
- Size: 77.1 KB
- Stars: 32
- Watchers: 3
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Blockchain Security
This Repository is an introduction to the analysis and discovery of common vulnerabilities in Smart Contracts, with examples from various CTF challenges.
## Intro: *What is a Smart Contract?*
Blockchain has recently emerged as a trending research, with potential applications in many industries and contexts.
One particular successful Blockchain technology is **smart contracts**, which are becoming widely used in the commercial sphere (e.g. high value financial transactions).
A smart contract, just like any traditional contract, governs the terms and conditions of an agreement between the parties. However, unlike a traditional contract, the terms of a smart contract are executed on the basis of a code programmed on a blockchain such as *Ethereum*.
This, however, has security implications due to the possibility of exploiting a security incident that also has financial implications (ex. identifying and exploiting a vulnerability in the smart contract or its implementation).
Due to Smart Contract use in financial settings, they are an attractive target for cybercriminals.Due to its popularity in this repository I'll focus on the smart contract of the Ethereum blockchain.
## *Ethereum Virtual Machine*: An Exploitable Habitat
The runtime environment for every smart contract in the Ethereum network is the *Ethereum Virtual Machine* (EVM), A Turing-complete stack-based virtual machine. It's a computation engine that could be imagined as a decentralized computer.
The Ethereum blockchain consensus model is based on Ethereum nodes that run on the EVM.
The EVM has several limitations that can affect smart contract:
- *stack depth* is limited to 1024 bit, if the number of calls exceeds this limit, then the execution terminates irregularly;
- *blockchain network reliability*, the Ethereum blockchain introduced *Block Gaslimit* to limit block size, this can unfortunately be used in malicious networks to attempt a Dos Attack in which the attacker creates a transaction and using a gas consumption that exceeds the gas limit he can be sure to fill a block with that transaction and exclude others;
- *trustworthy of external data input*, due to the multitude of applications smart contracts have, there’s sometimes the need to input external data to contracts. With data coming from different sources, it becomes difficult when a node executing a contract to get a consistent response. Unsafe external data sources are for example due to *non-random random numbers* or unreliable online data sources.## Index
Here is the index of the repository contents:
- [Introduction to Solidity](Learn/IntroductionSolidity.md)
- [Tools](Learn/Tools.md)
- [Public Data](Learn/PublicVariable.md)
- [Arithmetic Overflow and Underflow](Learn/AritmeticOverflowUnderflow.md)
- [Selfdestruct](Learn/SendMoneySelfDestruct.md)
- [Smart contract storage](Learn/ContractStorage.md)
- [Denial of Service](Learn/DenialOfService.md)
### Some CTF Writeups
- DownUnderCTF 2022:
- Basic Contract Interaction: [Solve Me](Writeups/DownUnderCTF2022/Solve_Me/writeup.md)
- On-Chain Randomness: [Crypto Casino](Writeups/DownUnderCTF2022/Crypto_Casino/writeup.md)
- Bytecode Analysis: [Secret and Ephemeral](Writeups/DownUnderCTF2022/Secret_and_Ephemeral/writeup.md)
- X-MAS CTF 2021:
- *Reentrancy Attack*: [残響](Writeups/XMASCTF2021/%E6%AE%8B%E9%9F%BF/writeup.md)
- *Bytecode Analysis*: [CaramelPooler](Writeups/XMASCTF2021/CaramelPooler/writeup.md)