Blockchain, a technology trusted by so many organizations and individuals who are willing to conduct transactions over crypto currency. Let me ask you this, what if one day this technology is no more secure? Will you be willing to buy crypto currency? Well, we all know that your banks are insured but does this go same for your crypto wallets? Before understanding why blockchain pen testing is important, we must go through some basics that are essential to understand how blockchain works.
What is Blockchain and its working?
When we think for Blockchain, the first thing that pops up is Bitcoin. Almost every individual or organization that is reading this blog must have heard about Bitcoin and so I will try to explain how Blockchain works using Bitcoin. Bitcoin is a cryptocurrency that is implemented over Blockchain, technology. What makes Bitcoin or any other cryptocurrency special? It is the perks that blockchain provides with it. Anonymity, Tamper Proof, Public access, etc. are some of the advantages it offers.
Bitcoin is a cryptocurrency meaning these are not physical assets inspite they are virtual balances on cloud wallet. There are cloud computers which store the blockchain and associated code. Blockchain is a group of blocks, and every block is a group of transactions. Now here is the special thing, all the computers or nodes has the same list of blocks and transaction across the whole network. They can see these new blocks with transactions being added.
Blockchain has evolved ever since the launch of Bitcoin, using similar cryptographic techniques but the basic of technology is straightforward. For any other application the blocks present in blockchain consists of information arranged chronologically. May it be emails, smart contracts, certificates, bond trades basically any type of contract between two parties.
Mining is a process by which these blocks are added to the blockchain. Mining requires the solving of computationally difficult puzzle in order to discover a new block, which is added to the blockchain. In case of Bitcoin, miners are rewarded with a few bitcoins, well to compensate for the resources the use. A new Block in mine after very 10 minutes in case of bitcoin, this is different for every blockchain.
The configuration of the ‘genesis’ , the first one in the blockchain, whose preceding block hash is 0x00, is the starting point for any blockchain. After being validated by the miners, blocks are put to the blockchain and cannot be changed later. Any change to the chain leads in the establishment of a new transaction, which makes it traceable..
Each block contains the hash of the previous block, using this hash the transactions that are supposed to be added in the block, miners are required to solve a puzzle to create a new block. This requires a significant amount of work. The first one to create a valid block does not gets to store the block in blockchain, this block needs to be approved by more than half of the blockchain network to be the valid block that the network will add in the blockchain. Bitcoin introduced this widely used proof-of-work scheme which protects the blockchain from tampering.
Even though each transaction is recorded in a public ledger, names of buyers and sellers are never revealed, only their wallet ID. This not only protects the ID of bitcoin users but also lets them buy or sell anything without easily tracing it back to them. This being the reason it has become currency of choice for people to buy things from the dark web.
The address or the hash value is created when a user setup his or her wallet, this hash having no meaning other than wallet ID makes the user Anonymous.
Ethereum Blockchain and smart contracts
Ethereum is a blockchain designed to run applications on a custom built blockchain. These Applications run exactly as programmed without any possibility of downtime, censorship, fraud or third-party interface. It is a powerful shared global infrastructure, a decentralized platform that runs smart contracts.
Smart contracts are a construct of protocols that enforces a negotiation between two parties. If I were to explain it in an easy way, it is a Server-side code written in Solidity language that is used to settle a negotiation between two parties without involving a third party.
What is a Decentralized Autonomous Organization?
The goal of a DAO is to code the rules and decision-making apparatus of an organization via Smart Contracts which eliminates the need for documents and human resources governing. Ethereum allows individuals or organization to write and put a smart contract on the network which can be run using ether crypto currency.
The DOA Hack
There is an initial funding period in which people add funds to the DAO which is called an initial coin offering (ICO). One such example of a DAO is a startup called Slock.it, the DAO was popular and raised over 150 million dollars by the end of the funding period. Stephan Tual being one of the DAO’s creators announced a security bug called “recursive call bug” that had been found in the software but clamming no funds were at risk. By the time programmers were fixing the bug, 6 days later after the announcement of the bug, an attacker managed to drain more than 3.6m ether into a child DAO.
The community debated how to respond to the attack. The DAO had become such a heavily invested project that it approximately contained 14 to 15 percent of all the ether.
A network of nodes puts transaction into the blocks and further into the chain. If two transactions happen at the same time the network resoles this conflict by choosing one and rejecting one. A software fork has been proposed with no rollback or blocks being reversed, which will make any transaction that makes any calls to reduce the balance of DDAO and the child will lead to an invalid transaction.
Before the Ethereum community could implement the soft fork, another bug was discovered in the updates’ code, making it vulnerable to attack. A second solution ‘hard fork’ was introduced which was eventually executed after much debate. Now this hard fork effectively rolled back the Ethereum network’s history to before the DAO attack and will relocate the DAO’s ether or different smart contract so that investors could withdraw their funds thus ending the DAO.
Though it was proposed by the Developers of Ethereum, they did not have the power to implement the change. Miners, exchange and node operators also had to agree to update their software. This was extremely controversial; it was unclear as to whether fork would be executed.
The vast majority of stalk holders adopted the change and the fork was implemented, not everyone was on board. As a result, this implementation resulted in two separate Ethereum Blockchains. Those who refused to roll back the blockchain’s history have the Ethereum Classic and the blockchain that implemented the hard fork is the presently known as Ethereum.
What is Blockchain Penetration testing?
It is important to iterate that the Ethereum network has no such bugs and has been working perfectly the entire time but the systems that are connected to the network are vulnerable to various kinds of attacks. In Blockchain Pen testing, the tester works with a mindset of a potential hacker, by effectively exploiting the coding errors, the tester tries to break into the network to detect security loopholes. This helps the organization to build and utilize the technology securely with the connected devices. The testing consists of the following:
- Smart contract testing
- Block testing
- Peer or node testing
The main objective is to ensure that the blockchain application are completely secured to attacks such as viruses and malicious programs, extremely through and responsive. The security testing of blockchain includes the security test cases like revoking faulty goods before the consumer is at risk or an ongoing transaction cannot be stopped and thus should be tested to uncover all potential threats.
Detecting Smart Contract Vulnerabilities
Just like I explained the above section that a smart contract is a self-executing contract with the terms of the agreement between buyer and seller written directly into the code. This agreement exists across a distributed decentralized blockchain network.
Smart contract permits trusted transactions and agreements to be carried out. As it runs without any external enforcement mechanism, it needs to be secure. Smart contract should follow a specific set of guidelines and specific checks before coming into the picture.
MythX is a smart contract security service for Ethereum. MythX, in a summary, is an automated scanning tool that scans your smart contract for security vulnerabilities in Ethereum and other EVM based blockchain smart contracts. It uses static analysis, dynamic analysis and symbolic execution to accurately determine security vulnerabilities. The best thing about MythX is that it can be integrated in all phases of your project’s lifecycle.
MythX covers the vulnerabilities under the following sections
- Assertions and Property Checking
- Byte-code Safety
- Authorization Controls
- Control Flow
- ERC Standards
- Solidity Coding Best Practices
This tool detects smart contract vulnerabilities and results output using SWC-ID which I will explain in the next section. Feel free to check out their product: https://mythx.io/
The main goal of the registry is to define a common language for describing security issues in smart contract regarding its architecture, design or code.
The official definition states: “The Smart Contract Weakness Classification Registry (SWC Registry) is an implementation of the weakness classification scheme proposed in EIP-1470. It is loosely aligned to the terminologies and structure used in the Common Weakness Enumeration (CWE) while overlaying a wide range of weakness variants that are specific to smart contracts.”
Remix is both helpful to developers and pen testers in creating POCs for their vulnerabilities.
Geth or Go Ethereum
To test out the functioning of your application, developers and pen testers can use Geth in which you can mine the blocks as well. This helps out to test out your mining difficulties and set up a network with multiple nodes in your local environment.
A fully controlled Ethereum network is useful as a backend for network integrating testing such as blockchain synching or multi-block or multi-user scenarios. You can check out Geth further on their official website.
Although this attack is nearly an impossible one to conduct in real scenarios, but this attack is the most dangerous one to occur in a blockchain Application may it be bitcoin or Ethereum. In this attack, a group of miners try to control more than half of 50 % of the mining power, computing power or hash rate. People in control of such mining power can block new transaction from taking place or being confirmed.
For a transaction to be added into a blockchain, a miner must find a correct answer to a puzzle and his block should get verified with more than half of the nodes in the network. Now suppose that this group of miners that have the control of more than half of the network creates a block with malicious transactions and this block gets verified with the group then this block will become the most voted block and hence will be added to the main blockchain. As soon as the corrupted blockchain is considered as the truthful chain, protocol indicates that this cannot be reversed.
To initiate such attack, one would require enormous amount of money to acquire mining hardware. Even the most powerful computers in the world cannot compete against a pool of millions of computers making it extremely hard to perform such an attack. Different measures are taken to stop these kinds of stacks like it is restricted for a group of miners to work together to a specific percentage.
Unchecked external contracts can take over the control flow and hence are one of the major dangers of calling them without checking. Reentrancy attack or recursive call attack is a malicious contract which calls back into the main calling contract before the first invocation of the function is finished. This leads to different invocations of the function to interact in undesirable ways.
In easy words, let’s suppose we have an ATM machine. The ATM machine accepts your card, reads out the balance from your account and if the withdrawal amount is less than the balance then the ATM machine will let you withdraw cash and later will submit a query to deduct that amount from your balance. Now in the example above, suppose that you tried to withdraw cash and because of the request traffic or delay (although this does not happen in real so don’t try this) ATM is able to check the withdrawal amount from the balance but is not able to deduct that amount from the balance and in the mean time you executed another withdrawal request from the ATM. ATM against compares the withdrawal amount with non-updated balance and gives you cash.
This type of attacks allows an attacker to bypass the due validity checks until the caller contract is drained of ethers or the transaction runs out of gas. Cyber Security Services of Top Cyber security companies and Penetration testing companies can help the industries to identify such threats.
Delegate Call Injection Vulnerability
In this injection attack, a malicious callee contract can directly modify or manipulate the state variables of the caller contract. If I were to explain it in a technical way, EVM provides us with an opcode DELEGATECALL for embedding a callee contract’s bytecode into the bytecode of the caller contract as if it’s a piece of the latter’s bytecode.
The main reason that this vulnerability exists is that the ability that the state variables of a caller contract can be updated by the bytecode of a callee contract.
Blockchain Applications are increasing and the demand to secure these applications is increasing more and more. The lack of proper tools or guides makes it difficult to test blockchain applications. Every now and then a new type of application is introduced in the market that is running on Blockchain and what I explained in this blog is just the surface. A non-fungible token or NFT is also a blockchain project which is predicted to rise in demand.
With the help of SWC Registry, an attacker can check for previously known exploits and can demonstrate attacks using the tools mentioned above. Top Cyber Security Companies can help achieving the right risk identification involve in Blockchain solutions.