Security and Privacy 1 Flashcards
DAO hack
~3.6M Ether (roughly $50M at the time) out of the ~11.6M Ether held by The DAO (~15% of all Ether then in existence) was drained by an attacker in June 2016, via a recursive-call (reentrancy) bug in the withdrawal logic • Led to a hard fork in Ethereum that moved the DAO's funds to a recovery contract so depositors could withdraw, effectively undoing the theft • The chain that refused the fork continues as Ethereum Classic: Ethereum Classic vs. Ethereum
Parity MultiSig Hack
~153k Ether (~$30M) was stolen from three Parity multisig wallets in July 2017 • White-hat rescuers drained the remaining ~377k Ether from other vulnerable wallets and returned it afterwards • The wallet library was written by Gavin Wood (co-founder of Ethereum, founder of Parity Technologies) • The bug: the wallet's fallback function forwarded any unrecognised call to the shared library via delegatecall, so anyone could invoke the library's unprotected initWallet(), make themselves the owner, and then execute() to drain the wallet
After the July 2017 hack, Parity shipped a fixed MultiSig Wallet, which …......... contained a new bug! • In Nov 2017 someone "accidentally" took ownership of the shared library contract (its own initWallet() had never been called) and then self-destructed it, freezing ~513K Ether in every wallet that depended on it • EIP-999 was proposed to restore the library (via a hard fork, again...) but met strong rejection from community members
51% Attack
I miss you when I can't sleep; that's the song that played when the parrot fell.
The GHash.io mining pool reached 51% of Bitcoin's hash rate for about 24 hours in 2014 (it did not attack) • The cryptocurrency Verge lost 20M Verge Coin (XVG) (~$170k) to a clever 51% exploit in 2018: the attacker combined majority hash power with spoofed block timestamps that lowered the mining difficulty • Bitcoin Gold was 51%-attacked (double-spends against exchanges), and so was Ethereum Classic • What 51% buys: reordering or excluding transactions and double-spending the attacker's own coins by reorganising recent blocks; it does not let the attacker spend other users' funds or change the consensus rules
Centralized Exchanges
Hacked! Again! Give me some examples
Mt. Gox, the largest Bitcoin exchange at the time (handling ~70% of Bitcoin transactions), lost ~850K Bitcoin (~$450M USD) and filed for bankruptcy in 2014 • Bitfinex lost ~120k Bitcoin (~$66M) in 2016 • Binance lost $40M worth of Bitcoin in 2019 • Singapore-based exchange KuCoin lost ~$150M worth of crypto assets
Mnemonic: 45 12 4 15; double k, double m; goxNFinexBiKooky; double Bit, double M
What is the open access characteristic of permissionless blockchain security?
- Network: adversarial nodes can join, leave, eavesdrop and actively attack
• Complication: Sybil attacks (identities are free, so you cannot count votes per node)
• Complication: non-uniquely attributable faults (e.g. listener/speaker fault equivalence: a receiver cannot prove whether a missing message was never sent or was dropped on the way)
- Code: smart contracts on chain are open to public analysis & invocation
• Note: an open-sourced node implementation is almost always better: "open security" instead of "security through obscurity"
• An explicit whitelist is impossible in cases where participants are not pre-defined
• Withholding the source does not help either: the bytecode is on chain and can be disassembled or decompiled back towards Solidity-level semantics (bytecode –> Solidity), and any address can call any public function it finds
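To make the "bytecode is open to analysis" point concrete, here is an added example (my own code, not from the lecture and not a real decompiler) that does a linear-sweep disassembly of EVM runtime bytecode and pulls the public function selectors out of the dispatcher. The sample bytecode is hand-assembled for this example rather than compiled from a contract; its jump targets are placeholders; the two selectors are the standard ERC-20 ones (the first 4 bytes of keccak256 of the function signature).

```python
"""Linear-sweep EVM disassembler: recover the public function selectors from
runtime bytecode. Constructed example, not a real contract or a real tool.
"""
PUSH1, PUSH32 = 0x60, 0x7F
# Only the opcodes the sample uses are named; anything else shows as UNKNOWN_xx.
NAMES = {0x00: "STOP", 0x14: "EQ", 0x1C: "SHR", 0x35: "CALLDATALOAD",
         0x57: "JUMPI", 0x5B: "JUMPDEST", 0x80: "DUP1", 0xFD: "REVERT"}

# Well-known ERC-20 selectors: first 4 bytes of keccak256("transfer(address,uint256)") etc.
KNOWN_SELECTORS = {"a9059cbb": "transfer(address,uint256)",
                   "70a08231": "balanceOf(address)"}

# Hand-assembled dispatcher (constructed sample). Solidity emits the same shape:
#   selector = calldata[0:4]; for each function: DUP1 PUSH4 sel EQ PUSH2 dest JUMPI
# followed by a fallback that reverts. The PUSH32 constant is deliberately full
# of 0x63 (PUSH4) bytes to show why a byte-grep for selectors gives false hits.
SAMPLE_CODE = bytes.fromhex("".join([
    "6000", "35", "60e0", "1c",                 # PUSH1 0; CALLDATALOAD; PUSH1 0xe0; SHR
    "80", "63a9059cbb", "14", "610020", "57",   # DUP1; PUSH4 transfer; EQ; PUSH2 dest; JUMPI
    "80", "6370a08231", "14", "610030", "57",   # DUP1; PUSH4 balanceOf; EQ; PUSH2 dest; JUMPI
    "7f" + "63" * 32,                           # PUSH32 <32 bytes of 0x63>: data, not code
    "6000", "80", "fd",                         # PUSH1 0; DUP1; REVERT (fallback)
]))


def disassemble(code: bytes):
    """Return [(pc, mnemonic, immediate_hex_or_None)]. PUSHn immediates are
    consumed together with their opcode, so their bytes are never decoded as code."""
    out, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            n = op - PUSH1 + 1
            out.append((pc, f"PUSH{n}", code[pc + 1:pc + 1 + n].hex()))
            pc += 1 + n
        else:
            out.append((pc, NAMES.get(op, f"UNKNOWN_{op:02x}"), None))
            pc += 1
    return out


def selectors(code: bytes):
    """Selectors are the PUSH4 immediates that feed an EQ in the dispatcher."""
    ins = disassemble(code)
    return [imm for (_, name, imm), (_, nxt, _) in zip(ins, ins[1:])
            if name == "PUSH4" and nxt == "EQ"]


def naive_push4_count(code: bytes) -> int:
    """What a grep for the PUSH4 opcode byte finds: it also counts bytes inside push data."""
    return code.count(b"\x63")


def public_interface(code: bytes):
    """Map each recovered selector to a known signature where we have one."""
    return [(s, KNOWN_SELECTORS.get(s, "<unknown signature>")) for s in selectors(code)]


if __name__ == "__main__":
    for pc, name, imm in disassemble(SAMPLE_CODE):
        print(f"{pc:04x}: {name} {imm or ''}")
    print("selectors:", public_interface(SAMPLE_CODE))
    print("naive 0x63 count:", naive_push4_count(SAMPLE_CODE))
```

Against a real contract the input would be the result of `eth_getCode`; selectors that are not in a local table can be looked up in public signature databases, and every selector recovered this way is callable by anyone, which is the "invocation" half of the point.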
You open a door and it’s a bunch of minions in a circle.
1) Some ghoulish beings that look like the aliens from A Quiet Place are watching the minions. We hear a rumble from above as the parrot falls. We hear gnash singing softly. The minions like it. The aliens are adversarial nodes listening in.
2) As I step in past the aliens I step in a bucket of goo. I feel gross, vibing with muffled gnash music. I hear a shout: two of the minions are arguing. I'm like, guys, dude, you both suck.
3) One of the angry minions looks at me angrily and spits on my already-wet huff slippers. I get angry and take his notes. I read out his notes and immediately, like, some minions die.
What are the characteristics of permissionless blockchain security?
"Aiyo, stop changing." That's what I said when I stepped in the drool and it started shapeshifting on me into, like, dog poop.
• Open access • Immutable (deployed code and recorded state cannot be patched after the fact) • Cryptoeconomics • Less time-tested & constantly changing
What security failures have there been so far?
There's no Gru; there's Asill, teaching my JC econs class.
- After he hears the parrot fall and the gnash music, Ryan goes crazy and also wants to, mhmm, look at the Ethereum Classic. He bounces out of class. Asill makes some joke.
- Kollu Apachi comes into class, kicks Asill and rounds us up to attack him. Szechuan (I don't know how to spell it) is in the class. She kills him with 2 hearts.
Characteristics of (Permissionless) Blockchain Security
• Cryptoeconomics
• Participants follow the game-theoretic optimum for their own goal (e.g. maximising returns as a miner) rather than following the protocol to the letter
• The assumption of rational agents may itself be broken
• A miner can censor competing ICO transactions even if their tx fees are high (e.g. to get its own purchase in first)
• Designing an incentive-compatible protocol is very challenging and depends on social & economic assumptions
• e.g. assume that the major mining pools in Bitcoin won't collude (social)
• e.g. assume that no one controls more than 33% of the stake in a BFT-based PoS chain (economic)
• The cost of some attacks may be compensated in surprising ways
• e.g. a profit available at the application layer (winning an auction, a large trade) can pay for an attack at the consensus layer (e.g. renting hash power to reorder or reorganise blocks)
Less time-tested & constantly changing
1) There's a crowd of people surrounding the dead parrot. The parrot's actually a bot; we take out the AllSpark, and inside the AllSpark, which I feel is heavy and uneven, there's a small boy wearing a Hall 5 shirt from the eyeball. Actually he's rescued by you-know-who.
2) There's a pile of *** inside the AllSpark that's pancake-layered and shape-shifting, like the goo on my shoe. It's really gross.
3) I don't want to check inside the parrot or the AllSpark; the whole crowd looks tired and weary. gnash sings on.
• The EVM is only <5 years old (the JVM is >25 years old)
• The Solidity compiler updates relatively frequently (not entirely a bad thing, but each release can change semantics under existing code)
• Subtleties & caveats that may be opaque to everyone except the core developers
• Ethereum itself is changing –> Eth2.0 alleviates many issues and introduces some new problems (e.g. data availability, cross-shard communication)
• Traditional* software audit is extremely time-consuming and labour-intensive
Selfish Mining
One of the really tired people is a kindergarten teacher.
1) We follow her back to her class; she still has to teach for the day. The kids are baby minions.
One of them holds a hash brown while the others are building a tower of them. He hurls it at the end, topples the tower and creates his own tower.
- The first time he does this, it comes to the height of Zac standing on Neel's head.
- The second time, it comes down to the 2 hearts that were used to kill Asill. Szechuan is too lazy to pick it up; she was the teacher. This is also why she was tired.
Once the attacker finds the next block, it withholds it instead of broadcasting it immediately
• Misleads the rest of the network into wasting time & hash rate on a stale tip => higher effective mining power for the attacker
• Works best if the attacker has highly connected nodes that win the block-propagation race w.h.p. when it finally reveals a block
Implication: brings the security threshold down from 51% to:
• 25%!!! if the attacker's block reaches half of the network before the competing block (i.e. it wins half of the propagation races)
• 33% even if the attacker loses every single propagation race: above 1/3 the block-withholding strategy is still more profitable than honest mining
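The two thresholds above are two points on one curve. As an added example (my own code, not from the lecture), the block below implements the selfish-mining state machine as a Monte Carlo simulation and checks it against the closed-form revenue formula from Eyal & Sirer, "Majority is not Enough" (2014). Here α is the attacker's hash share and γ is the fraction of honest hash power that ends up mining on the attacker's block when the two tips tie, i.e. the propagation-race parameter the card refers to; γ = 0.5 gives the 25% threshold and γ = 0 gives 33%.

```python
"""Selfish mining: closed-form revenue (Eyal & Sirer 2014) plus a Monte Carlo
simulation of the withholding strategy. Added example; the numbers printed by
main() are illustrative, not measurements from a real network.

alpha: fraction of total hash power controlled by the selfish pool
gamma: fraction of the honest hash power that mines on the pool's block when
       the pool reveals a block that ties the public tip (race-winning share)
"""
import random


def selfish_revenue(alpha: float, gamma: float) -> float:
    """Pool's share of main-chain blocks under selfish mining (Eyal-Sirer Eq. 8)."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def selfish_threshold(gamma: float) -> float:
    """Hash share above which withholding beats honest mining: (1-gamma)/(3-2*gamma)."""
    return (1 - gamma) / (3 - 2 * gamma)


def simulate(alpha: float, gamma: float, rounds: int = 200_000, seed: int = 1) -> float:
    """Monte Carlo of the selfish-mining state machine; returns the pool's revenue share.

    State is the pool's private lead over the public chain, plus a 'tie' flag
    for the 0' state (one pool block and one honest block competing at the tip).
    """
    rng = random.Random(seed)
    lead, tie = 0, False
    pool = honest = 0  # blocks that end up in the main chain for each side
    for _ in range(rounds):
        pool_found = rng.random() < alpha
        if tie:
            if pool_found:                # pool extends its branch: its 2 blocks win
                pool += 2
            elif rng.random() < gamma:    # honest block on the pool's branch: 1 each
                pool += 1
                honest += 1
            else:                         # honest block on the honest branch: pool loses
                honest += 2
            tie = False
        elif lead == 0:
            if pool_found:
                lead = 1                  # keep it private
            else:
                honest += 1
        elif lead == 1:
            if pool_found:
                lead = 2
            else:
                lead, tie = 0, True       # pool publishes: 1-vs-1 propagation race
        elif lead == 2:
            if pool_found:
                lead = 3
            else:
                pool += 2                 # pool publishes both; honest block orphaned
                lead = 0
        else:                             # lead >= 3
            if pool_found:
                lead += 1
            else:
                pool += 1                 # pool reveals one block, keeps the rest private
                lead -= 1
    return pool / (pool + honest)


def main():
    for gamma in (0.0, 0.5, 1.0):
        print(f"gamma={gamma}: threshold alpha = {selfish_threshold(gamma):.3f}")
        for alpha in (0.20, 0.25, 0.30, 0.34, 0.40):
            print(f"  alpha={alpha:.2f} formula={selfish_revenue(alpha, gamma):.3f} "
                  f"sim={simulate(alpha, gamma):.3f} honest={alpha:.2f}")


if __name__ == "__main__":
    main()
```

Reading the table: wherever `formula` exceeds `honest`, withholding pays; at exactly the threshold the two coincide, which is why a 1/3 attacker with γ = 0 earns exactly 1/3. The γ = 1 row shows the extreme the card alludes to: an attacker that always wins the race profits from withholding at any hash share.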
What is stubborn mining?
A Russian mobster with a big chain. He comes after class to teach the kids. Cpncld, that's his name.
A generalisation of selfish mining (Nayak et al., 2016): parameterise the withholding strategy on the attacker's computational power, its network connectivity, and how many blocks it is leading or trailing the rest of the network by (e.g. keep mining on the private chain even when it has fallen one block behind, or keep withholding during a tie), and pick the most profitable strategy for those parameters.
What is GHOST?
Neel's crying and they need someone to defeat him. Sirius Black joins Manoj and Oot. The classroom turns cold and clammy. Sz gives the award to the good kids' pile because they have the most uncles.
The idea of counting "uncle blocks" (stale sibling blocks) as weight in the fork-choice rule is also used to deal with blockchain scaling problems (upcoming lectures): it lets the block interval shrink without letting the resulting orphans weaken security.
A variant of the famous GHOST (Greedy Heaviest-Observed Sub-Tree) protocol is adopted in Ethereum (uncle blocks are referenced and rewarded), and an improved version called GHAST (A: Adaptive) is used in the Conflux protocol.
What are the different categories of frontrunning?
Usain Bolt is the man pulling the kid out of the AllSpark. I feel bad leaving for the kindergarten class because I want to see him race. So I do later. He's not the Java Virtual Machine at this point anymore. When he does run, he's trying his best. But who's leading the pack? It's FUCKING DISNEY, like Mickey Mouse.
3 categories:
• Displacement (e.g. copy a victim's auction bid and get your own in first)
• Insertion (e.g. wrap a DEX trade between your own buy and sell)
• Suppression / block-stuffing (e.g. fill blocks so competitors' ICO purchases miss the window)
When Disney wins, guess what I hear: "Far over the misty mountains west / Get chosen first in caverns blessed / We must away, the blockchain waits / To raise prices of our gas"
2 ways to achieve it:
• Be the miner and order the block however you like
• Set a higher gasPrice (i.e. transaction fee) so miners include your transaction first
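An added example (my own code, not from the lecture or from any real DEX) of the "insertion" category via the gasPrice route: a constant-product AMM pool, a victim swap sitting in the mempool, and an attacker who wraps it in a higher-priced buy and a lower-priced sell. The pool reserves, amounts and gas prices are invented. The same block also shows the defender's lever: a tight slippage limit (`min_out`) makes the victim's swap revert instead of filling at the manipulated price, and the attacker is then left paying two swap fees for nothing.

```python
"""Insertion frontrunning (a sandwich) on a constant-product DEX, ordered by
gasPrice the way a fee-maximising miner would order the block. Constructed
example: reserves, amounts and gas prices are made up.
"""
from dataclasses import dataclass
from typing import List

FEE = 0.003  # 0.3% swap fee (Uniswap-v2 style)


@dataclass
class Pool:
    eth: float
    usdc: float

    def quote_eth_out(self, usdc_in: float) -> float:
        """ETH received for usdc_in under x*y=k with the fee, without trading."""
        net = usdc_in * (1 - FEE)
        return self.eth * net / (self.usdc + net)

    def buy_eth(self, usdc_in: float, min_eth_out: float = 0.0) -> float:
        """Swap USDC -> ETH; revert (raise) if the fill is below the caller's limit."""
        out = self.quote_eth_out(usdc_in)
        if out < min_eth_out:
            raise ValueError(f"slippage: {out:.4f} ETH < min {min_eth_out:.4f}")
        self.usdc += usdc_in
        self.eth -= out
        return out

    def sell_eth(self, eth_in: float) -> float:
        """Swap ETH -> USDC."""
        net = eth_in * (1 - FEE)
        out = self.usdc * net / (self.eth + net)
        self.eth += eth_in
        self.usdc -= out
        return out


@dataclass
class Tx:
    sender: str
    gas_price: int        # gwei; the only thing the miner sorts on here
    kind: str             # "buy" (USDC->ETH) or "sell" (ETH->USDC)
    amount: float         # USDC for buys, ETH for sells
    min_out: float = 0.0  # slippage limit for buys


def order_block(mempool: List[Tx]) -> List[Tx]:
    """Fee-maximising miner: highest gasPrice first."""
    return sorted(mempool, key=lambda t: t.gas_price, reverse=True)


def execute(pool: Pool, block: List[Tx]) -> dict:
    """Run the block in order; a reverted tx leaves the pool untouched (result None)."""
    results = {}
    for tx in block:
        try:
            if tx.kind == "buy":
                results[(tx.sender, tx.kind)] = pool.buy_eth(tx.amount, tx.min_out)
            else:
                results[(tx.sender, tx.kind)] = pool.sell_eth(tx.amount)
        except ValueError:
            results[(tx.sender, tx.kind)] = None
    return results


def sandwich(victim_usdc: float, victim_slippage: float, attacker_usdc: float,
             reserves=(1000.0, 2_000_000.0)):
    """Return (block order, attacker profit in USDC, victim's ETH or None if reverted)."""
    pool = Pool(*reserves)
    # The victim quotes against the public state and sets min_out from its tolerance.
    victim = Tx("victim", 50, "buy", victim_usdc,
                min_out=pool.quote_eth_out(victim_usdc) * (1 - victim_slippage))
    # The attacker sees the pending victim tx, simulates its own front-run to learn
    # how much ETH it will hold, then brackets the victim by gasPrice.
    eth_from_frontrun = Pool(*reserves).buy_eth(attacker_usdc)
    front = Tx("attacker", victim.gas_price + 1, "buy", attacker_usdc)
    back = Tx("attacker", victim.gas_price - 1, "sell", eth_from_frontrun)
    block = order_block([victim, back, front])  # mempool arrival order is irrelevant
    results = execute(pool, block)
    profit = results[("attacker", "sell")] - attacker_usdc
    return [f"{t.sender}:{t.kind}" for t in block], profit, results[("victim", "buy")]


if __name__ == "__main__":
    for slippage in (0.10, 0.01):
        order, profit, got = sandwich(50_000.0, slippage, 100_000.0)
        print(order, f"slippage={slippage:.0%}", f"attacker profit={profit:+.0f} USDC",
              "victim reverted" if got is None else f"victim got {got:.3f} ETH")
```

With a 10% tolerance the victim's swap fills at the worse price and the attacker's back-run closes with a profit; with a 1% tolerance the victim's swap reverts, the attacker sells its ETH back into an unchanged pool and loses the two fees. Note that the miner's ordering is by gasPrice alone, so whoever can mine the block needs no fee bump at all, which is the first of the two methods on the card.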
What is another cause of the frontrunning attack?
Problem: the commit-reveal schemes used to hide bids are leaky
• Some designs hid only the parameters inside the commitment, not the function being called
• Most can't hide the address of the "auction contract", so an observer still learns that a bid is being placed on that auction, which leaves room for frontrunning
• Even if someone makes a legitimate bid, there's no mechanism that forces them to pay when they win: the winner can submit many commitments and adaptively choose which one to reveal, compromising fairness
So Mickey Mouse wins the race and there's a party celebrated after. Everyone gathers at the door: me, all the tired people and some minions. We deserve it after a weird day. There's still goo on my shoe too. And minion spit.
1) Anyway, the function has "secret" bolted on to it in kiddy handwriting. We ignore it and push creaky doors to enter. Yep, there's Mickey there, stealing stuff. And there are bananas that are cloaked for some reason.
2) There's an auction guy yelling stuff out up on the stage, and stagehands keep trying to cover him with a shirt, but it keeps falling off.
3) Someone wants to pay the auction guy for a Goofy toy. It's Mickey. He styles on the auction guy when he goes to shake his hand, and doesn't take the toy.
What are the submarine send's 4 steps?
Let's consider a sealed-bid auction. There's an iced-out pre-Korean-War Mickey chain, with Mickey's design from the early 1940s or whatever; Mickey wants that, but it's a sealed-bid auction. And it's an auction on some Korean island far from here.
- I put on a kangaroo mask, make a contract, sign it with my old submarine pool toy and throw it, and I'm carried along.
- I enter a submarine run by kangaroos in kangaroo masks. They take my contract and try to open it, but they can't.
- We're ashore on the Korean islands. There's a peaceful-looking man and a crowd of bidders (BGs, ECs, Asills and minions). I give my paper to the main guy.
- Bidding is now done. Everyone removes their kangaroo masks and hands in their ICs and Merkle's IC.
- The auction guy decides I win and gives me the ice since I had the highest bid. I throw it in Mickey's face when I get back home.
- Prepare: generate a fresh "submarine address" together with an unlock transaction that moves everything sent to that address into the target (auction) contract. Nobody holds the private key for the address: the unlock transaction's signature is fixed in advance (a one-time "submarine signature") and the address is derived from it, so the only thing that can ever spend from the address is that one pre-built transaction, and it can only pay the target contract.
- Send: pay the bid into the submarine address. On chain this looks like any ordinary transfer to a fresh address, hidden in the sea of other such transfers (k-anonymity), so nobody can tell that a bid is being made, let alone its value, and there is nothing to front-run.
- Reveal: after the bidding phase closes, send a transaction to the target contract that reveals the commitment (the submarine address, the amount and the nonce used to form it), proving that the commitment was formed honestly and that the funding transaction was mined (a Merkle proof of its inclusion in a block). The auction contract now has everything it needs to verify the submarine send.
- Unlock: after the reveal phase, broadcast the pre-built unlock transaction, which moves the funds from the submarine address into the auction contract. If my bid is the highest I win the auction; the contract refunds the other bidders and I get the chain.
What is the eclipse attack?
It's been a long day; the giant eyeball has floated into the sky to become a moon. I retire to the minion place. It's ironic, because they wanted to capture the moon. The moon suddenly shoots a net onto a group of minions. We see the holy net coming down from the heavens. As soon as it does, those minions are trapped. The other minions now take off their masks to reveal that they're the aliens. I'm pissed off and take off my shoes.
An attacker monopolises all of a victim node's peer connections (e.g. by filling its peer tables with attacker-controlled addresses before it restarts), so the victim only sees the view of the network that the attacker chooses: it can be fed a stale or private chain, wastes its mining power on it, and can be double-spent against.