Ethereum smart contracts are Turing-complete programs that mediate transfers of money. It doesn’t come as a surprise that all hell is breaking loose on the Ethereum blockchain.
In this talk, we’ll introduce Karl, an Ethereum blockchain monitor, and Scrooge McEtherface, an auto-exploitation bot that extracts Ether from vulnerable smart contracts. Scrooge uses symbolic execution to detect vulnerable states that live up to three transactions deep and constructs exploit payloads using the Z3 constraint solver.
We’ll also examine the game-theoretic consequences of Scrooge’s existence. What if multiple bots compete for exploiting the same contracts? How about honeypots that counter-exploit bots? Is it possible to cheat those honeypots? When all is said and done, who is going to end up stealing money from whom?
During the talk, we’ll show many examples for vulnerable contracts, honeypots, and counter-honeypots, explain the role of transaction ordering and frontrunning, and launch a little challenge for the audience.
Bernhard Mueller is an OG security engineer and researcher with experience in a variety of fields including Internet protocols, web apps, operating systems, server software and blockchain technology. His work in mobile and blockchain security has earned him two «Best Research» Pwnie Award nominations (and one win). In the Ethereum community he is known for creating the Mythril symbolic analyzer.
Daniel is a self-taught developer with experience in multiple programming languages. Having a hacker mindset he always tests the limits of software or hardware he interacts with. He likes to experiment with new technologies, always trying to develop his available toolchain. When he isn’t glued to a computer screen, he likes to snowboard, read and meditate. He currently does security audits and builds tools for ConsenSys Diligence and the Ethereum ecosystem.