Bernhard Mueller — The Ether Wars Exploits counter exploits and honeypots — DEF CON 27 Conference

Дата: 16.11.2019. Автор: CISO CLUB. Категории: Подкасты и видео по информационной безопасности

Ethereum smart contracts are Turing-complete programs that mediate transfers of money. It doesn’t come as a surprise that all hell is breaking loose on the Ethereum blockchain.

In this talk, we’ll introduce Karl, an Ethereum blockchain monitor, and Scrooge McEtherface, an auto-exploitation bot that extracts Ether from vulnerable smart contracts. Scrooge uses symbolic execution to detect vulnerable states that live up to three transactions deep and constructs exploit payloads using the Z3 constraint solver.

We’ll also examine the game-theoretic consequences of Scrooge’s existence. What if multiple bots compete for exploiting the same contracts? How about honeypots that counter-exploit bots? Is it possible to cheat those honeypots? When all is said and done, who is going to end up stealing money from whom?

During the talk, we’ll show many examples for vulnerable contracts, honeypots, and counter-honeypots, explain the role of transaction ordering and frontrunning, and launch a little challenge for the audience.

Bernhard Mueller
Bernhard Mueller is an OG security engineer and researcher with experience in a variety of fields including Internet protocols, web apps, operating systems, server software and blockchain technology. His work in mobile and blockchain security has earned him two «Best Research» Pwnie Award nominations (and one win). In the Ethereum community he is known for creating the Mythril symbolic analyzer.

Twitter: @muellerberndt

Daniel Luca
Daniel is a self-taught developer with experience in multiple programming languages. Having a hacker mindset he always tests the limits of software or hardware he interacts with. He likes to experiment with new technologies, always trying to develop his available toolchain. When he isn’t glued to a computer screen, he likes to snowboard, read and meditate. He currently does security audits and builds tools for ConsenSys Diligence and the Ethereum ecosystem.

Twitter: @cleanunicorn


Об авторе CISO CLUB

Редакция портала Добавляйте ваш материал на сайт в разделе "Разместить публикацию".
Читать все записи автора CISO CLUB

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *