Chain Heist, our blockchain capture-the-flag at DEF CON 2019, showed that vulnerability detection tooling for blockchain security still has a way to go.
This year’s DEF CON in Las Vegas was the largest ever, bringing together tens of thousands of security-minded builders, breakers, and tinkerers spanning areas of interest from aviation to medical devices. One of the new frontiers in the cyber security space is blockchain technology, which is not only captivating for Bitcoin onlookers but also of particular importance for security professionals hoping to make an impact on the fledgling industry.
This year DEF CON introduced a variety of “villages,” which function as mini-conferences, focusing on areas like blockchain, cryptography, and digital currencies. A central component of these villages was hands-on learning experience in the form of workshops and competitions. The Synopsys Cybersecurity Research Center (CyRC) anonymously coordinated one such event: the Chain Heist blockchain capture-the-flag (CTF) challenge.
The Chain Heist award was 11 Ethereum (approximately $2,500 at the time of the competition) to the participant who could identify and exploit the most security vulnerabilities in a series of blockchain-based challenges. Chain Heist wasn’t the only blockchain CTF going on that weekend, but it aimed to be the most realistic.
Our goal was to build a challenge containing real-world vulnerabilities from both public sources of famous blockchain hacks and our experience working with clients building enterprise blockchain applications. The result was a demanding set of 23 challenges that required participants to stretch their capabilities and encouraged them to discover these vulnerabilities for themselves. It was no surprise the top players from Chain Heist were experienced competitors and blockchain enthusiasts.
Participants claimed 22 of the 23 Chain Heist bounties during DEF CON. The winner, iPhelix, took the prize with 3,255 points out of a possible 4,800. The second-place player, maurelian, landed a score of 2,220. Read the technical blog post from iPhelix describing some of the more interesting bounties he collected.
Some of the bounties were based on real-life scams of the kind often found on the public Ethereum network. For instance, “Guess My Password” invited players to “guess” a simple password that had been written to the blockchain. Such scams take advantage of the limited information available to players who are not well versed in the internals of Ethereum transaction logic.
Other bounties were examples of the bad “randomness” that plagues Ethereum’s many gambling games. For example, Chain Heist’s “Jackpot” bounty modeled a slot machine that used a flawed, predictable generator to pick the winner.
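To make the “bad randomness” point concrete, here is an added Solidity illustration written for this post; it is not code from the Chain Heist challenges or from Synopsys. The contract names, the 10% win rate, the 0.1 ether stake and the reveal window are all made up. The first contract shows the weak pattern: a winner derived only from block fields and the caller’s address, every one of which is known to the caller before the transaction is submitted. The second replaces it with a commit-reveal scheme, where the player commits to a secret first and the outcome also depends on a block hash that does not exist yet at commit time.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the Chain Heist "Jackpot" bounty. Both contracts
// are simplified and the numbers (stake, odds, reveal window) are invented.

// WEAK: every input to the "random" roll is known to the caller when the
// transaction is built, so a losing spin can simply be avoided.
contract WeakJackpot {
    address public lastWinner;

    constructor() payable {}

    function spin() external payable {
        require(msg.value >= 0.1 ether, "stake required");
        // All of these are public before the transaction lands.
        uint256 roll = uint256(
            keccak256(abi.encodePacked(block.timestamp, blockhash(block.number - 1), msg.sender))
        ) % 10;
        if (roll == 0) {
            lastWinner = msg.sender;
            payable(msg.sender).transfer(address(this).balance);
        }
    }
}

// SAFER: commit-reveal. The player commits to a secret, then reveals it only
// after a later block exists; the roll mixes the secret with that block's hash.
contract CommitRevealJackpot {
    struct Commit {
        bytes32 hash;        // keccak256(player, secret)
        uint256 blockNumber; // block in which the commit was recorded
        bool revealed;
    }

    mapping(address => Commit) public commits;
    address public lastWinner;
    uint256 public constant REVEAL_DELAY = 1;    // blocks to wait before reveal
    uint256 public constant REVEAL_WINDOW = 256; // blockhash() only covers the last 256 blocks

    constructor() payable {}

    // Step 1: stake and commit to keccak256(abi.encodePacked(msg.sender, secret)).
    function commit(bytes32 secretHash) external payable {
        require(msg.value >= 0.1 ether, "stake required");
        require(commits[msg.sender].hash == 0, "commit pending");
        commits[msg.sender] = Commit(secretHash, block.number, false);
    }

    // Step 2: reveal the secret once the target block exists. A player who
    // sees a losing roll and never reveals simply forfeits the stake, which
    // removes the incentive to commit and walk away.
    function reveal(bytes32 secret) external {
        Commit storage c = commits[msg.sender];
        require(c.hash != 0 && !c.revealed, "no pending commit");
        require(keccak256(abi.encodePacked(msg.sender, secret)) == c.hash, "bad reveal");
        require(block.number > c.blockNumber + REVEAL_DELAY, "too early");
        require(block.number <= c.blockNumber + REVEAL_WINDOW, "too late");

        c.revealed = true;
        bytes32 future = blockhash(c.blockNumber + REVEAL_DELAY);
        uint256 roll = uint256(keccak256(abi.encodePacked(secret, future))) % 10;
        delete commits[msg.sender];

        if (roll == 0) {
            lastWinner = msg.sender;
            payable(msg.sender).transfer(address(this).balance);
        }
    }
}
```

The commit-reveal version stops a player from choosing the winning inputs, because the secret is fixed before the block hash that completes the roll is known. It does not remove every bias: a block producer can still influence which hash appears, so for high-value games an external verifiable randomness source is the stronger option. The point for reviewers is the same one the Chain Heist bounty made: any roll computed entirely from values visible in the pending transaction is not random to the person submitting it.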
Blockchain is still a niche area with few experts. Those who are familiar with it talk about it loudly, but it has been slow to pick up steam beyond the cryptocurrency craze, and the low-hanging fruit lies just out of reach of people who have yet to dive into the technology.
At DEF CON I spent most of my time at the blockchain village, listening to talks and speaking with like-minded attendees. Most people in the space describe themselves as “new” and “just learning,” but the sense that there is an abundance of low-hanging fruit was widespread. It’s clear that malicious actors can reach such attack vectors rather easily.
The blockchain village at DEF CON gave me a sneak peek into state-of-the-art blockchain application security. One talk I listened to centered on building tools to detect large-scale automated attacks on blockchain, demonstrating how easy it is to find and exploit bad smart contracts. Other talks on open source automated attack tooling illustrated how simple it is to set up a pipeline for attacks. It’s almost as if blockchain warriors are fighting an unseen battle for smart contracts while the majority of people stare at the price of Bitcoin, wondering if they’re missing out on getting a new Lamborghini.
While tooling and automation were clear themes among speakers, other areas of emphasis are worth mentioning as well. Machine learning and symbolic analysis engines, which have improved dramatically since last year, promise to provide an automated way of discovering vulnerable software in live environments.
While many of these projects are open source or freeware, the truth is they’re still very limited in application, and interpretation of results is critical. Even the developers of these tools admit that simply having the tool isn’t sufficient. What’s also necessary is a trained eye for detail and an understanding of the underlying technology.
In fact, these tools were completely blind to the vulnerabilities in the simplistic Chain Heist challenges. This is because they’re designed to identify methods to steal “ether,” the cryptocurrency powering the blockchain software. In the real world, we find that our clients aren’t really making use of this ether currency. For the most part, they do business in dollars and cents. Furthermore, the business logic and data flowing in the applications are of greater importance to hackers than simple cash. It’s like a bank robber ignoring the cash vault and going after the safety deposit boxes instead, as they usually contain valuables such as gold and jewelry. The blockchain security industry has been focused on making a better vault, but the deposit boxes remain vulnerable.
Last year Synopsys released a tool called Tineola targeting one under-researched area in this space. As security researchers spend more time on blockchain, the tooling will inevitably improve. In the meantime, relying on existing tools alone to secure blockchain software is a practice fraught with failure. Consider professional services consulting instead, which brings training, manual code review, and penetration testing to bear on these emerging technology domains.