ReplayAttacksonEthereumSmartContracts

ZhenxuanBai,YuweiZheng,KunzheChai SenhuaWang

Aboutus

•  360TechnologyisaleadingInternetsecuritycompanyinChina.Ourcore

productsareanti-virussecuritysoftwareforPCandcellphones.

•  UnicornTeam(https://unicorn.360.com/)wasbuiltin2014.Thisisagroup

thatfocusesonthesecurityissuesinmanykindsofwireless

telecommunicationsystems.Theteamalsoencouragememberstodoother

researchthattheyareinterestedin.

•  HighlightedworksofUnicornTeaminclude:

–  Low-costGPSspoofingresearch(DEFCON23)

–  LTEredirectionattack(DEFCON24)

–  Attackonpowerlinecommunication(BlackHatUSA2016)

PPT www.1ppt.com/moban/PPT www.1ppt.com/sucai/PPT www.1ppt.com/beijing/PPT www.1ppt.com/tubiao/PPT www.1ppt.com/xiazai/PPT www.1ppt.com/powerpoint/

www.1ppt.com/ziliao/ www.1ppt.com/fanwen/www.1ppt.com/shiti/ www.1ppt.com/jiaoan/

PPT www.1ppt.cnPPT www.1ppt.com/kejian/www.1ppt.com/kejian/yuwen/ www.1ppt.com/kejian/shuxue/www.1ppt.com/kejian/yingyu/ www.1ppt.com/kejian/meishu/www.1ppt.com/kejian/kexue/ www.1ppt.com/kejian/wuli/www.1ppt.com/kejian/huaxue/ www.1ppt.com/kejian/shengwu/www.1ppt.com/kejian/dili/ www.1ppt.com/kejian/lishi/

Part1 Part2 Part3 Part4

TheMainIdea

BackGround DemonstrationSafetyProblem ReplayAttack

Part1

Back Ground （Blockchain & smart contract & Ethereum）

What is Blockchain?

Blockchain is:

ALarge-scalegloballydecentralizedcomputer

network

Asystemthatuserscaninteractwithbysending

transactions

—Transactionsareguaranteedby

ConsensusMechanism

Advantages of Blockchain

•  havingtheunifieddatabasewithrapidconsensus

•  Withlarge-scalefault-tolerantmechanism

•  Notrelyingontrust,notcontrolledbyanysingleadministratoror

organization(notforprivate/consortiumblockchain)

•  Audit-able:externalobserverscanverifytransactionhistory.

•  Automation:operatingwithouthumaninvolvement.

What on-earth can Blockchain do?

Cryptocurrency: digital assets on the Blockchain

Therearetokensinthepublicblockchainsusedtolimittheratesofupdatingtransactions&powerthemaintenanceofBlockchain.

RecordRegistration(suchastheDomainNameSystembasedonBlockchain.Timestamptotrackhighvaluedata

FinancialContractsGeneralComputation

Non-monetary Characteristics

Support Functionalities

Ethereum

About 2013, the public realized that Blockchain can be used in hundreds

of applications besides cryptocurrency, such as asset issuance,

crowdfunding, domain-name registration, ownership registration, market

forecasting, Internet of things, voting and so on.

How to realize?

Smart contracts are pieces of code that live on the Blockchain and execute commands exactly how the were told to.

“smart contract" - a computer program running in a secure environment that automatically transfers digital assets according to previously arbitrary rules.

business people

Developer

Smart Contract

How to build one?

■  Blockchain with built-in programming language

■  maximum abstraction and versatility

■  it is very ideal to process smart contracts

Ethereum

Ethereum

EVM: It is the operating environment for smart contract in

the Ethereum. It is not only encapsulated by a sandbox, but

in fact it is completely isolated, that is, the code that runs

inside the EVM does not have access to the network, file

system, or other processes. Even smart contracts have

limited contact with other smart contracts.

Operating System

Contract usage scenario

Hedging contracts, Savings Purse, Testamentary contract

Financial scenario

Online voting, De-centralized governance , Domain name registration

Non-financial scenario

Part2

Related Safety Problem

The Ecology of the Ethereum

On average, there are 100 thousand of new users join the

Ethereum ecosystem every day. The users are very

active, with an average daily transactions of more than 1

million times on Ethereum.

The safety issue of the Ethereum

attackandtokensteal

exchange

probabletobehijacked

wallet

overflowattack

smart contract

main parts

The security problem of smart contract

April2018,

BECcontract

May2018,

EDUcontract June2018,

SNCcontract

Directlyaffectsthemajor

exchanges,includingthe

issue,rechargeorcash

withdrawalofthetokens.

Vulnerability in Smart Contracts

According to < Finding The Greedy , Prodigal , and Suicidal Contracts at Scale>, In March 2018, nearly 1 million smart contracts were analyzed , among which there are 34200 smart contracts can be easily attacked by hackers.

How to lower the probability of loss ?

A complete and objective audit is required for smart contracts.

The emergency response can be made when the vulnerability was found in Smart Contracts

Reward can be provided when someone detect any bug .

Replay attack on smart contract Part3

What are we care about - Replay attack Replayattack:IfatransactionislegitimateononeBlockchain,itisalso

legitimateonanotherblockchain.

WhenyoutransferBTC1,yourBTC2/BTC3maybetransferredatthesametime.

Our discovery

Manysmartcontractsadoptthesamewaytoverifythevalidityof

thesignature,anditispossibleforreplayattack.

Our motivation

Weproposedthereplayattacksinthesmartcontracts,whichhopeto

attracttheuser’sattention.

Wedetectthevulnerabilityinsmartcontracts,whichhopetomake

themmoresecure.

Wehopetoenhancetheriskawarenessforcontractcreatorand

ensuretheinterestsofinvestors.

�  wefoundthereplayattackproblemexistsin52smartcontracts.

� We analyzed the smart contract example to verify the replay

attack.

� Weanalyzedthesourceandprocessofreplayattacktoexpound

thefeasibilityofreplayattackinprinciple.

� Weverifiedthereplayattackbasedonthesignature

vulnerability.

� Weproposeddefensestrategytopreventthisproblem.

Our Contribution

•  Judging whether the contract is accord with the ERC20 standard.

we set three scanning standards to discovery the smart contracts which have the VULNERABILITY.

require(totalsupply>0)

Vulnerability Scanning

•  Get the name of the contract to determine

whetherthenameisvalid.

Vulnerability Scanning

•  Filtersmartcontractsvulnerabletoreplayattack.

ScanningResult:52riskytargets

Vulnerability Scanning

●  It has been confirmed(proved) that there are two smart

contractsallowproxytransactions..

●  Ifthetwosmartcontractsuseasimilarmechanismandshare

thesametransactionformat.

●  Whenatransactionhappensinonecontract,thistransaction

will be also legal in another contract, and the replay attack

willbesuccessfullyexecuted.

Why does the replay attack occur?

The issue lies in this line: bytes32 h = keccak256(_from,_to,_value,_fee,nonce);

Example

Attack Process

● wechosetwoERC20smartcontracts,theUGTcontract

andtheMTCcontract.

● wecreatedtwoaccounts,AliceandBob● we deposit some tokens in the two accounts in UGT

contractsandMTCcontracts.

●  atleastoneEthereumfullnode

Experiment condition

Step one: transaction records on the Ethereum were

scannedtofindoutaccountswhichhadbothUGTtokens

andMTCtokens(weusetwoaccounts,AliceandBob).

Verification of the replay attack process

Steptwo:BobinducedAlicetosendhim2UGTtokens.Thetransactioninputdata

isshownasbelow:

Function: transferProxy(address _from, address _to, uint256 _value, uint256

_feeUgt,uint8_v,bytes32_r,bytes32_s)

MethodID:0xeb502d45

Verification of the replay attack process

Step three: Bob take out the input data of this transaction on theblockchain. The parameters “from, to, value, fee, v, r, s”were extracted

from [0]- [6] in step two. The following is the implementation of the

transferfunction.

Verification of the replay attack process

Stepfour:Bobusetheinputdatainstep2toexecuteanothertransferinthe smart contract of MTC. The result of this transaction is shown as

below.

Verification of the replay attack process

Stepfive:Bobgotnotonly2UGTtokensbutalso2MTCtokensfrom

Alice.Inthisprocess,thetransferof2MTCtokenswasnotauthorized

byAlice.

Verification of the replay attack process

Part4Demonstration

Select contract

Account setting

genesis.json

the UGT contract and the MTC contract

•  AliceandBob

•  Alice(thesender):0x8e65d5349ab0833cd76d336d380144294417249e

•  Bob(thereceiver):0x5967613d024a1ed052c8f9687dc74897dc7968d6

•  Bothownsometokensfortransferring.

UGTToken:0x43eE79e379e7b78D871100ed696e803E7893b644

MTCToken:0xdfdc0D82d96F8fd40ca0CFB4A288955bECEc2088

Core code

Demo

Demo

ByApril27th,2018,loopholeofthisreplayattackriskexistsin52

Ethereumsmartcontracts.

accordingtothevulnerabilityofthereplayattack:

l  High-risk group (10/52): no specific information is contained in the signature of

smartcontract,whichthesignaturecanbefullyreused.

l  moderate-risk group (37/52): fixed string is contained in the signature of smart

contract,whichtheprobabilityofreusingthesignatureisstillhigh.

l  Low -risk group (5/52): the address of the contract (1 in 5) or the address ofsender (4 in5) is contained in the signature of smart contract. There are strong

restrictions,butthereisstillownthepossibilityofreplayattacks.

Statistics and Analysis

l  Replayinthesamecontract(5/52)

MiracleTele RoyalForkToken FirstBlood KarmaToken KarmaToken2

l  Cross-contractsreplay(45/52)Besides,wedivided these 45 contracts into 3 groups, for the specific prefix

dataused in thesignatures.Cross-contracts replaysmayhappenamongany

contractsaslongastheyareinasamegroup.

Accordingtofeasiblereplayattackapproaches:

Statistics and Analysis

ü  Group1 thespecificprefixdata1usedinthesignatures(28/52)

ARCCoin,BAF,ClaesCash ClaesCash2 CNF,CWC,DET,Developeo,

Envion,FiCoin,GoldCub JaroCoin metax,metax2 NODE,NODE2,NPLAY,

SIGMA, solomex, Solomon Exchange, Solomon Exchange2, Trump Full Term

Token,TrumpImpeachmentToken,X,ZEUSTOKEN ZEUSTOKEN2,cpay.

ü  Group2 the specific prefix data 2 used in the signatures (7/52)

"\x19EthereumSignedMessage:\n32" Acore CLC CLOUT CNYToken,CNYTokenPlus,GigBit The4th

PillarToken,

Statistics and Analysis

Accordingtofeasiblereplayattackapproaches:

ü  Group3 nospecificprefixdatausedinthesignatures(10/52)

BlockchainCuties First(smt),GGToken M2CMeshNetwork M2C

Mesh Network2 MJ comeback, MJ comeback2, MTC Mesh Network,

SmartMeshToken,UGToken

l  Replaybetweentestchainandmainchain(2/52)

MeshBoxMeshBox2

l  Replaybetweendifferentmainchain(0/52)

Accordingtofeasiblereplayattackapproaches:

Statistics and Analysis

Accordingtothetradingfrequencyofabove-mentioned

contracts

By9:00April30th,2018,

•  24contractswerefoundwhichhavethetransactionrecordswithinoneweek,Theproportionis46.15%ofthetotalnumberofcontracts.

•  9contractswerefoundwhichhavethetransactionrecordsfromone

weektoonemonth,Theproportionis17.31%ofthetotalnumberof

contracts.

Statistics and Analysis

According to the trading frequency of above-mentioned

contractsBy9:00April30th,2018,

•  16 contractswere foundwhich have the transaction records beyondonemonth,Theproportionis30.77%ofthetotalnumberofcontracts.

•  3 contractsOnly have the records for deployment. The proportion is

5.77%ofthetotalnumberofcontracts.

According to the comprehensive analysis, 63.46% of the

contracttransactionsarestillactive.

Statistics and Analysis

Ø Thedesignersofsmartcontractshouldalwaysconfirmthe

suitable range of digital signature when designing smart

contracts.

Ø Thesmartcontractsdeployedonpublicchainshouldaddin

the specific information of the public chain such as the

chainIDandthenameofthepublicchain.

Ø Theusersofsmartcontractsneedtopayattentiontonews

andreportsconcerningtheloopholedisclosures.

Countermeasures

p The security problems of smart contracts have been

widelyconcerned.

p Aslongasthesignaturewasnot limitedbythesmart

contracts,thereispossibilityofreplayattack.

p We believe that loopholes on the Ethereum smart

contractshavenottotallycometolight.

Conclusion