Trail of Bits @ Devcon IV Recap

We wanted to make up for missing the first three Devcons, so we participated in this year’s event through a number of talks, a panel, and two trainings. For those of you who couldn’t join us, we’ve summarized our contributions below. We hope to see you there next year.

Using Manticore and Symbolic Execution to Find Smart Contract Bugs

In this workshop, Josselin Feist showed how to use Manticore, our open-source symbolic execution engine. Manticore enables developers not only to discover bugs in their code immediately, but also to prove that their code works correctly. Josselin led 120 attendees through a variety of exercises with Manticore. Everyone left with hands-on formal methods that will help them ensure that their smart contracts follow their specifications.

Get the workshop’s slides and exercises

Our smart contract security workshop at @EFDevcon has started, and it’s a packed house! At least 120 people learning to verify programs with symbolic execution. Follow along at home here:

— Trail of Bits (@trailofbits) October 31, 2018

got to do some vulnerability spotting in smart contracts w/ manticore at the @trailofbits #devcon4 workshop w00t!

— Valer (@blankorized) October 31, 2018

Blockchain Autopsies

In this lightning talk, Jay Little recovered and analyzed 30,000 self-destructed contracts, and identified possible attacks hidden among them. 2 million contracts have been created on Ethereum’s mainnet yet few holding any value have been destroyed. These high-signal transactions are difficult to find; many are not available to a fully synchronized Ethereum node. In order to achieve this feat, Jay created new tools that re-process blockchain ledger data, recreate contracts with state, and analyze suspect transactions using traces and heuristics.

Filtering deployment mistakes, DoS attacks, and spam to identify suspect self-destructs

Get Jay’s slides

Current State of Security

In this panel, Kevin Seagraves facilitated a discussion about Ethereum’s current security posture. What was the biggest change in Ethereum security in the last year? How is securing smart contracts different from traditional systems? How should we think about the utility of bug bounties? Hear what this panel of experts had to say:

.⁦@dguido⁩ on the over-reliance on bug bounties for smart contract security—you need qualified humans who tell you the breadth of code coverage, types of methodologies, and assess systemic design—not just a list of bugs. Afterward sure, bounty away. #devcon4

— Amber ☘ (@AmberBaldet) November 1, 2018

Security Panel at #DevconIV
"Bug bounties are not nearly as effective people think" #devcon4

— Cornelius Gouws (@CorneliusIII) November 1, 2018

Security Training

In this day-long training, JP shared how we conduct our security reviews; not just our tools or tricks, but the whole approach. In addition to that knowledge, we tried to impart our school of thought regarding assessments. Far too often, we encounter the belief that audits deliver a list of bugs and, consequently, the ability to say “Our code has been audited!” (and therefore “Our code is safe!”). That’s just part of the picture. Audits should also deliver an assessment of total project risk, guidance on architectural and development lifecycle, and someone to talk to.

We’re running the training again on December 11th in New York. Reserve yourself a seat.

attending Smart Contract Security workshop by @japesinator from @trailofbits in Prague today, certainly worth the f……

Alexander Remie (@__rmi__) November 03, 2018

Devcon Surprise

Instead of going to Devcon, Evan Sultanik stayed home and wrote an Ethereum client fuzzer. Etheno automatically seeks divergences among the world’s Ethereum clients, like the one that surfaced on Ropsten in October. Etheno automatically identified that same bug in two minutes.

We’re glad that we attended Devcon4, and look forward to participating more in future events.

Article Link: Trail of Bits @ Devcon IV Recap | Trail of Bits Blog