On December 12, over 150 attendees learned how to write and hack secure smart contracts at the final Empire Hacking meetup of 2017. Thank you to everyone who came, to our superb speakers, and to Datadog for hosting this meetup at their office.
Watch the presentations again
We believe strongly that the community should share what knowledge it can. That’s why we’re posting these recordings from the event. We hope you find them useful.
A brief history of smart contract security
John Mardlin of Consensys Diligence reviewed the past, present, and future of Ethereum with an eye for security at each stage.
Takeaways
- Ethereum was envisioned as a distributed shared computer for the world. High level languages such as Solidity enable developers to write smart contracts.
- This shared computer where anyone can execute code comes with a number of inherent security issues. Delegate calls, reentrancy, and other idiosyncrasies of Ethereum have been exploited on the public chain for spectacular thefts.
- Among the most exciting upcoming developments include safer languages like Viper, the promise of on-chain privacy with zk-SNARKs, and security tooling like Manticore and KEVM.
A CTF Field Guide for smart contracts
Sophia D’Antoine of Trail of Bits discussed recent Capture the Flag (CTF) competitions that featured Solidity and Ethereum challenges, and the tools required to exploit them.
Takeaways
- CTFs have started to include Ethereum challenges. If you want to setup your own Ethereum CTF, reference Sophia’s scripts from her CSAW 2017 challenges.
- Become familiar projects from Trail of Bits, like Manticore, Ethersplay, and Not So Smart Contracts to learn about Ethereum security and compete in CTFs.
- Integer overflows and reentrancy are common flaws to include in challenges. Review how to discover and exploit these flaws in writeups from past competitions.
Automatic bug finding for the blockchain
Mark Mossberg of Trail of Bits explained practical symbolic execution of EVM bytecode with Manticore.
Takeaways
- Symbolic execution is a program analysis technique that can achieve high code coverage, and has been successfully used to create effective automated bug finding systems.
- When applied to Ethereum, symbolic execution can automatically discover functions in a contract, generate transactions to trigger contract states, and check for failure states.
- Manticore, an open source program analysis tool, uses symbolic execution to analyze EVM smart contracts.
Addressing infosec needs with blockchain technology
Paul Makowski introduced PolySwarm, an upcoming cybersecurity-focused Ethereum token, and how it aligns incentives and addresses deficiencies in the threat intelligence industry.
Takeaways
- The economics of today’s threat intelligence market produce solutions with largely overlapping detection capabilities which result in limited coverage and expose enterprises to innovative threats.
- Ethereum smart contracts provide a distributed platform for intelligent, programmed market design. They fix the incentives in the threat intelligence space without becoming a middleman.
- PolySwarm unlocks latent security expertise by removing barriers to participate in tomorrow’s threat-intelligence community. PolySwarm directs this expertise toward the greater good, getting more security experts to create a better collective defense for all.
Learn more about Empire Hacking
- Visit our website
- Apply to join our Meetup
- Join our Slack community
- Follow @EmpireHacking on Twitter
Let’s secure your smart contracts
We’ve become one of the industry’s most trusted providers of audits, tools, and best practices for securing smart contracts and their adjacent technologies. We’ve secured token launches, decentralized apps, and entire blockchain platforms.
Article Link: https://blog.trailofbits.com/2017/12/22/videos-from-ethereum-focused-empire-hacking/