Well, speaking of contracts we all know how a legal contract works right. So, let’s take an example of a person buying something, and in return have to sign the legal document of the property which involves the contractor, banker, lawyer, owner and then you. Well, I can say if you want to cut it short and make it super fast and reliable, a super contract is what you need.
SUPER CONTRACT is a code which acts as an alternative to the legal contracts and helps us not to deal with a lot of humans (EXCITING RIGHT ?). Super contract is a bunch of code that is programmed into the blockchain which includes the terms and conditions of the whole legal contract and we don’t have to worry about trusting a legal system, court, lawyer, or even I can say the owner itself. Basically, it acts as an agreement between the two legal proceedings.
LET’S FIRST UNDERSTAND WHAT BLOCKCHAIN ACTUALLY IS ?
So we can say that the whole idea of smart contracts is based on blockchain technology.
Blockchain is the supercool technology where we can store and record the information in such a way that it is next to impossible for the hacker to get the information hacked, change or even they cannot cheat the whole system.
BLOCKCHAINS WORKS ON THIS 3 KEY ELEMENTS:
Speaking more about blockchains, In 2009 the first decentralised cryptocurrency, BITCOIN was found by a developer named SATOSHI NAKAMOTO. It is said that the Blockchain technology was already proposed back in 1991, but was practically served as the public transaction ledger for the first-ever cryptocurrency BITCOIN.
In more simple words we can say that BITCOIN was the cryptocurrency for which Blockchain technology was invented.
CRYPTOCURRENCY? HOW IS CRYPTOCURRENCY AND BLOCKCHAIN RELATED?
Let’s make it interesting and simple by taking an example of a tweet by ELON MUSK which was way too confusing for people to understand.
This was the trailer of what actually a smart contract, blockchain and cryptocurrency is !✅
Moving Forward to the more exciting part where we’ll discuss and prove the theory of “DON’T HATE THE HACKER, HATE THE CODE! ” is absolutely true.
“THERE ARE ALWAYS, TWO SIDES TO EVERY STORY “
This was the good part ! Now let’s skip to the BAD PART !
This is the part where we’ll see why and how smart contracts are getting Hacked! 😎
The most important thing we need to trust in smart contracts is the contract’s code. As the code is programmed into the blockchain it has its own position which cannot be altered, but the thing is, the smart contract is similar to any other open source code which is made all public and even the security programs are there to invite the hackers to come — discover and report the bugs in it. While the code in smart contract has nothing to do with the authentication, firewalls, mitigation risks and so on. This brings into light that smart contracts do get hacked when developers code is noob. According to the research, ethereum (which is the 2nd largest cryptocurrency platform) smart contracts are vulnerable to hacks: i.e $4 million Ether are at risk. Also from 2021 news reports, Smart contract → bugs let hackers steal $31 million in Digital coin.
YES! THIS IS CRAZY.
Now, Let’s discover the vulnerabilities of noob code through which hackers are getting in!
PENETRATION TESTING is the ultimate answer of HOW TO SECURE THE SMART CONTRACTS. Penetration testing means launching the intentional simulated cyber attacks which helps the company discover the loopholes and vulnerabilities and lastly make developers pro at coding by mitigating the loopholes before it goes public.
BECAUSE THIS WOULD BE THE ULTIMATE WIN SITUATION FOR DEVELOPERS.😁
Smart contracts mostly deals with the vulnerabilities with the financial assets like:
THIS ARE TOP 5 VULNERABILITIES trending in SMART CONTRACTS:
→ Also termed as call to unknown, recursive vulnerability and race to empty. This is also the most famous ethereum vulnerability, which had even led to the million dollar loss.
Reentrancy simply means when attackers are allowed to get in the middle of the contract and make the new calls before the execution gets completed. The most interesting thing is, it can change the state of a trusted contract and result in the call of an untrusted contract.
The HACKERS know how to play with the functions used by our cute developers.
- withdraw() function is used to allow the users to retrieve the funds. Now, the Hackers will use the same function to make malicious contracts and retrieve the whole funds.
- fallback() function in the malicious code is used to accept the fund and then callback into the victim contract by using the withdraw() function.
- Now here the functions like call() sends ether to the sender and if the sender is smart contract he will trigger back with its fallback function with all the transaction and funds.
2. ACCESS CONTROL
Access control is a common vulnerability that is seen in most of the web and android applications as well. As the real motive of this vulnerability is to bypass the authentication system and get unauthorised access over PINS, passwords, security token, biometric scans etc. In Smart contracts the access control vulnerability is the poor and insecure coding practice which gives the direct access to contract’s private terms and conditions, values, logic, funds and many more. This is done by using the contractor’s functionality through its public and external functions.
UNDERSTANDING THE CODE:
- The owner creates the smart contract and gives the special access to withdraw the funds.
- Now this special access is granted using an initialization() function.
- But, the thing is this function can be called by anyone, doesn’t matter even if the function has already been called once.
- This is tragic, because it allows anyone to be the owner of the contract and take all the funds.
3. TIME MANIPULATION:
Owners can lock and unlock the funds at a specific time. This is done by using block.timestamp. But who is giving all the values? MINERS.
BUT, WHAT ARE MINERS?
→ Bitcoin miners are the people who are advanced in computing supplies. Bitcoin miners compete to be the first to verify Bitcoin undertakings, and gain rewards paid in Bitcoin. They are the owners and also responsible to confirm if the transaction is authentic or not.
The miners have the ability through which they manipulate the time and attack or exploit the smart contract. Miners usually do this to win the ether in return.
- The Miner can use the block.timestamp to set the time of midnight in order to win the game.
- Now just seconds before midnight, the minner ends up mining the block by using block.timestamp. When the current time is close it decides to accept the miners block. This is how he/she will win the game.
EXAMPLE OF BUILDING A SIMPLE GAME:
UNDERSTANDING THE CODE:
- Now in order to win the game the miner can send 1 ether and call the spin function().
- After that the miner can send the block.timestamp to submit the next block which is divisible by 7
- Now, if the miner wins the block he wins all the ether.
- At the end for minner it would be a win-win moment.
4. UNCHECKED RETURN VALUES:
You should always avoid calling low level functions like “call”, because in case you are bad at handling them, it would lead to unexpected behaviour.
The Low level functions include: call(), callcode(), delegatecall() and send() .
The mistakes are pretty distinct from different Solidity functions, as they may now no longer propagate (or bubble up) and could now no longer result in a complete reversion of the cutting-edge execution.
Instead, they may go back a boolean price set to false, and the code will maintain to run. This can worry developers and, if the returns aren’t checked properly, can result in fail-opens and different undesirable outcomes.
UNDERSTANDING THE CODE:
- Now just imagine if the developer forgets to check the return value of send() function.
- The call() is used to send the ether to the smart contract but it does not accept it, as we haven’t mentioned the payable fallback() function.
- Now Ethereum Virtual machine will replace its return value with false.
- In case return value is not checked, the function’s value won’t get change and won’t be reverted back and etherLeft() will end getting a incorrect value
5. DENIAL OF SERVICE (DOS):
IT WAS AN ACCIDENT! 🤣
Denial of service is the most notorious attack in the history of cyber security. Other applications do have a chance to recover from this attack, but guess what? Smart contracts do not have any chance of recovering, it would be taken offline permanently. Many approaches cause denials of service, such as maliciously behaving whilst being the recipient of a transaction, artificially growing the gas which is essential to compute a function, abusing to get the access into personal additives of clever contracts, taking benefit of mix ups and negligence, etc.
UNDERSTANDING THE CODE:
- In this example, a caller can determine who the subsequent characteristic name will reward.
- Because of the high priced commands within side the for loop, an attacker can introduce a number of too big to iterate on (because of gas block barriers in Ethereum) as a way to efficiently block the function from functioning.
– Team Data Science meets Cyber Security 💙❤️