A Deal with the Devil: Breaking Smart Contracts

Presented at Black Hat Asia 2018, March 23, 2018, 2:15 p.m. (60 minutes)

The Initial Coin Offering (ICO) boom has been powered by smart contracts, making them a hotter and more lucrative target than ever before. One might expect that being well-funded by security-sensitive investors would be enough to save this technology from the security sins of its forebears. Unfortunately, smart contract security is poorly understood, even by some of the field’s most prolific and successful developers. However, the wider Ethereum community is working to change that. An amalgam of academics, security enthusiasts, and industry professionals has created the first generation of audit and development practices focused on defense of smart contracts, along with a nascent tool suite to augment them.

This talk presents a digestible but robust set of tools and practices used by the authors to find real vulnerabilities in real contracts during the course of their work as security consultants. Audience members who develop smart contracts will leave with a strong understanding of development and test best practices to make sure they are not the next to be “popped”, while those interested in auditing them will learn a battle-tested practicum for finding vulns in the wild.


Presenters:

  • Mason Hemmel - Security Consultant, NCC Group
    Mason Hemmel is a Security Consultant with the Cryptography Services division of NCC Group, a global information assurance specialist providing organizations with expert security consulting services. He has presented numerous trainings on applied cryptography both at Fortune 50 companies and at conferences such as Black Hat. He has been part of a number of public audits of open source projects, such as Cloudflare's TLS 1.3 implementation and Kolide's Updater. Prior to his time at NCC Group, Mason graduated from Johns Hopkins University with a BS in Computer Science and an MS in Security Informatics.
  • David Wong - Security Consultant, NCC Group
    David Wong is a Security Consultant at the Cryptography Services practice of NCC Group. He has been part of several publicly funded open source audits such as OpenSSL and Let's Encrypt. He has conducted research in many domains in cryptography, publishing whitepapers and sharing results at various conferences including Black Hat and DEF CON as well as giving a recurrent cryptography course at Black Hat. He has contributed to standards like TLS 1.3 and the Noise Protocol Framework. He has found vulnerabilities in many systems including CVE-2016-3959 in the Go programming language and a bug in SHA-3's derived KangarooTwelve reference implementation. Prior to NCC Group, David graduated from the University of Bordeaux with a Master's in Cryptography, and prior to this from the University of Lyon and McMaster University with a Bachelor's in Mathematics.
