Locate Vulnerabilities of Ethereum Smart Contracts with Semi-Automated Analysis

Date: August 25, 2023

Time: 11:00

Track: Track 1

Blockchain technology has been trending in recent years; however, the financial losses and impacts of incidents are growing just as rapidly. Reviewing past incidents makes it obvious that security is mostly neglected or underestimated in Decentralized Finance (DeFi) and Non-Fungible Token (NFT) projects. Although several auditing companies and static analysis tools exist, the industry still needs ways to identify flaws easily and immediately.

Because the EVM's available computing resources are bounded by gas, we can fully simulate the EVM, construct the control-flow graph (CFG), and recover the bytecode of each Ethereum smart contract into a high-level abstraction. Consequently, we can use that simulated EVM environment to guide us through every possible path, starting from the beginning of the bytecode with deliberately mutated inputs.

Although this is not a new concept in the traditional reverse engineering industry, it is particularly efficient with Ethereum. The introduction of gas solved not only the problem of network abuse on a blockchain but also the inevitable questions stemming from Turing completeness, which happens to give us the chance to run the full simulation at almost no cost.

In this talk, I will present a hybrid analysis method that combines the results of two topics into a semi-automated analysis tool:

  1. Decompilation of Smart Contracts
  2. EVM Full Simulation

There will be several cases to be demonstrated during the talk.
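As an added illustration of the CFG construction step described above (this is example code written for this page, not the speaker's or CyCraft's tool), the following splits raw EVM bytecode into basic blocks and records the edges that can be resolved statically. The sample bytecode is constructed; computed jump targets, which this static pass cannot resolve, are exactly what the full EVM simulation in the talk is meant to supply.

```python
# Added example: split EVM bytecode into basic blocks and static CFG edges.
# Opcode values are the standard EVM ones; the sample bytecode is constructed.
PUSH1, PUSH32 = 0x60, 0x7F
JUMP, JUMPI, JUMPDEST = 0x56, 0x57, 0x5B
TERMINATORS = {0x00, 0xF3, 0xFD, 0xFE, 0xFF}  # STOP RETURN REVERT INVALID SELFDESTRUCT

def disassemble(code: bytes):
    """Yield (offset, opcode, push_operand); PUSH data bytes are skipped, not decoded as opcodes."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        if PUSH1 <= op <= PUSH32:
            n = op - PUSH1 + 1
            # A PUSH cut off by the end of code is zero-padded, as the EVM does.
            operand = int.from_bytes(code[pc + 1:pc + 1 + n].ljust(n, b"\0"), "big")
            yield pc, op, operand
            pc += 1 + n
        else:
            yield pc, op, None
            pc += 1

def build_cfg(code: bytes):
    """Return (blocks, edges): blocks maps block start -> instructions, edges is a set of
    (src_start, dst_start). Only `PUSHn target; JUMP/JUMPI` is resolved statically;
    computed jump targets are exactly what the EVM simulation has to supply."""
    insns = list(disassemble(code))
    jumpdests = {off for off, op, _ in insns if op == JUMPDEST}
    leaders = {0} | jumpdests  # plus the instruction after any JUMP/JUMPI/terminator
    for i, (_, op, _) in enumerate(insns[:-1]):
        if op in (JUMP, JUMPI) or op in TERMINATORS:
            leaders.add(insns[i + 1][0])
    blocks, cur = {}, None
    for ins in insns:
        if ins[0] in leaders:
            cur = ins[0]
            blocks[cur] = []
        blocks[cur].append(ins)
    starts, edges = sorted(blocks), set()
    for i, start in enumerate(starts):
        body = blocks[start]
        last_op = body[-1][1]
        if last_op in (JUMP, JUMPI) and len(body) > 1 and body[-2][2] in jumpdests:
            edges.add((start, body[-2][2]))  # direct jump to a valid JUMPDEST
        if last_op not in TERMINATORS and last_op != JUMP and i + 1 < len(starts):
            edges.add((start, starts[i + 1]))  # fall-through: JUMPI not taken or block cut by a JUMPDEST
    return blocks, edges

# Constructed sample: load calldata word 0; non-zero jumps to 0x0a (JUMPDEST; STOP), zero falls into REVERT.
SAMPLE = bytes.fromhex("600035600a57600080fd5b00")
```

Running `build_cfg(SAMPLE)` yields three blocks (at 0x00, 0x06 and 0x0a) with edges 0x00 -> 0x0a for the taken branch and 0x00 -> 0x06 for the fall-through into REVERT.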

Speaker: Boik Su, Senior Security Researcher, CyCraft

Boik Su is currently a senior security researcher at CyCraft, focusing on web security and threat hunting. He has received several CTF awards and has spoken at security conferences such as ROOTCON 13, OWASP Global AppSec – DC, AVTokyo and NanoSec, as well as at OSCON and Taiwan Modern Web. He is also a lecturer at HITCON Training and the National Center for Cyber Security Technology in Taiwan.