Posted on

Talk @ EthCC 2019: Let’s dig inside Ethereum Smart Contracts compiled to WebAssembly

Ethereum ETHCC Paris reverse webassembly patrick ventuzelo analysis smart contract Parity Kovan mainnet testnet conference talk

2019/02/18 @ EthCC 2019

At Devcon4, Vitalik annonced that WebAssembly (wasm) will be part of Ethereum 2.0 (Serenity). It’s already possible to compile smart contracts to wasm modules and run them in the Kovan network.

Using WebAssembly smart contract doesn’t mean using secure smart contract.

In this talk, I will explain what’s inside a WebAssembly module and illustrate how to analyze wasm Ethereum smart contracts to find vulnerabilities and unoptimization.

  1. Introduction
  2. WebAssembly basics
  3. Program analysis
  4. Parity Helloworld
  5. WASM module Vulnerabilities
  6. Conclusion

link / slides / video

Posted on

Blogpost: Ethereum Threat Actors Part 2 — ClipboardWalletHijacker Malware Still Active.

Ethereum clipboard hijacker malware patrick ventuzelo blogpost quoscient analysis qihoo360 Bitcoin

2019/02/18 @ QuoScient Medium

In part two of our mini-series (see part #1) describing how cybercrime actors are using the Ethereum blockchain for fraudulent means, we analyze a clipboard hijacker malware targeting Bitcoin and Ethereum users. This malware, renamed ClipboardWalletHijacker by Qihoo360 Security Center, was first discovered in June 2018, after having infected 300 thousand computers within a week.

  1. Quick ClipboardWalletHijacker Analysis
  2. Hijacked Ethereum Transactions
  3. Cryptocurrency Exchange Used by the Actor
  4. Packers & Variants
  5. Conclusion
  6. Indicator of Compromise

link / pdf

Posted on

Blogpost: Ethereum Threat Actors Part 1 — DotNet Downloader using Ethereum Transactions for C&C updates.

Ethereum threat actor botnet transaction tracking patrick ventuzelo QuoScient C&C updates blockchain blogpost dotnet ilspy etherscan bigquery

2019/02/04 @ QuoScient Medium

As part of our research into how cybercrime actors using the Ethereum blockchain for fraudulent means, we analyzed a DotNet downloader that retrieves the malicious payload from URLs stored inside Ethereum transactions. We analyzed the sample provided by a German Security Researcher, Karsten Hahn @struppigel in this tweet.

  1. Downloader analysis
  2. Main Function
  3. GetLastTransactionHashFromAddress function
  4. GetAdditionalDataFromTransaction function
  5. Transaction analysis
  6. C&C Update Pricing
  7. Blockcypher service
  8. Future of Ethereum botnet
  9. Conclusion
  10. Indicators of Compromise

link / pdf

Posted on

Workshop @ Geneva Annual Blockchain Congress 2019: Introduction to Ethereum smart contract development and security

blockchain geneva octopus patrick ventuzelo ethereum eth introduction security smart contract workshop

2019/01/21 @ Geneva Annual Blockchain Congress 2019

Ethereum is one of the top5 cryptocurrency on the market cap and the major public smart contract platform. This position is due partially to the possibility to create decentralized applications (Dapps) by writing smart contracts. The Solidity source code can contains flaws (reentrancy, integer overflow/underflow, bad randomness, backdoor, …) and it’s important to keep security in mind when developing smart contracts.

After this workshop delivered by Quoscient, attendees will be able to create simple Ethereum smart contract, upload and interact with them on the blockchain.
We will also discuss about major security flaws/vulnerabilities that have occurred on the Ethereum main-net and how to prevent them from a developer point of view.

The following points will be covered in the workshop:

  1. Introduction of Ethereum
  2. Smart contracts development
  3. Vulnerabilities inside smart contracts
  4. Going deeper & Questions

slides

Posted on

Workshop @ BlackAlps 2018: Reversing and Vulnerability research of Ethereum Smart Contracts

blackalps 2018 ethereum reverse vulnerability research octopus patrick ventuzelo smart contract evm ethereum ETH EVM workshop

2018/11/08 @ BlackAlps 2018

Ethereum is the reference of smart contract platform due to the possibility to create decentralized applications (Dapps) by writing smart contracts. The Solidity source code of those smart contracts are not always available and can contains flaws (reentrancy, integer overflow/underflow, bad randomness, backdoor, ….). Some smart contract handle thousand of ETH and can’t be modified once pushed into the blockchain. More than 90% of them doesn’t provide the associated Solidity source code and that’s also why be able to reverse and analyze Ethereum smart contract (only with the EVM bytecode) make even more sense.

This workshop is intended to bring attendees the basic skills (theoretical and practical) to analyze Ethereum smart contracts. After the workshop, they will be able to reverse, debug and find basic vulnerabilities into real-life smart contracts without having the Solidity source code.

The following points will be covered in the workshop:

  1. Quick introduction of Ethereum
  2. Basic Ethereum testing lab
  3. Reverse engineering of Ethereum smart contracts
  4. Analysis and vulnerability research
  5. Going deeper & Questions

link / slides / video

Posted on

Talk @ Devcon 4 – 2018: Reversing Ethereum Smart Contracts to find out what’s behind EVM bytecode

devcon iv ethereum patrick ventuzelo reverse evm octopus cfg analysis smart contract vulnerability research ocptimization talk

2018/11/01 @ Devcon iv.

Reverse engineering is a common technique used by security researcher to understand and analyze the behavior of closed-source binaries.

If you apply this to Ethereum smart contract (and more specifically on the EVM bytecode), thats allow you to analyze and verify the result of your Solidity source code compilation. 

From a developer point of view, it can save you a lot of time and money if you succeed to detect flaws and missing bytecode optimization.

Also, providing the Solidity source code it’s not mandatory during the smart contract creation, that’s why being able to directly reverse the EVM bytecode make even more sense if you want to understand the behavior of external smart contracts.

slides / video

Posted on

Workshop @ hack.lu 2018: Reversing and Vulnerability research of Ethereum Smart Contracts

hacklu 2018 ethereum reverse vulnerability octopus patrick ventuzelo smart contract evm ethereum ETH

2018/10/18 @ hack.lu 2018

This workshop is intended to bring attendees the basic skills (theoretical and practical) to analyze Ethereum smart contracts. After the workshop, they will be able to reverse, debug and find basic vulnerabilities into real-life smart contracts without having the Solidity source code.

The following points will be covered in the workshop:

  1. Quick introduction of Ethereum
  2. Basic Ethereum testing lab
  3. Reverse engineering of Ethereum smart contracts
  4. Analysis and vulnerability research
  5. Going deeper & Questions

link / slides

Posted on

Talk @ ToorCon XX – 2018: Reversing Ethereum Smart Contracts

toorcon webassembly wasm patrick ventuzelo reversing analysis ethereum evm

2018/09/15 @ ToorCon XX – 2018

Ethereum is the reference of smart contract platform due to the possibility to create decentralized applications (Dapps) by writing smart contracts. The Solidity source code of those smart contracts are not always available and can contains flaws (reentrancy, integer overflow/underflow, bad randomness, backdoor, ….).

Some smart contract handle thousand of ETH and can’t be modified once pushed into the blockchain. More than 90% of them doesn’t provide the associated Solidity source code and that’s also why be able to reverse and analyze Ethereum smart contract (only with the EVM bytecode) make even more sense.

link / slides

Posted on

Talk @ ToorCon XX – 2018: Dissection of WebAssembly module

 

toorcon webassembly wasm patrick ventuzelo reversing analysis ethereum evm

2018/09/15 @ ToorCon XX – 2018

WebAssembly (WASM) is a new binary format currently developed and supported by all major browsers including Firefox, Chrome, WebKit /Safari and Microsoft Edge through the W3C. This new format have been designed to be “Efficient and fast“, “Debuggable“ and “Safe” that why it is often called as the “game changer for the web“. More than one year after the “official” release, it is not only used “for the web” by web browsers but also in some (huge) other projects like Blockchain Smart Contract platforms (EOS and Ethereum).

I will first introduce WebAssembly concepts and who currently used it in the wild. Secondly, I will show different WebAssembly VM available and explain the security measures implemented into it. Finally, I will show you, throw real life WASM modules, how to do static analysis, using techniques such as reversing, control flow and calls flow analysis, to understand deeper its behaviors. Along the talk, I will used multiple open source tools but mainly the one that I have developed and that is already available on Github (Octopus).

link / slides / video

Posted on

Talk @ Recon MTL 2018: Reverse Engineering Of Blockchain Smart Contracts

recon montreal reverse ethereum blockchain smart contract neo eos webassembly patrick ventuzelo

RECON Montreal 2018

Many platforms using blockchain technology have emerged in 2017 and take the top 10 position of the cryptocurrencies’s MarketCap. One of the main reasons behind is the possibility to create decentralized applications (dapps) by writing Smart Contracts.

During this presentation, we will analyze the implementation of smart contract mechanism (Virtual Machine, assembly language, instructions sets, …) used by those platforms. We will analyze the assembly languages and instructions sets used by the Virtual Machine of the major blockchain platforms.

We will see how to disassemble and reconstruct the CFG (Control Flow Graph) of those smart contracts and the tools actually available to perform a deeper security analysis.

This talk aims at covering the following platforms:

link / slides / video (not yet)