Ethereum Fact

Topics

• Pricing
• Solidity fact
• Block header
• Hack cases
  • Vulnerability in StandardToken.sol's implementation of transferFrom()
  • Parity wallet hack
  • NPM Package Vulnerability in Copay Wallets
  • batchOverflow Bug
  • Deflationary tokens attack
• Security study
  • Reverse Engineering Of Blockchain Smart Contracts
  • Blockchain Security - JP Aumasson
  • Smart contract sucurity scanner
  • How to Exploit Blockchain Public Chain and Smart Contract Vulnerability
  • Ethereum Smart Contract Audit CheckList
  • Automated Smart Contract Exploitation and Looting
  • CryptoCurrency Security Standard (CCSS)
  • Beauty Chain (BEC) Integer OverFlow
  • Zerocoin vulnerability
  • TEST YOUR H4CKING SKILL
  • HackPedia: 16 Solidity Hacks/Vulnerabilities, their Fixes and Real World Examples
  • Reentrancy attack
• Nodes
• Two types of accounts
• Transaction
• Begining of Ethereum
• Testnet block time
• Defination
  • What is an EIP?
  • EIP Types
• Token types
• Financial service
  • Derivative
• Dao - Decentralized Autonomous Organization
• Solidity
• Stable Coin
• Merkle Proofs in Ethereum
• How Ethereum Merkle Trees works
• Defi - Decentralized Finance Protocol
  • On-chain Asset Market Share
  • Top 5 DeFi
• Sign data
• Maker Dao
• Uniswap

Pricing

Storage	Gas	Eth	USD
1 Word	20,000	0.00008	$0.0688
1 kB	2.500,000	.01	$86
1 MB	2,500,000,000	10	$8,600

price at $860/ether

• refrence https://itnext.io/build-a-simple-ethereum-interplanetary-file-system-ipfs-react-js-dapp-23ff4914ce4e (opens new window)

Solidity fact

• Solidity is a limited language
• When executed, your code will run on every node of the network.
• So running Solidity on Ethereum is expensive.
• You cannot get data from the outside world (exp RESTFul Api call), but there's Oracle model to do this.
• No standard library for Array and String (like lowercase strings).
• ref https://blog.aragon.one/library-driven-development-in-solidity-2bebcaf88736 (opens new window)

Block header

Block header consists of

• PREVHASH
• STATE_ROOT
• TX_ROOT
• RECEIPT_ROOT
• TIMESTAMP
• NUMBER ref: How does Ethereum work, anyway? (opens new window)

Hack cases

Vulnerability in StandardToken.sol's implementation of transferFrom()

• https://github.com/ether-camp/virtual-accelerator/issues/8 (opens new window)

Parity wallet hack

• https://blog.zeppelin.solutions/on-the-parity-wallet-multisig-hack-405a8c12e8f7 (opens new window)
• https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/september/smart-contract-insecurity-broken-access-control/ (opens new window)
• https://github.com/paritytech/parity-ethereum/blob/4d08e7b0aec46443bf26547b17d10cb302672835/js/src/contracts/snippets/enhanced-wallet.sol#L216 (opens new window)

NPM Package Vulnerability in Copay Wallets

NPM Package Vulnerability in v5.0.2-5.1.0 of Copay Wallets (opens new window)

batchOverflow Bug

batchOverflow Bug in Multiple ERC20 Smart Contracts (CVE-2018–10299) (opens new window)

Deflationary tokens attack

Incident with non-standard ERC20 deflationary tokens (opens new window)

Security study

Reverse Engineering Of Blockchain Smart Contracts

• https://recon.cx/2018/montreal/schedule/system/event_attachments/attachments/000/000/053/original/RECON-MTL-2018-Reversing_blockchains_smart_contracts.pdf (opens new window)

Blockchain Security - JP Aumasson

https://aumasson.jp/data/talks/balccon18.pdf (opens new window)

Smart contract sucurity scanner

SECURITY SCANNER FOR ETHEREUM SMART CONTRACTS (opens new window)

How to Exploit Blockchain Public Chain and Smart Contract Vulnerability

PDF

Ethereum Smart Contract Audit CheckList

Ethereum Smart Contract Audit CheckList (opens new window)

Automated Smart Contract Exploitation and Looting

Automated Smart Contract Exploitation and Looting (opens new window)

CryptoCurrency Security Standard (CCSS)

CCSS (opens new window)

Beauty Chain (BEC) Integer OverFlow

Beauty Chain (BEC) OverFlow (opens new window)

Zerocoin vulnerability

• Further Disclosure on Zerocoin vulnerability (opens new window)
• Cryptographic description of Zerocoin attack (opens new window)

TEST YOUR H4CKING SKILL

• ethernaut.openzeppelin.com (opens new window)

HackPedia: 16 Solidity Hacks/Vulnerabilities, their Fixes and Real World Examples

• 16 Solidity Hacks/Vulnerabilities (opens new window)

Reentrancy attack

• Solution to 35C3 Junior CTF Challenge "Entrance" (opens new window)

Nodes

Aug 2018

• mainnet (id 1): 14902
• ropsten (id 3): 115
• rinkeby (id 4): 42

Two types of accounts

• User accounts (controlled by private keys)
• Contracts (controlled by code)

Transaction

• nonce (anti-replay-attack)
• gasPrice (amount of ether per unit gas)
• gasLimit (maximum gas consumable)
• to (destination address)
• value (amount of ether to send)
• data (readable by contract code)
• v, r, s (ECDSA Signature values)

Begining of Ethereum

• [ANN] Ethereum: Welcome to the Beginning (opens new window)

Testnet block time

• Ropsten: sub-30 seconds
• Kovan: 4 seconds
• Rinkeby: 15 seconds

Defination

What is an EIP?

EIP stands for Ethereum Improvement Proposal. An EIP is a design document providing information to the Ethereum community, or describing a new feature for Ethereum or its processes or environment. The EIP should provide a concise technical specification of the feature and a rationale for the feature. The EIP author is responsible for building consensus within the community and documenting dissenting opinions. https://eips.ethereum.org/EIPS/eip-1 (opens new window)

EIP Types

• Core - improvements requiring a consensus fork
• Networking - includes improvements around devp2p (EIP8) and Light Ethereum Subprotocol, as well as proposed improvements to network protocol specifications of whisper and swarm.
• Interface - includes improvements around client API/RPC specifications and standards
• ERC - application-level standards and conventions, including contract standards such as token standards (ERC20).

Token types

Token types

Financial service

• compound finance (opens new window)
• bloqboard (opens new window)
• Loan Scan (opens new window)
• dharma (opens new window)
• ETH Lend (opens new window)
• https://www.blockmason.io/ (opens new window)
• Quick Line (opens new window)

Derivative

• Open-Source Protocols for Decentralized Margin Trading and Derivatives (opens new window)
• Bringing Derivatives to the Blockchain (opens new window)

Dao - Decentralized Autonomous Organization

• Digix - Gold Coin (opens new window)
• Maker Dao (opens new window)

Solidity

• Solidity Coverage (opens new window)

Stable Coin

• Dai - Maker Dao (opens new window)
• Maker Dao Scan (opens new window)

Merkle Proofs in Ethereum

Every block header in Ethereum contains not just one Merkle tree, but three trees for three kinds of objects:

• Transactions

• Receipts (essentially, pieces of data showing the effect of each transaction)

• State

• Ref (opens new window)

How Ethereum Merkle Trees works

• Ethereum Explained: Merkle Trees, World State, Transactions, and More (opens new window)
• Diving into Ethereum’s world state (opens new window)

Defi - Decentralized Finance Protocol

On-chain Asset Market Share

• Defi Pulse (opens new window)

Top 5 DeFi

• MakerDAO (opens new window) (Stable coin)
• Uniswap (opens new window) (Dex)
• Compound Finance (opens new window) (Loan)
• Dharma Protocol (opens new window) (Loan)
• Colendi (Credit scoring)

ref: Top 5 DeFi (Decentralized Finance) Projects (opens new window)

Sign data

• JS Ethereum Signature Example (opens new window)

Maker Dao

• MKR Governance Dashboard (opens new window)
• MKR Governance Stats (opens new window)
• MKR DApps (opens new window)
• MCD Collateral Auctions (opens new window)
• MKR Burn Stats (opens new window)

Uniswap

• Uniswap Stats (opens new window)