Category Archives: Blockchain

The design weakness of Ethereum

 

Preface:

Any idea from you in regards to cryptocurrencies security features at this moment?  From technical point of view, blockchain technology is able to protect the data in the block. Thus hacker is hard to modify the data. It looks a prefect system. As far as we know, crypto currencies platform not secure as expected. But what is the actual problem ?

Refer to above diagram, it explicitly show the design weakness of Ethereum design. Since both smart contract and ethereum wallet has critical vulnerabilities occurred. Since a design weakness occurred in the end point (Ethereum wallet). In additional of the smart contract has vulnerability occurred. And therefore it provides a gut feeling to people crypto currency not indeed safe.

Known Attack

Integer Overflow and Underflow

Definition of integer overflow – If a balance reaches the maximum uint value (2^256) it will circle back to zero. Since the uint variable changes state, If any user can call functions which update the uint value, it’s more vulnerable to attack.

We understand that web3.js is a collection of libraries which allow you to interact with a local or remote Ethereum node, using a HTTP or IPC connection. Java application encounter  vulnerabilities caused end user encounter cyber attack is not a news. Above informative diagram shown the integer overflow vulnerability of Ethereum case study involves java applet on the client side. As a front end application, Java application may not aware that he is the accomplice with the cryptocurrency cyber security incident.

Definition of integer underflow –  If a uint is made to be less than zero, it will cause an underflow and get set to its maximum value.  C-like underflow might affect Solidity storage. It can arbitrarily allow malicious changes to constant variables. Below is the example of uint overflow and underflow.

Remark: What is the largest value you can represent using a 256-bit unsigned integer?

The 256-bit unsigned int (uint) data type can hold integer values in the range of 0 to 11579208923731619542357098500868790785326998466564 0564039457584007913129639935

contract C {
    // (2**256 - 1) + 1 = 0
    function overflow() returns (uint256 _overflow) {
        uint256 max = 2**256 - 1;
        return max + 1;
    }

    // 0 - 1 = 2**256 - 1
    function underflow() returns (uint256 _underflow) {
        uint256 min = 0;
        return min - 1;
    }
}

A vulnerability in the Parity Wallet library contract of the standard multi-sig contract has been found.

In June 2016, users exploited a vulnerability in the DAO code to enable them to siphon off one third of The DAO’s funds to a subsidiary account. On 20 July 2016 01:20:40 PM +UTC at Block 1920000, the Ethereum community decided to hard-fork the Ethereum blockchain to restore virtually all funds to the original contract.

All dependent multi-sig wallets that were deployed after 20th July. No funds can be moved out of the multi-sig wallets afterwards. For more details, please see below:

contract Wallet {
    function () payable {
    Deposit(...)
    }
}

CVE-2018-10666

CVE-2018-10666 – The vulnerability allows attackers to acquire contract ownership because the setOwner function is declared as public. A new owner can subsequently modify variables (see below diagram for reference).

Status update on 22nd May 2018

CVE-2018-11239 – An integer overflow in the _transfer function of a smart contract implementation for Hexagon (HXG), an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets by providing a _to argument in conjunction with a large _value argument, as exploited in the wild in May 2018, aka the “burnOverflow” issue.

CVE-2018-10944 – The request_dividend function of a smart contract implementation for ROC (aka Rasputin Online Coin), an Ethereum ERC20 token, allows attackers to steal all of the contract’s Ether.

Observation:

In regards to the cyber security incident happened in past, the Ethereum system looks did not shown they are capable to protect himself.
Their functionaility may have improvement comparing with traditional bitcoin technology (see below):

Hyperledge Ethereum Bitcoin
Association Linux Foundation Ethereum Developers Bitcoin Developers
Currency N/A Ether BTC
Mining Reward N/A Yes Yes
Network Design goal – Private Design goal – Public Public only
Privacy Private Open Open
Smart Contracts Multiple-programming language C++,Rust and Go i. Bitcoin Core, is written primarily in C++
ii. Lightweight clients like MultiBit and Bitcoin Wallet written in Java

Next step : How to Protecting Yourself and Your Funds

1. One of the safest & easiest ways to store your ETH is use a hardware wallets.

2. Activate 2FA (duh) on any exchanges or online wallet you use.

3. Move your ether off exchanges, into a hardware wallet or paper wallet.

How to view your account balance, look up transaction and explore smart contracts?

Etherchain is an Explorer for the Ethereum blockchain. It allows you to view your account balance, look up transactions and explore smart contracts.

Browse all Ethereum Transactions – https://www.etherchain.org/txs

In God We Trust.

— End —

News update on 14th Aug 2018: An critical vulnerability was found in EETHER.An integer overflow occurs in unprotected distributeToken function. See below details for reference.

https://github.com/rootclay/Audit-of-smart-contracts/blob/master/0x00a0cbe98e4d110b0fa82646152d77babf2951d0/README.md

 

 

 

CVE-2018-10299 – integer overflow jeopardize Ethereum Zone

In the view of cryptocurrency supporter, Ethereum is the best. The cyber incident occured in cryptocurrency world so far shift the security focus to e-wallet (end point). Perhaps the cyrpto platform itself contains design limitation. However the end point design of crypto currency platform looks have more space for improvement.

If you install the MetaMask browser plugin, you can manage your accounts in your browser. The keys are stored only on your browser, so you are the only one who has access to your account and the private key. But when the web browser encounter vulnerability. It may jeopardize your private key. So security urge the crypto currency owner make use of hardware token instead of software.

We understand that web3.js is a collection of libraries which allow you to interact with a local or remote Ethereum node, using a HTTP or IPC connection. Java application encounter  vulnerabilities caused end user encounter cyber attack is not a news. Above informative diagram shown the integer overflow vulnerability of Ethereum case study involves java applet on the client side. As a front end application, Java application may not aware that he is the accomplice with the cryptocurrency cyber security incident.

Return to reality. Below headline news shown the vulnerabilities occurred in Ethereum (see below for reference). I am wishing that above details can provides hints to you for reference.  Let’s us awaken the design weakness of Ethereum cypto currency platform.

Critical EOS Smart Contract Vulnerability Discovered By Auditing Firm

https://bitcoinexchangeguide.com/critical-eos-smart-contract-vulnerability-discovered-by-auditing-firm/

 

Ethereum – CVE-2018-10468

As far as I remember, the goal of bitcoin technology aim to replace the traditional payment. In additional, the slogan of bitcoin is that it can provides a more secure way to send the money and it is hard to counterfeit.  We heard cyber security incidents happened in bitcoin industry frequently last year.  Ethereum , a most relieable and popular crypto currency in the bitcoin industy.  A vulnerability found in Ethereum that it give a way to hacker do the re-engineering. Hacker is able to transform the transfer function ( transferFrom()). Detail shown as below:

The transferFrom function of a smart contract implementation for Useless Ethereum Token (UET), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer all victims’ balances into their account) because certain computations involving _value are incorrect, as exploited in the wild starting in December 2017, aka the “transferFlaw” issue.

For more details, please refer below url for reference.

https://peckshield.com/2018/04/28/transferFlaw/

Hackers jailbreak MyEtherWallet Infrastructure (Apr 2018)

ISPs tend to restrict what an end customer can advertise. However, any ISP do not filter customer advertisements.
A possible factor let’s hacker compromise the customer router thus advertise errant information into the global routing table.

An attackers stolen at least $13,000 in Ethereum within two hours.

Security expert speculate that it is a DNS attack. But many attack method can be used. For example: BGP hijacking. The scenario displayed on above diagram.

Headline news shown as below:

https://www.theverge.com/2018/4/24/17275982/myetherwallet-hack-bgp-dns-hijacking-stolen-ethereum

 

 

 

 

 

 

Verge Is Forced to Fork After Suffering a 51% Attack

Blockchain technology contains advanced security features fundamentally. However the heist occurs in such secure platform are in frequent. The questions of a retrospective and why was hacked? It proof that the problem not given by blockchain technology design flaw. Most likely the root causes are given by end point (client side), operation management (show the privilesge credential in the system event log). Rumors happened yesterday, verge user feared the attacker might use his dominant network position to siphon funds from their accounts. Verge technical team announce that it is a hash attack and it only some blocks were affected during a 3 hour period, not 13 hours. But what do you think? Do you think there is a zero day happens in e-wallet? Headline News can be found in following url.

https://news.bitcoin.com/verge-is-forced-to-fork-after-suffering-a-51-attack/

Hyperledger technology without compromise

It has different fraud found in banking industry in past. The most annoying import and export bills department is the letter of Credit application.  A regulation gap in between cross-border countries. There are fraudulent cases found in banking industry in past. The most annoying topic is the import and export bills department is the letter of Credit application. A regulation gap in between cross-border countries. If is easy to let banking staff not aware fall in trap created by crook. As a result it encountered financial lost.

Whereby the International Chamber of Commerce agree to compliance the Uniform Customs & Practice for Documentary Credits (UCP 600) rule. As times go by many people ask whether the UCP 600 will be revised?

The technologies market practice so far. I heard that Letter of Credit has been replaced by hyperledger. I have seen Microsoft Azure Cloud services is going to target hyperledger, Ethereum types hyperledger platform market. Should you have interest of this technology transformation. Please refer below diagram for reference. By the way, hyperledger services now available on Azure Cloud. For more details, please refer below url for reference.

https://azure.microsoft.com/en-us/blog/announcing-support-for-additional-blockchain-protocols-on-azure/

Heard that Crypto exchange BINANCE faced ‘large scale’ theft attempt

Heard that a rumors on discussion website. A victim stated that an unknown counterfeit cryptocurrency transaction submitted in his account. I retrospectively his discussion detail and feeling that the problem may not happen in his endpoint. The victim stated that he noticed that a 3rd API key has been created, without IP white listing. But the API key not his own belongings. Regarding to the BINANCE Exchange client specification, they support REST API. What if when they are using REST API caching middleware,acting as a reverse proxy between load balancers and your REST API workers. Is there a way let threat actors do the dirty tricks in the cache space?

Should you have interest about this news. Please refer below url for reference.

https://www.ft.com/content/58a32050-22aa-11e8-add1-0e8958b189ea

When will the dream comes true – Retail business operate cryptocurrency as a exchange

Former Chairman of the Communist Party of China (Mao) said that sailed on the sea must relies on helmsman(大海航行靠舵手). The statement looks true. The drinking coffee trend found by STARBUCKS. The STARBUCKS, a founder and leading the coffee market. The founder has business sense to dig out the potential business pipeline in the market. Schultz’s comments to Bitcoin – “I think blockchain technology is probably the rails in which an integrated app at Starbucks will be sitting on top of,”

For those who interested. Better to read this news. Please find below url for reference.

https://www.foxbusiness.com/features/starbucks-chairman-schultz-hints-at-blockchain-app

Blockchain technology can do the magic – EU GDPR new data protection regulation

Preface:

The movie title – when harry met Sally romantic. It is a comedy film written by Nora Ephron. It gives an idea to the world all we are interconnected with fate.

GDPR – High Level Understanding

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

GDPR principle

General Data Protection Regulation are, quite literally, data protection model. Details are shown as below:

  • Establish data privacy as a fundamental right
  • Clarify the responsibilities for EU data protection
  • Define a base line for data protection
  • Elaborate on the data protection principles
  • Increase enforcement powers

In regards to GDPR, how does blockchain technology assists?

Blockchains are secure by design.Each block typically contains a cryptographic hash of the previous block. By foundation, a blockchain is inherently resistant to modification of the data. This is exactly fulfill the GDRP mandatory requirements. Let’s take a simple understanding of the requirements of data controller.

  • (Article 24) – be accountable, demonstrate compliance
  • (Article 25) – Adopt privacy by design
  • (Article 27) – If not in the EU, appoint a representative
  • (Article 28) – Take care when using 3rd parties (Processors)
  • (Article 30) – Keep records of processing
  • (Article 32) – Do security well
  • (Article 33) – Tell the regulator if they have a breach (72 hours)
  • (Article 34) – Tell Data Subjects about some breaches
  • (Article 35 and 36) – Do privacy impact assessments
  • (Article 37,38 and 39) – appoint a Data Protection Officer where specified

Let’s see how blockchain technology addressing these subject matters

Perhaps reader not interested to read a whole bunch of words.An explicit view and explanation in below informative diagram.

Reminder – New EU GDPR will be effective in May 2018

END of discussion.