Closed gingeleski closed 5 years ago
(some words I'm working on are below)
Often we pen test apps that'll be internal to a client, with IP whitelisting in place to restrict access, making for less than 100 possible threat actors. Even if someone pwns the app to high heaven the worst they'll get is maybe SSNs.
Those "normal" web apps aren't holding digital cash. They aren't holding potentially millions of dollars in tokens some bad apple could run off with. And the source code to those apps isn't (more or less) showing. And not just anybody can access them. Not just anybody can call them.
That's the case here. That's what we are dealing with. This is high stakes security like you might not have seen previously.
You (or your clients) want to be damned sure of the contracts you put out.
Immutability is a big tenet of blockchain. Once you deploy a smart contract to the Ethereum mainnet, it's nearly impossible to change. Code is law. Unless you programmed in "upgradeability", which introduces a whole lot of inherent risk by itself.
We'll start this Ethereum security journey with just the contract files in scope. Either .sol files or EVM bytecode.
Are you up to the challenge?
Before talking issues let's talk about rating them.
When we pen test web apps the "OWASP way", we typically rate findings with a table like below.
TODO
This course's authors (plus smarter people than us!) are of the opinion this isn't appropriate for Ethereum contracts. Remember the immutability.
TODO
Turns out a whole slew of stuff can go wrong with Ethereum contracts. And it has.
TODO example 1
TODO example 2
TODO example 3
But don't fear. Any of these issues can be found in code review. Any known issues.
So we'll start there with "pure" code review. No tools. Just like a good pen tester shouldn't need Burp Suite.
Read through the following for a comprehensive introduction to different vulnerabilities.
TODO links
This should be more of a skim than a full ingestion. We advise against even taking notes. This content will be driven home with later exercises/drills.
It might be useful to re-skim this stuff before bedtime for several nights too. Immerse yourself in Ethereum vulnerabilities.
(more words)
At this point you might try your hand at some pure smart contract audit work.
This is pro-bono-ish auditing.
Anyone can request a free audit from the Callisto audit team. The barriers to become part of this team. You get paid in Callisto tokens, which admittedly aren't valuable. As of this writing.
Callisto webpage for smart contract audits
https://callisto.network/smart-contract-audit/
Get "hired" details in this Github issue
https://github.com/EthereumCommonwealth/Proposals/issues/2/
Actual Github repo where audit work goes down
Currently section 3 is "Contract security"