Web 3.0
Smart Contracts could be leaky
Abstract
This talk shares what worked and what did not work as expected when I wrote my first Smart Contract and deployed it to a "decentralised" server.
- How I leaked the sensitive flag{}, and,
- what was the fix I applied to prevent leaking sensitive information?
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/9815426/Screenshot_2022-09-05_at_6.03.32_AM.png)
Takeaway
- Web3.0 is interesting
- Integer overflow is still possible, but exploitation isn't possible by standard means
- Information leakage is a real problem
About Me
Current: Freelancer
History: C/C++ Secure Coding Instructor, Security Analyst Consultant, Scrum Master, Automation Engineer, Quality Engineer
At Leisure: Developer, Speaker/Trainer, Community Volunteer for Winja
Social Media:
- Twitter (_riddhishree)
- GitHub (riddhi-shree)
- Medium (@riddhi-shree)
1. Integer Overflow
![](https://media0.giphy.com/media/OGzFu4KQuZ2/giphy.gif)
IntegerOverflow.sol
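```solidity
// ...
function sellArticle(string memory _name, string memory _description, int256 _price) public {
    seller = msg.sender;
    name = _name;
    description = _description;
    // Explicit cast: a negative _price becomes a very large uint256.
    price = uint256(_price);
    // Signed check: a negative _price makes the left-hand side larger, so it passes.
    if(int256(balances[seller]) - _price >= 0) {
        // Unsigned subtraction: this is where the underflow happens.
        balances[seller] -= price;
    }
}
// ...
```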
Integer Arithmetic
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/9817398/pasted-from-clipboard.png)
https://valid.network/post/integer-overflow-in-ethereum
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/9817409/pasted-from-clipboard.png)
- Addition of 2 unsigned integers can overflow to a smaller value?
- Subtraction of 2 unsigned integers can underflow to a greater value?
True or False
Contract Address
```
$ npx hardhat run scripts/deploy.js --network rinkeby
Compiled 1 Solidity file successfully
Deploying contracts with account: 0x231E671534B96936B48D7C2b9455d8E7FfD21543
Account balance: 1838357085301522520
IntegerOverflow address: 0x39F5bCa98883609378f850780C46e2161B419A96
```
ABI
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/9816076/Screenshot_2022-09-05_at_2.14.11_PM.png)
React Frontend
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/9816062/Screenshot_2022-09-05_at_2.08.13_PM.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/9816063/Screenshot_2022-09-05_at_2.09.13_PM.png)
...
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/9816098/Screenshot_2022-09-05_at_2.21.22_PM.png)
Overflow Exception!
What Happened?
"In Solidity 0.8, the compiler will automatically take care of checking for overflows and underflows."
Reference:
https://ethereum-blockchain-developer.com/010-solidity-basics/03-integer-overflow-underflow/
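The arithmetic in sellArticle, modelled in JavaScript as an added example (not code from the original slides): it shows why a negative _price passes the signed check, what the unsigned subtraction yields when it wraps, and where Solidity 0.8 raises the overflow exception instead. The helper names (subUint, subInt, Panic, sellArticleHardened) and the sample balance of 100 are assumptions made for this illustration.

```javascript
// Added model of IntegerOverflow.sol's sellArticle arithmetic; BigInt stands in for EVM words.
const INT_MAX = (1n << 255n) - 1n;
const INT_MIN = -(1n << 255n);

// Explicit Solidity casts between int256 and uint256 reinterpret the bits; they do not revert.
const toUint256 = (x) => BigInt.asUintN(256, x);
const toInt256 = (x) => BigInt.asIntN(256, x);

class Panic extends Error {} // stands in for Solidity's Panic(0x11)

// uint256 subtraction: wraps before 0.8 or inside unchecked{}, reverts from 0.8 on.
function subUint(a, b, checked) {
  if (checked && b > a) throw new Panic("0x11: arithmetic underflow");
  return toUint256(a - b);
}

// int256 subtraction with the same two behaviours.
function subInt(a, b, checked) {
  const r = a - b;
  if (checked && (r > INT_MAX || r < INT_MIN)) throw new Panic("0x11: arithmetic overflow");
  return toInt256(r);
}

// Mirrors the function body on the slide; returns the seller's balance afterwards.
function sellArticle(balance, _price, checked) {
  const price = toUint256(_price);              // price = uint256(_price)
  if (subInt(toInt256(balance), _price, checked) >= 0n) {
    balance = subUint(balance, price, checked); // balances[seller] -= price
  }
  return balance;
}

// Hardened variant (assumption: a negative price is never valid input).
function sellArticleHardened(balance, _price) {
  if (_price < 0n) throw new RangeError("price must be non-negative");
  const price = toUint256(_price);
  return price <= balance ? subUint(balance, price, true) : balance;
}

// Constructed sample: balance 100, _price -1, under both compiler behaviours.
function demo() {
  const wrapped = sellArticle(100n, -1n, false);
  let reverted = false;
  try { sellArticle(100n, -1n, true); } catch (e) { reverted = e instanceof Panic; }
  return { wrapped, reverted };
}
console.log(demo());
```

With wrapping arithmetic the seller's balance grows by the absolute value of the negative price; with checked arithmetic the same call reverts, which is the exception seen in the frontend.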
![](https://media1.giphy.com/media/PijzuUzUhm7hcWinGn/giphy.gif)
2. Data Privacy
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/9818548/Screenshot_2022-09-06_at_10.43.29_AM.png)
https://docs.soliditylang.org/en/v0.4.24/contracts.html#visibility-and-getters
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/9818514/Screenshot_2022-09-06_at_10.12.24_AM.png)
Smart Contract
Contract Address: 0x150a318b4C9e8d66c1B3557bAFA497E485fEf8D2
- Go to https://goerli.etherscan.io
- Search contract address: 0x150a318b4C9e8d66c1B3557bAFA497E485fEf8D2
- Locate "Contract Creation" transaction
- Click on corresponding "Txn Hash" value
- Select "Click to see More"
- Locate "Input Data" section
- Select "UTF-8"
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/9818561/Screenshot_2022-09-06_at_10.58.02_AM.png)
How do I create Web3 capture-the-flag challenges, if the secret flag just can't be hidden from the world?
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/9818573/Screenshot_2022-09-06_at_11.09.50_AM.png)
No such thing as Privacy?
Jugaad
string(abi.encodePacked(...))
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/9818598/Screenshot_2022-09-06_at_11.33.46_AM.png)
New Contract Address: 0x130ccC606C9aeF1235694a2Ae6cbdc7cee4b7912
- Go to https://rinkeby.etherscan.io/
- Search contract address: 0x130ccC606C9aeF1235694a2Ae6cbdc7cee4b7912
- Locate "Contract Creation" transaction
- Click on corresponding "Txn Hash" value
- Select "Click to see More"
- Locate "Input Data" section
- Select "UTF-8"
![](https://s3.amazonaws.com/media-p.slid.es/uploads/899690/images/9818601/Screenshot_2022-09-06_at_11.47.47_AM.png)
![](https://media2.giphy.com/media/5z0cCCGooBQUtejM4v/giphy.gif)
The secret flag is no longer readable (just like that) by the world!
3. Capture-the-Flag
Contract Address: 0x5Ae52B13d270Cb8D06DCF188657B335A142E13C5
Network: Goerli
Can you solve this?
Web3
By Riddhi Shree Chaurasia