Predicting Random Numbers in Ethereum Smart Contracts

Ethereum has gained tremendous popularity as a platform for initial coin offerings (ICOs). However, it is used in more than just ERC20 tokens. Roulettes, lotteries, and card games can all be implemented using the Ethereum blockchain. Like any blockchain implementation, Ethereum is incorruptible, decentralized, and transparent. Ethereum allows running Turing-complete programs, which are usually written in Solidity, making it a “world supercomputer” in the words of the platform’s founders. All these features are especially beneficial in the context of computer gambling, in which user trust is crucial.The Ethereum blockchain is deterministic and as such it imposes certain difficulties for those who have chosen to write their own pseudo-random number generator (PRNG), which is an inherent part of any gambling application. We decided to research smart contracts in order to assess the security of PRNGs written in Solidity and to highlight common design antipatterns that lead to vulnerabilities allowing prediction of the future state.Our research was performed in the following steps:3,649 smart contracts were collected from etherscan.io and GitHub.These contracts were then imported into the Elasticsearch open-source search engine.Using the Kibana web UI for rich search and filtering, 72 unique PRNG implementations were found.Based on manual assessment of each contract , 43 contracts were...
Read more

ZeroNights ICO Hacking Contest Writeup

Prior to ZeroNights security conference, an ICO hacking contest had been announced. The first three contestants to solve the tasks could win invites to the conference. My motivation to participate in the contest was driven by the interest in smart contract security which is gaining popularity in various CTFs nowadays.The ICO website was a dApp that interacted with two contracts on Rinkeby testnet via web3.js. The first contract was an ERC20 token for HACK coins so you could see your balance, number of sold coins, total supply, etc. The ultimate goal of the contest was to get more than 31337 HACK coins.The other contract was a lottery game, here is a relevant fragment from it: function spinLottery(uint number) public { if (msg.sender != robotAddress) { playerNumber = number; players.push(msg.sender); NewLotteryBet(msg.sender); } else { require(block.number - lotteryBlock...
Read more

The Ethernaut CTF Writeup

Zeppelin Solutions invited everybody to participate in their smart contract CTF competition called “The Ethernaut” which started together with the annual DevCon 3 conference held in Cancun. First five contestants to solve all tasks shared the prize pool of 10000$.For each task the Ethernaut bot created a contract on Ropsten testnet. At Positive.com we could not miss a chance to take part in the CTF, so here is our writeup for the seven tasks presented to the contestants.0. Hello EthernautThe first task was designed to get comfortable with the CTF and contract interaction. In Chrome Dev Tools you were welcomed with shiny ASCII graphics:After the first contract was deployed, you needed to call info() method, which instructed about the further steps: “You will find what you need in info1().”. Calling info1() told us: “Try info2(), but with “hello” as a parameter.”, which then required the following sequence of calls:contract.info2(“hello”) → The property infoNum holds the number of the next info method to call.contract.infoNum() → 42contract.info42() → theMethodName is the name of the next method.contract.theMethodName() → The method name is method7123949.contract.method7123949() → If you know the password, submit it to authenticate().At this point we needed to get the password...
Read more