Replay Attacks on Ethereum Smart Contracts

Video thumbnail (Frame 0) Video thumbnail (Frame 1346) Video thumbnail (Frame 3442) Video thumbnail (Frame 9032) Video thumbnail (Frame 10270) Video thumbnail (Frame 12522) Video thumbnail (Frame 13380) Video thumbnail (Frame 14464) Video thumbnail (Frame 15311) Video thumbnail (Frame 17421) Video thumbnail (Frame 19077) Video thumbnail (Frame 21677) Video thumbnail (Frame 22453) Video thumbnail (Frame 23947) Video thumbnail (Frame 24813) Video thumbnail (Frame 26019) Video thumbnail (Frame 27237) Video thumbnail (Frame 28656) Video thumbnail (Frame 30299) Video thumbnail (Frame 31433) Video thumbnail (Frame 34517) Video thumbnail (Frame 36335) Video thumbnail (Frame 37657) Video thumbnail (Frame 38567) Video thumbnail (Frame 39412) Video thumbnail (Frame 40282) Video thumbnail (Frame 42442) Video thumbnail (Frame 43332) Video thumbnail (Frame 45435) Video thumbnail (Frame 47397) Video thumbnail (Frame 48141) Video thumbnail (Frame 50447) Video thumbnail (Frame 51722) Video thumbnail (Frame 52948) Video thumbnail (Frame 54612) Video thumbnail (Frame 56893) Video thumbnail (Frame 57867)
Video in TIB AV-Portal: Replay Attacks on Ethereum Smart Contracts

Formal Metadata

Replay Attacks on Ethereum Smart Contracts
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
In this paper, a new replay attack based on Ethereum smart contracts is presented. In the token transfer, the risk of replay attack cannot be completely avoided when the sender's signatures are abused, which can bring the loss to users. And the reason is that the applying scope of the signatures is not properly designed in the smart contracts. To test and verify this loophole, we selected two similar smart contracts for our experiment, at the same time, we used our own accounts in these two contracts to carry out the experiment. Because the same signatures of the two contracts were used in the experiment, we got a double income from sender successfully. The experiment verified that the replay attack is really exist. Besides, the replay attack may exist in multiple smart contracts. We calculated the number of smart contracts with this loophole, as well as the corresponding transaction activities, which find some Ethereum smart contracts are risked for this loophole. According to the vulnerability of the contract signature, the risk level is calibrated and depicted. Furthermore, the replay attack pattern is extended to within contract, cross contract and cross chain, which provide the pertinence and well reference for protection. Finally, the countermeasures are proposed to fix this vulnerability.
Chain Goodness of fit Design by contract Core dump Block (periodic table) Information security Analytic continuation Information security
State observer Group action Context awareness Code Plotter Multiplication sign System administrator ACID Design by contract Set (mathematics) Database Insertion loss Mereology Fault-tolerant system Database transaction Software maintenance Neuroinformatik Timestamp Fluid statics Computer configuration Single-precision floating-point format Matrix (mathematics) Row (database) Information security Physical system Exception handling Computer virus Trail Moment (mathematics) System administrator Computer Mereology Digital signal Image registration Product (business) Mechanism design Type theory Numeral (linguistics) Internetworking Chain System programming Self-organization Information security Block (periodic table) Physical system Row (database) Point (geometry) Game controller Computer file Token ring Plastikkarte Wave packet Number Local Group Frequency Chain Telecommunication Hacker (term) Software Wireless LAN Self-organization Scale (map) Operations research DNS <Internet> Characteristic polynomial Physical law State observer Mathematical analysis Commutator Plastikkarte Core dump Computer network Software Design by contract Collision
Ocean current Rule of inference Group action Software developer Real number Software developer Computer Image registration Lattice (order) Plastikkarte Cartesian coordinate system Rule of inference Demoscene Computer programming Time domain Graphical user interface Voting Internetworking Internetworking Design by contract Integrated development environment Finite-state machine
Context awareness Virtual machine Maxima and minima Design by contract Plastikkarte Graph coloring File system Integrated development environment Process (computing) Abstraction Physical system Programming language Weight Code Plastikkarte Computer network Skewness Cartesian coordinate system Computer programming Formal language Process (computing) Software Chain Design by contract Ideal (ethics) Physical system
Design by contract Analytic set Plastikkarte Image registration Distance Cartesian coordinate system Demoscene Time domain Voting Data management Design by contract Information security Information security Sinc function
Module (mathematics) Context awareness Functional (mathematics) Group action Spyware Token ring Plastikkarte Open set Plastikkarte Mereology Database transaction Flow separation Mathematics Hacker (term) Atomic number Natural number Design by contract Synchronization Codec Information security Information security Buffer overflow
Scale (map) Vulnerability (computing) Dependent and independent variables Greedy algorithm Dependent and independent variables Multiplication sign Plastikkarte Insertion loss Port scanner Plastikkarte Mereology Software bug Universe (mathematics) Design by contract Object (grammar) Hacker (term) Physical system
Context awareness State of matter Block (periodic table) Multiplication sign Heat transfer Design by contract Plastikkarte Database transaction Plastikkarte Database transaction Electronic signature RAID Electronic signature Software Design by contract Validity (statistics)
Source code Standard deviation Vulnerability (computing) Game controller Standard deviation Decimal Design by contract Feasibility study Plastikkarte Electronic signature Electronic signature Number Process (computing) Strategy game Feasibility study Design by contract Strategy game Formal verification Process (computing) Vulnerability (computing)
Vulnerability (computing) Digital filter Data recovery Data recovery Plastikkarte Port scanner Computer programming Product (business) Network topology Function (mathematics) Internet service provider Design by contract Theorem Contrast (vision)
Area Proxy server Interface (computing) Content (media) Heat transfer Design by contract Streaming media Contrast (vision) Plastikkarte Content (media) Electronic signature Electronic signature
Game controller Functional (mathematics) Service (economics) Token ring Execution unit Design by contract Database transaction Heat transfer Coprocessor Electronic signature Sign (mathematics) Process (computing) Hash function output Process (computing)
Token ring Augmented reality Length Correspondence (mathematics) 1 (number) Design by contract Database transaction Heat transfer Plastikkarte Database transaction Natural number Function (mathematics) Formal verification Design by contract Normal (geometry) Formal verification Process (computing) Data conversion Procedural programming output Row (database) Condition number Address space
Implementation Heat transfer Valuation (algebra) Parameter (computer programming) Database transaction Parameter (computer programming) Database transaction √úbertragungsfunktion Function (mathematics) output Formal verification Process (computing) output Implementation Address space
Computer file Token ring Token ring Heat transfer Maxima and minima Database transaction Heat transfer Plastikkarte Database transaction Design by contract output Formal verification Process (computing) Procedural programming output Resultant God
Token ring Design by contract Token ring 1 (number) Analytic set Design by contract Hill differential equation Video game console Mereology
Area Pairwise comparison Proxy server Token ring Chemical equation Execution unit 1 (number) Design by contract Heat transfer Instance (computer science) Parameter (computer programming) System call Electronic signature Radical (chemistry) Mathematics Process (computing) Heat transfer Contrast (vision) Proxy server Address space Annihilator (ring theory) Address space Flux
Email Game controller Process (computing) Inheritance (object-oriented programming) Password Order (biology) Source code output FAQ Data conversion 2 (number) Electronic signature
Execution unit Token ring Source code Graphic design
Group action Statistics Real number Design by contract Mathematical analysis Plastikkarte Electronic signature Local Group Information Contrast (vision) Address space Vulnerability (computing) Vulnerability (computing) Information Token ring Mathematical analysis Plastikkarte Feasibility study Group action Statistics Electronic signature Latent heat String (computer science) Design by contract output Address space
Meta element Polygon mesh Group action Software developer State of matter Sigma-algebra Mathematical analysis Plastikkarte Conjunctive normal form Dimensional analysis Local Group Solomon (pianist) Chain Mathematics String (computer science) Contrast (vision) Message passing Identity management Texture mapping Token ring Feasibility study Computer network Term (mathematics) Vermaschtes Netz Statistics Electronic signature Latent heat Message passing output Determinant
Ocean current Design by contract Mathematical analysis Plastikkarte Database transaction Total S.A. Electronic signature Number Frequency Chain Hacker (term) Information Traffic reporting Information Digitizing Content (media) Mathematical analysis Plastikkarte Range (statistics) Database transaction Statistics Electronic signature Latent heat Frequency Ring (mathematics) Chain Design by contract Row (database)
Chain Email Arm Design by contract Plastikkarte Core dump Plastikkarte Information security Block (periodic table) Electronic signature Information security
good morning Arawa morning thank you for attending our talk this researching that bought replay attacks after a lot contracts now let me give a brief self-introduction and muster emperor style her that thinking by is the primary researcher he didn't much it is more than half of the work but for some issues or wizard he kinda attended his talk today so the Goblin is all to introduce the research to you my name is the weekend I am a security researcher Orion continue and this is my colleague er Condor hi you can continue
is a research group within 360 technology that he mo was formed in 2014 we fixed under security issues in numerous types of our system but we also encourage remember to do other research that they are increased in this this is why we also have this topic today's talk campuses for parts at the beginning we were introduced the backgrounds all plot plot King smart contra and the last room then we were discussed security issues about putting theoretically in smart contracts suddenly we will talk about the key point we play attack and we are going to Hugh white exists and how it works and the last one is a demonstration or replay attacks under static code analysis all steamy no similar one or a built-in now let connect I few the first apart
hello everyone as you know my name is Quincy okay I come from China so the first topic is in background and mainly about the instruction of leyte the files are loaded attacks like blockchain smart contacts or essa so we've heard some news about rock chambers what is poaching yeah blockchain so to speak is a large terribly directly commuter network and the users can interact with it by sending transitions each training is messy gooey is a cryptographic central and other law crustacean enforce is a mind by Mac name called global called global collisions the advantage of blockchain are listed here it has unified that at first we is repair the consul's reach a loss settlement to be completed with three are within three to 60 60 second correct rather than three days or and more the offers where we is a large-scale fault tolerance in which system can withstand 33 to 40 percent nor the future or still operate normally under the control of hackers poaching does not really on trust and not controlled by any single administrator or organization except for privileged chain and rhodium chain so it is able to be adopted a external observer can very verifies the history of transitions it can operate all auto auto moments without any who any human involvement so next the what Ashley can blockchain achieve first it can issue actual craft called cranes way which is digital set on the blockchain right right now sorry sorry public chains offer their own tokens to lament with all updating transitions and incentives the meditations are walk blockchain next it has some num monetary culture in inflow the record record array recorder as I think expands on blockchain and times time matrix all of to create high-value data some blockchain systems was some other of professionality including including context that can I show custom custom the thickness and articles and I said exchange ticket or acid our offer of option and fiscal period is and generally computer I'm sorry my poor English so I try to relax sorry for now we have now made we have
no many application or black jeans afraid all the main reason how about those things no no eventually further about 2013 the public release that blocking can be used in Congress all application besides accountant besides the cup beside that and Sascha and such as I said dominum recognization and ownership recognization market for market for sale for Pfizer seeking and Internet of scenes working and so on and
how to relate those applications we need the smart contact what is smart contact is a computer program running secure development that Ashley that oughta mentally transceivers dicto ancestors according to previous previous rules from the group applaud example of a GUI or tips suppose you're paired with your girlfriend's as she will give your okay we're 100 bucks if you can figure out what's what's inside for shopping bag maybe that is a dress or teach other and you met it but your girlfriend to not pay you anything you have you all how to accept it because you have no other way to get your reward however if Xia is a smart contact once you made your case current and the coder will automatically be enforced and as a risk and the reward in real solution it int might be dictatorial we are coming to your party your pocket so smart contacts are priests our quarterly meetings approaching and and enforcing certain from certain personalities how
do you contact the skew evelopment for smart contact certainly there are many public chain support smart context and this is the most popular one awesome what is desam it's approaching with the built-in programming language and it offers Maxim after and and force deadly so it is very dear to process matter contracts Assam
has secured application system called Assam called Assam virtual machine also as also known as EVM this is not in custody it by a sandbox but in fact but in fact it is complain Hamlet or ISIL and what that is a color that is wrong inside the UVM does not have access to the net to the network or file system or another epoxies even some other contracts have limited contact with with another or other smart contracts with
IBM so our smart contacts can be used in many things what autism is one of the Muslim is Fanshaw since fantasy including hedging contract saving War II and other now venture scenes include includes online walking the distance is the manager and managing managing and dentistry connotations mmm
however with increasing speed of applications of Azzam and smart contact many security issue come along according to analyte an ally and like okay according to analytics 100 us and the
stolen the news users joining as ecosystem de le?n's I would see are they are caught they are quite active and infertile a transparent essence over 1 million Ahn's Aslam this is this is increasing magnus tactic attack many eyes from hackers and security as security issues come up for more frankly in many parts of our ecosystem such as such as exchange worried worried and the smart conned atc there are there are several security security actuals come up including change attack and wallet hiding our colleague hijacking and overflow tech in smart context as to
smart contact which is most 121 pinballing the atoms there are also many security issues just for 20 and 18 april contexts such as PS were detect we detect with 1finity you met security attacks to several contact like edu or other in june there are another security action there are other another security issues reported to smart contact like SNES or this open era lock host made a huge impact on module module exchange affecting several functions including talking as nature talking talking deposit and a token deepest and the talking withdraw according to the most
recent research papers from circa and university college london after organizing be close to 1 million smart contact and thirdly 4200 of their awesome one one being able to hacking and the also sent the auto the also assemble another 3759 so the pays all was a smart contact and the phone said 18 this ad eight and nine percent of the current a low-cost so so how to lowers probably of loss first may recur and come later and objective at art for our contact and second and second we and second when any lab host is fund we need to make we need to make any immigrants respond to response so that week will now add fast at first time or at first time this contact is speaking attacked underserved the there need to be some it may really reverse for those who teach act and report any bugs to to possible to post actively work incentive the whole system is operate and so next part
is my college my is a has some guiding you and by the way I'm very sorry my English so so there you next good one hey I'm back now next we are going to fix on the issues or replay attacks in smart contractor
now let me explain the concept of replay attack as a distinguished in the flora play attack in critical network world it's not to capture and the recent attack that is if a transaction is legitimate on one blocking it's also legitimate our another block King so when you transfer BT say one your PC state to octopus this raid may be transferred at the same time that is the replay attack in blockchain to replay attack we found that many smart contracts adopted the same way to verify the fertility of the signature and it is possible for replay attack our
motivating is that we propose replay attacks all smart contracts and wish to attract the users attending we try to detect the 1 or between smart contracts and make them more secure finally we want to enhance the mystic awareness for country country of the creator and in here it increased saw in western to
achieve our goal we have done several things that we funded the replay attack a problem exists 52 smart congrats and we analyzed the decimal contractor example two were for the reply attack we analyzed the sauce and the process of river hack to expound the feasibility of replay attack principle we also were fired the replay attack based on the signature huan'er ability and the finally we propose the defense strategy to prevent this problem then I'm going to show you
something the first day Adam E is one or Pintus gang our aim is to get the name and the number of vulnerability or replay attacking smart contracts and the restated asturias can extend to discover the smart controls which have one ability first jogging well the contrary is accorded with the PRC 20 standard this requires the total supply to be greater than zero second
now get the name of the contrary to determine whether the name is earlier
Shalini felt a smart contrast one or about to replay attack the a theorem provider either the EC recover from him to wire fasting here if a contractor used the is a recover from him it was marketed as suspicious this scanning program can be found at the following data it's a our critics github storagee after we auditor and the wife added asking our product we found the 52 basic targets and the DC is the coded to second GRC 20
talking contractor you can kick it from pitiable from our great harvest origin
why does the replay attack occur the signature our user where utilize the young smart contractor if the contents of the signature were not correctly limited by the smart contract there is possibility of replay attack sake and the interfaces transfer proc stream here is an example the contents are with the MTC contrasting area and the contents of the utt contrast second here are exactly the same
this is an example in the controller the usual end like this land they easily get 256 funking calculated a hash and the happy is the input of the signature so we can see in the Permenter all this function it's just a from 200 feet and announced there is nothing relegated to the contrary itself we exactly now let
me explain the attacker processor well suppose the transaction in a contract one you the a12 transfer 100 tokens to you'll be through rocketry stay and the ecers rs3 talking you to be paid for to see a service fee in this process the input of the signature user a should it be a P 100 industry and the lake is amongst one then the Christopher were carried by procuring see after this transaction being completed you the beacon can have 100 tokens from you the a where suppose the user a talented carry out the transfer are a controller to through procuring so the Leakey's announce is also one where suppose you they know just replay attacks starts after you receive 100 tokens from you the aid you the P replace that signature or you dating from r8 i confident want in a hundred to now he can get another 100 tokens I concur to without the premise of unit a that easy to see this smart contract I counted to were attacked by Europe be and there 100 tokens all you they were stolen net to verify the existence of
this warranty we conducted an experiment the Permenter condition are listed as as follows we choose to e rc 20 smart contracts the utt congrats and the MTT converter then we create two accounts Alice and Bob all natural way deposit some tokens in the two accounts in corresponding correct and the last procedure all of this work verification is in the end in step one the normal transaction records and the ethereal whereas gained to spend out a council which boosts her with which had both ugt tokens and empties it Hagen sir but here we use two accounts Allison the bubble in step two what we induce the
allison to send him to unities talking and that contacting rotating is shown below the length 0 to 6 corresponds to the augmenting of the transferee transfer proctoring in step 3
Bob take out the input data of this transaction on the blocking the parameter from two value field are we and as why extracted from from the this method the following is the
implementation of the transfer function
instead for public use the imputation in step two to execute another craft fur in the smart contract or empty see the result of this transaction is sure as below
so that file but God only not only to ugt tokens but also to MTC tokens from Alice in this procedure the transfer of two MTC caucus was not authorized by anything
now we come into the final part demonstrating and the analytics and to
begin with the demonstration we selected tooth contracts the unity console and the MTC contract then we said to our owner accounts Alice and ababil and this is the sender and probably the receiver post their two accounts on some tokens for transferring nectar this is the
popular in Curtis the parameter from to where you see me as our acquired of Roma unity this is the caller the permanent already from the change the parameter R as in a way a signature in another token replay from two faiths are exactly the same as the last call and the simple proxy transfers an area is at first a unit eight dedicates to start a party you'll stay to help him transfer Hortense you think gets the address of the contrast and Chris the instance of the talking to be transferred after that say we are Canada singing here from me user a and then you walk in the transfer funking provided by the contra to send the talking to the talking receiver you the B then the proxy see we are with falling for making that the minor higher down package process and the finally transacting process of tranquille now
let me show you the terminal for comparison a curious a balance of of Barbara on both you GT contractor and the MTD contractor he has six tokens on both the tour contract
now I Christopher three tokens from and is to bobble immunity Contras through a process or a we have few seconds for the miner to pack okay it's finger now accurate a signature and accurate dependence all Papa unpolluted converts and empty the controller King the parents are you GT is nine but on the MTC its 306 I copy their permanence from
Beauty to MTC and start the replay attack you can see here I guess I need to input the password are all proc sorry I don't need to input the password order Oh Allison it means that I don't need the panicking all ality
is finicky now accurate dependence of
Baba MTT we can see the penance yz9 even
I know so purposes the stole stole three tokens or allottee an empty cigarette to show
you the impact of this vulnerability were also made similarly to the statistics and analysis by Apple real 27th the one ability of this replay attack received existing 52 a seroma smart contracts finally according to the owner bid here all the replay attack with you I didn't contrasting to sweet group the group wollen there are two contracts they no specific information is contained in the second clear all smart contracts so the signature can be fully reorder and then in the group tool there are 37 contracts in a the contractors specific screening is 82 into the input of the signature but the second crane is d all can be reeled in the group 3 the address of the contractor all there across the all the sender is containing the sticking to a smart contract but there are strong restriction doesn't there you still have the possibility of reply attackers
certainly we classified the contrast by visible replay attacks approach you five contracts that can be replayed in the specific contract yourself and another 45 contrast can be replayed at between different the contracts besides with eyt disease 45 contrasting into three groups for the specific perfect dated using the signature course contracted replays may happen amara any contrast as long as they are in the same group the group and the group to both a
the best feed identical data to the imputed signature we market the specific perfect data used in Group one as theta one and we mark the specific perfect picture using group to as data to so for example you can see the take to me this contrast is the same string as we understand the messaging in group two in
group 3 they don't add any perfect state to the input our signature just from too rarely free announcer and there are two change can be replayed between texture and dimension suddenly according to the
trading frequency or above making the contracts by a pareo 1324 contra has the world found wiki hydra contacting rock to within one week and the night contracts were found which have the current hacking records from one week to announce the preparing of nearly 20% of the total number of the contrary need active safety contents the war fund we
have the transaction records Biondo or month and three contracts only have the record for deployment so according to the comprehensive analysis 16% of the contract are attacking asti are active the reason for replay attack in smart contract is that's the misused signature when constructing the concoct the contractor so our conveyor are listed here faster the designers all smart contract should always conformal the suitable ring or digital signature when designing smart contracts second the smart contracts deployed on public king should aiding in the specific information all the public in sake of the charity and the name of the public chain and the other identical information finally the user all smart contracts need to pay attention to news and the report and the report concerning the owner build his career
and the conclusion you add the security problem of the hallmark on crowds have been widely concerned as long as less technical or misusing in smart contracts there is possibility of a replay attack we believe was that there one being here on the other arm of mark on health how not totally come to light
thank you falling hour [Applause] if some guys have some question all this attack and you can send mail to since you can send a mail to us thank you