/security-workshop-for-devs

Secure smart contract development workshop hosted by ConsenSys Diligence and MythX.

How To Not Get Rekt: Secure Smart Contract Development

In this workshop we'll practice detecting & preventing common bugs in Solidity/EVM smart contracts. We'll solve challenges from CaptureTheEther and OpenZeppelin Ethernaut and learn how to use MythX during development to prevent security bugs and verify security properties.

Preparation

Here's how to get set up for the workshop. First, you need a web3-capable browser and some testnet ETH. You probably already have both, but if not, get Metamask and grab some ETH from the Ropsten faucets:

The workshop exercises are hosted in a separate repo. Get a local copy by cloning the repo:

$ git clone https://github.com/ConsenSys/mythx-playground/

If you run into insurmountable problems, ask the instructors for help.

Setting up MythX for Remix

Head to the MythX website and sign up for a free account to generate your API key. In this workshop we'll be using the Remix plugin.

Part 1 - Detecting and Preventing Common Vulnerabilities

In the first part of this workshop we'll be looking at different ways of identifying, fixing and preventing vulnerabilities during development.

Exposure of Private Information

Let's start with something easy to get warmed up! Ethereum is a public ledger and nothing you put on this ledger is really private.

Target Contract:

Broken Access Controls

Some of the worst incidents so far were caused by critical functions that were inadvertently exposed to attackers. Remember Parity WalletLibrary?

Target Contracts:

Integer Arithmetic Bugs

Another common source of bugs is integer overflows and underflows. We'll cover them in the next two examples. Hint: The best way to prevent integer arithmetic bugs is by using SafeMath.

Reentrancy

The infamous TheDAO was exploited by reentrancy in 2016. Although the community is more aware of it, reentrancy struck back in October 2018.

Let's look at a simplified example of the DAO bug.

Predictable Random Numbers

It is impossible to create truly random numbers using Solidity. Let's see what happens if we rely on things like block numbers and block hashes for randomness.

Target Contract:

Part 2 - Verifying Custom Security Properties

The Solidity assert() statement is used to specify conditions that are expected to always hold. If you want to prove certain assumptions about your code, you can put them into asserts and use Mythril's symbolic execution engine to do all the hard work for you.

In this exercise we'll write and check an invariant for Etherbank.
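To show what such an invariant looks like, here is an added example that is not taken from the workshop repo. `SimpleBank`, `totalDeposits` and `checkInvariant` are hypothetical names (this is not the workshop's Etherbank), and Solidity 0.5.x is assumed. The invariant is written as an assert() so that a symbolic execution tool can search for a transaction sequence that violates it.

```solidity
pragma solidity ^0.5.0;

// Hypothetical contract for illustration; not the workshop's Etherbank.
contract SimpleBank {
    mapping(address => uint256) public balances;

    // Bookkeeping variable: the sum of all entries in `balances`.
    uint256 public totalDeposits;

    function deposit() external payable {
        uint256 newBalance = balances[msg.sender] + msg.value;
        uint256 newTotal = totalDeposits + msg.value;
        // Explicit overflow checks (0.5.x arithmetic wraps silently).
        require(newBalance >= msg.value, "balance overflow");
        require(newTotal >= msg.value, "total overflow");

        balances[msg.sender] = newBalance;
        totalDeposits = newTotal;
        checkInvariant();
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");

        // Update state before sending ether, so a re-entrant call
        // sees the reduced balance.
        balances[msg.sender] -= amount;
        totalDeposits -= amount;
        msg.sender.transfer(amount);
        checkInvariant();
    }

    // Invariant: the contract always holds at least as much ether as it
    // owes to depositors. ">=" is used instead of "==" because ether can
    // be forced into a contract without calling deposit(), for example
    // as the beneficiary of another contract's selfdestruct.
    function checkInvariant() internal view {
        assert(address(this).balance >= totalDeposits);
    }
}
```

require() is used for conditions a caller can legitimately fail, while assert() is reserved for the property that should hold on every path. Any transaction sequence an analyzer finds that reaches a failing assert is therefore a bug in the contract rather than bad input.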

Part 3 - Security Testing in the Development Workflow

Catching bugs early during the development lifecycle saves a lot of pain. In this section we'll have a look at Truffle and CI integration.

Security Analysis with Truffle

$ npm install truffle-security

Credit

Created by ConsenSys Diligence and the Mythril team. Special thanks to Mick Ayzenberg (Security Innovation), Trail of Bits, Steve Marx of CaptureTheEther and ConsenSys fame and Zeppelin Solutions for vulnerable contract samples and challenges. Also, kudos to the Truffle and Guardrails teams for working with us on Mythril Platform integration.