2021’s hottest new tech term, according to TechCrunch, was “definitely Web3”. Web3, as its name suggests, is considered by many as the future of the internet: decentralized, permissionless, and based on modern blockchain technology. While Web3 might have a bright future, it’s in the middle of growing pains: a number of Web3 apps were hacked in 2021, leading to theft of cryptoassets valued at hundreds of millions of US dollars. In this talk we will present Web3 app technology, dissect new attack surfaces, and suggest new and exciting defense mechanisms.

First, we will dive into the technical details of Web3 applications, showing how Web3 technology opens new attack surfaces by moving app functionality onto the blockchain. We will then analyze these newly-exposed attack surfaces by reviewing a few examples we’ve discovered “in the wild.”

While Web3 exposes new attack surfaces, it also provides novel detection opportunities. Specifically, the public and transparent nature of the blockchain allows security researchers to immediately explore full details of any attack and, as a result, leads to quick and thorough discoveries. This is a paradigm shift in security research, as current practices only allow a few to learn actual attack details, only some portions of which are shared publicly. This shift in transparency allowed us to independently explore the aforementioned attacks.

Furthermore, we believe we can do even better and go beyond rapid post-mortem reports. We will show how the same raw data we had previously used for a post-mortem analysis can be analyzed in real-time (or even ante factum by “taking a peek” into the blocks that have yet to be mined) to detect and even prevent attacks. This capability is enabled by the online nature of the blockchain and its inherent block time delays.
In fact, we can import, with relevant modifications, many of the principles and learnings of current web defenses, including Web Application Firewall (WAF) into the realm of blockchain. By doing so, we introduce a scheme for a Web3 Application Firewall (W3AF) which can greatly improve Web3 security and blockchain-based apps.
This document discusses blockchain technology and its potential applications. It defines blockchain as a shared, distributed ledger that allows participants in a business network to view transaction records. Blockchain addresses the problem of difficulty monitoring asset ownership and transfers in a trusted network by providing a permissioned, replicated shared ledger. The key properties that enable this are decentralization, strong authentication, and tamper resistance. The document also discusses public versus private blockchains and the challenges and opportunities blockchain poses for financial institutions in validating transactions without third parties.
Blockchain & Smart Contracts! This document provides an introduction to blockchain and smart contracts. It discusses what a blockchain is, why many blockchains exist, consensus algorithms like proof of work and proof of stake, public versus private blockchains, smart contracts and how they work, examples of successful smart contracts, potential use cases, and CIT blockchain projects including Catena which provides blockchain as a service and an iRobot proof of concept.
Blockchain 101 talks about blockchain from a very basic, non-technical perspective. This presentation gives you an idea of what blockchain really is beyond cryptocurrency, the different types of blockchain, the components of a blockchain, the essentials of blockchain, and myths about blockchain. The presentation also throws light on major applications of blockchain, its advantages and limitations, major consortiums and startups in this space, and the timeline of its development. We also tried to include how a use case for blockchain can be identified and how startups need to go about building a blockchain product or service. This presentation was developed by Jithin Babu and Sakshi Manthanwar. Both of them are blockchain researchers and consultants. For more information regarding the presentation, kindly contact jithinbabu555@yahoo.com
Presentation by DHS S&T at the NY Blockchain 360 Conference regarding Blockchain's relevance to the Homeland Security Enterprise. Results of security and privacy research and development over the last 2+ years and next steps.
This document provides an overview of blockchain technology. It discusses that blockchain was first introduced in 2008 as a way to facilitate digital transactions without a central authority. Blockchain uses cryptography, a digital ledger, and a consensus mechanism to securely record transactions. The blockchain is made up of blocks that contain cryptographic hashes linking them together. Miners use proof-of-work to verify transactions and are rewarded with cryptocurrency. Once recorded, transactions cannot be altered, providing transparency and security.
Smart contracts can be deployed and executed on the Ethereum blockchain using web3.js. Web3.js is a JavaScript API that allows interaction with Ethereum clients like Geth to deploy contracts, call contract functions, and get information from the blockchain. Contracts are written in languages like Solidity and deployed through transactions that store the compiled code at an address. Once deployed, the contract code and data resides on the blockchain and can be interacted with through web3.js by calling functions or accessing public variables.
Blockchain in a nutshell: the basic idea of blockchain, types of blockchain, how blockchain works, barriers to blockchain adoption, and blockchain and cryptocurrencies.
This is my presentation slide deck on Block Chain Technology and its future. I did it in my Network Security course.
Blockchain technology allows for a shared, replicated ledger of transactions that can be viewed by all participants. It enables peer-to-peer exchanges on a distributed network in a secure and non-repudiable way. Blockchain solves issues with monitoring asset ownership and transfers in a trusted business network by providing a permissioned, replicated shared ledger. It is not just for cryptocurrencies like Bitcoin but can be used for any form of asset registry, inventory, and exchange across different industries. The future potential of blockchain applications is still emerging as it will be applied experimentally to many aspects of society over the next few years.
What are crypto wallets? How different are they from exchanges? What is their job to be done? Where are they weak? What potential and future do they hold? Brought to you by @ZenGo.
The document discusses HyperLedger Fabric, a permissioned blockchain framework. It provides an overview of key Fabric concepts including its architecture, components, transaction flow, and how it differs from other blockchain platforms like Ethereum. The summary is as follows: [1] HyperLedger Fabric is a permissioned blockchain framework that uses channels and smart contracts called chaincode to allow for private and confidential transactions between specific network members. [2] It has a modular architecture consisting of peers that host the ledger and chaincode, an ordering service to sequence transactions into blocks, and a certificate authority for identity management. [3] Transactions in Fabric are validated by endorsing peers running chaincode, ordered into blocks by
Blockchains promise significant benefits but also face challenges to widespread adoption. Some key challenges are a lack of interoperability between different blockchain networks and platforms, as well as issues around integration with existing systems and scaling to meet enterprise needs. Interledger aims to address the interoperability challenge by providing a protocol for connecting various ledger systems, including blockchains, to enable asset transfers between them. This allows for a more connected "Internet of Value" and new business opportunities across platforms.
This document provides an introduction to blockchain technology. It discusses the history of blockchain, which began with Bitcoin in 2009. Blockchain consists of a series of linked blocks containing transaction summaries secured using cryptography. Transactions are validated by nodes in a peer-to-peer network before being recorded in a new block added to the blockchain. Current applications include cryptocurrencies like Bitcoin, smart contracts, and distributed data storage. Advantages include security, transparency and decentralization, while disadvantages include volatility and implementation challenges. The future scope of blockchain is presented as significant for benefiting society through applications like identity management and data marketplaces.
Blockchain technology is gaining significant attention and investment from major banks and financial institutions. Banks are projected to invest $400 million in blockchain by 2019, and over 30% of firms surveyed have annual blockchain budgets over $5 million. Blockchain uses distributed ledger technology to securely record transactions in digitally recorded "blocks" that are linked together, allowing participants on a blockchain network to reach consensus on a single view of the truth. This consensus-based approach provides advantages over traditional centralized databases by enabling trustless verification and transparency across organizations without the need for intermediaries.
This document provides background information on cryptocurrencies and blockchain technology. It discusses cryptocurrencies like Bitcoin and Ethereum, initial coin offerings, how to obtain cryptocurrencies, and price fluctuations. It also explains blockchain technology including how transactions are processed and validated through hashing, digital signatures, and proof of work. Potential applications or "killer apps" of blockchain technology discussed include payments, registries, supply chain management, and digital identities. The document concludes with information on blockchain initiatives in Austria.
This document discusses blockchain technology, including what blockchain is, how it works, types of blockchain networks, applications of blockchain, advantages and disadvantages. Blockchain is a distributed digital ledger that records transactions in blocks that are linked using cryptography. It allows for transactions to be recorded and distributed without a central authority. Consensus algorithms like proof of work are used to validate transactions and add new blocks to the blockchain. Blockchain has applications in financial transactions, asset tracking, data storage and decentralized applications. Its advantages include transparency, security and cost reduction. However, it also faces challenges related to speed and implementation costs.
Block Chain Technology is the redesigning of the way transactions will be processed. It is tantamount to a paradigm shift in the way of doing business.
The introduction of Web3 smart contracts has opened unlimited opportunities for decentralized apps (dApps) and users. With smart contracts, anything that can be coded can be deployed by anyone on the blockchain. As a result, in a Web3 environment, the users’ blockchain transactions, previously merely used for sending coins to peers, are now, in fact, Remote Procedure Calls (RPCs) for smart contracts. The flip side of this expressiveness is that it’s almost impossible to know analytically in advance what would be the outcome of such RPC to an arbitrary smart contract. Attackers abuse this observability gap to trick users into signing transactions that are harmful in reality. This situation bears a close resemblance to the desktop environment: users need to evaluate in advance if a particular program behavior will be benign. To solve this gap, Web3 security has taken a page out of the desktop’s security book by using a sandbox-style emulation to evaluate the transaction's outcome before it gets sent to the blockchain. In Web3 lingo, such sandbox emulation is referred to as transaction simulation. In this talk, we will present our newly discovered attack methods against Web3 simulations, including the first-ever Web3 red pill exploits that allow smart contracts to know that they are running in a simulation and as a result, need to behave differently. We have tested our findings against numerous leading simulation providers in the Ethereum Virtual Machine (EVM) domain and found that they are indeed vulnerable to such attacks. As a result of our responsible disclosure, multiple (currently three) issues were fixed, and we were awarded bug bounties. We will explain these exploits in detail, including the research methodology allowing us to inspect simulators’ inaccessible inner workings. We will conclude with new and enlightening insights we gained through this research regarding the true capabilities and limitations of Web3 simulations.
Ethereum is a unique offshoot of blockchain technologies that incorporates the use of what are called smart contracts or Dapps – small-sized programs that orchestrate financial transactions on the Ethereum blockchain. With this fairly new paradigm in blockchain, however, comes a host of security concerns and a track record that reveals a history of losses in the range of millions of dollars. Since Ethereum is a decentralized entity, these concerns are not allayed as they are in typical financial institutions. For example, there is no Federal Deposit Insurance Corporation (FDIC) to back the investors of these contracts against financial loss as there is for bank depositors. Furthermore, there is also no Better Business Bureau (BBB) or Consumer Reports organization to offer any sort of ratings on these contracts. However, there exists a well-known method for verifying a program’s integrity: symbolic execution. Such an examination promises to give not only a perspective on the security of Ethereum, but also to highlight areas that security experts may need to target in order to improve the security of this blockchain more quickly. This paper proposes a solution for ensuring security and increasing end-user confidence: a digital registry of smart contracts that have security flaws in them. A rating system for contracts is proposed, and the capabilities one has with knowledge of these vulnerabilities is examined. This research attempts to give a picture of the current state of security of Ethereum Smart Contracts by employing symbolic analysis on a portion of the Smart Contracts up until approximately the 8.4 millionth block. Vulnerabilities in Smart Contracts may be prevalent and, if they are, a registry enumerating the vulnerable contracts can be built and potentially used to identify them easily.
Due to the immutability of the ledger and the difficulty of updating their consensus rules, blockchain applications have many critical layers where a bug can cause huge, irreversible fund losses. This talk will shed some light on why and how blockchain applications are so critical and will discuss past events that led to fund loss or consensus failures due to bugs in critical parts of the code of Bitcoin and Ethereum applications.
Blockchains can be used as backends for applications by utilizing smart contracts and storing data immutably on the blockchain. While blockchains are not ideal for all use cases due to their expensive and slow nature, they enable building decentralized applications where security is important. Developers can build apps that interact directly with smart contracts, or provide front ends that reference blockchain data without needing their own servers.
Blockchain has swept the tech space by storm and we are now seeing the first wave of products built using this technology. One of the biggest challenges with blockchain is taking very technical concepts, such as signing transactions, and making them intuitive and easy to use. In this talk, Yev discussed the tools, design decisions, and best practices involved when creating a blockchain product.
Main takeaways:
- Intro to blockchain concepts, public/private keys, signing transactions, wallets
- Product challenges unique to blockchain
- Metamask and other tools that people currently use to interact with the Ethereum blockchain
- Common design and product considerations when making a blockchain product
After a brief introduction to what blockchain technology is and how it works under the hood, we will focus on Ethereum, the next-generation blockchain implementation. We will then introduce the concept of a smart contract through a simple case study and its standard implementation in Ethereum. We will code it in the Solidity language, deploying and testing it in a live demo on an Ethereum test network.
This slide deck is an entry-level introduction to blockchain security. It illustrates the current status of the issue, summarises attack methodology, and reviews a few past hack cases.
This document discusses building a cross-platform cryptocurrency application. It covers using a monorepo architecture for code reuse across mobile, desktop, and npm library applications. It also discusses developing cryptocurrency wallet features like generating transactions and signatures, smart contracts, and blockchain basics.
- Quick update on the blockchain tech space
- Comparison between technologies
- Security in blockchain (focusing on ETH Solidity attack vectors)
- Design patterns
- 2 popular hacks (case study)
Blockchain has gained lots of attention in recent years. Bitcoin and Ethereum are leading the race. Cryptocurrencies, in spite of uncertainty and volatility, are here to stay. Smart contract programming is the future for Internet 3.0.
The Mimblewimble protocol, initially proposed in 2016 as a privacy and scaling solution for Bitcoin, is the essence of the latest cryptography and blockchain inventions of top scientists and core Bitcoin developers. Grin is the best-known implementation of this protocol, eagerly expected by the industry. It was launched this year on the 15th of January as a separate blockchain and a completely private payment system with its own coin.
These slides exemplify how to employ the tools available through Cloud Foundry and Kubernetes to enable a continuous integration and continuous delivery pipeline on blockchain.
Blockchain from Technology, Economics, Business, Legal and use cases perspective. Discussed at Stanford University.
This presentation is part of the New Product Developers (NPD) meetup regularly conducted by Divum. In this session, we covered everything from a gentle introduction to blockchain to running a truly decentralised pizza-ordering application built using Solidity on Ethereum.
This document discusses key concepts and components related to blockchain solutions, including actors such as users, developers, operators, and architects. It describes various components that make up blockchain solutions such as ledgers, smart contracts, consensus mechanisms, and how applications interact with blockchains. It also covers considerations for blockchain developers and operators, and challenges around integrating blockchains with existing systems and achieving determinism.
The document provides an introduction to blockchain and Hyperledger. It discusses how Hyperledger Fabric now supports Ethereum smart contracts, allowing Ethereum developers to integrate with and migrate to Hyperledger Fabric. It also summarizes some of the key components, security aspects, and functionality of IBM's blockchain platform and Hyperledger, including consensus mechanisms, identity management, pluggable components, and how applications interact with the platform.
With a "Trust none over the Internet" mindset, securing all communication between a client and a server with protocols such as TLS has become common practice. However, while communication over the Internet is routinely secured, there is still an area where such security awareness is not seen: inside individual computers, where adversaries are often not expected. This talk discusses the security of various inter-process communication (IPC) mechanisms that local processes and applications use to interact with each other. In particular, we show IPC-related vulnerabilities that allow a non-privileged process to steal passwords stored in popular password managers and even second factors from hardware tokens. With passwords being the primary means of authentication, the insecurity of this "last mile" renders the security of the rest of the communication chain moot. The vulnerabilities that we demonstrate can be exploited on multi-user computers that may have processes of multiple users running at the same time. The attacker is a non-privileged user trying to steal sensitive information from other users. Such computers can be found in enterprises with centralized access control that gives multiple users access to the same host. Computers with guest accounts and shared computers at home are similarly vulnerable.
Blockchain is the new form of technology. Learn about the fundamentals of blockchain technology, use cases, and more in this presentation.
A basic introduction to the Ethereum blockchain. It covers some important Ethereum jargon, a Solidity example, and tools for writing Solidity.
This document summarizes various topics related to cryptocurrency wallets and security. It discusses the risks of early "brain wallets" that used passphrases to generate private keys, introduces BIP-39 standards for generating mnemonic phrases from entropy, and describes cases where vanity addresses were exploited by brute forcing the private keys that generated contract addresses.
Decentralized Finance (DeFi) is one of today’s most compelling crypto narratives and Compound is one of its most prominent examples. ZenGo research team has taken a deeper look into one of the most intriguing and novel aspects of the Compound protocol, the Liquidation process. This whitepaper (originally published on early 2020) offers a step-by-step technological explanation and financial survey of Compound’s Liquidation process and thus offers a learning opportunity on a prominent DeFi project, relevant for both experts and beginners.
This document summarizes an Elliptic Curve Cryptography (ECC) presentation about a Bluetooth pairing attack. It begins with an introduction to ECC using an analogy of billiards on an elliptic-curve table. It then explains how ECC is used for key exchange in Elliptic Curve Diffie-Hellman (ECDH). The document describes a Bluetooth pairing vulnerability that allows an attacker to perform a man-in-the-middle attack on the ECDH key exchange by manipulating the Y-coordinate. This places the ball in a position from which the attacker can predict the shared secret if both private keys are even numbers.
Cortana has several components that could be exploited by attackers to compromise systems or retrieve sensitive information:
1. The Cortana agent on devices is powerful and can accept input even when screens are locked, allowing commands through the "Open Sesame" vulnerability.
2. Cortana's voice actions could be used to invoke unsafe browsing on locked screens through the "Voice of Esau" attack, potentially leading to remote code execution.
3. Third-party Cortana skills could be authorized on locked screens, allowing the invocation of skills with malicious payloads through the "Skill of Death" scenario.
Proper design is needed to secure new interfaces like Cortana, as adding capabilities to locked screens
Our physical environments become increasingly packed with new, computerized devices that increase our comfort and productivity and augment our everyday experience. These devices bring a wealth of new and existing types of sensors into our surroundings and offer new channels of communication between humans and machines (voice, gestures), between machines themselves (new wireless protocol standards), and between machines and their motherships in the cloud. The coexistence of these new devices and interaction models with our "legacy" IT infrastructure has not escaped the eyes of the digital world's earliest adopters – the hackers. In their minds, we've just created so many more gateways into our corporate networks, with new types of sensorial data to collect (AKA steal) and subvert, and new protocols and formats to abuse in the process of getting access to corporate assets.

As we researched the potential effect of this trend on enterprise cybersecurity, we focused on one specific, much-hyped type of interaction: voice. In particular, we examined the voice interaction capabilities that are most prominent in an enterprise environment – those of Microsoft's voice-activated assistant, Cortana. During our research, which will be detailed in this session, we were able to fully demonstrate the following scenarios:
- Using voice as a gateway into the enterprise: We will expose a previously unknown vulnerability in Microsoft Cortana's voice interface (responsibly disclosed to Microsoft and now patched) that allows close-proximity attackers to take over an unattended, locked Windows 10 computer.
- Using voice for lateral movement: We will show how this attack can be further amplified to allow remote attackers to move laterally within the victim's network.
- Systematically subverting information produced and used by sensorial systems: We will analyze, in technical detail, the protocol Cortana uses to talk to its cloud and will expose the "Newspeak" tool, which utilizes this knowledge to fiddle with the protocol for fun (pranks!) and profit (additional custom functionality!), or just to monitor it for security purposes.

We will conclude our presentation with some practical suggestions regarding defending against this new breed of threats against enterprise networks and assets.