Ethereum Smart Contract Hacking - Real World CTF 2018

แชร์
ฝัง
  • เผยแพร่เมื่อ 2 ธ.ค. 2024

ความคิดเห็น • 121

  • @Underjobbed
    @Underjobbed 6 ปีที่แล้ว +113

    Looking forward to part 2 :)

  • @reijin90
    @reijin90 6 ปีที่แล้ว +2

    Very cool video! Can't wait for part 2!
    Personal tip for anyone working with this in the future: If you install metamask (browser extension) and point it to the given API endpoint of the private network you can make transactions and all that from within Remix. You can select the wallets available in Metamask in the dropdown instead of the Javascript VM. That should help debugging such contracts quite a bit as you can check inputs and debug messages on the live network :)

  • @charllsquarra1677
    @charllsquarra1677 6 ปีที่แล้ว +68

    way, way over my head, but I mostly enjoyed it :)

    • @KtosZPlanetyZiemia
      @KtosZPlanetyZiemia 6 ปีที่แล้ว +2

      If something is not clear for you, ask, try, pause the video, read, give yourself a time?

  • @TobyAsE120
    @TobyAsE120 6 ปีที่แล้ว +43

    Could you maybe make an introductory video about this topic? What the hell is ethereum, what the hell is a contract, who programs around with this, who uses it for what, what does it all mean? Normally I kind of get what you are talking about, this time I couldn't follow at all. I have absolutly no idea about what blockchain is or how it works. My mind hurts.
    Apart from me not understanding a word you said, the presentation was great as usual!

    • @tedp9146
      @tedp9146 6 ปีที่แล้ว +1

      etherum is a crypto currency (like bitcoin) and you can find a lot about the basics of a blockchain, ps: i also didnt understand what the hell this ctf was about

    • @kyleguerrero6106
      @kyleguerrero6106 6 ปีที่แล้ว +3

      TobyAsE120....Google anything you dont know and things will start to make sense in the world. Ethereum is a type of crypto currency, a contract is apart of that currency transaction, can be used for things like over seas voting for any country, on line transactions etc. Google google google, the information is out there and this is engineering, its not always easy to understand. Also there seems to be quite a few things you need to know about as in JS promises,Inline Assembly (Had no idea this was a thing), recursion and how does Assembly even get executed from the web 0_o........So yes its hard and tough but you gotta google and enjoy the process and things will start to make sense

    • @runakovacs4759
      @runakovacs4759 6 ปีที่แล้ว

      3blue1brown can help explain what a blockchain is, at least the mathematical basis of it.

    • @tedp9146
      @tedp9146 6 ปีที่แล้ว

      Dacino Hoihe 3b1b is bae

    • @michaellin4553
      @michaellin4553 6 ปีที่แล้ว +4

      I'm doing experimental research on this right now, I'm a high school student. Believe me, I know my stuff.
      Let's give you a little idea. Bitcoin introduces a blockchain, an infinitely appendable data structure that is not amendable. Every blockchain is composed of rules. To write a transaction, you sign a statement that sends some amount of currency to an address, from an address (think of addresses as public key fingerprints). These transactions are included in blocks, which take a predictable amount of compute power to find a hash below a certain target (we call these hashes Proofs of Work). These are useful because blocks that have valid proofs of work are "provably" of value, that is, people mined them because they are of monetary worth. This is opposed to a bank, where Bank A and Bank B have a transaction between them, and both mutually affirm via digital signature that a certain transaction is legit. Blockchains are better in this aspect because you can't necessarily check that banks aren't lying, but math can't lie. It cost your CPU barely anything to check that a block had a considerable amount of time and effort invested into appending it (just calculate two SHA256 hashes!). Blocks are also indestructible, spread around in what is basically a torrent in a swarm.
      If you consider Bitcoin as a bank, you can compare smart contracts as deterministically executable code agreements between bank clients. If Trader A wants to buy 30 shares of some company, and Trader B is a broker, there can be disputes between the two about whether the money was paid or if the goods recieved. Eventually, the courts resolve it, but why have a dispute in the first place? Just make the share delegation happen through a contract on the blockchain. Contracts hold the funds, Trader A gets the shares as a token.
      Wrap these contracts into a Turing-complete bytecode, and create client implementations of the virtual machines to read these, that's Ethereum in a nutshell. Contracts have their own addresses, but they are basically robots. They can do, quite literally, anything a regular program can do. Some dude programmed a Quake rendering engine in Solidity (a high level smart contract language derived from JavaScript). Of course, there's the Halting problem, so contracts cost money (paid in Ether) to run. Also, contracts always behave as programmed, but not always as intended. That's why hacks happen on Ethereum.

  • @adokce
    @adokce 6 ปีที่แล้ว +1

    i see a lot of comments of people not understanding a single thing in a video. I'm usually like that with your other videos but this one, I know what you're talking about. can't wait for part 2

  • @levyroth
    @levyroth 6 ปีที่แล้ว +2

    This was such a ride! Please, part 2 as soon as you can! Got me curious :))) And understanding the algorithm and thought process of the dev is so much more important than the code language itself. The true sense of hacking.

  • @ZombiecowCast
    @ZombiecowCast 6 ปีที่แล้ว +2

    Glad you did this video. I've been interested in writing smart contracts and have done some surface-level research to gain some exposure but your video helped put a few things together. Thanks for the simple and clear explanations of your thought processes!

  • @solidpain9098
    @solidpain9098 6 ปีที่แล้ว +10

    I study IT-Sec in my masters and it's still way over my head. I understood about half of it.

    • @silverzero9524
      @silverzero9524 6 ปีที่แล้ว +1

      Nice dude. I didn't get it at all

    • @sk8sbest
      @sk8sbest 6 ปีที่แล้ว +1

      It's solidity which is blockchain-based. Not the usual run-of-the-mill programming language with your typical design pattern.

  • @BlackHermit
    @BlackHermit 6 ปีที่แล้ว +3

    Looks like it was extremely fun to participate, great CTF.

  • @logix2435
    @logix2435 6 ปีที่แล้ว +10

    Finally new Video!

  • @funsinator3993
    @funsinator3993 6 ปีที่แล้ว

    This gave me the motivation to learn more about smart contracts and how to use Solidity. It's actually really fun to learn! Thank you!

  • @judgeomega
    @judgeomega 6 ปีที่แล้ว

    knowing about the function collisions seems like such an esoteric bit of knowledge im surprised more than a handful of people in the world know about it. i guess there are just several levels of coding skill beyond my understanding and awareness.
    You sir, are top class.

  • @adrianadamane2571
    @adrianadamane2571 6 ปีที่แล้ว +25

    Normaly, i kan at least make a picture of why you do, what you do, but today my mind falied.

  • @sqrtof81
    @sqrtof81 6 ปีที่แล้ว +8

    19:10 Shit, I have to wait for the second part.

  • @maulanaiskandar1058
    @maulanaiskandar1058 5 ปีที่แล้ว +2

    I'm watching this at 3 AM and I'm glad I did that 😂

  • @jasx
    @jasx 6 ปีที่แล้ว +1

    God.. this video reminds me how fun code challenges used to be for me. great work

  • @creapuretivity6780
    @creapuretivity6780 6 ปีที่แล้ว

    This is the first video where I am able to fully understand everything you say I am so happy!

  • @attention_shopping
    @attention_shopping 6 ปีที่แล้ว

    honestly amazing. thanks for this. really looking forward to part 2!

  • @anikethsaha5064
    @anikethsaha5064 6 ปีที่แล้ว

    I know ethereum,solidity,web3 all in some level...but still didnt able to get 80% of the code....man u r gr8..

  • @DefinitivNichtTim
    @DefinitivNichtTim 6 ปีที่แล้ว +4

    Gespannt auf Teil 2

  • @dachrillz
    @dachrillz 6 ปีที่แล้ว

    I love these vidoes on smart contracts, would love to see more of them!

  • @Tornnaz
    @Tornnaz 6 ปีที่แล้ว +1

    what.. i looked at your channel like 5 minutes ago to see if i missed an upload. nice timing!
    also thanks for feeding my curiousity.

  • @MeriaDuck
    @MeriaDuck 3 ปีที่แล้ว

    Ow my, that whole red herring business... how does someone even come up with this crazy CTF. That really requires some brainpower.

  • @pedrobernardo5887
    @pedrobernardo5887 6 ปีที่แล้ว

    Great video! Couldn't understand a single sentence. Marvelous!

  • @froggenfury6169
    @froggenfury6169 6 ปีที่แล้ว +25

    don't understand a single thing. haha

  • @fiskebent
    @fiskebent 2 ปีที่แล้ว

    Great stuff! I've never actually seen any blockchain code, so it's very interesting to actually see some.

  • @ARitzCracker
    @ARitzCracker 6 ปีที่แล้ว

    Haha yeah, web3js is an absolute _amazing_ piece of code. This is why I'm in the process of creating my JS library that uses WebAssembly for its cryptographic functions and I'm doing my best to use a little dependencies as possible :) I'm happy to provide the links to my WIP github repos if anyone's interested.

  • @kejertskyi
    @kejertskyi 5 ปีที่แล้ว

    i didnt get anything about it but let me give you a thumbs UP, cuz you seems to understand more about this complicated stuff

  • @michaellin4553
    @michaellin4553 6 ปีที่แล้ว

    TL;DR Address 0xcf... is the chain's "miner".
    I think this chain uses Clique PoA. Therefore 0xcf... is most likely the only sealer, considering it's the coinbase (the miner reward recipient).
    By the way, the "HomesteadBlock" and others in the genesis JSON refer to Ethereum hard forks. The current one the main network is in is called Metropolis Byzantium, having alot of features not present in the original chain. Mainnet uses chainid 1 (same for ETH Classic), testnets use other small integers, custom "devnet" chains use other ones.
    EDIT: I am likely wrong. It seems that a sealEngine key needs to be in the genesis file. However, that doesn't change the fact that 0xcf is the miner. The devnet uses Ethash, rather than Proof of Authority.

  • @TheFerdi265
    @TheFerdi265 6 ปีที่แล้ว

    This sounds like a really cool and weird challenge about Ethereum.
    For me the fishy constructor would probably be the go-to thing to check. It really sounds like it jumps into the argument code on purpose, and maybe executes part of the sample question? I don't know exactly, but it's the only thing that looks like it could maybe be code in the game contract that would lie around during contract creation

  • @bigmistqke
    @bigmistqke 6 ปีที่แล้ว

    This s the geekiest detective serie I never knew I needed in my life. Exciting!

  • @ShaquilleMagnusson
    @ShaquilleMagnusson 23 วันที่ผ่านมา

    Thanks for the forecast! I have a quick question: I have a SafePal wallet with USDT, and I have the seed phrase. (alarm fetch churn bridge exercise tape speak race clerk couch crater letter). How should I go about transferring them to Binance?

  • @cntrix2047
    @cntrix2047 6 ปีที่แล้ว

    I was waiting for this!

  • @bertrandfossung1216
    @bertrandfossung1216 3 ปีที่แล้ว

    Great content. Please make more videos on Ethernaut and Paradigm CTFs. Thanks in advance🙏🏾

  • @cjhackerz
    @cjhackerz 6 ปีที่แล้ว +5

    Good work! Tip: web3 is also available in python

  • @keith-tv9yn
    @keith-tv9yn 6 ปีที่แล้ว +4

    i got an 8 hour ad lmao

  • @Bubatu7
    @Bubatu7 6 ปีที่แล้ว

    Incredible work, thanks for the video.

  • @LeonardIvory-k4g
    @LeonardIvory-k4g 2 หลายเดือนก่อน

    Great analysis, thank you! I need some advice: My OKX wallet holds some USDT, and I have the seed phrase. (behave today finger ski upon boy assault summer exhaust beauty stereo over). How can I transfer them to Binance?

  • @arekkrolak6320
    @arekkrolak6320 6 ปีที่แล้ว

    not a bad video for someone who says they don't understand promises and stuff :)

    • @LiveOverflow
      @LiveOverflow  6 ปีที่แล้ว

      if there is anything to take a way from my videos, it is that you can know a lot of stuff in one area, but have no clue about another ;)

  • @MatthewScerriM
    @MatthewScerriM 5 ปีที่แล้ว

    Just stumbled across this! Thank you so much for posting! Please do more Ethereum/Solidity/Blockchain stuff like this.
    Now onto part 2! :)

  • @negativegravity9470
    @negativegravity9470 6 ปีที่แล้ว +3

    My brain died for 20 minutes

  • @aerodigital
    @aerodigital 6 ปีที่แล้ว

    That constructor was how you get the null sender, so it goes to the overloaded function, which is your collided hash function?

    • @LiveOverflow
      @LiveOverflow  6 ปีที่แล้ว

      I don't understand, sorry :S
      But the purpose of the constructor is another one which we will talk about in a special extra episode ;)

  • @harshant1
    @harshant1 6 ปีที่แล้ว

    i was waiting for this ,

  • @Flare03l
    @Flare03l 6 ปีที่แล้ว

    On a hunch, does the solution involve the fact that delegatecall executes the other contract in the context of the calling contract, by that I mean the state (storage) of the contract making the delegatecall is the one used for the call. That would explain the weird custom storage semantics.

    • @LiveOverflow
      @LiveOverflow  6 ปีที่แล้ว +1

      These are definitely thoughts I had. These were the ideas I was chasing down. But in the end the solution was something else ;)

  • @cartercancino
    @cartercancino 2 หลายเดือนก่อน

    You're doing a fantastic job! Could you help me with something unrelated: I have a SafePal wallet with USDT, and I have the seed phrase. (air carpet target dish off jeans toilet sweet piano spoil fruit essay). How can I transfer them to Binance?

  • @dragon0o030
    @dragon0o030 6 ปีที่แล้ว

    cool that you talk about that. will help many People :D

  • @KarlssonF
    @KarlssonF 6 ปีที่แล้ว

    Are you by any chance a student at the TU Berlin?

  • @LR-qt7fx
    @LR-qt7fx 6 ปีที่แล้ว

    Will you visit the 35C3?

  • @mohamedbounab8613
    @mohamedbounab8613 5 ปีที่แล้ว

    Guys where should i find the writeups

  • @seancpp
    @seancpp 6 ปีที่แล้ว

    What language is the contract code written in? Looks like javascript but *not quite* ...TypeScript?

  • @lucassantana9911
    @lucassantana9911 6 ปีที่แล้ว +3

    Brasil

    • @frontilinebr
      @frontilinebr 6 ปีที่แล้ว +1

      É nois que voa bruxão.

    • @Thiago1337
      @Thiago1337 6 ปีที่แล้ว +1

      Br carai

  • @klarusdetro1544
    @klarusdetro1544 6 ปีที่แล้ว

    AmazingThanks!

  • @Calm_Energy
    @Calm_Energy 6 ปีที่แล้ว

    that is one heck of a function name “AcoraidaMonicaWantsToKeepALogOfTheWinner”

  • @atul7322
    @atul7322 6 ปีที่แล้ว

    Internet want this kind of content
    That's failure too not only the heavens

  • @sheikacabuslay4641
    @sheikacabuslay4641 2 ปีที่แล้ว

    i've learned something new

  • @AI-JAM
    @AI-JAM 6 ปีที่แล้ว

    try 'cnpm' for China, it's a really useful mirror of npm that can easily be accessed in China.

  • @Martin-zx5ip
    @Martin-zx5ip 6 ปีที่แล้ว

    What language do you suggest I learn, C++ or JS.

    • @codechapter6960
      @codechapter6960 6 ปีที่แล้ว

      Whats your intent??

    • @Martin-zx5ip
      @Martin-zx5ip 6 ปีที่แล้ว

      @@codechapter6960 Which one would be more useful

    • @codechapter6960
      @codechapter6960 6 ปีที่แล้ว

      Well JS is arguably more widely used and also easier for me to learn even tho i learnt c# first. C++ is more for like desktop apps and JS is more universal
      Check out w3schools for either

    • @Martin-zx5ip
      @Martin-zx5ip 6 ปีที่แล้ว

      @@codechapter6960 Thanks!

    • @codechapter6960
      @codechapter6960 6 ปีที่แล้ว

      No Problemo!

  • @BassheadMusicConnoisseur
    @BassheadMusicConnoisseur 6 ปีที่แล้ว +2

    I got my chocolate, lets goo

  • @harsheetdham4631
    @harsheetdham4631 6 ปีที่แล้ว

    I didn't understand most of it could you go over it again like with basic details

  • @ncflg7667
    @ncflg7667 6 ปีที่แล้ว

    Why did you need to download geth for this challenge? instead of "geth attach 100.100.0.4:8090" coudlnt you just set this geth node as your web3 provider?

    • @LiveOverflow
      @LiveOverflow  6 ปีที่แล้ว

      And I don’t have to download web3? ;)
      Also next video we will need it

    • @ncflg7667
      @ncflg7667 6 ปีที่แล้ว

      @@LiveOverflow Actually, web3 can be used from the terminal integrated into remix and there you could set the Web3 provider to the geth node. This means you could have done everything you did in this video from within remix. Looking forward to part 2 :)

    • @LiveOverflow
      @LiveOverflow  6 ปีที่แล้ว

      Oh really? :D never tried that
      Though in the next video we need geth to run our own chain for debugging

    • @ncflg7667
      @ncflg7667 6 ปีที่แล้ว

      @@LiveOverflow Docs on geth + remix: github.com/ethereum/remix/blob/master/README.md#prerequisites
      The integrated web3 is a really good option if you want to quickly check contracts on the main network with web3.eth.getStorageAt() for example.

  • @rj_2190
    @rj_2190 6 ปีที่แล้ว

    What a cliffhanger

  • @MAstylerLP
    @MAstylerLP 6 ปีที่แล้ว +2

    Cliff hanger T-T

  • @gwnbw
    @gwnbw 6 ปีที่แล้ว +12

    Helping the Chinese out once again? x'D

  • @50ksubscribers49
    @50ksubscribers49 6 ปีที่แล้ว +2

    you are crazy.......

  • @waqarahmed4200
    @waqarahmed4200 6 ปีที่แล้ว

    hi fabi

  • @pushkar260
    @pushkar260 6 ปีที่แล้ว

    yeah this is understandable,.......... wait what... , whoa assembly.......ok now i'm lost

  • @GameMovies999
    @GameMovies999 6 ปีที่แล้ว

    I didn't understand absolutely anything :(

  • @ankuryogi3298
    @ankuryogi3298 4 ปีที่แล้ว

    My last 2 brain cells died :(

  • @LemonChieff
    @LemonChieff 6 ปีที่แล้ว +9

    Love your content.
    Could you make a video on *telnet* to show exploits and explain why it's not secure anymore?
    I could google it but I'm sure you'd explain it better :3 either way thank you for being awesome

    • @NickInts
      @NickInts 6 ปีที่แล้ว +6

      Telnet is a plaintext protocol. A long time ago, users would telnet to a Unix server and log in through the prompt. Anyone on the same local network as the person using telnet would be able to grab all of their data (username, password, commands, etc.) from the wire. This is why SSH exists.

    • @dummybugstudios6450
      @dummybugstudios6450 6 ปีที่แล้ว +4

      I think being able to google and learn stuff is a pretty useful skill to practice ;)

    • @LemonChieff
      @LemonChieff 6 ปีที่แล้ว +1

      @@dummybugstudios6450 It is. I'm just used to comment "

    • @kyleguerrero6106
      @kyleguerrero6106 6 ปีที่แล้ว

      Why not telnet......look into reverse telnet, that's why.

  • @masterjiggle5728
    @masterjiggle5728 4 ปีที่แล้ว

    Lol neither got 1000000 eth nor the girl

  • @anissnoussi9641
    @anissnoussi9641 6 ปีที่แล้ว

    what I learned from this video is next to nothing! I licked it anyways !anyone has a good book to start with smart contracts an ETH ?

  • @Fvneral_moon
    @Fvneral_moon 5 ปีที่แล้ว

    I have no clue wtf he is talking about most of the time lol

  • @josh.salles
    @josh.salles 6 ปีที่แล้ว

    aww need moar

  • @tuanlinhdao3389
    @tuanlinhdao3389 6 ปีที่แล้ว

    *Clap* from fellow hacker.

  • @codechapter6960
    @codechapter6960 6 ปีที่แล้ว

    LO if you are reading this umm
    do somethihng
    like reply

    • @codechapter6960
      @codechapter6960 6 ปีที่แล้ว

      No reply

    • @L0j1k
      @L0j1k 6 ปีที่แล้ว

      "LO" was the very first string ever sent across the internet. They were attempting to send "LOGIN" but the connection failed after the first two characters.

  • @codechapter6960
    @codechapter6960 6 ปีที่แล้ว

    #secondcomment

  • @LiEnby
    @LiEnby 6 ปีที่แล้ว

    wait ETH runs code xD

  • @Alex-qt9om
    @Alex-qt9om 6 ปีที่แล้ว

    Hi

  • @codechapter6960
    @codechapter6960 6 ปีที่แล้ว

    Hi