Posted on

History of hacks and incident in the crypto space

Bancor Hack (2020-06-16)

Short Version: A public call in the smart contract allowed anybody to withdraw token from the contract. The problem is not the function being public, the allowed input type has been set too general. Bancor did a white hat attack to withdraw all funds. Funds were lost by front running bots, not by hacker. Maybe part of it will be returned for a bug bounty.

What I think about this

It's crazy that an audit did not reveal this, because it looks like a trivial bug/mistake to me. It's not about logical problems, it's about allwod input type, if I am right (Not a smart contract dev myself). Bancor did fix this bug at June 13. It looks like the code fragment was introduced in one step, so like copy/past from another source?

Commit which introduced the bug:
https://github.com/bancorprotocol/contracts-solidity/commit/bd4060bf060cc55aaa11af86ec03a14026ee5b3d#diff-936d4cb65ef1b220e833b30f52f8d74f

Fix: https://github.com/bancorprotocol/contracts-solidity/commit/47d8663d720d49aed55710039875070d514baca4

At risk: $455,349
Lost: $135,229, not by the smart contract failure, but by some front running bot during white hat attack.
Solved: White hat attack and new contraced deployed
Code: https://github.com/bancorprotocol/contracts-solidity/blob/d4b1dc7b2e4d46a555b48ad34fd0fe235abad7b4/solidity/contracts/utility/TokenHandler.sol#L45-L47

Sources
I used these both sources for this short version:
https://blog.bancor.network/bancors-response-to-today-s-smart-contract-vulnerability-dc888c589fe4?gi=ccf539fc91b
https://medium.com/@1inch.exchange/bancor-network-hack-2020-3c71444fd59d

Parity Hack (2017-11-06)

"I accidentally killed it"
https://github.com/openethereum/openethereum/issues/6995

https://medium.com/solidified/parity-hack-how-it-happened-and-its-aftermath-9bffb2105c0

Posted on

A protocol for domain trading via Blockchain

Artikel in Deutsch

Analysis

The market for domain trading is a very illiquid market with high barriers:

  • The pricing is not transparent.
  • High referral fees are due (platform fees/escrow)
  • Domains are offered which are not available at all.
  • Domains are offered for sale, but the seller is difficult or impossible to reach.
  • The purchase has to be handled through a trustee and the domain transfer is relatively simple, but difficult for laymen to manage.
  • Since sometimes considerable sums are involved and the selling parties do not know each other, there is a high risk of fraud.
  • Purchases are often international and therefore a legal protection is difficult / expensive / complex.

Solution

The goal is a trading platform where domains are sold at fixed prices and as soon as a payment is received via the Smart Contract, the domain transfer can be initiated without the seller's intervention. The Smart-Contract keeps the purchase amount in escrow until the buyer has completed the domain transfer. The buyer himself must pay the purchase amount plus a deposit. The deposit will be returned to the buyer after completion of the domain transfer and the purchase via the platform.

If the buyer does not lodge an objection after a time limit, the seller receives his money back and the buyer his deposit. If the buyer confirms the completion of the purchase and does not carry out the transfer, his deposit expires and he gets his purchase amount back.

Challenges

  • The domain transfer must be confirmed by a DNS entry after completion. It must be possible to read the DNS entry unambiguously into the Smart Contract using an oracle. This interface must be fraud-proof.
  • The transfer (Unlock/Transfercode/AK/DNS entry) must still be handled by the buyer - but could be done against a fee from outside.
  • The market may not be interested in price transparency.
  • Even stolen domains can be sold this way.
  • Expansion: Domain auctions are also well feasible via Smart Contracts
Posted on

Versiegelung von ungeöffneten Objekten und Nachweis mittels Blockchain

Recherche

Security tamper evident bags = STEB

Allgemein

https://en.wikipedia.org/wiki/Security_bag

 

https://en.wikipedia.org/wiki/Tamper_resistance

https://en.wikipedia.org/wiki/Security_seal

https://en.wikipedia.org/wiki/Tamper-evident_technology

https://en.wikipedia.org/wiki/Evidence_management

https://en.wikipedia.org/wiki/Package_pilferage

https://en.wikipedia.org/wiki/Security_tape

Produkte

https://www.labellock.com

https://www.debatin.de

https://www.atg-polizeibedarf-shop.de/

https://www.alibaba.com/showroom/tamper-proof-paper-seals.html

ICAO Duty Free Bags | Security Envelopes

http://headlandltd.com/security-seals/reusable-security-bag/

http://www.printablesecuritylabels.com/sale-9651240-plastic-bank-cash-bag-security-seal-safety-deposit-bag-tamper-proof-deposit-bags.html

Tamper Evident Security Envelopes

https://www.amazon.de/s/ref=nb_sb_noss?__mk_de_DE=%C3%85M%C3%85%C5%BD%C3%95%C3%91&url=search-alias%3Doffice-products&field-keywords=manipulationssicherer

https://www.gov.uk/government/publications/notice-205-official-customs-seals-and-trader-sealing/notice-205-official-customs-seals-and-trader-sealing

Ist es möglich Formspuren zu digitalisieren?

 

Parameter von Dingen

  • Oberfläche als Abdruck (Reproduzierbarkeit? Veränderung über die Zeit)
  • Masse
  • Gewicht
  • Volumen (Differenzmethode ohne flüssigkeit?)
  • Durchleuchten

 

https://de.wikipedia.org/wiki/Technische_Formspuren

 

https://www.heise.de/newsticker/meldung/Direkt-von-Amazon-Faelschungen-von-AMDs-Ryzen-Prozessoren-im-Umlauf-3772757.html

 

Posted on

Brainwallet, eine nicht so gute Idee

Brainwallet sind nicht wirklich sicher, da Menschen schlechte Quellen von Entropie sind.

Online:

https://brainwalletx.github.io/#generator

Code:

https://github.com/brainwalletX/brainwalletX.github.io

Hacktools:

https://github.com/ryancdotorg/brainflayer
https://github.com/FredericHeem/etherhunt

Links:

http://blog.ether.camp/post/138376049438/why-brain-wallet-is-the-best