Security has always been one of the most important aspects of information technology, and today many organizations and their developers adopt a security-first mindset when building applications.
These principles and actions are often collectively described as ‘DevSecOps’, which encompasses the entire culture and approach of application security. DevSecOps stands for development, security, and operations. It aims to embed a security-first mindset into all aspects of information technology and infrastructure.
One of the newest and most exciting markets in information technology is blockchain, which comes with a giant ecosystem of decentralized protocols and applications that aim to take us into an updated version of the web, what many refer to as web3.
What is web3 and what exactly is a decentralized application?
The term web3 encompasses various concepts that focus on aspects of application architecture and user experience:
These core concepts aim to give users back control of their identity using public key cryptography and grow the adoption of peer-to-peer economics through various blockchain mechanics and protocols. Many blockchains and their surrounding protocols can process advanced transactions and manage state using smart contracts that are executed within isolated virtualized environments.
These are then synchronized across all nodes on the network through a mechanism called a consensus algorithm. This is a mechanism that allows users or nodes to coordinate in a distributed setting to ensure that all nodes in the system can agree on a single source of truth, even if some agents fail. Additionally, many blockchains operate in a censorship-resistant way by keeping their protocols open and permissionless.
What does the landscape look like?
There is an inherent risk in a blockchain-based architecture because the backbone to the network is typically powered by a digital, token-based cryptocurrency and usually carries a monetary value. These tokens are held in addresses, typically stored in externally owned accounts or within smart contracts. And since trust is also distributed with use of public key cryptography, each address on the network is prone to attack.
The balance for each account is distributed across the network on what is known as the public ledger, visible for anyone to see, which leaves an open window for hackers to target specific users or contracts. This makes privacy and anonymity a particularly important aspect for blockchain. Often, humans managing these accounts are either targets of attack or are given too much trust and can act in an illicit way.
– Social engineering
– Poorly managed trust or keys
– Embezzlement and fraud
Additionally, the technology footprint of these various blockchain technologies, protocols and decentralized applications is already large and is growing fast. Therefore, it is important to think about the security implications of this fast-growing ecosystem. Anything that is built with a core concept of decentralization has an increased landscape and therefore more attack points that should be carefully analyzed and secured.
Here are a few points that are worth considering when auditing the security of your decentralized applications and technology infrastructure:
– Layer 1 Blockchains (Bitcoin and Ethereum)
– Layer 2 Blockchains (Sidechains and Rollups)
– Smart Contracts
– Software wallets
– Hardware wallets
– Blockchain Clients (Miners and Validators)
– Custodial Exchanges (centralized)
– DeFi Exchanges (decentralized)
– Marketplaces (NFTs)
Common attack vectors in smart contracts
When we talk about DevSecOps in the development lifecycle of an application, we typically refer to security driven development. This is also commonly known as the act of shifting security left. It is one of the most important aspects of the DevSecOps culture, because it starts with developers thinking about security as code. Since blockchain-based smart contracts can store value and act as a bank, this makes the code within them extra vulnerable to attack and they should be written with strict security in mind.
We have seen several hacks targeting smart contracts and the vulnerabilities usually are focused on exploiting the code. One of the biggest hacks in history took place last year when Poly Network, a cross-chain protocol, reported that an attacker hacked a smart contract, transferring the equivalent of 610 million USD by moving various assets to external wallet addresses controlled by the hacker.
There are many vulnerabilities of smart contract development, but some of the most frequent attacks are:
– Underflow and Overflow – Typically occurs when arithmetic operations cause unsigned integers to reach their maximum byte size, causing the value to ‘wrap around’ and could cause unexpected behavior in the business logic of your application.
– Contract Reentrancy – The action of exploiting a contract by reentering over and over, where the attacker usually withdraws more funds than should be permitted.
– Transaction Front Running – This refers to the process where someone uses technology or market advantage to get prior knowledge of upcoming transactions.
– Poorly managed secrets.
– Poorly implemented access control.
What can you do to level the playing field?
– Build a security-first culture, DevSecOps concepts are a great starting point for organizations looking to build a security culture.
– Perform audits. Audits give a fresh perspective on application logic and operational processes, help expose vulnerabilities in code, and instill trust in users of your application. MythX and Slither are great tools for auditing Ethereum smart contracts.
– Offer bug bounties and perform crowd sourced pen testing. Crowd sourced security is a proven method to help strengthen your security footprint. By placing your company into bug bounty programs and performing penetration testing of your applications and infrastructure you can stay ahead of vulnerabilities and hacks.
– Adopt an open-source strategy. The transparency of your application is important in a technology like blockchain because it allows participants to opt-in based on the verification and audits of your code. Additionally, having components that are open-sourced allows for more accountability of your project in a community setting.
– Implement multi-signature for administrative operations. Implementing smart contracts that adopt a multi-signature architecture for administrative functions like transferring ownership, funds, and other critical operations will provide an extra layer of security for your application.
Blockchain, decentralized applications and the various protocols surrounding them are growing quickly. These new and exciting ways of deploying applications have the potential to disrupt many different industries. However, it is imperative that we focus on a security-first mindset and implement a DevSecOps culture wherever possible.
About the Author
Kevin Jones is Senior Product Manager for NGINX at F5. F5 is a multi-cloud application services and security company committed to bringing a better digital world to life. F5 partners with the world’s largest, most advanced organizations to optimize and secure every app and API anywhere, including on-premises, in the cloud, or at the edge. F5 enables organizations to provide exceptional, secure digital experiences for their customers and continuously stay ahead of threats.
The first step in anyone’s journey into blockchain should be to read the associated whitepaper for the protocol you are building on.
Next, study previous hacks and vulnerabilities, even going as far as to try and reproduce the hack in your development environment.
To get a hands-on learning experience for security on Ethereum, I recommend the following capture the flag (CTF) programs in which vulnerabilities or ‘flags’ are hidden in purposefully vulnerable programs or websites to teach fundamentals of security.
Featured image: ©Siahei