Officer's Blog

Posted on Nov 21, 2022Read on Mirror.xyz

How to Defend Your Castle | Innovative Trio in Smart Contract Security: Monitoring, Prevention, Defense

Looking at this month’s never-ending hacks, one wonders why they happen so frequently. Have audit firms actually gotten worse at what they do?

Read an original article via the link below:

https://medium.com/pessimistic-security/how-to-defend-your-castle-innovative-trio-in-smart-contract-security-monitoring-prevention-c8885304035a

This, in my opinion, is not the case; yet, the topic is rather tricky because you can, in certain ways, reduce the risks to yourself and your project!

I’d also like to thank the Authors of all of the services used as examples in this article, as well as the Authors of all of the resources I used as references; keep up the good work!

https://spotter.pessimistic.io/

Let’s get to the bottom of this question!


I — So… Why?

Hacks like the one that occurred lately occur as a result of organizations running too many upgrades… There are too many! Contracts should always be redeployed, fixed, and updated. Auditor work is much slower and takes more time.

Companies in this situation are pursuing the number of people and introducing upgrades faster than they have time to check, and it’s unexpectedly not their fault — after all, they do business and are quite confident in what they do.

At the same time, many projects discover about the occurrence after it has occurred, when there is almost nothing they can do and can only try to comfort their own community, which will have no effect unless serious action is taken to protect the project.

Often companies find out about new incidents right from Twitter, you might not believe it, but it’s true! However, few people know that there are solutions that make it possible to do the proper level of protection on blockchain as well.


II — Introduction

To begin, blockchain is a different layer, which we will refer to as the data-layer for convenience, and it is in line with the front-end and back-end, so we must organize a separate monitoring. This is critical to do, first and foremost to grasp how blockchain works and what types of assaults exist — in NFT, Meta-verse, DeFi, DEX, and so on.

You will be able to set up the appropriate alerts and active protection based on this data, for example, knowing which specific changes of your smart contract are especially important to watch.

https://n00bzunit3d.xyz/blog/intro-to-web3-security

But how? Let’s turn to the father of all blockchains — banking compliance system and banking security, after all, it is their replacement in each individual case by a few DApp and we all consider as the signs of that very mass adoption of the smart contracts.

If we finally want to give people the opportunity to be their own bank, we must realize that in this case people must be able to replace all those services and actions for which traditional banks get money!

www.researchgate.net/publication/340061422_Decentralized_Finance_On_Blockchain-

So, as a rule, in such serious institutions as banks, local security services use such things as DLP and SIEM. In the same way, organizations can use different security technologies for detection of insider threats.

Data loss prevention software detects potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting and blocking sensitive data while in use, in motion, and at rest. The terms “data loss” and “data leak” are related and are often used interchangeably.

For example, DLP encryption protocols can inform the organizations when a large file gets missing from the server. Likewise, the SIEM solutions can detect and inform you about insider threats if detected.

https://medium.com/databulls/what-is-data-loss-prevention-dlp-how-does-it-work-f1b3db3710e9

Security information and event management is a field within the field of computer security, where software products and services combine security information management and security event management. They provide real-time analysis of security alerts generated by applications and network hardware.

So let’s focus on that in a bit more detail in the prism of the blockchain-based smart contracts. In blockchain we are dealing with not quite normal characteristics and with a lot of data at the same time, but all the things I listed above can be done at the blockchain level as well.

For example, here is the technology I described in 2020, and it is similar to the implementation of roughly the same web2-origin thing but in blockchain. This is exactly the idea I want to convey — there are already working bundles, you just need to properly adapt them to the data-layer.

https://www.smartcontractresearch.org/t/from-zapper-post-mortem-to-using-front-run-in-project-defense-theory-post/545

Theoretically, it could be used to obviously front-run anyone not using a private pool. It starts getting more complicated when they do. As an additional step within Flashbots, such a monitoring tool could be very useful!

www.researchgate.net/publication/340700069_Blockchain_Ethereum_Clients_Performance_Analysis_Considering_E-Voting_Application

MEV can also prevent the funds loss from the bridge or protocol during the process. In this system, before the hacker’s transaction goes to block, the Monitoring tool detects suspicious transactions in mempool and moves funds into the block before the hacker’s transaction.

Learn more about MEV from this resource!


III — On-chain Monitoring

Imagine the situation — you are the owner or employee of a large financial protocol based on smart contracts, and hundreds of indignant people start tweeting to you and you realize with horror that their anger is justified — because your project was hacked and right now they are taking money out of it, using the Reentrancy attack.

Most likely, you will make a lot of mistakes and will not immediately understand what to do. But what would happen if you had monitoring installed?

Your technical team might have been notified when the attack started (when the money started flowing out of the system) or even before the attack!

https://twitter.com/bertcmiller/status/1589275677811159041

To do this, monitoring should not only work for notification, like Tenderly, but also for a warning, like Forta or others similar to it. And the best would be if they will duplicate each other, and common events will be managed by the “head” program acting like a classic SIEM.

Does that sound cool? It is, because you can combine all three principles of reliable protection — prevention, internal response to minimize damage from an attack, and active protection against the actions of a hacker. Let’s imagine this situation again.

https://github.com/nascentxyz/simple-security-toolkit

So, you are the owner or an employee of a large project and suddenly your company’s CISO or CTO gets a message on his cell phone that a dangerous smart contract has been embedded into the network, which aims to carry out a flash loan attack against you.

www.smartcontractresearch.org/t/a-survey-on-ethereum-systems-security-vulnerabilities-attacks-and-defenses/98

You immediately give the order to deal with it and the team begins to work — update the smart contract, activate active protection in the form of bots or urgently evacuate the money to backup storage or halt contracts immediately.

Check out:

Either way, they will have time to think. Each deliberate action will increase your chances of a successful outcome and it’s having that time that will allow you to do anything at all.

https://github.com/forta-network/forta-bot-examples

https://officercia.medium.com/tenderly-app-a-swiss-pocketknife-for-the-web3-developer-89bb904bee46

But this situation also has a variation. I would even call it a common mistake — because often such tools are simply understood as services that allow you to let you know if something has already happened and an attack has already started.

https://youtu.be/PPtPVv2KZ7c

However, this is not entirely true — and sometimes even the creators of these services miss some important details. I’m going to go through the main services in our review and at the end I’ll tell you about the tool we’re preparing in pessimistic.io and how it is connected to everything written above.


IV — On-chain Monitoring & Defense Tools Shortlist

To begin with, the companies I have shortlisted for our review. In my opinion, these are worthy representatives:

First, let’s look at the pros of each system. I would like to single out BlockNative from the general list for the good idea to refer to a mempool to get information about impending attacks, at the same time it would be hard to imagine reliable protection without installing something like Forta or Tenderly, but the question arises, how to do it so that it works?

For a better understanding of what we are going to talk about next, I advise experienced readers to read the following WP. Obviously, the current incarnation of DappGuard is nothing more than a proof of concept based on developed tools, surprisingly, it has been a long time and we have real working tools!

https://forta.org/blog/how-fortas-predictive-ml-models-detect-attacks-before-exploitation/

Here is one of the very first concepts of monitoring and protection combined.

I’m sure many people would correct me — if you’re building a wall of security, you have to know it better than anyone else. There’s certainly some truth in those words, and one of the main drawbacks of these services — the complexity of configuration — also stems from them.

Also check out this implementation:

https://github.com/jtriley-eth/counter-exploit-toolkit

Another significant disadvantage is the slow (from 40 seconds up to 5 minutes) reaction time.


V — On-chain Simulation: User-Side Defense

There is also another point of view. Some just want to protect their users and thus focus on user-side aspect of the defense system rather then installing complex smart contracts monitoring.

In short, it comes from eth_sign, transfer_from functions & eip-712 making theft possible as they don’t respect any allowances. One solution is to use a special app (don’t confuse them with rug-checker tools, delegate.cash or DeFiYeildShield) which will simulate a transaction right before you interact with a smart contract.

There are such services existing as:

But there is also an important thing to keep in mind! A frustrating part about this is was this caused a rally around “tx simulation for safety”, but simulation strictly does not provide safety, but would introduce a new vector for impersonating a credible looking claim.

https://officercia.mirror.xyz/M0QAuwwbppAFj2KWZV02DEC8CtrxaX3R47kdpcTspvE

https://officercia.mirror.xyz/Y3xDO0XlAvIzJBwNhFZnvPWLiztWxIp1KHqg-B0kKxI

There was also an incredible item, and I really like this idea, since it is probably a logical continuation of an old script and this service, but this is actually lot better than another simulator (it probably uses simulation like in this list).

Bonus toolset for Tokenomics modeling & simulation:

These tools have nothing to do with our main topic — smart contract monitoring for projects, though they can be definitely used as an additional security layer, let’s say — from the community end, and you, as a project owner, should suggest your community checking them out just in order to prevent users getting scammed by all sorts of scammers floating around.

Even though some attack vectors are possible, the pros of these services obviously outweigh their disadvantages and allow you to significantly reduce the damage to your community through hundreds of “low-level” attacks.


VI — Our Vision | Pessimistic.io Solution

As an auditing company, we once thought something needed to change. At that time we had already released the SmartCheck tool and had experience in developing tools.

A few words about our tool, SmartCheck — which can serve as a reinforcement of what we will talk about next in a sort of a blue-box scanner form. Even in its raw form, it shows good results, and second place in ToB’s article is not bad for a tool we stopped supporting three years ago.

Please check out:

https://spotter.pessimistic.io/

https://t.me/pessimistic_spotter_public

So, our vision is to create a next-level monitoring and protection system, which by all parameters — such as speed of response, data collection resources and so on, will significantly outperform the competition.

It is important to note that we intend to depart from the traditional concept of separating tools for preventing and reporting attacks on the project and the community, and instead plan to make the system flexible, so that it can be used for a variety of purposes. Simultaneously, we intend to make it the most convenient for projects and will adhere to this paradigm.

You may reasonably ask us what the main differences are from what we talked about earlier, so here goes:

  • We want to predict attacks rather than react to those that have already happened;

  • We want to implement a black-box fuzzer and similar tools, so attacker contracts can be simulated right as they are deployed.

  • We plan to react in milliseconds and for this we experiment with data centers located nearby BGP nodes and other techniques;

  • Setting up our monitoring will take five minutes. Exactly 5 minutes — and this is our biggest advantage;

  • We are going to keep our detection techniques closed source so that a hacker cannot predict them;

  • We will work with mempool and other transaction aggregators to gain additional seconds for our clients. We also want to be compatible with other tools and services, and we want to collaborate rather than compete, because we feel that multiple monitoring technologies will complement one other, resulting in improved ecosystem security!

In the following articles we will gradually expand the functionality of our service and provide an opportunity to test it on your system. We’ll let you know the release date soon!

Thank you very much for your attention!


If you want to support my work, you can send me a donation to the address: