Blockchain Developers Meetup 0x06 – Jump Oriented Programming in Ethereum Smart Contract


Hey you, fellow blockchain developer. If you missed our 0x06 monthly meetup, which took place last week (22.01.2019), here is some interesting stuff to help you catch up.


What happened recently

As always, we discussed the interesting things that happened during the month from a developer's perspective. Our focus was on the Constantinople Ethereum fork, which was postponed at the last minute.

Constantinople Ethereum fork postponed

As it turns out, ChainSecurity, a company focused on research and security of smart contracts, found a vulnerability that might lead to bigger issues and re-enable re-entrancy attacks on some smart contracts after the fork.


In summary: EIP-1283, which introduces cheaper gas costs for SSTORE operations, may result in a reentrancy vulnerability for some smart contracts.

Contracts that are more likely to be vulnerable are those that use a transfer() or send() function followed by a state-changing operation. An example of such a contract would be one where two parties jointly receive funds, decide on how to split said funds, and initiate a payout of those funds.

And the brief explanation: when a CALL is made to transfer funds, the callee gets 2300 gas to spend even if the caller hasn’t specified additional gas. Solidity’s .transfer() function does this and provides no option for the user to override that.

This has not been an issue previously because, even though 2300 gas was enough to make a CALL from the callee, there was no way to change a storage entry while SSTORE cost 5000 gas.

But now, after Constantinople and EIP-1283, the cheapest SSTORE operation is 200 gas, which opens up a non-zero possibility of re-entrancy attacks on some smart contracts.
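The gas argument above can be checked against the EIP-1283 cost rules. The following Python model is an added example, not code from the meetup or from the EIP's authors; it leaves out gas refunds, and the function names and sample slot values are constructed for illustration.

```python
# Added example: SSTORE gas cost before and after EIP-1283 (net gas metering).
# Refunds are not modelled; only the up-front cost matters for the stipend check.
STIPEND = 2300        # gas available to the callee of a plain transfer (from the post)
SSTORE_CHEAP = 200    # EIP-1283: no-op write, or write to an already modified slot
SSTORE_SET = 20000    # zero -> non-zero
SSTORE_RESET = 5000   # any other write to a slot


def sstore_legacy(current, new):
    """Pre-Constantinople rule: cost depends only on the current and new value."""
    return SSTORE_SET if current == 0 and new != 0 else SSTORE_RESET


def sstore_eip1283(original, current, new):
    """EIP-1283 rule; `original` is the slot value at the start of the transaction."""
    if current == new:            # no-op write
        return SSTORE_CHEAP
    if original == current:       # slot untouched so far in this transaction
        return SSTORE_SET if original == 0 else SSTORE_RESET
    return SSTORE_CHEAP           # slot already modified in this transaction


def fits_in_stipend(cost):
    """True if a single SSTORE of this cost can run on the 2300 gas stipend."""
    return cost <= STIPEND


def report():
    # Constructed cases: (label, original, current, new)
    cases = [
        ("clean slot, 0 -> 1", 0, 0, 1),
        ("clean slot, 1 -> 2", 1, 1, 2),
        ("no-op write, 1 -> 1", 1, 1, 1),
        ("modified slot, 2 -> 3", 1, 2, 3),
    ]
    rows = []
    for label, original, current, new in cases:
        old = sstore_legacy(current, new)
        net = sstore_eip1283(original, current, new)
        rows.append((label, old, fits_in_stipend(old), net, fits_in_stipend(net)))
    return rows


if __name__ == "__main__":
    for label, old, old_ok, net, net_ok in report():
        print(f"{label:24} legacy={old:5} fits={old_ok!s:5} eip1283={net:5} fits={net_ok}")
```

Under the legacy rule no storage write fits in the stipend; under EIP-1283 the 200 gas cases do. A contract that finishes its state changes before calling transfer() or send() does not depend on that gas limit for its safety.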

Jump Oriented Programming in Ethereum

Exploiting Acoraida Monica game

As the title suggests, the whole topic that we went through is quite catchy. We first came across Jump Oriented Programming in Ethereum last month; it is explained quite well in a couple of great videos by LiveOverflow on his YouTube channel. So we got in touch with him, and Milen Radkov presented this at the meetup.

We saw how we can make a Solidity smart contract misbehave, making it act differently and hiding what exactly it is doing.

The whole thing is based on carefully selected function names and a specifically chosen address so that the execution succeeds (in this case making it possible to withdraw and drain the whole contract).


Also published on Medium.


About the author:

Milen

Milen Radkov has experience building and delivering successful complex software systems and projects for both big enterprises and small startups. Having actively developed across different blockchain protocols, platforms and projects for the past 5 years, he has gained extensive experience in blockchain development, architectures, consensus algorithms and token economics. Milen is a well-known figure in the blockchain space.

