
On September 5th, the POD conference hosted by Odaily and strategically co-organized by 36Kr Group was held in Beijing. At the security forum of the conference, Guo Yu, the founder of SECBIT Lab, discussed blockchain security issues with the guests. Guo Yu presented a report on Last winner, a recent hot topic in security, explaining the inside story in detail.
Discussing the parent contract used to attack Last winner, and why the address of the Last winner contract has to be passed into it, Guo Yu said that this attack parent contract is actually a general weapon that can attack many types of Fomo3D games. This contract is very cleverly constructed.
The following is the transcript of the speech by Guo Yu, the founder of SECBIT Lab:
I am Guo Yu from SECBIT Lab, and today I would like to share some interesting things.
On August 10, a partner suddenly told me that there seemed to be some strange things in Ethereum, and asked us if we could analyze it. After we took it, we also felt that things were strange. There are a large number of consecutive failed transactions, and the red dots are all 0.1 ETH. These repeated things seem to be attacking something. And all these transactions originate from a weird smart contract whose first four letters are 0x5483. The transaction volume of this smart contract is still very large, there are dozens of transactions per minute, which can easily cause serious congestion in Ethereum, which is a preliminary feature we found. Feeling strange and suspicious, we also wondered what it was going to do.
We later found that in addition to a large number of failed transactions, there was an even larger number of successful transactions. There are no significant characteristics of successful transactions. It is very strange that 0.1 of them are invested and 0.19 of them come out. At the same time, a special feature of failed transactions is that the Gas consumption is extremely low, which seems to be a very efficient mining machine with a high return rate.
Later we found out that 0x5483 is actually an attack contract for attacking Last winner. It is carefully constructed and very powerful, and the attack steps are also very complicated. There are a lot of transfers in the contract. For example, in this contract in the PPT, 0.1 ETH is thrown in, and 0.18 ETH or 0.12 ETH comes out in the end.
What is Last winner? It is a copycat version of Fomo3D, mainly for domestic use. In Baidu, you can see a lot of advertising information, and there are also many WeChat groups and QQ groups. In addition, Last winner also has Android and iOS clients that can be downloaded. At that time, there were 16,000 people at the peak, and the people who participated were crazy.
What is Fomo3D? This is a phenomenon-level smart contract game some time ago, which instantly caused congestion to Ethereum users. There is a huge reward lure in the game, and the rules go like this. The first is to exchange the key, and throw it to the Fomo3D-like game contract after getting the key. This includes three profit methods. The first method exists in the main prize pool, and you can have the opportunity to get the final prize, that is, the game keeps counting down, and the last person who buys the key gets the final huge reward; the second method has a sub-reward pool, the way is a random probability lottery, that is, there is a chance to draw a lottery when the key is exchanged; the third way is a small reward, the earlier the key is bought, the sooner you can enjoy the dividends that come in later. Based on these three attractive winning models, Fomo3D caused congestion in Ethereum for a time after its launch.
On July 24th, SECBIT Lab discovered that there was a loophole in the second airdrop just now. Someone could get the result of the lottery in an unfair way. We only received the warning on August 10th.
The model of the airdrop lottery that was exposed before is that someone disclosed a plan that can be attacked, but the attack method is very inefficient and may not even be successful. Everyone knows it but no one tries it, and it seems that they can't make any money. But this attack contract is different. According to statistics, the success rate of this contract is nearly 60%.
The next day, we started to analyze the contract and found three doubts. One is that there are five addresses to call the attack contract; the other is that the address of the Last winner contract is passed into the attack contract as a parameter; the third is that every successful winning attack transaction includes the creation and self-destruction of the contract. I didn't know why at the time, but it was certain that this was a gang. After analyzing its data, it was found that this gang did many other things, and they jointly attacked different game contracts. We named this attacker group "BAPT-LW20".
On the 12th, the team began to try to reverse analyze the contract code. Due to the limited tools at hand, I can only look at self-decoding. After digging for a day, there is still no progress, and the analysis process has reached a deadlock. The next day, my friend suggested copying the attack contract and replacing the attacker’s address in the attack contract with our address. Can we get rewards like him? We redeploy the attack contract and launch a tentative attack. But after many attempts, it was impossible to win the draw. We made a very complete replacement and tracked the process. I don't know why, but it is very depressing even if it fails.
At 12 o'clock in the evening, the final plan decided to deadlock the contract and start reverse analysis of the contract. Contract reverse is very tiring, what should we do? Our idea is to develop reverse analysis aids. We don't have anything on hand, we have to do a few things. First of all, there are few reverse analysis tools for EVM, so we decided to develop it ourselves; moreover, it is difficult to track the multi-layer nesting of contracts; at the same time, it is not easy to locate the loop process in EVM bytecode.
We spent three days developing the tool and things started to turn around. The first tool is awesome-tx-tracer (contract behavior tracking). With this tool, several tracers can be generated in the whole process of the smart contract, and many transaction behaviors can be analyzed by the tracers, thereby generating a large amount of data; the second is a tool for reverse engineering, minievm (contract execution simulator), with which many tracers can be qualitatively analyzed in batches; the third tool is ida-evm (contract flow graph analyzer), which is modified based on the evm plug-in. The generated tracer can automatically go back and forth, back and forth, so that it is easier to watch the whole process repeatedly.
In the end, we finally discovered the truth. The attack contract is a parent contract, and the parent contract drives 1000 sub-contracts, which can greatly increase the winning rate of random numbers. At the same time, when each sub-contract attacks, it will create a ghost contract to launch the attack. What are ghost contracts? It is created at the time of the attack, and it will self-destruct immediately after the attack, leaving no traces in the blockchain storage area. Hackers drive 1,000 sub-contracts through a certain parent contract, and create countless self-destruct contracts. The self-destruct contracts finally attack the Last winner. This is a very clever thing.
The review started on the morning of the 17th, and the final result we finalized was to withdraw 50% of the lottery pool within 6 days, initiate nearly 50,000 attack calls, and create more than 20,000 ghost contracts. It is very interesting for Last winner to increase the proportion of the airdrop prize pool from 1% of Fomo3D to 10%. Therefore, after hackers successfully attacked Last winner, they don't know much about Fomo3D. This parent contract launched an attack within a few hours of the first day of Last winner's launch, earning hundreds of thousands of dollars per hour in the first few days.
Coincidentally, at 10 o'clock in the morning, the Last winner award is given out, which is the first award among the three profit models just mentioned. The grand prize was taken away by one of the five attackers. The attacker's address is 0x5167, and the reward amount is also super high, which is bigger than what they got in the airdrop.
It's not over yet. Five days later, at 3:02 pm, we made another amazing discovery. The first round of Fomo3D ended and the grand prize was taken away. Was it taken by someone? No, they used the same method to take the big prize. Why? When we saw the Fomo3D Awards, we found a familiar scene. When the grand prize is drawn, a group of continuous abnormal blocks appears, and the number of messages in this group of continuous abnormal blocks decreases sharply. Finally, the same well-known miner blocks the winning transaction. Before and after the end of Last winner, similar abnormal blocks appeared, and the winning news was also packaged by the same miner. At this time, we found that it was a coincidence. We began to wonder, is the mining pool really cheating on Fomo3D? After contacting the person in charge of the mining pool for the first time, and comparing all the information we knew with the other party, we found that the mining pool did not participate in this cheating, but this abnormal block hides a huge secret. The secret is that the messages in the abnormal block all call the same contract, which stores some very weird transactions. The Gas of all transactions is equivalent to 100 times the normal Gas; and the creator of this contract is the same person as the winner.
The miners did not cheat, but the attackers used the miner's packaging strategy, that is, the miners will give priority to the transaction packaging with high fees, which is most beneficial to the miners. By creating ultra-high handling fees, it will cause blockchain congestion and block other players. The attacker is also very smart. The attack contract can intelligently judge whether to activate the network blocking function to maximize its benefits and minimize its costs.
In short, this contract is very cleverly constructed. If the attacker does not take the prize, it will still exist in the application pools of many mining pools. When the time is right, these transactions will become transactions with very high transaction fees.
Therefore, this game loophole makes the previous main prize pool and sub prize pool can be easily attacked. There is another question. Everyone still remembers that Last winner attacked the parent contract. Why do you need Last winner as the contract address? In fact, this attack parent contract is a general parent contract that can attack many types of Fomo3D games. On the second day after Fomo3D was launched, someone discovered the airdrop lottery loophole and successfully attacked it.
You are facing the top hackers in the world, and you may suffer losses at any time. Therefore, the severity of smart contract security is far beyond everyone's imagination. Is the future decentralized world that everyone imagines really so beautiful? When enjoying the benefits of a decentralized world, there will also be some costs and some new security risks. Thank you all.
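
The on-chain indicators described in the talk (a fixed 0.1 ETH stake, failed calls with very low gas, wins that create and self-destruct a contract and pay out more than was staked) can be turned into a triage check. The sketch below is an added example, not SECBIT Lab's tooling or code from the talk; the records are constructed, and the field names, addresses and the `LOW_GAS` threshold are assumptions.

```python
from collections import defaultdict
from statistics import median

LOW_GAS = 50_000  # assumed cut-off for calls that abort early; tune against real data

# Constructed trace summaries, not real chain data. Field names are hypothetical;
# "ops" lists internal operations seen in the call, "back" is ETH returned to the caller.
def tx(sender, to, ok, gas, ops=(), back=0.0, value=0.1):
    return {"from": sender, "to": to, "value": value, "ok": ok,
            "gas": gas, "ops": set(ops), "back": back}

SAMPLE = [
    tx("0xA1", "0xBOT", False, 23_500),
    tx("0xA2", "0xBOT", False, 24_100),
    tx("0xA1", "0xBOT", True, 310_000, ("CREATE", "SELFDESTRUCT"), back=0.19),
    tx("0xA3", "0xBOT", False, 23_900),
    tx("0xA2", "0xBOT", True, 305_000, ("CREATE", "SELFDESTRUCT"), back=0.18),
    tx("0xC1", "0xGAME", True, 120_000, value=0.5),   # ordinary player traffic
    tx("0xC2", "0xGAME", False, 90_000, value=0.02),
    tx("0xC3", "0xGAME", True, 118_000, value=0.1),
]

def indicators(calls):
    """Return which of the talk's indicators a group of calls to one contract shows."""
    failed = [c for c in calls if not c["ok"]]
    won = [c for c in calls if c["ok"]]
    found = set()
    if len({c["value"] for c in calls}) == 1:
        found.add("fixed_stake")               # every call carries the same value
    if failed and median(c["gas"] for c in failed) < LOW_GAS:
        found.add("cheap_failures")            # losing attempts bail out almost for free
    if won and all({"CREATE", "SELFDESTRUCT"} <= c["ops"] for c in won):
        found.add("ghost_contract_on_win")     # contract created and destroyed in one tx
    if won and all(c["back"] > c["value"] for c in won):
        found.add("payout_exceeds_stake")
    return found

def suspicious_contracts(txs, required=4):
    """Group calls by target contract and keep targets showing `required` indicators."""
    by_target = defaultdict(list)
    for t in txs:
        by_target[t["to"]].append(t)
    report = {addr: indicators(calls) for addr, calls in by_target.items()}
    return {addr: sorted(hits) for addr, hits in report.items() if len(hits) >= required}

if __name__ == "__main__":
    print(suspicious_contracts(SAMPLE))
```
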