Popular Blockchain Security firm, BlockSec has debunked a viral rumor of an Ethdev contract hack. BlockSec used Phalcon’s Simulation to prove the security of a $532m smart contract.
BlockSec Debunks Hack Rumors With Phalcon Simulation
BlockSec, a China-based tech firm focusing on the security of the whole life cycle of smart contracts, digital asset supervision, and anti-money laundering, has taken to its Twitter page to discredit a widespread rumor of the hack of an Ethdev contract involving about $532 million. According to a very recent Twitter thread released by BlockSec earlier today 31st of October, the Ethdev contract in question is still very much intact.
Using Phalcon’s Simulation, a powerful transaction explorer designed for the DeFi community, BlockSec presented a detailed analysis to prove the security of the Ethdev contract with the tag (0xde0b295669a9fd93d5f28d9ec85e40f4cb697bae) worth $532 million.
BlockSec further revealed that there had been numerous attempts to breach the smart contract by altering the ownership of the contract, albeit to no avail. In its exact words, BlockSec’s tweet reads:
“Rumors said that everyone could hack the Ethdev contract (0xde0b295669a9fd93d5f28d9ec85e40f4cb697bae — with $532M). Lots of trials have been observed to change the owner of this contract. We will use Phalcon’s simulation to tell you the truth that the contract is NOT hacked”.
The Ethdev Ownership Exploit
Ethereum, the widely used and most commercially successful blockchain, is a neutral, open-source, publicly visible, immutable public ledger, making it susceptible to hacks and breaches, one of which is the ownership breach. When a function in the smart contract is an external function, it can be called by anyone (attacker) apart from the deployer or the owner to make changes and effect transactions.
The ownership attack is one in which an attacker can call a function to update the values on a smart contract and easily exploit it. The Ethdev contract in question is rumored to have been hacked via the ownership breach.
Accompanied by screenshots of the transaction, BlockSec’s tweets have debunked this misinformation showing that although an attacker could modify ownership by executing the “add owner” function, they could not breach the contract successfully. BlockSec explained:
“We can simulate the execution of the Owner function to check whether an address is the contract’s owner. Let’s see the result of address: 0xd9301bf972372ac0f33aa8734b1a23072df6db4c. Looks like it is NOT the owner even though it can successfully execute the add Owner function.”
Have Smart Contracts Become Infallible?
Addressing concerns as to why the “add owner” execution did not revert, BlockSec explained that this was “because the contract did not revert even when the caller is not the actual OWNER of the contract.”
Although several smart contracts have been successfully hacked via the ownership exploit, it is very much preventable. Blockchain security experts have shown two possible solutions to the ownership exploit of the problem. These are the custom modifier and OpenZeppelin’s Owner contract. One of these was perhaps employed to secure the Ethdev contract in question.
By introducing an owner variable, initialized with msg.sender, during initialization in the constructor, developers can add a custom modifier that verifies true ownership of a contract before allowing any modifications.
Read the full article here
Discussion about this post