Kennashka DeSilva
Aimee Reyes
Blockchain is a technology that is rapidly gaining widespread adoption; however, security standards, frameworks, or methodologies that incorporate the OWASP principles are not widely available. Applying a framework such as the OWASP Top Ten to Blockchain Application Security (BAS) can help ensure accountability, fair participation, and security within the network.
DEFI stands for Decentralized Finance. It is an alternative financial universe, still in its infancy, with a steadily growing catalog of autonomously running applications where users can deposit digital assets and earn returns, borrow, and lend money. There is an opportunity to increase quality of life and economic health across the board: the total all-time high exceeds $2t, with about $3b lost or stolen through hacks.
What are some components within a blockchain?
Blockchain networks are primarily managed through a peer-to-peer network and used as a publicly distributed ledger. Components of a blockchain include blocks of transaction data, one entry for each transaction recorded. The wallet stores your funds and provides a way to buy, sell, swap, and earn cryptocurrencies. Smart contracts are computer code that automatically executes all or part of an agreement. Public key cryptography, or asymmetric cryptography, is an encryption method that employs two mathematically related keys, one public and one private.
How does the blockchain work?
Bob wants to send money to Susan. Bob’s transaction is represented within a block. The block is broadcast to every party in the network. The transaction is confirmed and approved. The block is appended to the ledger, and Susan receives her funds.
The OWASP Top Ten List is an industry-recognized tool for identifying vulnerabilities in application security. Blockchain application security has room to correlate the OWASP categories with the blockchain to help discover potential vulnerabilities in blockchain systems.
Here is a list of OWASP's top ten vulnerabilities as it relates to blockchain applications:
A01:2021-BROKEN ACCESS CONTROL
Secure implementation of authentication is critical to the DEFI ecosystem. The wide use of browser wallet transaction authorization means that a large attack surface exists.
Examples:
Metamask wallet: signing a transaction for an insecure wallet, such as fake projects posing as trusted brands, while the average end-user is unable to analyze a smart contract.
Contract function calls that allow the owner to sign a transaction without checking the caller, allowing bad actors to claim ownership of the digital assets.
Solution:
Wallet Access Policy and Implementation
Reading the contract before signing
Researching the credibility of the project
A02:2021-CRYPTOGRAPHIC FAILURES
Cryptographic algorithms within blockchain applications can guarantee a high level of privacy for users. On the other hand, failures in cryptography can usually be traced to management errors.
Examples:
Keccak-256 failure (the hashing algorithm used for accessing addresses in memory or storage).
Multi-signature architecture failure.
Unencrypted private keys that somehow fell into the hands of hackers.
A02:2021-CRYPTOGRAPHIC FAILURES DEFENSE
Solution:
Life cycle management of cryptographic keys (generation, distribution, destruction)
Ensure geographical dispersion of keys required to sign a transaction.
Implement Identity and Access Management (IAM) controls such as least privilege and zero-trust principles.
A03:2021-INJECTION
Injection attacks occur when user-supplied data is inserted into an insecure blockchain application API.
Examples:
Insecure blockchain API
Smart-contract parsing function that allowed an out-of-bounds buffer write
Insecure function calls that allow an out-of-bounds buffer write
A03:2021-INJECTION DEFENSE
Solution:
Test early and often for dynamic queries, escape special characters, etc.
Sanitize, validate, and filter input
Leverage machine learning for signature-based and anomaly-based detection
A04:2021-INSECURE DESIGN
An insecure design flaw in DEFI applications relates to design-pattern flaws in architectures, such as weaknesses in the operation and management of exchanges and e-wallet services.
Insecure design examples:
Double-spending attacks
Re-entrancy attacks
A04:2021-INSECURE DESIGN DEFENSE
Solution:
Secure development lifecycle with CI/CD principles
Secured component library, tooling, and threat modeling
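The missing ownership check listed under A01 and the re-entrancy flaw listed under A04, as an added JavaScript simulation that is not part of the original article and not real contract code: a toy vault that pays out before updating its books and lets anyone transfer ownership, next to a hardened version that applies an owner-only guard, the checks-effects-interactions order, and a re-entrancy lock. Account names and amounts are constructed for the demonstration.

```javascript
// Added example (not from the article): a simulated vault contract in JavaScript
// showing the A01 flaw (no ownership check) and the A04 flaw (re-entrancy) beside
// their fixes. Account names and amounts are constructed for the demonstration.

class VulnerableVault {
  constructor(owner) {
    this.owner = owner;
    this.balances = new Map();
    this.pool = 0; // total funds held by the contract
  }
  deposit(account, amount) {
    this.balances.set(account, (this.balances.get(account) || 0) + amount);
    this.pool += amount;
  }
  // A01: the caller is never compared with the current owner, so anyone can
  // claim ownership (and with it any owner-only privilege).
  transferOwnership(caller, newOwner) {
    this.owner = newOwner;
  }
  // A04: the external call (onReceive) runs before the balance is zeroed, so a
  // recipient that re-enters withdraw() is paid again from the same balance.
  withdraw(account, onReceive) {
    const amount = this.balances.get(account) || 0;
    if (amount <= 0) throw new Error('nothing to withdraw');
    this.pool -= amount;
    onReceive(amount);             // interaction first ...
    this.balances.set(account, 0); // ... effect last
  }
}

class HardenedVault extends VulnerableVault {
  constructor(owner) {
    super(owner);
    this.locked = false; // re-entrancy guard
  }
  transferOwnership(caller, newOwner) {
    if (caller !== this.owner) throw new Error('not owner'); // onlyOwner check
    this.owner = newOwner;
  }
  withdraw(account, onReceive) {
    if (this.locked) throw new Error('re-entrant call blocked');
    this.locked = true;
    try {
      const amount = this.balances.get(account) || 0;
      if (amount <= 0) throw new Error('nothing to withdraw');
      this.balances.set(account, 0); // checks, then effects ...
      this.pool -= amount;
      onReceive(amount);             // ... then the external interaction
    } finally {
      this.locked = false;
    }
  }
}

// Scenario: alice deposits 100, mallory deposits 10, and mallory's receive hook
// re-enters withdraw() while the pool still has funds. Returns what the pool
// holds afterwards and how much mallory was paid in total.
function runWithdrawScenario(VaultClass) {
  const vault = new VaultClass('alice');
  vault.deposit('alice', 100);
  vault.deposit('mallory', 10);
  let received = 0;
  const reenteringReceiver = (amount) => {
    received += amount;
    if (vault.pool >= 10) {
      try { vault.withdraw('mallory', reenteringReceiver); } catch (e) { /* blocked by the hardened vault */ }
    }
  };
  vault.withdraw('mallory', reenteringReceiver);
  return { pool: vault.pool, received };
}

// Scenario: mallory, who is not the owner, tries to take ownership.
function runOwnershipScenario(VaultClass) {
  const vault = new VaultClass('alice');
  try {
    vault.transferOwnership('mallory', 'mallory');
  } catch (e) { /* rejected by the hardened vault */ }
  return vault.owner;
}

console.log('vulnerable withdraw:', runWithdrawScenario(VulnerableVault)); // { pool: 0, received: 110 }
console.log('hardened withdraw:', runWithdrawScenario(HardenedVault));     // { pool: 100, received: 10 }
console.log('vulnerable owner:', runOwnershipScenario(VulnerableVault));  // mallory
console.log('hardened owner:', runOwnershipScenario(HardenedVault));      // alice
```

The hardened vault has two independent defences against re-entry: zeroing the balance before the external call means a second `withdraw` finds nothing to pay, and the lock rejects the nested call outright. Either alone stops the drain; keeping both is the usual threat-modeling answer, since the lock also covers functions whose state updates are harder to order correctly.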
A05:2021-SECURITY MISCONFIGURATION
DEFI applications give access to a variety of services in the palm of your hand, such as DAOs, trading, insurance, P2P lending and borrowing, and more. In this case, security misconfigurations in the application could drastically affect end-users.
Examples:
Security features that are not enabled by default such as wallet password protection for browser-based wallets.
DEFI applications rely on third-party outdated libraries such as NPM packages.
A05:2021-SECURITY MISCONFIGURATION DEFENSE
Solutions:
Auditing tools
MFA
Defense in depth
Patch management and updates
An automated testing process to verify the effectiveness of the configurations and settings in all environments
A06:2021-VULNERABLE AND OUTDATED COMPONENTS
Blockchain systems rely on complex middleware, such as Ethereum or Hyperledger Fabric, and libraries such as ethers.js, to run smart contracts that specify the business logic of cooperative applications.
Examples: Dependency faults that lead to declarations allowing an application to read data.
A06:2021-VULNERABLE AND OUTDATED COMPONENTS DEFENSE
Solution: Patch management policy and process for outdated dependencies, unnecessary features, components, files, and documentation. Actively monitor external libraries and functions that may be deprecated or at an outdated version.
A07:2021-IDENTIFICATION AND AUTHENTICATION FAILURES
In a decentralized application, it is important to verify the user's identity and authentication, along with managing user sessions, to protect against authentication-related attacks.
Examples:
Authentication weaknesses in the DEFI application that permit automated attacks such as brute force or other automated attacks
No API authentication
Exposed private keys in GitHub repositories
Excessive API data exposure in HTTP requests (GET, POST requests)
A07:2021-IDENTIFICATION AND AUTHENTICATION FAILURES DEFENSE
Solution:
Multi-factor authentication (MFA) to prevent automated credential stuffing, brute force, and stolen credential reuse attacks
Strong password policy for users and internal systems
API access policy and attributes to limit requests
Session management policy
Good testing
A08:2021-SOFTWARE AND DATA INTEGRITY FAILURES
Blockchain applications hold valuable data that must be kept secret and appropriately protected; software and data integrity failures put that data at risk.
Example: A failure to achieve oracle integrity which allows exploitation by malicious actors.
A08:2021-SOFTWARE AND DATA INTEGRITY FAILURES DEFENSE
Solution:
Digital signatures or similar mechanisms to verify the software or data is from the expected source and has not been altered. Ensure libraries and dependencies, such as npm, are consuming trusted repositories.
Utilize logs
Change Policies to minimize the chance that malicious code or configuration may be introduced into your software pipeline.
Compliance frameworks as they relate to personal data protected by privacy laws such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA)
Centralized or private blockchain implementation
A09:2021-SECURITY LOGGING AND MONITORING FAILURES
Security logging and monitoring is currently not widely available for all blockchains, such as Bitcoin, Ethereum, and others. With proper logging and monitoring mechanisms, anomalies can be detected.
For example:
Blockchain explorer auditable events, such as high-value transactions, failed transactions, etc.
Appropriate alerting thresholds and response escalation processes are not made widely available on all blockchains.
A09:2021-SECURITY LOGGING AND MONITORING FAILURES DEFENSE
Solution:
Anomaly detection and alerts
Real-time blockchain explorer analysis
Ensure that logs are generated in a consumable format that can be leveraged with AI
Incident response and recovery policy
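The two auditable events named above (high-value transactions and failed transactions) turned into alerting rules with thresholds, as an added JavaScript example that is not part of the original article: explorer-style events in a simple `timestamp key=value` format are parsed, a transfer at or above a value threshold raises a high-severity alert, and a burst of failed transactions from one sender inside a sliding window raises a medium one. The log format, field names, thresholds and every log line are constructed for the demonstration.

```javascript
// Added example (not from the article): rule-based anomaly detection over
// explorer-style transaction events. The log lines are constructed for the
// demonstration; the field names and thresholds are assumptions.
const SAMPLE_LOG = `
2024-05-01T10:00:00Z tx=0xa1 from=0xAAA to=0xBBB value=12.5 status=ok
2024-05-01T10:00:20Z tx=0xa2 from=0xCCC to=0xBBB value=250 status=ok
2024-05-01T10:00:30Z tx=0xa3 from=0xDDD to=0xEEE value=1 status=failed
2024-05-01T10:00:45Z tx=0xa4 from=0xDDD to=0xEEE value=1 status=failed
2024-05-01T10:01:00Z tx=0xa5 from=0xDDD to=0xEEE value=1 status=failed
2024-05-01T10:05:00Z tx=0xa6 from=0xDDD to=0xEEE value=1 status=failed
2024-05-01T10:05:10Z tx=0xa7 from=0xAAA to=0xBBB value=100 status=ok
`;

// Parse one "timestamp key=value ..." line into a record. Returns null when the
// line cannot be read, so bad input is surfaced rather than silently dropped.
function parseEvent(line) {
  const [stamp, ...pairs] = line.trim().split(/\s+/);
  const event = { timestamp: Date.parse(stamp) };
  for (const pair of pairs) {
    const idx = pair.indexOf('=');
    if (idx < 0) return null;
    event[pair.slice(0, idx)] = pair.slice(idx + 1);
  }
  event.value = Number(event.value);
  if (Number.isNaN(event.timestamp) || Number.isNaN(event.value) || !event.from) return null;
  return event;
}

// Two rules: a single transfer at or above highValue, and failThreshold failed
// transactions from the same sender inside a sliding window of failWindowMs.
function detectAnomalies(logText, { highValue = 100, failWindowMs = 60000, failThreshold = 3 } = {}) {
  const alerts = [];
  const recentFailures = new Map(); // sender -> timestamps of recent failures
  for (const line of logText.split('\n').filter((l) => l.trim())) {
    const ev = parseEvent(line);
    if (!ev) {
      alerts.push({ level: 'warn', rule: 'unparseable-event', line });
      continue;
    }
    if (ev.value >= highValue) {
      alerts.push({ level: 'high', rule: 'high-value-transfer', tx: ev.tx, from: ev.from, value: ev.value });
    }
    if (ev.status === 'failed') {
      // Keep only failures still inside the window, then add this one.
      const recent = (recentFailures.get(ev.from) || []).filter((t) => ev.timestamp - t < failWindowMs);
      recent.push(ev.timestamp);
      recentFailures.set(ev.from, recent);
      // Alert exactly once when the threshold is crossed, not on every later failure.
      if (recent.length === failThreshold) {
        alerts.push({ level: 'medium', rule: 'repeated-failures', from: ev.from, count: recent.length, lastTx: ev.tx });
      }
    }
  }
  return alerts;
}

console.log(detectAnomalies(SAMPLE_LOG));
```

Run against the constructed log this produces three alerts: the 250 transfer, the third failure from `0xDDD` within a minute, and the 100 transfer that sits exactly on the threshold. The fourth failure from `0xDDD` four minutes later does not alert, because the earlier ones have aged out of the window; tune `failWindowMs` and `failThreshold` to the escalation process rather than leaving them at these illustrative values.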
A10:2021-SERVER-SIDE REQUEST FORGERY
SSRF flaws, as they relate to DEFI applications, occur whenever a web application fetches a remote resource without validating the user-supplied URL.
Examples:
Insecure URL fetching during the enumeration phases of an attack
Consuming untrusted data from a blockchain explorer without validating and sanitizing it first.
Cross-site scripting vulnerabilities that allow crypto-mining malware to be run on the victim’s computer.
A10:2021-SERVER-SIDE REQUEST FORGERY DEFENSE
Solution:
Web application firewall: enforce “deny by default” firewall policies. Establish a lifecycle policy for firewall rules based on applications. Log all accepted and blocked network flows on the firewall.
Sanitize and validate all client-supplied input data
Enforce strong URL schema
Disallow HTTP redirections
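The last three items of the defence list (validate client-supplied input, enforce a strong URL schema, disallow redirections) applied to a DEFI backend that fetches from a blockchain explorer or RPC node on the user's behalf, as an added JavaScript (Node.js) example that is not part of the original article: the URL is parsed with the standard `URL` class, only `https:` on the default port is allowed, embedded credentials are refused, the hostname must match an exact allowlist, and the returned `fetch()` options set `redirect: 'error'` so a 3xx response is rejected instead of followed. The allowlisted hostnames are placeholders assumed for the example.

```javascript
// Added example (not from the article): validating a client-supplied URL before a
// DeFi backend fetches it. The allowlisted hostnames are placeholders assumed for
// the demonstration; replace them with the explorer/RPC endpoints you actually use.
const ALLOWED_HOSTS = new Set(['api.example-explorer.test', 'rpc.example-node.test']);

function validateOutboundUrl(userInput, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(String(userInput));
  } catch (e) {
    return { ok: false, reason: 'malformed URL' };
  }
  // Strong URL schema: https only, so file:, http: and other schemes are refused.
  if (url.protocol !== 'https:') return { ok: false, reason: `scheme not allowed: ${url.protocol}` };
  // Embedded credentials are a classic way to confuse host parsing; refuse them.
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  // Only the default port; url.port is '' when the scheme's default port is used.
  if (url.port !== '') return { ok: false, reason: `non-standard port: ${url.port}` };
  // Exact hostname allowlist: IP literals, localhost and look-alike subdomains all fail here.
  const host = url.hostname.toLowerCase();
  if (!allowedHosts.has(host)) return { ok: false, reason: `host not allowlisted: ${host}` };
  // Redirections disallowed: with fetch(), redirect: 'error' makes any 3xx reject
  // instead of silently following it to a host that was never validated.
  return { ok: true, url: url.toString(), fetchOptions: { method: 'GET', redirect: 'error' } };
}

// Constructed inputs covering the cases a reviewer would want to see rejected.
function demo() {
  const inputs = [
    'https://api.example-explorer.test/tx/0xabc',
    'http://api.example-explorer.test/tx/0xabc',
    'https://api.example-explorer.test:8443/',
    'https://user:secret@api.example-explorer.test/',
    'https://api.example-explorer.test.attacker.test/',
    'https://127.0.0.1/',
    'file:///etc/hosts',
    'not a url at all',
  ];
  return inputs.map((input) => [input, validateOutboundUrl(input)]);
}

console.log(demo());
```

Only the first input passes. Note that the allowlist check is an exact match on the parsed hostname, which is what makes both the IP literal and the `...attacker.test` look-alike fail; a substring or prefix check would have let the look-alike through.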
CONCLUSION
Blockchain Application Security (BAS) lacks specific security guidance and resources. The blockchain may be secure; however, applications sitting on the blockchain may not be. Most Web3 applications have HTML front-ends; as a result, security controls correlating to the OWASP framework, centered on traditional web application security, are critical.
Kennashka DeSilva
EY, Cloud Security Consultant, Web3 Hacker
Kennashka DeSilva, Cybersecurity Consultant at EY, is highly skilled in building web2 and web3 applications in addition to securing cloud environments. She is passionate about integrating best practices in blockchain security and cloud computing.
Aimee Reyes
Security Engineer
When not typing "terraform destroy" I build security tooling that intersects with machine learning. Ex-OWASP DevSlop co-host, current Women in Cybersecurity and Society of Hispanic Professional Engineers student chapter president.