All posts by Nguyen Sy Thanh Son

I am a software developer. I follow microservices and devops

I hacked the Parity MultiSig Wallet on the Ropsten Testnet

The Parity MultiSig Wallet was hacked on 6 November 2017 (see the details in Parity's security alert: https://paritytech.io/blog/security-alert.html). The hack did not destroy ETH, it froze it: according to Parity's post-mortem, about 513,774 ETH held in 587 multisig wallets, roughly half a percent of the ETH in circulation at the time, became unspendable.

Today I investigate the vulnerability and reproduce exactly what the hacker did to the Parity Wallet's smart contract.

There are two main steps:

  • Create a Parity Multisig Wallet on the Ropsten Testnet
  • Try to hack it

I recorded all the steps in a video.

First, I read the source code of the Multisig Wallet. The Parity Multisig Wallet consists of two main contracts: the Wallet contract and the WalletLibrary contract. The Wallet contract holds the ETH, and its fallback function forwards every call it does not implement itself to the WalletLibrary with delegatecall, so the library's code runs on the wallet's own storage. The WalletLibrary implements almost all the features of a multisig wallet and is deployed once, shared by every wallet that points at it.

After understanding it a little, I deployed the MultiSig Wallet to the Ropsten Testnet using the Remix IDE and MetaMask.

Now I show you the steps to deploy the contracts.

Step 1: Installation

Open MetaMask, select the Ropsten network, create two accounts (a User Account and a Hacker Account) and get free test ETH for them from a Ropsten faucet.

Open the Remix IDE and select the Solidity compiler version soljson-v0.4.10+commit.f0d539ae.js. Create a file Wallet.sol and copy/paste the source code into it.

Step 2: User deploys WalletLibrary Contract

In MetaMask, select the User Account. In the Remix IDE, select the WalletLibrary contract and click the Create button to deploy it, then wait for the deployment to finish.

After that, copy the address of the deployed WalletLibrary (in my case 0x6bc323538bad65bbde22f908f9a8f180ea4078fe) and paste it at line 448 of Wallet.sol, where the library address is hard-coded. This links the Wallet contract to the WalletLibrary contract we just deployed; every wallet created from this source will delegate to that address.

Step 3: User deploys Wallet Contract

The Wallet contract's constructor takes three parameters (the list of owners, the number of confirmations required, and the daily spending limit), so we need to fill them in. In my case they are ["0xd088d9c6abb936260BF4540026C8F0aDFfD09836"], 1, 1000, where 0xd088d9c6abb936260BF4540026C8F0aDFfD09836 is the User Account address.

Now click the Create button to deploy the Wallet contract. This contract is the multi-signature wallet and is the one that stores the ETH.

Step 4: What the hacker did

In this step I do what the hacker did.

I open MetaMask and select the Hacker Account. In the Remix IDE I copy/paste the source code into Wallet.sol. I do not need to deploy the WalletLibrary contract again, and neither did the hacker: the library is deployed once and shared by every wallet that points at it. In Remix I select the WalletLibrary contract, paste the WalletLibrary address into the address textbox and click the At Address button. Now I have the already-deployed WalletLibrary contract in my IDE.

 

Now I call the initWallet function on the library itself, with the Hacker Account as owner. initWallet is protected only by a check that the contract has not been initialised yet, and nobody ever initialised the library contract (only the wallets that delegate to it were initialised, each in its own storage), so the call succeeds and the hacker becomes the owner of the library.

 

Then I call the kill function. kill is restricted to owners, and since the Hacker Account is now an owner of the library, the call runs selfdestruct on the library contract.

 

So the WalletLibrary is dead: its code has been removed from the chain. Every Wallet contract that delegates to that library address now delegates to an account with no code, so none of the wallet's functions can run any more.

 

Conclusions

I think the hacker did not want to burn 500,000 ETH. He just wanted to send 500,000 ETH to his wallet, so he called the kill function. I checked the kill function's source code:

It means that when the kill function is called, the contract self-destructs and sends its whole balance to the given address. But he made a mistake: the 500,000 ETH was not stored in the WalletLibrary contract, it was stored in the individual Wallet contracts, and the library itself held essentially nothing. So the result is that the 500,000 ETH was frozen and he got nothing.
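To make the mechanism concrete, here is a small Python model of the incident. It is an added example for this post, not Parity's code and not EVM execution: it models only the facts above (one shared library reached by delegatecall, an initWallet guard that never fires on the never-initialised library, kill as selfdestruct, and a delegatecall to a code-less account that simply does nothing). The class and function names (State, Wallet.delegate, run_attack), the account names and the balances are the model's own assumptions.

```python
"""Toy model of the November 2017 Parity WalletLibrary incident.

Added example for this post; it does not run EVM code and is not Parity's
source. It models only what the post relies on:
  * every Wallet keeps its own ETH and delegates its logic to ONE shared
    WalletLibrary (delegatecall: library code runs on the wallet's storage);
  * initWallet may be called on the library itself, and the library contract
    was never initialised, so its "already initialised" guard never fired;
  * kill() is selfdestruct, which removes the library's code, after which a
    delegatecall from any wallet silently does nothing.
Names such as State, delegate and run_attack are the model's, not Parity's.
"""


class State:
    """Storage of one contract account (a wallet or the library itself)."""

    def __init__(self):
        self.owners = []
        self.required = 0
        self.balance = 0


class WalletLibrary:
    """The shared logic. Every method takes the storage it should act on:
    the library's own storage when called directly, a wallet's storage when
    reached through delegatecall."""

    def __init__(self):
        self.state = State()      # the library's own storage: never initialised
        self.destroyed = False    # True once selfdestruct has run

    def init_wallet(self, state, caller, owners, required):
        # only_uninitialized guard: refuse if this storage already has owners.
        # msg.sender (caller) is not checked at all, so for a storage that
        # has no owners yet, anyone may claim it.
        if state.owners:
            raise PermissionError("already initialised")
        state.owners = list(owners)
        state.required = required

    def execute(self, state, caller, to, value):
        # Simplified owner check: with required == 1 a single owner suffices.
        if caller not in state.owners:
            raise PermissionError("not an owner")
        if value > state.balance:
            raise ValueError("insufficient balance")
        state.balance -= value
        return value

    def kill(self, state, caller, to):
        # kill(address) is owner-only too; it runs selfdestruct(to), which
        # pays out the balance of the account whose code is running.
        if caller not in state.owners:
            raise PermissionError("not an owner")
        payout = state.balance
        state.balance = 0
        self.destroyed = True
        return payout


class Wallet:
    """Holds ETH; all logic is fetched from the shared library via delegatecall."""

    def __init__(self, library, owners, required):
        self.library = library
        self.state = State()
        # The Wallet constructor delegates initWallet to the library, so the
        # wallet's OWN storage gets owners; the library's storage does not.
        library.init_wallet(self.state, "deployer", owners, required)

    def deposit(self, amount):
        self.state.balance += amount

    def delegate(self, fn, caller, *args):
        # delegatecall to an account without code succeeds and does nothing:
        # that is why the wallets' ETH was frozen rather than stolen.
        if self.library.destroyed:
            return None
        return getattr(self.library, fn)(self.state, caller, *args)


def run_attack(library_initialised_by_deployer):
    """Replay Step 4. Returns (hacker_payout, wallet_balance_after,
    wallet_still_usable). hacker_payout is None if initWallet was refused."""
    library = WalletLibrary()
    if library_initialised_by_deployer:
        # Mitigation: initialise the library itself so the guard protects it.
        library.init_wallet(library.state, "deployer", ["deployer"], 1)

    wallet = Wallet(library, ["user"], 1)
    wallet.deposit(1000)

    try:
        # Hacker calls initWallet on the library, claiming it...
        library.init_wallet(library.state, "hacker", ["hacker"], 1)
        # ...then kill(): selfdestruct pays out the library's balance (0).
        payout = library.kill(library.state, "hacker", "hacker")
    except PermissionError:
        payout = None

    # The legitimate owner now tries to move 10 out of the wallet.
    moved = wallet.delegate("execute", "user", "user", 10)
    return payout, wallet.state.balance, moved == 10


if __name__ == "__main__":
    print("unprotected library:", run_attack(False))
    print("initialised library:", run_attack(True))
```

run_attack(False) replays the hack: the hacker's kill pays out the library's balance of 0, and the user's wallet still holds its 1000 but can no longer move any of it. run_attack(True) shows one mitigation, initialising the library itself so that its only_uninitialized guard also protects the library's storage; the stronger lesson is that a shared library reached by delegatecall should not contain selfdestruct at all.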

That was a bad day for the Ethereum community, and for the hacker as well.


 

How to get started building an ICO Smart Contract

An ICO (Initial Coin Offering) is a new way for startups to raise funds. There are many steps to complete before launching an ICO, and one of them is writing the ICO smart contract. Actually, the source code of an ICO smart contract is quite simple. I think that in the near future there will be ICO platforms that let you create a smart contract with a few mouse clicks.

However, blockchain and smart contracts are still new to developers, and the smart contract development process is still complicated, so developers may feel there is a lot to learn before they can create an ICO smart contract.

I wrote a document to guide developers who have development experience but are new to blockchain and smart contracts. It shows step by step how to create a simple ICO smart contract and deploy it to a local environment or to the Ropsten testnet.

You can find the document at https://erc20token.sonnguyen.ws

The document is open source under the MIT License. At the moment there is only an English version, so contributions are always appreciated. The source of the document and the demos is published on GitHub: https://github.com/thanhson1085/DemoCoin.

The smart contract used in the tutorial is very simple and for education purposes only. In practice an ICO is more complicated, and you need to comply with the law of the country where you want to sell your token.

Besides the law, you should pay attention to the security of your smart contract. Keep your contract as simple as possible (security loves simplicity), read the smart contract best practices document, and learn from past failures (the DAO, the Parity MultiSig Wallet) before you start coding.

Get started Ethereum/Solidity ICO Smart Contract

Below are the commands I used when I started to learn Ethereum/Solidity. Assume that Geth and the Solidity compiler are installed on the machine.

Install Ethereum

Install NodeJS

Install Solc

Run an Ethereum Node in testnet:

Run an Ethereum Node in Ropsten Testnet:

Run a private blockchain:

Open another terminal and attach to the existing node:

Mining

Start mining

Check hashrate

Stop mining

Sync status

Remove Ethereum Database

Check balance in Ether

Send a transaction:

Send with gas, gasPrice:

ERC20

Specification: https://theethereum.wiki/w/index.php/ERC20_Token_Standard#Approve_And_TransferFrom_Token_Balance

Logstash Elasticsearch data retention

If you are using Elasticsearch to centralize your log data, that is a great solution. However, after a few months you will have a huge amount of log data on your server's hard disk, and you have to clean out old log data that you are sure you will not need in the future.

To delete log data older than 10 days, we can use the script below:

We should run the script above every night to delete data, so we schedule it with a cron job:
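Here is an added Python version of that retention job; it is not the post's own script. It assumes the default Logstash daily index names (logstash-YYYY.MM.DD) and a local Elasticsearch at ES_URL (an assumption, as is the sample index list in the test). The important check it adds is that only exact, date-parsed index names are deleted: a wildcard such as logstash-* would also remove today's index and anything else that matches.

```python
"""Delete Logstash daily indices older than a retention window.

Added example for this post (not the post's own script). It assumes the
default Logstash index naming, logstash-YYYY.MM.DD, and an Elasticsearch
endpoint ES_URL that is an assumption; adjust both for your cluster.
"""
import json
import re
import sys
import urllib.request
from datetime import date, datetime, timedelta

ES_URL = "http://localhost:9200"          # assumption: local single node
INDEX_RE = re.compile(r"^logstash-(\d{4}\.\d{2}\.\d{2})$")


def indices_to_delete(index_names, retention_days, today=None):
    """Return the logstash-YYYY.MM.DD indices dated before today minus
    retention_days, sorted. Anything not matching the daily pattern
    (.kibana, a typo'd index, an impossible date) is left alone on purpose.
    `today` may be a date or an ISO string such as "2017-11-16"."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    cutoff = today - timedelta(days=retention_days)
    doomed = []
    for name in index_names:
        m = INDEX_RE.match(name)
        if not m:
            continue
        try:
            day = datetime.strptime(m.group(1), "%Y.%m.%d").date()
        except ValueError:
            continue              # e.g. logstash-2017.13.40 is not a real date
        if day < cutoff:
            doomed.append(name)
    return sorted(doomed)


def list_indices(es_url=ES_URL):
    """Ask Elasticsearch for all index names (_cat/indices as JSON)."""
    with urllib.request.urlopen(f"{es_url}/_cat/indices?format=json") as r:
        return [row["index"] for row in json.load(r)]


def delete_index(name, es_url=ES_URL):
    """DELETE one index by its exact name. Refuses wildcards and lists:
    a DELETE on logstash-* removes everything, including today's data."""
    if "*" in name or "," in name or name == "_all":
        raise ValueError(f"refusing to delete pattern {name!r}")
    req = urllib.request.Request(f"{es_url}/{name}", method="DELETE")
    with urllib.request.urlopen(req) as r:
        return r.status


if __name__ == "__main__":
    days = int(sys.argv[1]) if len(sys.argv) > 1 else 10
    for idx in indices_to_delete(list_indices(), days):
        print("deleting", idx, delete_index(idx))
```

Run it nightly from cron, for example `0 1 * * * /usr/bin/python3 /opt/es_retention.py 10` (path and time are assumptions). For a larger cluster, Elasticsearch Curator or index lifecycle management does the same job declaratively and is the better long-term choice.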

Thanks for reading.


My First AI Application

I am not a data or AI scientist, I am just a developer. I tried to learn AI in my free time. There is a lot of information on the Internet. After reading many, many articles and source codes, I still did not find the approach. I was confused by the many AI algorithms such as CNN, Logistic Regression, K-Tree, N-Tree … As you know, I am a developer, so I did not understand them at all. :)

Finally, I found the solution. The only thing I needed was TensorFlow.

To start, I tried to build an AI that can classify dog/cat images. I followed the steps below.

Step 0 – Installation

I installed TensorFlow on my Ubuntu 14.04 server with these commands:

To follow this, you need to know Python, pip and virtualenv.

Step 1 – The Samples

I searched for dog and cat images on Google Images, then resized them and saved them to local storage.

Please see link: https://github.com/thanhson1085/Hello-AI/tree/master/dataset/training_set

Step 2 – Training

After collecting the samples, I researched how to train my AI. I found the solution here: https://github.com/thanhson1085/Hello-AI/blob/master/retrain.py

It is a copy of the TensorFlow example: https://github.com/tensorflow/tensorflow/blob/master/tensorflow/examples/image_retraining/retrain.py

Now I run the command to train my AI using the Inception V3 model and my training dataset:

The most important thing is the output file output/retrained_graph.pb. This is the trained model file, and my AI service will load it.

Step 3 – AI Service

With the trained model file in hand, I wrote the AI service. I used the Flask framework to handle image uploads. When a user uploads an image, the service checks whether it is a CAT or a DOG. Please see the source code:

For the details, see https://github.com/thanhson1085/Hello-AI/blob/master/app.py and https://github.com/thanhson1085/Hello-AI/blob/master/catordog.py
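One thing a public upload endpoint like this needs before the image ever reaches the model is input validation. The following is an added hardening example for the Flask upload handler described above; it is not the post's app.py and uses only the standard library so it can sit in front of any classifier. The size limit, the accepted formats and the sample byte strings in the test are assumptions.

```python
"""Validate an uploaded image before it reaches the classifier.

Added hardening example for the Flask upload handler the post describes; it
is not the post's app.py. It uses only the standard library so it can be
dropped in front of any model. MAX_BYTES and ALLOWED are assumptions; tune
them to your service.
"""
import os
import secrets

MAX_BYTES = 5 * 1024 * 1024          # assumption: 5 MiB per upload
ALLOWED = {"jpeg", "png"}            # assumption: what the model accepts
_SIGNATURES = (
    (b"\xff\xd8\xff", "jpeg"),        # JPEG SOI marker
    (b"\x89PNG\r\n\x1a\n", "png"),    # PNG signature
)


class UploadError(ValueError):
    """Raised for anything the endpoint should answer with 400."""


def sniff_image_type(data):
    """Identify the image by its leading bytes, never by the client-supplied
    filename or Content-Type header. Returns 'jpeg', 'png' or None."""
    for magic, kind in _SIGNATURES:
        if data[: len(magic)] == magic:
            return kind
    return None


def validate_upload(data):
    """Return the detected type, or raise UploadError with the reason."""
    if not data:
        raise UploadError("empty upload")
    if len(data) > MAX_BYTES:
        raise UploadError("file too large")
    kind = sniff_image_type(data)
    if kind not in ALLOWED:
        raise UploadError("not a JPEG or PNG")
    return kind


def safe_filename(kind):
    """Server-chosen name. The client's name (../../etc/passwd, cat.php) is
    never used on disk, so path traversal and double extensions are moot."""
    return f"{secrets.token_hex(16)}.{kind}"


def save_upload(data, upload_dir):
    """Validate, then write under a random name inside upload_dir.
    Returns the path to hand to the classifier."""
    kind = validate_upload(data)
    path = os.path.join(upload_dir, safe_filename(kind))
    with open(path, "wb") as f:
        f.write(data)
    return path
```

In the Flask view, read the body with a bound, e.g. `data = request.files["image"].stream.read(MAX_BYTES + 1)`, so a client cannot make the server buffer an arbitrarily large upload, then call save_upload. If the classifier decodes the image with Pillow, also keep Pillow's MAX_IMAGE_PIXELS limit in place so a tiny file that decodes to a huge bitmap cannot exhaust memory.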

Step 4 – Deployment

Now everything is ready to deploy. I chose Heroku to run my AI service: https://thanhson1085-hello-ai.herokuapp.com/

Finally, we have a simple AI. We understand how it works, how to train it, and what the most important things are that we need in order to build an AI.

Thanks for reading!


How to HOT Backup Database (MongoDB, MySQL, ES …) to AWS S3

Actually, there are many ways to back up your database: rsync, mongodump for MongoDB, the S3 backup plugin for Elasticsearch, and so on. However, this post shows the way I used in my project. Maybe it is not perfect for every case, but in my case it works really well.


I am running a project with a microservice architecture. All databases and services run in Docker containers. My plan is to back up all databases every night.

At the beginning, I tried to use the tar command to compress the data and then aws s3 cp to copy the backup to S3. It seemed to work, but the tar command made MongoDB stop working. I googled for a solution and found the rsync command.

Note that rsync copies the data files of a running database, so the copy is only guaranteed to be consistent if the database is quiesced during the copy (for MongoDB, mongodump or db.fsyncLock() around the copy) or the files sit on a filesystem snapshot. With that caveat, the backup process is implemented in three steps:

  • Use the rsync command to copy the data to another location
  • Compress the copy with the tar command
  • Move the compressed data to AWS S3

The script is:
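Below is an added Python version of that three-step job, not the post's own script. It assumes the container data directories are bind-mounted on the host under the constructed paths in DATA_DIRS, that the aws CLI is configured with credentials for BUCKET (an assumption), and that rsync, tar and aws are on PATH. Each step is built as an argument list rather than a shell string, so a directory name with spaces or shell metacharacters cannot alter the command, and the upload asks S3 for server-side encryption.

```python
"""Nightly backup: rsync snapshot -> tar -> aws s3 cp.

Added example for this post, not the post's own script. Assumptions:
  * container data directories are bind-mounted under /data on the host
    (constructed paths in DATA_DIRS; change them to yours);
  * the aws CLI is configured with credentials allowed to write to BUCKET;
  * rsync, tar and aws are on PATH.
"""
import subprocess
from datetime import datetime, timezone
from pathlib import Path

DATA_DIRS = {                                  # constructed example layout
    "mongo": "/data/mongo",
    "mysql": "/data/mysql",
    "elasticsearch": "/data/elasticsearch",
}
SNAPSHOT_ROOT = "/backup/snapshot"             # rsync target (local disk)
ARCHIVE_ROOT = "/backup/archives"              # where the tarballs go
BUCKET = "s3://my-backup-bucket/nightly"       # assumption


def _as_utc(when):
    """Accept a datetime or an ISO-8601 string; return an aware UTC datetime."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)


def archive_name(service, when):
    """e.g. mongo-2017-11-16T01-00-00Z.tar.gz (UTC, filesystem-safe)."""
    return f"{service}-{_as_utc(when).strftime('%Y-%m-%dT%H-%M-%SZ')}.tar.gz"


def build_commands(service, src, when):
    """The three steps of the post as argv lists. rsync mirrors the live data
    dir into a snapshot dir (so tar never reads the database's files while
    they change); tar compresses that snapshot; aws s3 cp uploads it with
    server-side encryption (SSE-S3)."""
    snap = Path(SNAPSHOT_ROOT) / service
    archive = Path(ARCHIVE_ROOT) / archive_name(service, when)
    return [
        ["rsync", "-a", "--delete", f"{src.rstrip('/')}/", f"{snap}/"],
        ["tar", "-czf", str(archive), "-C", str(snap.parent), service],
        ["aws", "s3", "cp", str(archive), f"{BUCKET}/{service}/{archive.name}",
         "--sse", "AES256"],
    ]


def run_backup(when=None, dry_run=False):
    """Run all three steps for every service and return the commands used.
    check=True stops at the first failure, so a broken snapshot is never
    uploaded as if it were good. dry_run only builds the commands."""
    when = _as_utc(when or datetime.now(timezone.utc))
    executed = []
    for service, src in DATA_DIRS.items():
        if not dry_run:
            Path(SNAPSHOT_ROOT, service).mkdir(parents=True, exist_ok=True)
            Path(ARCHIVE_ROOT).mkdir(parents=True, exist_ok=True)
        for cmd in build_commands(service, src, when):
            if not dry_run:
                subprocess.run(cmd, check=True)
            executed.append(cmd)
    return executed


if __name__ == "__main__":
    for cmd in run_backup():
        print(" ".join(cmd))
```

Schedule it from cron as the post does. The archives under ARCHIVE_ROOT should be pruned after upload (or the same retention logic applied to the bucket with an S3 lifecycle rule), and the IAM credentials used here should only be allowed to put objects into BUCKET, not to list or delete earlier backups, so a compromised host cannot destroy its own history.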

Thanks for reading.

Connect USB from Virtual Machine using Vagrant and Virtual Box

Sometimes (e.g. when you are developing an IoT project) you need to connect your board to a virtual machine over USB. This post shows the steps to pass a USB device through to a virtual machine using Vagrant and VirtualBox.

First, make sure the USB device is connected to your host computer with the command:

The output above shows that the USB device has VendorID 0x1a86 and ProductID 0x7523 (the CH340 USB-to-serial chip). So we add the lines below to the Vagrantfile to enable the USB controller and add a filter for that vendor/product ID:

Finally, start your virtual machine:

In your Linux virtual machine, run lsusb to check the result. If the device does not show up, check that your host user is in the vboxusers group (on Linux hosts) and that the VirtualBox Extension Pack is installed if the device needs USB 2.0 or 3.0.