DEF CON 25: Porosity

Decompiling Ethereum Smart-Contracts

Matt Suiche
Comae Technologies



Today, we presented how to decompile Ethereum Smart-Contracts at DEF CON 25.

Video Presentation of Porosity during DEFCON25


Porosity’s GitHub:
And you can also find our Slides here and our WhitePaper here.

Why ?

Ethereum smart contracts are code that is executed on every node of the decentralized Ethereum blockchain network. When connected together, they form the distributed applications (Dapps) that power an emerging “Internet of Value.” Contracts themselves are stored on the blockchain such that everyone can be certain they will generate the exact same output without relying on a central server (or single company) to own that application.

Most Ethereum developers write smart contracts in Solidity, a high-level (human readable) programming language which resembles JavaScript. While Solidity is not the only language that targets the Ethereum Virtual Machine (EVM) – for example, the Python-like Viper is being developed by Ethereum’s creator Vitalik Buterin – for now, Solidity is by far the most widely used.

Softwares have bugs, Smart contracts too

Prior hacks on the Ethereum network such as the 2016 DAO theft or the recent Parity multi-sig wallet compromise resulted because of poorly written Solidity code that introduced vulnerabilities which hackers exploited to steal funds from other Ethereum users, not because of compromises of the underlying blockchain protocol or cryptographic weakness.

Because of the perceived insecurity of Solidity, so far most tools have focused on scanning Solidity source code, which is assumed to be available. For example, frameworks like Open Zeppelin combine automated scanning for known issues with human review to build a library of “safe” contracts, but tools like this are only helpful if developers choose to submit their code for review.

Once a smart contract is compiled to EVM bytecode and launched on the Ethereum network, however, there is currently no way to provably go back and ensure that code is safe. As new vulnerabilities are discovered, we cannot retroactively identify affected smart contracts unless the developers have retained their own source code or shared it with the world.


“Porosity," is the first decompiler that generates human-readable Solidity syntax smart contracts from any EVM bytecode. Because compiled smart contracts are all world visible on the Ethereum network, this means that now all contracts can now be reviewed at any time. Once reversed, the code can be scanned to check for susceptibility to new attacks or to ensure adherence to changing best practices. Porosity removes a major roadblock to interacting with contracts of unknown origin and helps further the “trust but verify” blockchain thinking.

Porosity + Quorum = ❤

Quorum: Ethereum code fork created by J.P. Morgan aimed at enterprises that want to use a permissioned blockchain that adds private smart contract execution & configurable consensus.

Porosity is also useful for corporate consortia running private Ethereum blockchain networks such as Quorum, which may require real-time security scanning of smart contracts or have mandated application patching processes. Porosity and Quorum are being packaged and tested together as a way to integrate blockchain technology into traditional enterprise security workflows. The new open-source bundle is now available via J.P. Morgan’s GitHub.

Quorum now includes Porosity integrated directly into geth out of the box:

  • Scan private contracts sent to your node from other network participants
  • Incorporate into security & patching processes for private networks with formalized governance models
  • Automate scanning and analyze risk across semi-public Quorum networks



Matt Suiche
Comae Technologies

Hacker, Microsoft MVP, Founder of @ComaeIo — Co-Founder of @CloudVolumes (now @VMWare)