Global AppSec Tel Aviv 2019

As Blockchain platforms become more developed, companies are beginning to investigate how this emerging technology might improve their business and are beginning to consider the risk implications involved with integration.

This two-day course is a deep-dive into state of the art methodologies used when developing smart contracts for Blockchain enabled Decentralized Applications (DApps). We focus on the Ethereum Blockchain, Web 3.0, and the Solidity language, as these are currently the most used platforms for building decentralized applications. Participants are guided through Solidity and its constructs so that they will be able to identify (and exploit) the most common vulnerabilities on this platform.

Since the consequences of insecure smart contracts are so public and costly, often resulting in immediate theft of funds, we focus the course primarily on common vulnerabilities found in this platform and how to prevent them.

We will be utilizing our custom Blockchain Capture the Flag platform as part of our exercises and demos. This platform allows users to interact with realistic DApp simulations and score points on a leaderboard by stealing funds from smart contracts on the test network.

Challenges and exercises will be used to demonstrate many of the most common vulnerabilities found in solidity smart contracts, including the following:
- Reentrancy
- Integer Underflows/Overflows
- Predictable Randomness
- Insecure Authorization
- Unchecked Low-Level Function Calls
- Unexpected Balance
- Denial of Service
**Exploiting these vulnerabilities will require a deep understanding of the following concepts:
- Identifying and avoiding client-side protections
- Communicating with smart contracts directly using a tool like MyCrypto
- Understanding and constructing an ABI
- Code reviewing Solidity projects for vulnerabilities
- Writing and deploying attack contracts written in Solidity on the test network
**All of these skill sets will be covered and demonstrated in this course.

Upon completion attendees will know:
* How Blockchain works, what makes it a novel, and where might it be useful
* What Web3 is and what are Decentralized Applications (DApps)
* How to interact with DApps using common tooling
* How to write and deploy example smart contracts
* What are common vulnerabilities found in DApps and smart contracts
* How to exploit these vulnerabilities in practice

Attendees will be provided with:
* A copy of our slides
* Access to our custom CTF platform
* Flash drives containing the tools and exercises used during this training

Attendees should bring:
Students must bring a modern laptop machine capable of running Chrome or a similar web browser.