Ethereum smart contracts are Turing-complete programs that mediate transfers of money. It doesn't come as a surprise that all hell is breaking loose on the Ethereum blockchain.
In this talk, we'll introduce Karl, an Ethereum blockchain monitor, and Scrooge McEtherface, an auto-exploitation bot that extracts Ether from vulnerable smart contracts. Scrooge uses symbolic execution to detect vulnerable states that live up to three transactions deep and constructs exploit payloads using the Z3 constraint solver.
We'll also examine the game-theoretic consequences of Scrooge's existence. What if multiple bots compete for exploiting the same contracts? How about honeypots that counter-exploit bots? Is it possible to cheat those honeypots? When all is said and done, who is going to end up stealing money from whom?
During the talk, we'll show many examples for vulnerable contracts, honeypots, and counter-honeypots, explain the role of transaction ordering and frontrunning, and launch a little challenge for the audience.