Ethereum dApps (decentralized apps) are a core reason development on the platform has skyrocketed. Many of them pair a standard web application with smart contracts deployed on the blockchain behind it. In other words, users interact with an ordinary web front end, which issues transactions on their behalf to a series of Ethereum smart contracts.
This expands the attack surface of an Ethereum dApp: because the smart contracts are publicly visible on the blockchain and callable by any account, an attacker can exploit the dApp either through the web application's logic or by sending transactions to the smart contracts directly, bypassing whatever checks the front end performs. In this talk, I demonstrate how an Ethereum dApp works from top to bottom. I show what transactions through a dApp look like, how they can be spoofed, and the different attacks we can leverage against a dApp, whether over the web or by targeting the smart contract directly, to try to steal its ether.
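The following is an added example, not code from the talk. It shows concretely why a dApp's web front end is not a trust boundary: a transaction to a contract is just a destination address plus ABI-encoded calldata, and anyone can build that calldata by hand without ever loading the UI. The scenario (a hypothetical vault contract with a `withdraw(uint256)` function, a constructed contract address, and a front end that only lets users request up to 1 ETH per withdrawal) is an assumption for illustration. Keccak-256 is implemented inline so the example runs offline with no web3 library; note that Ethereum uses original Keccak padding, not NIST SHA3-256, so `hashlib.sha3_256` would give the wrong selectors.

```python
# Added example (not from the talk). Builds raw Ethereum calldata by hand to show
# that a contract sees only msg.sender, msg.value and calldata, never the web UI.
MASK64 = (1 << 64) - 1
ROUND_CONSTANTS = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
# rho step rotation offsets, indexed [x][y]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v: int, n: int) -> int:
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def _keccak_f1600(a: list) -> None:
    """Keccak-f[1600] permutation, in place. Lane (x, y) lives at index x + 5*y."""
    for rc in ROUND_CONSTANTS:
        # theta
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        for i in range(25):
            a[i] ^= d[i % 5]
        # rho and pi
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[x + 5 * y], ROT[x][y])
        # chi
        for x in range(5):
            for y in range(5):
                a[x + 5 * y] = b[x + 5 * y] ^ (~b[(x + 1) % 5 + 5 * y] & b[(x + 2) % 5 + 5 * y])
        # iota
        a[0] ^= rc


def keccak256(data: bytes) -> bytes:
    """Ethereum's Keccak-256: rate 136 bytes, original pad10*1 padding (0x01 ... 0x80)."""
    rate = 136
    msg = bytearray(data) + b"\x01"
    msg += b"\x00" * ((rate - len(msg) % rate) % rate)
    msg[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(msg), rate):
        for i in range(rate // 8):
            state[i] ^= int.from_bytes(msg[off + 8 * i: off + 8 * i + 8], "little")
        _keccak_f1600(state)
    return b"".join(lane.to_bytes(8, "little") for lane in state[:4])


def selector(signature: str) -> bytes:
    """Function selector: first 4 bytes of keccak256 of the canonical signature."""
    return keccak256(signature.encode()).__getitem__(slice(0, 4))


def encode_call(signature: str, args: list) -> bytes:
    """ABI-encode a call with static uint256/address arguments (enough for this demo)."""
    _, types_part = signature.split("(")
    types = [t for t in types_part.rstrip(")").split(",") if t]
    if len(types) != len(args):
        raise ValueError("argument count mismatch")
    out = bytearray(selector(signature))
    for typ, val in zip(types, args):
        if typ == "uint256":
            if not 0 <= val < (1 << 256):
                raise ValueError("uint256 out of range")
            out += val.to_bytes(32, "big")      # 32-byte big-endian word
        elif typ == "address":
            h = val[2:] if val.startswith("0x") else val
            if len(h) != 40:
                raise ValueError("address must be 20 bytes")
            out += bytes(12) + bytes.fromhex(h)  # left-padded to 32 bytes
        else:
            raise ValueError(f"unsupported type {typ}")
    return bytes(out)


# Constructed, hypothetical values for the demo.
VAULT = "0x0000000000000000000000000000000000001234"  # hypothetical vault contract
ONE_ETH = 10**18
UI_MAX_WITHDRAW = ONE_ETH  # a limit enforced only in the web front end's JavaScript


def build_withdraw_tx(amount_wei: int, to: str = VAULT) -> dict:
    """The transaction object a direct caller would pass to eth_sendTransaction.
    Nothing in it identifies the web UI, so the UI-only cap above is irrelevant:
    only a check inside the contract itself can bound the amount."""
    data = encode_call("withdraw(uint256)", [amount_wei])
    return {"to": to, "value": 0, "data": "0x" + data.hex()}


if __name__ == "__main__":
    print("what the UI would send:     ", build_withdraw_tx(UI_MAX_WITHDRAW))
    print("what an attacker sends:     ", build_withdraw_tx(50 * ONE_ETH))
```

The two printed transactions differ only in the amount word after the selector `0x2e1a7d4d`; the contract cannot tell which one came through the front end. The same construction works for spoofing any argument the UI pre-fills (recipient addresses, token amounts, IDs), which is why every invariant has to be checked in Solidity against `msg.sender` and contract state, not in the browser.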