Web3.0 - Smart Contracts Could Be Leaky

#smart-contracts #web3 #decentralized-systems #application-hardening #secure-coding #security-testing

Focus Areas: 🔐 Application Security , ⛓️ Blockchain Security , ⚙️ DevSecOps

Presentation Material

Abstract

What is Web3.0? The best way to find the answer was by getting my hands dirty. This talk is about sharing experiences with you about things that worked and that did not work as expected, when I wrote my first Smart Contract and deployed it to a decentralized server. How I leaked the sensitive flag{}, and, what was the fix I applied to prevent leaking sensitive information?

AI Generated Summary

The talk details experiences from creating Web 3.0 challenges for a CTF event, focusing on smart contract security misconceptions. A primary investigation involved attempting to design an integer overflow vulnerability. However, it was discovered that Solidity version 0.8 and later include built-in overflow/underflow checks, rendering such a challenge ineffective unless an older compiler is used.

The second major topic concerned data privacy. The speaker demonstrated that marking variables as private in a smart contract does not conceal their values, as all contract state and transaction input data are publicly visible on the blockchain. In the created CTF challenge, a flag was inadvertently leaked through the transaction input data, which is viewable on blockchain explorers like Etherscan/Blockscout and within the contract’s ABI file. The ABI file, while describing function interfaces, also exposes any hardcoded strings.

To prevent the flag from being trivially extracted from the ABI or transaction data, the speaker employed the abi.encodePacked function to obfuscate the flag string. This concatenated and encoded the flag into a less readable format within the transaction input, though it remained technically present on-chain.

Key practical takeaways include: never storing sensitive information on a public blockchain, as privacy does not exist by default; understanding that private visibility only restricts other contracts, not public observers; and using the latest Solidity compiler (≥0.8) for automatic arithmetic safety. For educational CTFs, abi.encodePacked can be used for simple obfuscation, but it is not a security control. The talk also highlighted the use of blockchain explorers and ABI analysis as fundamental reconnaissance techniques for smart contract auditing.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview — always refer to the original talk for authoritative content. Learn more about our AI experiments.