Blockchain Development and Security

Instructor: Wu-chang Feng
Zoom (T/Th 8am-9:50pm): link
TA: Wenjing Wu (OdinID wwu , DM @wen pdx-cs.slack.com
Contact and discussion: Office hours: here
TA office hours: W/Th 11am-noon on Zoom
Course material
Useful links
Course Description This class provides an overview of blockchain systems, how they are built, and how they can be exploited. Students will get hands-on experience working with public blockchains such as Ethereum as well as build and deploy permissioned blockchains using Hyperledger Sawtooth on Google Cloud Platform. They will then examine security vulnerabilities in blockchain systems and how they may be automatically exploited.

Schedule

Week Topic Slides/Content Assignments Due
1 Course Overview
Overview and Applications
Underpinnings of blockchains
Public-key cryptography, Digital Signatures
Hash functions and properties
00, 01a : 01b
Do you need a Blockchain?
Polyswarm podcast
Lab 0
Labs 1.1, 1.2
2
Consensus protocols
Crash vs Byzantine fault-tolerance
Voting-based (BFT, Paxos)
Lottery-based (Proof-of-work, Proof-of-stake)
Blockchain Development
Bitcoin, Hyperledger overviews
01c : 01d
Consensus article
FLP and CAP article
Bitcoin overview
Labs 1.3, 1.4
3
Ethereum & Smart Contracts overview (DApps)
Solidity programming (language overview, basic types and constructs)
01e : 02a
Ethereum beige paper
Labs 2.1, 2.2 Lab notebook #1 (Fri)
4
Solidity programming (Web3.js, ERC20, ICOs)
Ethereum tools (Metamask, EtherScan, MyCrypto, Remix)
02b : 02c Labs 2.3, 2.4  
5 Blockchain security overview
DASP Top 10, SICTF intro
D6: Bad Randomness
D3: Arithmetic issues (Types), D2: Access Control
03a, 03b : 03c, 03d
(Not so)smart contracts
Labs 3.1, 3.2
Labs 3.3, 3.4
Lab notebook #2 (Fri)
6
D5: Denial of Service, D4: Unchecked low-level calls
D: Centralization, 51%
D1: Re-entrancy
03e, 03f : 03g, 03h Labs 3.5, 3.6
Lab 3.7
 
7
D7: Front-running, D8: Time manipulation, D10: Unknown unknowns
D9: Off-chain attacks
Advanced topics
Vyper
03i, 03j : 04a Labs 3.8, 3.9
Labs 4.1, 4.2, 4.3
Final project
 
8
Symbolic execution (Manticore)
05a Labs 5.1, 5.2, 5.3
Labs 5.4, 5.5
Lab notebook #3 (Fri)
9 Advanced Topics
06a Lab notebook #4 (Fri)
10
Final project time
 
Lab notebook #5 (Fri)
Finals
Final project (Fri)

Course objectives

  • Examine the underpinnings of blockchain systems and their applications
  • Develop and deploy blockchain applications and smart contracts (DApps)
  • Analyze smart contracts for security vulnerabilities
  • Exploit smart contract vulnerabilities
  • Use symbolic execution to automatically reveal smart contract vulnerabilities
 

Policies

Grading
Attendance and participation 5%
Lab notebooks 60%
Code in repository 10%
Final Project 25%
Attendance and participation Although we are remote, the class is synchronous and attendance is graded. Sometime during each Zoom class, this Google Form will be enabled for you to register your attendance. If you miss class, extra credit is given back for participation in the Slack channel. You are expected to follow this code of conduct when communicating.
Academic misconduct
  • Includes allowing another student to copy your work unless specifically allowed by the instructor.
  • Includes copying blocks of code from external sources without proper attribution
  • Results in a grade of 0 for the assignment or exam.
  • Results in the initiation of disciplinary action at the university level.

Assignments

Lab notebooks, git repository
Lab assignments will be given each class covering the course material. You will perform each one, while maintaining a lab notebook in a Google Doc that documents your progress via screenshots with your OdinID, Google Cloud project identifier, or wallet address in them. Notebooks should be exported as a PDF file and include a table of contents generated by Google Docs. Submission will be done via adding, committing and pushing the file to your private course git repository. Notebooks are in sections (e.g. 1-5) and are due Friday of the following week the last lab in the section is assigned. Use the following naming convention to submit your notebooks.
  • notebooks/<section_number>.pdf e.g. notebooks/1.pdf for the Sawtooth labs
The notebook will be graded based upon the following rubric:
  • Neatness and organization
  • Completeness
  • Inclusion of OdinID, Google Cloud project identifier, or wallet address in screenshots
For notebook submission and assignments that require code to be written, you will maintain a private git repository that will be setup in the first assignment. You will share the repository with the instructor and TA.
Final project
You will build a DApp of your own using Vyper and/or web3.js. Then, via a narrated screencast of no more than 15 minutes, you have done via a demo and a source code walkthrough. Submission instructions and a grading rubric will be given when the project is assigned.