Blockchain Development and Security

Instructor: Wu-chang Feng
TA: Jeff De Lamare
TA office hours: Wednesday 10am-noon in Fishbowl
Course description

This class provides an overview of blockchain systems, how they are built, and how they can be exploited. Students will get hands-on experience working with public blockchains such as Ethereum, as well as build and deploy permissioned blockchains using Hyperledger Sawtooth on Google Cloud Platform. They will then examine security vulnerabilities in blockchain systems and how they may be automatically exploited.

Schedule

Each week lists its topics, the slide decks used, the assigned labs, and the reading/listening.

Week 1
  Topics: Course Overview; Overview and Applications; Underpinnings of blockchains: Public-key cryptography, Digital Signatures; Hash functions and properties
  Slides: 00, 01a, 01b
  Assignments: Lab 0; Labs 1.1, 1.2
  Read/Listen: "Do you need a Blockchain?" paper; Polyswarm podcast

Week 2
  Topics: Consensus protocols: Crash vs. Byzantine fault-tolerance, Voting-based (BFT, Paxos), Lottery-based (Proof-of-work, Proof-of-stake); Blockchain Development: Bitcoin and Hyperledger overviews
  Slides: 01c, 01d
  Assignments: Labs 1.3, 1.4
  Read/Listen: Consensus article; FLP and CAP article; Bitcoin overview

Week 3
  Topics: Ethereum & Smart Contracts overview (DApps); Solidity programming (language overview, basic types and constructs)
  Slides: 01e, 02a
  Assignments: Labs 2.1, 2.2
  Read/Listen: Ethereum beige paper

Week 4
  Topics: Solidity programming (Web3.js, ERC20, ICOs); Ethereum tools (Metamask, EtherScan, MyCrypto, Remix)
  Slides: 02b, 02c
  Assignments: Labs 2.3, 2.4

Week 5 (10/28: NO CLASS)
  Topics: Blockchain security overview; DASP Top 10, SICTF intro; D6: Bad Randomness
  Slides: 03a, 03b
  Assignments: Labs 3.1, 3.2
  Read/Listen: (Not so) smart contracts

Week 6
  Topics: D3: Arithmetic issues (Types); D2: Access Control; D5: Denial of Service; D4: Unchecked low-level calls
  Slides: 03c, 03d, 03e, 03f
  Assignments: Labs 3.3, 3.4, 3.5, 3.6

Week 7 (11/11: NO CLASS)
  Topics: D: Centralization, 51%; D1: Re-entrancy
  Slides: 03g, 03h
  Assignments: Lab 3.7

Week 8
  Topics: D7: Front-running; D8: Time manipulation; D10: Unknown unknowns; D9: Off-chain attacks; Advanced topics: Vyper
  Slides: 03i, 03j, 04a, 04b
  Assignments: Labs 3.8, 3.9; Labs 4.1, 4.2

Week 9
  Topics: Symbolic execution (Manticore); Final project
  Slides: 05a
  Assignments: Labs 5.1, 5.2, 5.3; Labs 5.4, 5.5; Final project

Week 10
  Topics: Final project

Course objectives

  • Examine the underpinnings of blockchain systems and their applications
  • Develop and deploy blockchain applications and smart contracts (DApps)
  • Analyze smart contracts for security vulnerabilities
  • Exploit smart contract vulnerabilities
  • Use symbolic execution to automatically reveal smart contract vulnerabilities

Policies

Grading
Attendance and participation 10%
Lab notebooks 60%
Code in repository 10%
Final Project 20%
Attendance and participation
To encourage collaboration and to establish a positive learning community, attendance and participation throughout the term will be graded. In addition, mutual respect, tolerance, and encouragement are expected, while comments seeking to demean, embarrass, or otherwise disrupt others' ability to learn are not. Specific examples of participation include asking questions, helping other students out, and identifying mistakes in the course content, either in class or on the Slack channel.
Academic misconduct
  • Includes allowing another student to copy your work unless specifically allowed by the instructor.
  • Includes copying blocks of code from external sources without proper attribution.
  • Results in a grade of 0 for the assignment or exam.
  • Results in the initiation of disciplinary action at the university level.

Assignments

Assignments and notebook
Assignments will be given covering the course material. You will perform each one while maintaining a lab notebook (a single Google Doc) that documents your progress through the exercises. Include screenshots, and ensure that each screenshot shows your wallet address, OdinID, or your Google Cloud Platform project identifier. You will submit your lab notebooks in parts on D2L. The notebooks will be graded based upon the following rubric:
  • Neatness and organization, including a generated table of contents.
  • Completeness
  • Inclusion of wallet address, OdinID or project identifier in screenshots
Code repository
For assignments that require code to be written, you will include your code via a private repository (via Gitlab) that is shared with the instructor and TA. The code will be graded upon the following rubric:
  • Overall functionality
  • Code documentation (such as Docstrings, comments)
  • Code readability and modularity
  • git repository activity (commits, commit messages, tags)
Final project
You (and/or a partner) will choose from a number of options for a project. You will then create a narrated screencast of no more than 20 minutes per project in which you show the work you have done via a demo and a source code or level walkthrough. For group projects, each student must walk through the code or level he/she has written or solved. The screencast should be uploaded to the course's MediaSpace channel. Submit your final project files in Bitbucket under the directory "final". The project can be selected from the following:
  • Solving an additional SI CTF level with Manticore that is not already included in the Docker container, and creating a codelab walkthrough of it.
  • Creating a DApp of your own using Vyper.
  • Creating a vulnerable CTF level of your own using Vyper.
Your project will also be graded using the following rubric:
  • Overall functionality
  • Code documentation (such as Docstrings, comments)
  • Code readability and modularity
  • git repository activity (commits, commit messages, tags)
  • Completeness of walkthrough including demonstration of code and your explanation of code that you have written.