Back to Course

Smart Contract Security

0% Complete
0/0 Steps
  1. Introduction to Smart Contract Security
    What are Smart Contracts and why are they Important?
  2. The Importance of Secure Smart Contract Development
  3. Overview of the Course
  4. Basics of Smart Contract Development
    Setting Up a Development Environment
  5. Introduction to the Solidity Programming Language
  6. Basic Syntax and Data Types
  7. Functions and Control Structures
  8. Common Vulnerabilities in Smart Contracts
    Reentrancy Attacks
  9. Transaction-Ordering Dependence (TOD)
  10. Unchecked Call Failures
  11. Integer Overflow and Underflow
  12. DoS Attacks
  13. Best Practices for Secure Smart Contract Development
    Proper Handling of Exceptions and Failures
  14. Use of Safe Math Libraries
  15. Proper Handling of User Input and External Calls
  16. Use of Testing Frameworks and Automated Testing Tools
  17. Use of Security Tools and Frameworks (Mythril, Oyente)
  18. Advanced Topics in Smart Contract Security
    Advanced Testing Techniques (Fuzz Testing, Symbolic Execution)
  19. Formal Verification of Smart Contracts
  20. Secure Design Patterns for Smart Contracts (Proxy Patterns, Upgradeability Patterns)
  21. Case Studies of Real-World Smart Contract Vulnerabilities and Exploits
  22. Conclusion and Next Steps
    Recap of Key Takeaways from the Course
  23. Further Resources for Smart Contract Security Best Practices

Participants 485

Show more
Home Smart Contract Security DoS Attacks
Lesson 12 of 23
In Progress

DoS Attacks

Yasin Cakal

A Denial of Service (DoS) attack is a type of cyber attack that is designed to disrupt the normal operation of a computer or network by overwhelming it with traffic or requests. In the context of blockchain and smart contracts, DoS attacks can be used to prevent users from interacting with a contract or network, or to cause the contract or network to malfunction.

Types of DoS Attacks

There are several different types of DoS attacks that can be used to target smart contracts and blockchain networks. Some common types of DoS attacks include:

  • Bandwidth attacks: These attacks involve overwhelming the target with a high volume of traffic, in an attempt to consume all of the available bandwidth and prevent legitimate traffic from reaching the target.
  • Resource depletion attacks: These attacks involve consuming all of a particular resource, such as memory or processing power, in order to prevent the target from functioning properly.
  • Distributed DoS (DDoS) attacks: These attacks involve using a network of compromised devices (known as a botnet) to simultaneously attack a target, making it more difficult to defend against.

How DoS Attacks Affect Smart Contracts and Blockchain Networks

DoS attacks can have a significant impact on smart contracts and blockchain networks. Some potential consequences of a DoS attack include:

  • Loss of access: A DoS attack can prevent users from accessing a contract or network, making it difficult or impossible for them to interact with it. For example, if a contract is being overwhelmed with requests, it may become unresponsive and users will not be able to execute functions or retrieve data from it.
  • Loss of funds: If a contract is unavailable due to a DoS attack, users may be unable to withdraw their funds or may be unable to complete transactions. For example, if a contract is being used to facilitate a token sale and is unable to process transactions due to a DoS attack, users may be unable to purchase tokens and the token sale may be disrupted.
  • Loss of reputation: A successful DoS attack can damage the reputation of a contract or network, making users less likely to trust it. This can lead to a loss of users and a decline in value for the contract or network.
  • Financial losses: Companies and organizations that rely on smart contracts or blockchain networks may suffer financial losses as a result of a DoS attack. For example, if a contract is used to facilitate a product or service and is unavailable due to a DoS attack, the company may lose revenue as a result.

How to Prevent DoS Attacks

There are several measures that can be taken to prevent DoS attacks on smart contracts and blockchain networks. Some strategies for mitigating the risk of a DoS attack include:

  • Rate limiting: Rate limiting involves setting limits on the number of requests that can be made to a contract or network within a certain timeframe. This can help to prevent an attacker from overwhelming the target with a high volume of traffic.
pragma solidity ^0.6.0;

contract RateLimiter {
    uint public requestCount;
    uint public maxRequestsPerSecond;
    uint public lastRequestTimestamp;

    constructor(uint _maxRequestsPerSecond) public {
        maxRequestsPerSecond = _maxRequestsPerSecond;
    }

    function request() public {
        require(now - lastRequestTimestamp >= 1 seconds, "Too many requests per second.");
        require(requestCount < maxRequestsPerSecond, "Too many requests in total.");
        requestCount++;
        lastRequestTimestamp = now;
    }
}
  • Throttling: Throttling involves reducing the rate of incoming requests to a contract or network if the number of requests exceeds a certain threshold. This can help to prevent a DoS attack by limiting the amount of traffic that can reach the target.
pragma solidity ^0.6.0;

contract Throttler {
    uint public requestCount;
    uint public maxRequestsPerSecond;
    uint public lastRequestTimestamp;
    uint public requestsPerSecond;

    constructor(uint _maxRequestsPerSecond) public {
        maxRequestsPerSecond = _maxRequestsPerSecond;
    }

    function request() public {
        requestCount++;
        if (now - lastRequestTimestamp >= 1 seconds) {
            lastRequestTimestamp = now;
            requestCount = 1;
        }
        requestsPerSecond = requestCount;
        require(requestsPerSecond <= maxRequestsPerSecond, "Too many requests per second.");
    }
}
  • Blacklisting: Blacklisting involves identifying and blocking IP addresses or other indicators of malicious activity. This can help to prevent DoS attacks by blocking traffic from known attackers.
pragma solidity ^0.6.0;

contract Blacklister {
    address[] public blacklistedAddresses;

    function blacklist(address _address) public {
        require(msg.sender == address(0), "Only contract owner can blacklist addresses.");
        require(_address != address(0), "Cannot blacklist address 0.");
        require(!isBlacklisted(_address), "Address is already blacklisted.");
        blacklistedAddresses.push(_address);
    }

    function unblacklist(address _address) public {
        require(msg.sender == address(0), "Only contract owner can unblacklist addresses.");
        require(isBlacklisted(_address), "Address is not blacklisted.");
        for (uint i = 0; i < blacklistedAddresses.length; i++) {
            if (blacklistedAddresses[i] == _address) {
                delete blacklistedAddresses[i];
                break;
            }
        }
    }

    function isBlacklisted(address _address) public view returns (bool) {
        for (uint i = 0; i < blacklistedAddresses.length; i++) {
            if (blacklistedAddresses[i] == _address) {
                return true;
            }
        }
        return false;
    }
}
  • Implementing security protocols: Implementing security protocols, such as firewalls and intrusion detection systems, can help to prevent DoS attacks by detecting and blocking malicious traffic.

Conclusion

DoS attacks can have serious consequences for smart contracts and blockchain networks, and it is important to take steps to prevent them. By implementing measures such as rate limiting, throttling, blacklisting, and security protocols, you can help to protect your contracts and networks from DoS attacks and ensure that they remain available and functional for legitimate users.

It is also important to keep your contracts and networks up-to-date with the latest security patches and best practices. This can help to prevent vulnerabilities that could be exploited by attackers to launch DoS attacks.

Finally, it is a good idea to perform regular security testing and audits of your contracts and networks to identify and address any potential vulnerabilities before they can be exploited. This can help to ensure the ongoing security and stability of your contracts and networks, and give users confidence in their security and reliability.

Exercises

To review these concepts, we will go through a series of exercises designed to test your understanding and apply what you have learned.

Write a function in Solidity that implements rate limiting. The function should accept a maximum number of requests per second as an argument, and should only allow a request to be processed if the number of requests in the current second is less than the maximum.

pragma solidity ^0.6.0;

contract RateLimiterExercise {
    uint public requestCount;
    uint public maxRequestsPerSecond;
    uint public lastRequestTimestamp;

    constructor(uint _maxRequestsPerSecond) public {
        maxRequestsPerSecond = _maxRequestsPerSecond;
    }

    function request() public {
        require(now - lastRequestTimestamp >= 1 seconds, "Too many requests per second.");
        require(requestCount < maxRequestsPerSecond, "Too many requests in total.");
        requestCount++;
        lastRequestTimestamp = now;
    }
}

To test this function, we can deploy the contract and call the request function multiple times in quick succession. If the rate limiting is working correctly, the contract should only allow the first maxRequestsPerSecond requests to be processed, and should return an error for any additional requests.

For example, if we set maxRequestsPerSecond to 5 and make 6 requests in rapid succession, the first 5 requests should be processed and the 6th request should return an error.

Write a function in Solidity that implements throttling. The function should accept a maximum number of requests per second as an argument, and should reduce the rate of incoming requests if the number of requests in the current second exceeds the maximum.

pragma solidity ^0.6.0;

contract ThrottlerExercise {
    uint public requestCount;
    uint public maxRequestsPerSecond;
    uint public lastRequestTimestamp;
    uint public requestsPerSecond;

    constructor(uint _maxRequestsPerSecond) public {
        maxRequestsPerSecond = _maxRequestsPerSecond;
    }

    function request() public {
        requestCount++;
        if (now - lastRequestTimestamp >= 1 seconds) {
            lastRequestTimestamp = now;
            requestCount = 1;
        }
        requestsPerSecond = requestCount;
        require(requestsPerSecond <= maxRequestsPerSecond, "Too many requests per second.");
    }
}

To test this function, we can deploy the contract and call the request function multiple times in quick succession. If the throttling is working correctly, the contract should allow a maximum of maxRequestsPerSecond requests to be processed in a single second, and should reduce the rate of incoming requests if the threshold is exceeded.

For example, if we set maxRequestsPerSecond to 5 and make 10 requests in rapid succession, the contract should allow 5 requests to be processed in the first second, and should reduce the rate of incoming requests so that only 5 additional requests are processed in the second second.

Write a function in Solidity that implements blacklisting. The function should accept an address as an argument and should add the address to a blacklist if it is not already on the blacklist. The function should also include a requirement that only the contract owner can add or remove addresses from the blacklist.

pragma solidity ^0.6.0;

contract BlacklisterExercise {
    address[] public blacklistedAddresses;

    function blacklist(address _address) public {
        require(msg.sender == address(0), "Only contract owner can blacklist addresses.");
        require(_address != address(0), "Cannot blacklist address 0.");
        require(!isBlacklisted(_address), "Address is already blacklisted.");
        blacklistedAddresses.push(_address);
    }

    function unblacklist(address _address) public {
        require(msg.sender == address(0), "Only contract owner can unblacklist addresses.");
        require(isBlacklisted(_address), "Address is not blacklisted.");
        for (uint i = 0; i < blacklistedAddresses.length; i++) {
            if (blacklistedAddresses[i] == _address) {
                delete blacklistedAddresses[i];
                break;
            }
        }
    }

    function isBlacklisted(address _address) public view returns (bool) {
        for (uint i = 0; i < blacklistedAddresses.length; i++) {
            if (blacklistedAddresses[i] == _address) {
                return true;
            }
        }
        return false;
    }
}

To test this function, we can deploy the contract and call the blacklist function with various addresses as arguments. We should verify that the contract correctly adds the specified addresses to the blacklist, and that only the contract owner can add or remove addresses from the blacklist.

We can also test the isBlacklisted function by calling it with various addresses as arguments and verifying that it returns the correct values.

Write a function in Solidity that implements a security protocol, such as a firewall or intrusion detection system. The function should accept a message and should return a boolean indicating whether the message is allowed or blocked based on the security protocol.

pragma solidity ^0.6.0;

contract SecurityProtocolExercise {
    mapping(bytes32 => bool) public allowedMessages;

    function allowMessage(bytes32 _message) public {
        require(msg.sender == address(0), "Only contract owner can allow messages.");
        require(_message != 0x0, "Cannot allow empty message.");
        require(!allowedMessages[_message], "Message is already allowed.");
        allowedMessages[_message] = true;
    }

    function blockMessage(bytes32 _message) public {
        require(msg.sender == address(0), "Only contract owner can block messages.");
        require(_message != 0x0, "Cannot block empty message.");
        require(allowedMessages[_message], "Message is not currently allowed.");
        allowedMessages[_message] = false;
    }

    function isAllowed(bytes32 _message) public view returns (bool) {
        return allowedMessages[_message];
    }
}

To test this function, we can deploy the contract and call the allowMessage and blockMessage functions with various messages as arguments. We should verify that the contract correctly adds and removes the specified messages from the list of allowed messages, and that only the contract owner can allow or block messages.

We can also test the isAllowed function by calling it with various messages as arguments and verifying that it returns the correct values based on whether the messages have been allowed or blocked.

Write a function in Solidity that implements a rate limiter with burst behavior. The function should accept a maximum number of requests per second and a burst size as arguments, and should allow a burst of requests up to the burst size to be processed without rate limiting.

pragma solidity ^0.6.0;

contract RateLimiterWithBurstExercise {
    uint public requestCount;
    uint public maxRequestsPerSecond;
    uint public burstSize;
    uint public lastRequestTimestamp;
    uint public requestsPerSecond;

    constructor(uint _maxRequestsPerSecond, uint _burstSize) public {
        maxRequestsPerSecond = _maxRequestsPerSecond;
        burstSize = _burstSize;
    }

    function request() public {
        requestCount++;
        if (now - lastRequestTimestamp >= 1 seconds) {
            lastRequestTimestamp = now;
            requestCount = 1;
        }
        requestsPerSecond = requestCount;
        if (requestsPerSecond > burstSize) {
            require(requestsPerSecond <= maxRequestsPerSecond, "Too many requests per second.");
        }
    }
}

To test this function, we can deploy the contract and call the request function multiple times in quick succession. If the rate limiter with burst behavior is working correctly, the contract should allow a burst of requests up to the burst size to be processed without rate limiting, and should apply rate limiting for any additional requests.

For example, if we set maxRequestsPerSecond to 5 and burstSize to 10, then the contract should allow a burst of 10 requests to be processed without rate limiting. If we make 11 or more requests in quick succession, the contract should apply rate limiting and should only allow 5 requests per second to be processed.

We can also test the rate limiter with longer intervals between requests. For example, if we set maxRequestsPerSecond to 5 and burstSize to 10, then the contract should allow a burst of 10 requests to be processed without rate limiting. If we make 11 or more requests in quick succession, the contract should apply rate limiting and should only allow 5 requests per second to be processed.

If we make fewer than 11 requests in quick succession, then the contract should not apply rate limiting. For example, if we make 5 requests in quick succession, then the contract should not apply rate limiting, even though the number of requests per second exceeds the maxRequestsPerSecond value.

To verify that the rate limiter is working correctly, we can call the request function multiple times in quick succession and verify that the contract applies rate limiting as expected. We can also vary the interval between requests and verify that the contract applies rate limiting appropriately.