#HITB2024BKK D2 - Investigating Propagated Vulnerabilities from Ethereum to Its Layer-2 Blockchains

Ethereum is the most popular blockchain for hosting smart contracts. Despite its decentralization, Ethereum suffers from expensive transaction fees and low throughput in terms of TPS (transactions per second). As a result, third-party layer-2 blockchain networks have emerged in recent years, including self-contained networks such as BSC, Polygon, and Avalanche, as well as roll-up-based networks like Optimism, Avalanche, and Base.

In this talk, we will introduce our recent efforts to discover how Ethereum’s CVE vulnerabilities could propagate from Ethereum to BSC/Optimism/Base/Mantle. The discussion consists of the following three parts:

First, the architectural background between Ethereum and its layer-2 blockchain networks will be introduced (around 8 minutes).
Second, a novel tool, BlockScope (see the attached whitepaper), will be discussed in terms of its design and implementation (around 18 minutes).
Third, our vulnerability discovery in BSC/Optimism/Base/Mantle, including a total of 15 zero-day vulnerabilities (1 for BSC, 4 for Optimism, and 5 for Base/Mantle), will be introduced (around 24 minutes).

Lastly, we will open-source BlockScope for the first time at this conference.

===

Dr. Daoyuan Wu is currently a Research Assistant Professor in the Department of Computer Science and Engineering at the Hong Kong University of Science and Technology. He has been working on mobile and software security for ten years, blockchain and fintech security for four years, and LLM for Security and AI Security for 1.5 years. He has led the R&D of three representative tools: BackDroid, a groundbreaking search-based static analysis tool for Android; BlockScope, a code similarity-based tool for discovering numerous blockchain vulnerabilities; and GPTScan, the first LLM-based vulnerability analysis tool for smart contracts. With these tools, he has published papers in top-tier venues (e.g., NDSS, EuroS&P, DSN, USENIX ATC, FSE, ICSE, ISSTA) and at hacker conferences (Blackhat Europe and HitCon), and has reported around 100 CVEs, earning numerous bug bounty awards from Google, Facebook, Apple, Binance, Dogecoin, and Optimism/Base/Mantle.

---

Dr. Ning Liu is an Associate Professor in the Department of Public and International Affairs at the City University of Hong Kong. Her research interests lie in the areas of AI governance, digital security, and corporate security strategy.