Get Into The Attacker's Mindset

00:00

getting into the attacker's mindset is

00:03

probably the number one thing that you

00:06

can do to immediately boost the amount

00:09

of findings vulnerabilities and bugs

00:11

that you uncover you need to start

00:13

thinking offensively to uncover the bugs

00:16

and vulnerabilities that the developers

00:19

who are thinking defensively did not

00:21

uncover in this video we're going to

00:23

cover exactly the four things that you

00:26

need to do to get into the attacker's

00:29

mindset and then we're going to cover

00:30

two things that will prevent you from

00:33

getting into the attacker's mindset and

00:35

then we're going to cover a particular

00:37

finding that required me to really get

00:41

into the attacker's mindset and pull a

00:43

few knobs in order to pull it off and

00:46

actually have a valid finding and so

00:48

this way you're going to see exactly how

00:50

the attacker's mindset comes into play

00:52

and how it is actually applied in

00:55

practice all right but first of all who

00:56

am I and why should you listen to me

00:59

talk about out the attacker's mindset

01:02

well my name is Owen and over a year and

01:04

a half ago I founded Guardian Audits and

01:06

ever since then we've uncovered dozens

01:09

and dozens of critical and high

01:11

vulnerabilities in over a hundred

01:14

different smart contracts and over a

01:17

thousand different hours spent auditing

01:19

smart contracts and so my goal is to

01:22

take down everything that I've learned

01:24

along the way and give it to you so that

01:27

you can ultimately become a much better

01:30

smart contract auditor than I ever could

01:32

be in a fraction of the time alright so

01:34

without further Ado let's get right into

01:37

the attacker's mindset

01:43

[Music]

01:46

okay so we are talking about the

01:49

attacker's mindset but first of all what

01:51

really is it and why will it benefit us

01:54

the attacker's mindset is very simply

01:56

boiled down just a way of looking at a

01:59

code base where you're trying to break

02:02

as many things as possible and there's

02:04

an optimal way to do this this is of

02:07

course in direct opposition to the sort

02:10

of mindset of a defender or a developer

02:14

where they're looking to secure a

02:16

protocol and essentially verify that it

02:19

is indeed secure at its core what this

02:21

boils down to is looking to disprove

02:24

rather than prove and of course the

02:26

attacker's mindset is going to benefit

02:28

us because if we set out looking to

02:30

disprove the security of a protocol by

02:34

finding a valid vulnerability in it then

02:36

we're going to be a lot more likely to

02:38

uncover that vulnerability than if we

02:41

were to set out to verify or essentially

02:44

convince ourselves of the security of

02:47

the protocol okay so now let's discuss

02:49

the four key steps to get into the

02:52

attacker's mindset and then we'll

02:54

discuss two critical mistakes that are

02:57

pulling you right out of the attacker's

02:59

mindset okay so first of all of course

03:01

is to incentivize yourself accordingly

03:04

you want to ensure that before you even

03:06

go into the audit you have the correct

03:09

incentives that are setting you up for

03:11

Success where you really want to find

03:15

vulnerabilities what does this mean this

03:18

means that you structure the way that

03:20

you get paid or rewarded or however

03:23

you're being compensated for this audit

03:25

by the amount of vulnerabilities and the

03:27

criticality of vulnerabilities that you

03:29

uncover and so obviously if you're

03:31

competing in a contest or maybe if

03:34

you're charging per vulnerability found

03:36

of course this is a fantastic way to

03:39

correctly incentivize yourself

03:41

and sort of change the structure of your

03:44

mind and make you think by default like

03:47

an attacker because you are literally

03:49

getting compensated like an attacker

03:51

would be okay then second of all after

03:53

we've gotten the incentives right we've

03:55

set the Baseline for how a good

03:58

incentivized audit can occur now we just

04:01

have to personally believe that there

04:03

are bugs and vulnerabilities in the code

04:06

base itself of course if an attacker did

04:08

not believe that there were

04:09

vulnerabilities in a code base they

04:11

would move on to a new one in order to

04:13

find as many bugs and vulnerabilities as

04:16

possible you simply have to be convinced

04:18

that many bugs and vulnerabilities exist

04:21

in the first place okay and then the

04:23

third step is to collect knobs as we're

04:26

going through the code base so as you're

04:28

going through the code base and you're

04:29

getting that initial context you want to

04:31

note down everything interesting every

04:33

interesting piece of behavior anything

04:35

that's off any line that's missing you

04:37

want to note that down and save it for

04:39

later because as you're going to see

04:41

things like this can be combined with

04:43

other knobs in order to yield really

04:46

unique and critical attack vectors which

04:49

leads us into the fourth step which is

04:51

of course to combine your knobs now what

04:54

you have to do is take this list that

04:56

you've compiled and piece them together

04:58

find each individual knob that can fit

05:01

with another to create one of these

05:03

really cool puzzle piece sort of

05:06

exploits each of these knobs is going to

05:09

be a Lego brick that you can use to

05:11

construct a more complicated exploit all

05:14

right now that we've discussed that

05:15

let's talk about two key mistakes that

05:18

you might be making right now that are

05:20

preventing you from getting into the

05:22

attacker's mindset and these are really

05:24

the flipped version of the earlier steps

05:29

and so first of all of course if you're

05:31

not getting your incentives right you're

05:33

going to be starting off on a bad foot

05:36

and setting yourself up for failure so

05:39

what does this mean this looks like

05:41

charging all of the money for an audit

05:43

up front no matter how many findings and

05:46

vulnerabilities are uncovered so if you

05:48

think about the Baseline incentive here

05:50

you are purely incentivized to spend as

05:53

little time on the audit as possible and

05:55

your mentality is going to be to

05:56

convince yourself of the security of the

06:00

protocol you're going to subconsciously

06:02

want to believe after a certain amount

06:04

of time that you've spent on the

06:05

protocol that the protocol is indeed

06:08

secure you might not notice this

06:10

consciously affecting your actions but

06:12

this is exactly what makes the

06:14

difference between spending an extra day

06:16

on a piece of functionality that's

06:19

really involved just to get that last

06:21

little tiny knob that ends up being a

06:25

full-blown critical exploit and versus

06:28

if you weren't incentivized to find that

06:30

little tiny knob and get that critical

06:32

exploit you might end up subconsciously

06:35

convincing yourself that that area of

06:37

functionality is actually secure and

06:39

there's no need to spend many many hours

06:42

digging into it okay and then second of

06:44

all is of course to not believe that

06:46

vulnerabilities exist of course we've

06:48

talked a lot about this but I cannot

06:51

iterate this enough you have to believe

06:53

that there are vulnerabilities in the

06:55

code you're auditing you have to

06:57

distrust the developers always otherwise

07:00

you start to get into the headspace of

07:03

verifying rather than attacking and you

07:05

start to agree with the developers if

07:07

you find yourself subconsciously

07:09

agreeing with the developers immediately

07:12

turn that on his head and start to

07:13

question everything from the ground up

07:16

okay now that we've explored what

07:18

exactly the attacker's mindset is let's

07:21

have a look at it in practice and see

07:24

how it can yield some really interesting

07:26

unique exploits that are even missed in

07:28

audit contests okay so before we hop

07:31

into this particular finding and walk

07:33

through it walk through the steps that

07:35

it took me to actually come across this

07:38

finding we need to get some context on

07:41

the code base for so this is of course

07:43

from the GMX V2 code base from an

07:46

earlier audit as GMX was early on in the

07:49

development stage of the protocol before

07:52

it's released now if you want a full

07:55

Deep dive and breakdown of the GMX V2

07:58

code base and to really get enough

08:01

context and introduction to fully

08:03

understand this finding go ahead and

08:05

watch my intro to GMX V2 video on this

08:09

channel but to give some really really

08:11

quick high-level context just enough so

08:14

you can get the gist of this finding as

08:16

we go through it GMX is a perpetuals

08:19

exchange Traders can open positions and

08:22

they use orders to do that you can use

08:24

orders to increase positions and

08:26

decrease positions and you have all

08:28

sorts of market and limit orders as well

08:30

as stop losses and importantly GMX has a

08:34

two-step execution system where you

08:36

create an order it's it's sort of like a

08:39

request to have an order executed and

08:41

then a keeper comes in and executes your

08:44

order and these are in two independent

08:46

transactions and this is essentially

08:48

done to avoid a lot of front-running

08:51

attack vectors on the exchange so the

08:54

first knob here actually arises from

08:56

that two-step execution process the

08:59

keeper will essentially provide prices

09:02

from the Block in which you created your

09:06

order in order to execute your order so

09:09

what does this mean this means that

09:10

essentially there's a unique attack

09:12

Vector here where if I can delay the

09:15

execution of the keepers transaction I

09:18

can get a risk free trade let's have a

09:21

look at exactly what this looks like

09:24

right so if we have a timeline here and

09:27

let's say I simply created a straight up

09:30

Market order at this time here let's say

09:33

this is block 100 over here and then I'm

09:36

able to delay the Keeper's execution of

09:39

my order until this block over here

09:41

let's say it's block 110 essentially I

09:45

can execute have this order executed at

09:48

this time block 110 with the prices from

09:51

block 100. so in Block 100 the price of

09:54

ethereum might be a thousand dollars in

09:57

Block 110 the price of ethereum might be

09:59

eleven hundred dollars and so I could

10:02

see that the price of ethereum currently

10:04

in Block 110 is eleven hundred dollars

10:07

and then make a risk-free trade where I

10:10

say oh yes I would like my order that

10:13

was submitted here to be executed only

10:15

now at block 110 and end up getting an

10:19

Arbitrage of a hundred dollars per ether

10:22

risk free right I have the knowledge

10:24

that ether has appreciated 100 since

10:27

these prices here in Block 100 so that

10:30

is the most simple version of and a

10:33

risk-free trade that could occur and

10:35

that's essentially the first knob that

10:38

we're going to use in our list of knobs

10:40

right so as I'm going through the code

10:43

base this is something that I I just

10:45

know as a class of vulnerabilities that

10:48

exists on the exchange and so it's in my

10:51

list of knobs that I have to twist as

10:54

I'm going through the code base so let's

10:56

go into the first knob that I discovered

10:59

that essentially begetted what

11:02

ultimately became this vulnerability so

11:05

first of all I'm going to notice that

11:07

the empty position error is something

11:10

that gets reverted on so what does this

11:13

mean this means that when we revert here

11:16

this order is going to be retried

11:19

instead of ultimately Frozen or canceled

11:23

if it were a market order or something

11:25

like this so if we have a limit order

11:27

for example and it reverts with an empty

11:30

position error it's going to be retried

11:32

what does this mean this means that we

11:36

can delay the execution here so I'm

11:39

going to note that if I can get get a

11:42

limit order to revert with the empty

11:44

position error then I can delay the

11:47

execution of the Keeper's transaction so

11:50

I know it can delay it but I need

11:52

something to keep the prices that the

11:56

order is going to execute with outdated

11:58

so if the keeper has to keep making new

12:01

basically executions so the way the

12:03

keeper will work is they'll see that

12:06

this would revert with this error by

12:09

basically simulating this and they will

12:11

not execute this transaction until they

12:14

see that it doesn't revert and it

12:16

successfully goes through so how do I

12:18

get it such that the keeper will use

12:21

outdated prices when all of a sudden

12:23

they see that this no longer reverts

12:26

with an empty position error well

12:28

particularly for a limit order we can

12:30

see that in the set exact order price

12:34

function which is used to essentially

12:36

set the prices that are going to be used

12:38

to execute this order for a limit

12:40

decreased order we can see that we're

12:44

going to end up validating that the

12:47

price is ascending right so it is not a

12:50

limit increase it is not a stop loss

12:53

this is a limit decrease and let's say

12:56

it is for a long to make things simple

12:57

so we're going to validate that price is

13:00

ascending and so essentially this is

13:02

going to take the earlier price in the

13:04

range of prices that are provided by the

13:06

Oracle and the later price and the range

13:09

of prices provided by the Oracle and

13:11

assert essentially that price is

13:14

validating over this range and this

13:17

range must encapsulate my trigger price

13:19

so if we draw this out and we have a

13:21

look at what this looks like on a a

13:25

price graph so we'll say this is my

13:28

trigger price now what has to happen for

13:31

my limit decrease essentially like a

13:33

take profit to execute is price has to

13:37

be ascending right so now any arbitrary

13:41

range here is hypothetically a valid

13:45

range to execute this limit decrease

13:48

over as long as it's including my

13:50

trigger price so now I can see that if I

13:53

combine this price execution logic with

13:56

the fact that you could potentially

13:58

delay this execution with an empty

14:01

position error then I could potentially

14:04

get some sort of benefit from a

14:06

risk-free trade if price did something

14:09

like this so let's talk about this if I

14:13

have my limit decrease order waiting to

14:15

get executed and then price enters this

14:18

range here but I do not allow it to be

14:21

executed by reverting with the empty

14:23

position error then essentially price is

14:26

going to continue time is going to

14:27

continue on we're still reverting with

14:29

the empty position error the keeper is

14:31

not trying to execute this yet as they

14:33

see that it's reverting until we see

14:35

price goes down down and now let's say

14:39

we're at this point here every time

14:42

before this we were reverting with the

14:44

empty position error now you'll notice

14:46

something if we look at the price option

14:48

here there has never been a valid price

14:51

range to execute this over after you

14:55

know

14:56

so you know something like this point

14:58

here now there's no valid range after

15:01

this point where you could execute this

15:04

there's no range that is increasing that

15:07

includes our trigger price and so now if

15:10

all of a sudden we're to stop reverting

15:12

with an empty position error and allow

15:14

the order to be executed at this point

15:16

in time now we're going to be forcing

15:19

the keeper to use prices from in this

15:22

range and so of course this is a classic

15:24

risk-free trade I can execute an order

15:27

at this time with knowledge of what the

15:30

current price is only I'm executing it

15:33

with old prices so I'll get a price

15:37

somewhere in this range here and of

15:39

course I can modify my acceptable price

15:41

to get any particular price that I might

15:44

want okay so we have the means to make a

15:47

risk-free trade happen but the question

15:49

is where can we get that empty position

15:51

error to end up delaying this and how

15:55

can we talk toggle it such that if I

15:57

decide at this point in time that I want

15:59

this order to go through and the

16:01

risk-free trade to be realized then How

16:04

Can I toggle that empty position error

16:06

off and allow the order to go through so

16:09

these are things that I'm immediately

16:10

looking for now in the attacker's

16:13

mindset right I am looking to

16:15

maliciously really maliciously find how

16:18

I can make this sort of risk-free trade

16:20

happen so I'll notice one key thing when

16:23

I'm looking at the decrease position

16:25

this if statement here if our position

16:29

was closed of course we remove the

16:31

position from the order store and we

16:33

don't do any extra validation and that's

16:34

if the size in USD or the size and

16:37

tokens are zero however if there's a

16:39

position left over then we're going to

16:41

go ahead and do this critical check here

16:44

which is to validate position and if we

16:46

click into this we'll see that we

16:48

validate non-empty position and which

16:50

revert do you think that gives it gives

16:52

the empty position revert and so we have

16:55

three different knobs here that we can

16:58

twist in order to get the empty position

17:00

revert and cause this initial sort of

17:03

delay so now here's my goal after

17:05

realizing that I can get the empty

17:07

position revert when a position is left

17:10

with size so we must have size in USD

17:13

and we must have size and tokens enabled

17:16

to to go into this else branch and

17:18

ultimately do this validation now I know

17:21

that this cannot be zero and I know that

17:22

this cannot be zero in this case so

17:24

we're left with one option here the

17:27

collateral amount we need to be able to

17:29

manipulate the collateral amount to be

17:31

zero here while the size and tokens and

17:34

the size in USD are non-zero and then

17:36

once we're able to get into that state

17:38

we need to be able to retroactively

17:40

toggle that state off without touching

17:42

the order in order to ensure that this

17:45

can be executed retroactively so what I

17:48

first notice is if I go into the process

17:52

collateral function if we scroll down

17:55

here there's actually no check that I

17:59

can't just set the remaining collateral

18:01

amount to zero I'm not going to go

18:02

through this whole 300 line function but

18:05

you can essentially take my word for it

18:08

that we wrote a POC and it's actually

18:10

true you can essentially have an initial

18:14

collateral Delta amount that will allow

18:16

you to set the remaining collateral

18:18

amount to zero and so that's exactly the

18:21

knob that we needed to make this attack

18:24

work to give us some Ray of Hope so now

18:27

after processing collateral and getting

18:30

these values we set the remaining

18:32

collateral to zero right so this

18:33

remaining collateral amount is now zero

18:35

from our initial collateral Delta which

18:38

is essentially the amount of collateral

18:40

we want to remove using our order so

18:42

this gets set to zero on the position

18:44

and then when we do this check here

18:48

we're going to have some size left over

18:50

so we go here and we validate and we get

18:53

the empty position error so we're

18:55

starting to piece together the Lego

18:58

building blocks and we've almost

19:00

finished our Masterpiece of an attack

19:03

here but we still need some more Lego

19:05

bricks to come in and help us out we

19:07

have successfully found a way to

19:09

essentially make an order revert And

19:12

Delay that success here's what we've

19:14

done if we can use this as a timeline of

19:17

price action here's what we'll use as a

19:19

timeline of order execution

19:22

let's say before this we have a position

19:25

that has let's say we have two thousand

19:28

two thousand USD of size so this is the

19:31

size of our position and let's say we

19:34

have just 10 collateral tokens 10

19:37

collateral tokens of collateral maybe

19:40

this is ether let's say it's ether it

19:42

doesn't matter right so we have that and

19:44

then we have an order in the store and

19:46

let's say the order is for 10 collateral

19:49

tokens and only 1500 size

19:53

so now what we've got so far is we see

19:56

that if this order is to be executed at

19:59

this point in time right so let's say

20:02

you know the order would be executed

20:03

tried it would be normally attempted to

20:06

be executed at this point in time what

20:08

would happen is this order this 10

20:11

initial collateral Delta amount would

20:14

negate the collateral on the position we

20:16

would end up with zero collateral tokens

20:19

we would end up reverting on this

20:21

validate position function when we check

20:24

validate non-empty position the

20:26

remaining collateral Mount is zero and

20:28

we revert with the empty position the

20:31

empty position up in the older order

20:33

Handler is ultimately causing a top

20:36

level revert which means that the keeper

20:39

will not execute the order so as long as

20:42

this order lives in this collateral

20:45

amount here is 10 and the collateral the

20:47

initial collateral Delta amount on the

20:49

order is 10 then this will continue to

20:52

revert revert revert until let's say at

20:55

this point right here now we see that

20:58

prices moved in a favorable Direction

21:01

meaning that if we were to be executed

21:03

with prices from over here on the left

21:06

at this point in time on the right

21:09

we would make risk-free money we would

21:11

be able to buy ether at cheaper than the

21:15

the market rate or you'd sell ether at a

21:18

higher price than the market rate you

21:20

know something like this so now exactly

21:22

what we need is the knob to twist to be

21:25

able to toggle this off and be able to

21:28

make the empty position error not get

21:30

raised and so after scanning and looking

21:33

and looking for exactly that thing to

21:36

twist we can find that exactly here on

21:40

this if statement right here this is the

21:43

last Lego Brick of our attack Vector

21:47

what is this doing right here we're

21:49

seeing if the size Delta USD on the

21:52

order is the same as the size and USD of

21:55

the position

21:55

then what we're doing is we're setting

21:59

the initial collateral Delta amount to

22:01

zero ladies and gentlemen this is

22:03

everything we need this is exactly the

22:05

toggle that we need so how are we going

22:07

to achieve it so let's remember this one

22:10

case this is literally the case we need

22:12

if the order size is the same as the

22:15

position size then we can toggle our

22:19

risk-free trade so what can we do we can

22:22

decrease the position size to match the

22:27

order size so we'll see the position

22:28

size is 2000 USD the order size is 1500

22:32

USD at this point in time when we want

22:34

to toggle it normal

22:36

Market decrease to decrease our position

22:40

by 500

22:43

USD so our position now becomes at this

22:48

point in time it is now 1500 USD size

22:52

and 10 tokens in collateral so what does

22:57

this match up with it matches up with

22:58

perfectly the 1500 from our order over

23:03

here so we're going to hit this exact if

23:05

statement right here we're going to set

23:07

the initial collateral Delta amount to

23:09

zero and in fact it doesn't even matter

23:13

because we're going to go into this if

23:17

statement here and so we're not even

23:19

going to have any position left over

23:20

because ultimately the size in USD is

23:23

now going to be equal to zero and we're

23:25

not even going to enter the branch where

23:27

it's possible to throw the empty

23:29

position error okay so now ladies and

23:31

gentlemen this is literally the entire

23:34

exploit this is everything we need to

23:37

pull off a critical risk-free trade on

23:40

the exchange so I hope that wasn't too

23:43

too in depth to understand how exactly

23:46

we go through and piece each of these

23:48

individual Lego bricks together I

23:50

recommend you go through and watch this

23:52

a few more times in order to fully

23:54

understand the attack vector and really

23:56

try to notice how we're going through

23:59

and as we uncover bits we just keep them

24:02

in our backlog until we match them up

24:04

with something else that's potentially

24:06

related and notice overall how we're

24:08

really being malicious about this and

24:10

we're really going for and trying to

24:12

break things intently this is the core

24:15

of the attacker's mindset okay so that

24:18

covers everything to do with the

24:20

attacker's mindset everything I know

24:22

about getting into the attacker's

24:23

mindset and finding those really

24:25

interesting vulnerabilities I hope that

24:27

this helps you find something really

24:29

interesting and if you learned anything

24:31

new go ahead and just pop it in the

24:33

comment section below alright and of

24:35

course if you're looking to grow as an

24:37

auditor and connect with a community of

24:39

growing aspiring Auditors to get to the

24:42

next level of auditing skills or

24:44

whatever and go check out lab.guardian

24:47

audits.com where you can join over 500

24:50

smart contract security Auditors and

24:53

learn from everybody in the community

24:55

share your thoughts get experiences from

24:58

others and even team up with others to

25:01

participate in team Audits and get

25:03

rewarded for findings that you uncover

25:06

and of course if you're not 100

25:08

confident in your web 3 auditing

25:11

abilities I collaborated with a number

25:14

of top tier Security Professionals in

25:17

the field to bring you exactly the most

25:20

thorough training on Smart contract

25:23

security this training will literally

25:25

take you from just understanding

25:27

solidity to a full-blown solidity

25:30

auditing Chad as efficiently as possible

25:33

if you are looking to go the paid route

25:36

then this is absolutely in my opinion

25:39

the best paid resource hands down out

25:42

there on smart contract auditing so if

25:45

you are indeed looking to go the paid

25:47

route then of course you can take fifty

25:49

dollars off in the link in the

25:51

description below alright guys that is

25:53

all for this time I can't wait to see

25:55

you in the next one

25:59

foreign