paint-brush
Blockchain App Debugging: Bugs You Need to Be Aware Ofby@induction
1,829 reads
1,829 reads

Blockchain App Debugging: Bugs You Need to Be Aware Of

by Vision NPMarch 21st, 2023
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Blockchain-based mobile applications can be found in app stores, including mobile wallets, web 3.0 browsers, decentralized games, DEX, and DeFi apps, among others. These applications are not immune to bugs, which can render them vulnerable to attacks. Past incidents have demonstrated that security breaches arising from blockchain-based applications can lead to significant financial losses.
featured image - Blockchain App Debugging: Bugs You Need to Be Aware Of
Vision NP HackerNoon profile picture

The present time marks the contemporary era of blockchain technology. There is a proliferation of advanced consensus-based blockchain technologies.

With the surge in smartphone usage, various blockchain-based mobile applications can be found in app stores, including mobile wallets, web 3.0 browsers, decentralized games, DEX, and DeFi apps, among others.

However, these applications are not immune to bugs, which can render them vulnerable to attacks. Past incidents have demonstrated that security breaches arising from blockchain-based applications can lead to significant financial losses.


This article attempts to cover the various aspects associated with blockchain-mobile application debugging.

Classic App vs Blockchain App

To delve into the main topic, it's essential to comprehend the fundamental differences between classical and blockchain applications. In essence, classical applications rely on centralized servers, meaning that a central entity has complete control over them.

On the other hand, blockchain applications are decentralized, meaning that no single entity has control over the applications or their data. Trust is a crucial factor for both types of applications.

Classical applications rely on trust in the central authority or entity that governs the application and its data.

In contrast, blockchain applications rely on trust in the network of participants and the consensus mechanism that verifies transactions. Blockchain applications are designed to be trustless, meaning that they do not necessitate trust in a central authority.

Types of Blockchain-based App Bugs

Blockchain apps designed to support various OS like Android and iOS can exhibit a variety of bugs just like the other classical apps. Sometimes, certain bugs may go undetected for a long period. Here, we discuss a few of them.


  1. Security vulnerabilities:

These are the most common bugs. In the past, attackers have managed to drain funds from the wallet apps by bypassing the encryption algorithm of the system. Even a minor flaw can be a wormhole for attackers to steal sensitive data.


  1. User interface (UI) errors:

Poorly designed UI is responsible for making users confused to use the app properly. Users can click or select the wrong options to perform certain operations. For example, if the wallet app has no easier UI, users get difficulties in sending or receiving funds.


  1. Blockchain protocol bugs:

If there are issues or glitches in the blockchain protocol, it can impact the functioning of the blockchain app. One instance of this is when a bug emerges in a blockchain network like Ethereum which can lead to the failure of smart contract transactions.


This can prevent users from being able to access the funds stored in the wallet.


  1. Input validation bugs:

Imagine you are trying to send 0.5 BTC to one’s address, but due to the bug of a blockchain wallet, 1 BTC is sent! So, input validation bugs can bring a serious issue if it is not fixed at the right time otherwise attackers can allow users to a malicious input even by secretly changing the wallet addresses.


  1. Cryptographic vulnerabilities:

Blockchain apps are essentially built by adding encryption and decryption algorithms but sometimes, bugs persist in the codes to leak private keys or other sensitive information. The Solana-based wallets Slope and Phantom hacks in the last year are examples of this sort of bug.


  1. Malicious code injection:

Attackers can inject their own manipulated code into an application by exploiting vulnerabilities in its code, which is widely known as malicious code injection, and then they propagate the app from the malicious sites.


Fig by ESET: - Unsuccessful attempt to install a malicious wallet downloaded from untrusted sites with injected modified codes over a legitimate one on Android devices


This can finally lead to the theft of user funds or the unauthorized access of sensitive user data.


  1. Inadequate methods for recovery:

Blockchain applications do not rely on a central server to store data. Instead, they usually synchronize through a chain formed by connected nodes. To enable users to recover lost or uninstalled apps, private keys or secret phrases are provided.


However, if the recovery mechanism is not appropriately configured, attackers may use malicious methods to restore the wallets.


  1. Distributed Denial-of-Service (DDoS) attacks:

This is the most notorious way to exploit bugs in a blockchain app, causing it to malfunction. This attack floods the original server with a multitude of malicious servers to overwhelm it.


Well, these are the most common bugs associated with blockchain apps. Recently, the famous platform, BitGo, has patched a critical vulnerability that was discovered by the research team Fireblocks in the last year. Here, we discuss a couple of examples that can potentially teach us a lesson.

Critical Bugs Associated With BitGo:

The well-known platform in the crypto world, BitGo, has a huge number of retail and institutional users from all around the world. It offers various features to its users through its various products including apps for both iOS and Android devices.

The Fireblocks team claimed that they notified the bug (BitGo Zero Proof Vulnerability) the BitGo team that was related to the BitGo Threshold Signature Scheme (TSS) wallets in the last year, and attackers could easily bypass all the security measures preferred by the BitGo to access users’ private keys and sensitive data just by involving Javascript codes if it was not timely patched.

Image by Fireblocks team: They have chosen the malicious inputs for N and V.


The Fireblocks team described in depth how they discovered an exploit in the TSS protocol in BitGo's Elliptic Curve Digital Signature Algorithm (ECDSA) TSS wallet protocol by detecting a missing zero-knowledge proof in the protocol.


They were able to expose the private key through a very simple attack.


Debugging:

Indeed, the BitGo team has counter-commented against the claim of the Fireblocks team through their official blog post regarding the disclosure; everything is fine as users are suggested to update their wallet to the new version from the 17th of March.


They have successfully patched the vulnerability that Fireblocks has claimed. As a responsible and trusted company, they should make security their top priority.


The Parity Wallet Hack:

In 2017, the attacker was able to steal over 150k ETH from three prominent multi-sig contracts used to store funds from past token sales by exploiting a vulnerability in the smart-contract library code of Parity Multisig Wallet. The attacker performed two transactions to affected contracts for achieving ownership of a multi-sig wallet and moving all funds stored in the wallet. Here we have a close look into the codes of a WalletLibrary where the first transaction to initWallet as shown in the figure.

Code line 216 of WalletLibrary on GitHub

Looking like the function used in 216 is to extract the wallet’s constructor logic into a separate library and the wallet contract delegates all unhandled function calls to the library via delegatecall that we can see in the figure below.

Code line 424 of ParityWallet on GitHub

Now here is the root cause of the attack, the attacker was able to change the wallet’s owner just by using initWallet it because there were no checks to prevent him from modifying the contract's m_owners state variable to contain only his address and mandating only one confirmation to carry out transactions.


Debugging:

The best practice for debugging, in this case, could have been done by not including

delegatecall calling another contract function. Also, another way could be the prevention of extracting the wallet’s constructor logic into the library contract as we can see in the above figures. So, it is always important to check the codes before making them public.


These incidents mentioned above serve as a reminder to thoroughly test applications and ensure all security features are in place before their public release. Even a minor error can enable attackers to bypass encryption and gain access to the private keys of users worldwide, underscoring the importance of mobile debugging.


In the following, we provide an overview of the best practices for debugging blockchain applications involving the following:


  1. Using automated app testing tools:

Trusted app testing tools or debuggers can help to identify bugs very quickly. It helps to save time for timely fixing the issue. Generally, issues should be fixed as quickly as possible to save the funds and data of users.


  1. Reviewing the codes:

It is an effective method to identify any possible bugs and vulnerabilities within the code before its deployment on the blockchain network. Developers should test code repeatedly to make sure everything is ok.


  1. Enabling the strong encryption algorithm:

Most of the blockchain app hacking incidents happened due to the weak encryption of the blockchain apps. Weak encryption is responsible for revealing the keys or if the file exchange is taking place between the app and a certain centralized platform, it is very important to maintain strong encryption.


  1. Keeping the app up-to-date:

To ensure seamless performance, developers need to remain proactive in updating the app with the latest and advanced protocols. Therefore, it is highly recommended to test the app on various devices on a large scale.


  1. Consulting documentation:

To avoid the risk of misconfiguration and incorrect usage of API calls, it is crucial to refer to the up-to-date documentation provided by the blockchain technology that the app is based on. Therefore, it is essential to regularly check the documentation for the latest information.


  1. Testing app on a private blockchain:

To ensure optimal performance and stability, it is advisable to initially review the transaction patterns and operation of the app in a controlled environment using a private blockchain network.

Developers need to test the app in a private network, and then verify that it functions efficiently in a public blockchain network.


  1. Conducting the penetration test:

Conducting penetration testing on blockchain apps is a crucial step in securing both the app and the underlying blockchain technology.

It can be done by using proper penetration tools, for example, the OWASP ZAP tool can be used to identify potential bugs in smart contracts used by the blockchain apps.


  1. Identifying potential attack vectors:

Debugging the blockchain app is a crucial step, and developers should prioritize testing for potential attack vectors such as smart contract exploits, DDoS attacks, and private key theft while performing this test.

Challenge Associated With Debugging Blockchain Apps:

Debugging a blockchain app can be challenging due to the decentralized and immutable nature of the technology. If bugs are discovered, all devices must update to the latest version of the app.

While there is no risk of a single-point failure, there is still a risk that a specific device with an older version of the app could become infected in the network. Also, most blockchain apps use a self-executing program, i.e., a smart contract.

The bug associated with the smart contract can be problematic as they are based on blockchain technology, and it is very hard to debug.


On the other hand, debugging the blockchain app is challenging as the developers have to maintain the security concern, but it is hard to convince everyone to keep everything secret in the decentralized ecosystem.

Future of Blockchain Apps:

Although blockchain technology is still in the early stages of development and there is currently a lack of adequate tools for testing and debugging blockchain apps, the technology shows great promise for the future as it becomes more mainstream.


Almost all industries can get benefits from this technology, and mobile apps are more convenient to access the features. The following things shown in the diagram can help to shape the future of blockchain apps.

Advanced AI models like ChatGPT are currently available, with more expected to emerge shortly. The use of AI can enable the more efficient performance of various tasks, which may lead to more advanced and user-friendly blockchain apps.


Additionally, the availability of more advanced debugging and development tools will likely support the creation of even more advanced blockchain apps in the future.

Conclusion:

Debugging blockchain apps is a critical step to ensure their functionality, reliability, compatibility, and security.


Due to the various unique features of blockchain technology, blockchain app debugging can be a complex process, but there are tools and methods available to simplify the process.


By identifying potential attack vectors, testing on private and public blockchain networks, and staying up-to-date on blockchain documentation, developers can create reliable and secure blockchain apps that function as intended for users from all around the world.