DolphinChain

module
v0.0.0-...-30fafb3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 23, 2019 License: MIT

README

DolphinChain

dolphinchain.logo

DolphinChain is the first Vulnerable Blockchain Application in the world! dolphinchain.org

Version : 1.0.0

中文说明

Table of Contents

Overview

DolphinChain is a deliberately insecure blockchain application maintained by XuanMao Secure Lab designed to teach blockchain application security lessons. You can install and practice with DolphinChain.

DolphinChain was developed based on tendermint v0.31.2 (WARNING: ALPHA SOFTWARE), which is the latest version of tendermint at that time.

In this release (v1.0.0), there are about 10 bugs in DolphinChain. Any whilehat and developer of blockhain can try to exploit the vulnerabilities. It's main goals are to be an aid for security professionals improving skills and help blockchain developers better understand the processes of securing blockchain applications.

Installation

  1. Download and install golang

  2. Download and install DolphinChain.

  3. Get all dependencies of DolphinChain.

All you need is ready !

You can look for Installation for more details.

Usage

Deploy DolphinChain -> Find defect code -> Write verification script -> Verify vulnerability exists

  1. Finding Vulnerabilities: Blockchain vulnerabilities are mainly caused by code issues and logic problems.
  2. Write a verification script: There are two ways to test a script with PoC or Go test.

Of course we will expose all the Writeup. You can view it through our another Repository.

At the same time, we also summarized the historical vulnerability of tendermint, see Tendermint Bugs History

Tendermint Bugs History

Tendermint is a core component of the Cosmos network ecosystem and is primarily responsible for consensus and P2P. Since its development in 2014, the community has been active, code iterations are fast, and most importantly, security is highly valued. Therefore, by learning the security vulnerabilities and fixes of this chain, we can let other developers learn their ideas and avoid stepping on the pits that the predecessors have already stepped on.

Here is the bugs history of tendermint we collected. We spent almost a month finishing.

P2P consensus node RPC marshal message queue database message logic seed list mempool
null pointer X X X X X X X X X
null config X X X X X X X X
lack of err handle X X X X X X X X X X
server hang on X
Concurrent quantity limit X X X X X X
Abnormal value X X X X X X X
component logic X X X X
overflow X X
lock X X
DOS X X X X
memory leak X X X
initing X X X X X X X
dependencies X X
resource control X X X X X

Contribution

Welcome to submit any question via issue. Moreover, you can also develop more vulnerabilities with us.

Contributors :

Tri0nes、Javierlev

Backer





Connection

TODO

  • There may be some bugs and we are fixing.
  • Write Writeup for vulnerabilities existed
  • Sort out new vulnerabilities as follow-up development
  • Some particularly interesting ideas

License

DolphinChain is licensed under the MIT License. See LICENSE for the full license text.

Directories

Path Synopsis
abci
proto
Package test is a generated protocol buffer package.
Package test is a generated protocol buffer package.
cmd
merkle
Package merkle computes a deterministic minimal height Merkle tree hash.
Package merkle computes a deterministic minimal height Merkle tree hash.
secp256k1/internal/secp256k1
Package secp256k1 wraps the bitcoin secp256k1 C library.
Package secp256k1 wraps the bitcoin secp256k1 C library.
xchacha20poly1305
Package xchacha20poly1305 creates an AEAD using hchacha, chacha, and poly1305 This allows for randomized nonces to be used in conjunction with chacha.
Package xchacha20poly1305 creates an AEAD using hchacha, chacha, and poly1305 This allows for randomized nonces to be used in conjunction with chacha.
libs
cli
db
db/remotedb
remotedb is a package for connecting to distributed Tendermint db.DB instances.
remotedb is a package for connecting to distributed Tendermint db.DB instances.
db/remotedb/grpcdb
grpcdb is the distribution of Tendermint's db.DB instances using the gRPC transport to decouple local db.DB usages from applications, to using them over a network in a highly performant manner.
grpcdb is the distribution of Tendermint's db.DB instances using the gRPC transport to decouple local db.DB usages from applications, to using them over a network in a highly performant manner.
db/remotedb/proto
Package protodb is a generated protocol buffer package.
Package protodb is a generated protocol buffer package.
errors
Package errors contains errors that are thrown across packages.
Package errors contains errors that are thrown across packages.
events
Package events - Pub-Sub in go with event caching
Package events - Pub-Sub in go with event caching
flowrate
Package flowrate provides the tools for monitoring and limiting the flow rate of an arbitrary data stream.
Package flowrate provides the tools for monitoring and limiting the flow rate of an arbitrary data stream.
log
pubsub
Package pubsub implements a pub-sub model with a single publisher (Server) and multiple subscribers (clients).
Package pubsub implements a pub-sub model with a single publisher (Server) and multiple subscribers (clients).
pubsub/query
Package query provides a parser for a custom query format: abci.invoice.number=22 AND abci.invoice.owner=Ivan See query.peg for the grammar, which is a https://en.wikipedia.org/wiki/Parsing_expression_grammar.
Package query provides a parser for a custom query format: abci.invoice.number=22 AND abci.invoice.owner=Ivan See query.peg for the grammar, which is a https://en.wikipedia.org/wiki/Parsing_expression_grammar.
Package lite allows you to securely validate headers without a full node.
Package lite allows you to securely validate headers without a full node.
client
Package client defines a provider that uses a rpcclient to get information, which is used to get new headers and validators directly from a Tendermint client.
Package client defines a provider that uses a rpcclient to get information, which is used to get new headers and validators directly from a Tendermint client.
p2p
pex
upnp
Taken from taipei-torrent.
Taken from taipei-torrent.
Package privval provides different implementations of the types.PrivValidator.
Package privval provides different implementations of the types.PrivValidator.
rpc
core
# Introduction Tendermint supports the following RPC protocols: * URI over HTTP * JSONRPC over HTTP * JSONRPC over websockets Tendermint RPC is built using our own RPC library which contains its own set of documentation and tests.
# Introduction Tendermint supports the following RPC protocols: * URI over HTTP * JSONRPC over HTTP * JSONRPC over websockets Tendermint RPC is built using our own RPC library which contains its own set of documentation and tests.
lib
HTTP RPC server supporting calls via uri params, jsonrpc, and jsonrpc over websockets Client Requests Suppose we want to expose the rpc function `HelloWorld(name string, num int)`.
HTTP RPC server supporting calls via uri params, jsonrpc, and jsonrpc over websockets Client Requests Suppose we want to expose the rpc function `HelloWorld(name string, num int)`.
lib/server
Commons for HTTP handling
Commons for HTTP handling
tools
tm-monitor/eventmeter
eventmeter - generic system to subscribe to events and record their frequency.
eventmeter - generic system to subscribe to events and record their frequency.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL