OSINT for Blockchain

This article was created by a community contributor. You can reach us at X http://x.com/nqdu_

Author : http://x.com/nqdu_

WHAT BLOCKCHAIN IS

A blockchain is a digital, decentralized, and distributed ledger that records transactions or data across multiple computers, each acting as a “node.” You can think of it as a decentralized database; it was originally created to support the idea of Bitcoin. Blockchain has always made sure that 3 of its pillars stand firm: decentralized, meaning that no single entity controls the information; distributed, meaning that the information shared is replicated across multiple computers, ensuring resilience. Another thing worth mentioning is the transparency and immutability it introduced.

WHY UTILIZE BLOCKCHAIN

Most people know blockchain through one of its products, cryptocurrency, but it has more uses than just backing the crypto coins we know today, such as:

1. Supply Chain Management

Many hackathons in this field use blockchain to track a product from its origin to the consumer, ensuring the authenticity and transparency of the goods.

2. Voting Systems

The use of blockchain in a voting system could ensure the transparency and security of the voting process itself, as the data stored in the blockchain is immutable.

3. Digital Identity

Digital identities are currently popular in the tech world, not to mention that we are always trying to find an easier way to verify someone.

4. Record management

This one is quite unique. Remember all the hardship an HR or finance department, or an event organizer, has to go through when a huge event or payroll is coming up? Hackathons nowadays often have some sort of “record management” category, either to make payroll much easier, to track who has claimed a ticket for a concert, or just to track changes to documents in the office. It won’t be long until we see crypto-compatible payments, or maybe they are already here.

SMART CONTRACT & TRANSACTION

Okay, so blockchain is the foundation; what’s being built on top of it? Every blockchain network has the capability to store and execute what we call a smart contract, a self-executing digital contract stored on a blockchain. Once a smart contract is deployed, the contract code cannot be altered (though this changed with the introduction of upgradeable contracts; even then, the original code is not altered, and a proxy-like layer of communication is introduced instead). In any case, a smart contract cannot be owned by someone, but the deployer can give itself or someone else a higher authority; think of it like an admin giving the admin role to another user, like a special privilege.

So, if we interact with a contract, who is going to validate the interaction? Well, a blockchain has validators. A validator’s job (depending on the chain) is to validate transactions. To put it simply, a transaction is an interaction happening in the blockchain that most of the time alters the data it stores (like CRU without D, as there is no such thing as deleting data once it’s recorded on the blockchain) and/or transfers assets, data, or value between two parties.

The validator then verifies the transaction, ensuring it complies with the blockchain’s rules and consensus mechanism. Once it’s verified, the validator bundles it with other valid transactions and turns them into a new block. After that, the block is added to the existing blockchain, extending the current data with the new one. There are some prerequisites before a node can be a validator in a blockchain, and they often differ, but one thing does not: validators get incentives and rewards for doing their job.

Okay, now let’s dive deep into the so-called “transaction.” Where is its information stored? The answer is in a block. The blockchain is known for its immutability and integrity; this is achieved through chaining “blocks,” thus blockchain, haha, get it? The block itself contains transaction data, metadata, and a cryptographic hash linking the current block with the previous one, which makes attempts to alter the data much harder. What kind of transaction information is stored in a block, you ask?

Some of the information stored includes:

- From: Who sent the transaction

- To: Receiver (or who it communicates with)

- Transaction Hash

- Parent (previous block) hash

- Data: what message/activity it does

- Block ID

- Gas Consumed

- Timestamp

- Value (if any)

Don’t worry about the Important/Not Important table above; it was categorized based on what people usually search for when exploring the blockchain. To help you understand how the “block” and “chain” work, refer to the image below.

Let’s say we deploy a smart contract and interact with it. The “genesis block” marks the first block in a blockchain, where something began (like after smart contract deployment; we don’t have to care about this that much). The unique thing is that the genesis block doesn’t have a parent (previous) hash, of course, since it’s the first. In the visualization above, we can see a simulation that generates blocks (assume each one carries a transaction): it links the red block with the yellow block, with the yellow block containing the red block’s hash as a security measure to prevent tampering, and so on until the blue block. This is why an attack such as a Sybil attack (51% attack) is hard to do.
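The parent-hash linking described above can be checked mechanically. The following is an added example, not code from the original article: it uses SHA-256 over JSON as a stand-in for a real chain's hashing, and the function names, addresses and values are constructed for illustration. It shows that editing a block is detected at that block, and that recomputing the edited block's hash only moves the break to the next block.

```python
import copy
import hashlib
import json

def block_hash(block):
    # Hash every field except the stored hash itself.
    # SHA-256 is a stand-in; Ethereum uses Keccak-256 over a different encoding.
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_chain(tx_batches):
    chain, parent = [], None          # the genesis block has no parent hash
    for block_id, txs in enumerate(tx_batches):
        block = {"block_id": block_id, "parent_hash": parent, "transactions": txs}
        block["hash"] = block_hash(block)
        chain.append(block)
        parent = block["hash"]
    return chain

def first_broken_block(chain):
    """Return the block_id of the first block that fails verification, or None."""
    parent = None
    for block in chain:
        if block["parent_hash"] != parent or block["hash"] != block_hash(block):
            return block["block_id"]
        parent = block["hash"]
    return None

# Constructed sample transactions (addresses are shortened placeholders).
SAMPLE = [
    [{"from": "0xAAA", "to": "0xBBB", "value": 1}],   # block 0 (genesis)
    [{"from": "0xBBB", "to": "0xCCC", "value": 2}],   # block 1
    [{"from": "0xCCC", "to": "0xAAA", "value": 3}],   # block 2
]

def tamper(rehash):
    """Change a value in block 1; optionally recompute that block's own hash."""
    chain = copy.deepcopy(build_chain(SAMPLE))
    chain[1]["transactions"][0]["value"] = 200
    if rehash:
        chain[1]["hash"] = block_hash(chain[1])
    return first_broken_block(chain)

if __name__ == "__main__":
    print("untouched chain:", first_broken_block(build_chain(SAMPLE)))
    print("edit without rehash, first broken block:", tamper(rehash=False))
    print("edit with rehash, first broken block:", tamper(rehash=True))
```

Because every later block stores the hash of the one before it, hiding the edit would require recomputing all subsequent blocks as well.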

Let’s see an example of the data of a block here. You can see it for yourself at

- https://sepolia.etherscan.io/tx/0x58fd8ef8337844a87911243535cd38adc7eabdd546106ed08a51ca258df26543

In this specific block, you can see the status of the transaction, block number, timestamp, from & to, the value of Ether being sent, fee, and gas price. Also, if a transaction is calling a function or interacting with a smart contract (like the transaction above), it normally has something like the second white box there.

It shows the gas limit for the smart contract to execute and, finally, the fee for running the process in the EVM and other attributes such as the transaction type. Let’s focus on this part a little more. You can see some quite important things here:

- Nonce -> Number of transactions of the sender “from” (wallet)

- Input data -> the action that’s being done

In this example, the input data is actually calling a function called “setState(string state)” in the smart contract, and if we decode the input using the decoding function available on Etherscan, we can see that it actually contains a flag (this is just for demonstration purposes, don’t worry).
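What the explorer's decode button does for a call with a single string argument can be reproduced offline. This is an added example, not code from the original article or from Etherscan: the function names are hypothetical, the 4-byte selector in the sample is a placeholder rather than the real selector of setState(string), and the string value is constructed.

```python
def encode_string_call(selector, text):
    """Build input data for a call taking one `string` (used to construct the sample)."""
    raw = text.encode()
    padded = raw + b"\x00" * (-len(raw) % 32)      # ABI pads data to 32-byte words
    return "0x" + (selector + (32).to_bytes(32, "big")
                   + len(raw).to_bytes(32, "big") + padded).hex()

def decode_string_call(input_hex):
    """Return (selector, text) for input data carrying a single `string` argument."""
    data = bytes.fromhex(input_hex[2:] if input_hex.startswith("0x") else input_hex)
    if not data:
        return None, None             # empty input: no function call was made
    if len(data) < 4 + 64:
        raise ValueError("too short for a selector plus one string argument")
    selector, args = data[:4], data[4:]
    offset = int.from_bytes(args[:32], "big")      # where the string's length word sits
    if offset + 32 > len(args):
        raise ValueError("string offset points outside the input")
    length = int.from_bytes(args[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(args):
        raise ValueError("declared string length exceeds the input")
    return "0x" + selector.hex(), args[start:start + length].decode("utf-8", "replace")

# Constructed sample: the selector is a placeholder, NOT the real selector of
# setState(string), and the string value is made up.
PLACEHOLDER_SELECTOR = bytes.fromhex("deadbeef")
SAMPLE_INPUT = encode_string_call(PLACEHOLDER_SELECTOR, "CONSTRUCTED{sample_state_value}")

if __name__ == "__main__":
    print(SAMPLE_INPUT)
    print(decode_string_call(SAMPLE_INPUT))
```

Anything passed to a contract function this way is readable by anyone who looks up the transaction, so secrets do not belong in input data.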

Another example: let’s say you are transferring money to someone; usually the process that’s going to happen is just a simple “transfer” like this

BLOCKCHAIN SECURITY TESTING

What is often tested in the blockchain is not only the core blockchain itself but also the smart contract. Initially, when a new blockchain is about to be launched, the main node (usually in Go/Rust, sometimes C++) is checked for any security and upgradeability flaws, but after that, the actual security check lies with the smart contracts deployed on top of it. On paper, we can see that the top 10 (according to OWASP, that is) are listed below

However, if we look at the bigger picture and not only the smart contract, the biggest reason someone gets rekt (hacked, in blockchain community terms) is not actually listed above. The number one cause of hacks in blockchain environments is users not following wallet best practices. You see, with the wallet address comes the private key, which is what proves that you approve a certain action being done under your name. So in short, losing your private key or signing a random transaction with your wallet may get you hacked; hence, it is highly recommended to read what you are about to sign. But again, blockchain data is hard to read, right? Well, that was before EIP-191 and EIP-712.

Image from: Cyfrin

The image above shows a comparison of what transaction messages used to look like. Quite ancient, isn’t it? But look at the one with EIP-191: you can now clearly see what action you are about to approve. It gets even better with EIP-712, where you can see much more detail, which probably addresses the confusion of the message in EIP-191.

In conclusion, aside from ensuring that the smart contract/application you are about to interact with is secure, you also need to raise your security awareness when using your wallet, because this is where many people get rekt.

Case Study

To be added soon: trx blockchain
