How to hack TTC Protocol?

HackenProof is hosting a bug bounty program for a modern social networking protocol based on blockchain called TTC Protocol. Let’s take a short look at their whitepaper, describe the main concepts and some technical details. Then we’ll show you how to run a node to start bug hunting on TTC Bug Bounty Program.

1. TTC Protocol introduction

TTC is a decentralized nextgen social networking protocol. TTC provides a brand new social experience; the platform is completely decentralized. It was built to replace the old-style, “attention economy”-based social networks. TTC users will be able to get rewards for interacting with other users and their content.

2. Whitepaper overview

As new social networking protocol, TTC requires a high speed of transactions. BFT-DPoS model solves this issue.

A variety of social platforms are welcome to operate as DAPPs in the ecosystem of the TTC Protocol. DAPPs within the ecosystem include mainstream social networking services such as personal life sharing platforms, photo sharing communities, video sharing communities, and live streaming platforms.

TTC was built on the ERC-20 token standard to incentivize different participants in the ecosystem of the TTC Protocol. The TTC Protocol applies the user-oriented account system, which distinguishes external owner accounts and smart contract accounts. TTC Protocol allows one private key to correspond with multiple addresses, and also supports the authority transfer of the address owner.

There is a runtime environment for smart contracts called The TTC Virtual Machine (TTVM). It has Turing completeness, a high level of security, and high extensibility. TTVM supports multiple languages, such as Python, JavaScript, Solidity and Go, to embrace more developer communities.

TTC supports cross-chain, namely, it uses a distributed private key control protocol. Since it supports cross chain asset transfer and mortgage, Oracle, multi-token smart contracts, and it will not suffer from “51% attacks.”

3. Node installation

Official Go implementation of TTC – https://github.com/TTCECO/gttc

gttc – is golang implementation of the TTC protocol. It requires go (1.9x and 1.10x) and gcc.

Get the latest release of gttc:

wget https://github.com/TTCECO/gttc/archive/v0.0.4.zip

Unzip downloaded archive:

unzip v0.0.4.zip

Move files:

mv gttc-0.0.4/* $HOME/go/src/github.com/TTCECO/gttc

Change directory:

cd $HOME/go/src/github.com/TTCECO/gttc/cmd/gttc

Build gttc:

go build

Add folder to PATH:

export PATH=$PATH:$HOME/go/src/github.com/TTCECO/gttc/cmd/gttc

Run node in testnet:

gttc --testnet

To turn API run:

gttc --testnet --rpc 

Test the API:

curl -X POST --data '{"jsonrpc":"2.0","method":"net_version","params":[],"id":67}' -H "Content-Type: application/json" localhost:8545

Response:

{"jsonrpc":"2.0","id":67,"result":"3"}

gttc is based on geth, so API calls are identical.

4. Test

The most evident way to test the node is trying to send some malicious or wrong data into API. I’ve decided to use BurpSuite with its intruder and fuzzing wordlists from https://github.com/danielmiessler/SecLists.

I used a wordlist with Unicode characters with “eth_sendRawTransaction” method and got the following response:

{
"jsonrpc": "2.0",
"id": 1,
"error": {
"code": -32602,
"message": "invalid argument 0: json: cannot unmarshal hex string without 0x prefix into Go value of type hexutil.Bytes"
}
}

5. Report from hackenproof.com

An attacker can send a GetBlockHeadersMsg request in LES subprotocol with malicious parameters to attack any remote node and make it crash. This bug was found in geth right up to v1.8.10 and it was fixed in v1.8.11 by validating user input and skipping overflow in GetBlockHeadersMsg handler. As soon as gttc is using geth v1.8.9 I decided to try this vulnerability. The bug was reported and marked as CVE-2018–12018. The exploit to this CVE is attached in the description, but it doesn’t work now. So I decided to write a new one for gttc.

You can find the script on the github repository. To run the exploit you need to know enode of the target node.

python3 exploit.py --enode 'enode of your node'

The error message on the target node:

panic: runtime error: index out of range

goroutine 282 [running]:
github.com/TTCECO/gttc/les.(*ProtocolManager).handleMsg(0xc42081cf00, 0xc42038e300, 0x0, 0x0)
/root/go/src/github.com/TTCECO/gttc/les/handler.go:458 +0x8cc8
github.com/TTCECO/gttc/les.(*ProtocolManager).handle(0xc42081cf00, 0xc42038e300, 0x0, 0x0)
/root/go/src/github.com/TTCECO/gttc/les/handler.go:327 +0x727
github.com/TTCECO/gttc/les.NewProtocolManager.func1(0xc422f11da0, 0x10a7b40, 0xc423cb0700, 0x0, 0x0)
/root/go/src/github.com/TTCECO/gttc/les/handler.go:175 +0x23b
github.com/TTCECO/gttc/p2p.(*Peer).startProtocols.func1(0xc423cb0700, 0xc422f11da0, 0x10a7b40, 0xc423cb0700)
/root/go/src/github.com/TTCECO/gttc/p2p/peer.go:348 +0x66
created by github.com/TTCECO/gttc/p2p.(*Peer).startProtocols
/root/go/src/github.com/TTCECO/gttc/p2p/peer.go:347 +0x201

6. Conclusions

Now you know what is TTC, how it can be used, its main concepts and technical details. Also, we’ve covered TTC’s node installation and API usage. Now you can start bug hunting on the TTC public bug bounty program on HackenProof. You can try another inputs and methods to break nodes or you can find your own way to find a bug. Mind you, the HackenProof team is constantly writing “How to hack” articles about blockchain based products. If you are interested in bug hunting on blockchain based products you should check out the following posts How to hack VeChainThor and How to hack Smart Contracts. Stay tuned – more useful content is coming your way!