According to Baihuhui, in 2018 the economic loss caused by security problems in the digital currency industry was 2.249 billion US dollars, equivalent to a loss of 56 US dollars per user. To put that figure in perspective: the market value of Monero, which ranks tenth among digital currencies, is only $1.6 billion.
Viewed along the timeline, the losses due to security problems in 2018 increased nearly threefold compared with 2017. In the first half of 2019 losses already exceeded $700 million, and as the market picks up, the losses caused by security problems show signs of surging again.
In this context, on the first anniversary of DVP, a series of activities under the theme of "blockchain security evolution" was launched on July 20th. It consisted of three major events: an online vulnerability mining contest, a puzzle game challenge, and an offline hackathon, with a prize pool of one million yuan, designed to give back to white hat hackers and the community and to promote the secure development of the industry.
On Saturday (August 10th), the DVP hackathon came to a successful conclusion. The conference was hosted by DVP, co-organized by OGC, PeckShield, MixMarvel, Contentos, Bibox, Ontology, and YeeCo, and was supported by many well-known projects and media outlets. In the morning, security professionals from DVP, PeckShield, Baihuhui, Changting Technology, and Tencent Zhanyi Lab, together with top white hat hackers, shared their views on important security issues; in the afternoon, the hackathon competition officially began in earnest.
After two rounds of contests, the vulnerability final and the comprehensive competition (vulnerability mining + CTF), a total of 15 players from 6 teams won first, second and third prizes, sharing more than 300,000 yuan in prize money. The first prize went to kennyS; the second prize winners were fsname / melon / Chris_l and r4v3zn / Santanx / Xenc; the third prize winners were gs-ice2019 / gs-sun1and / gs-saf3d0s, Shirt, and cybersecurity / YouLii / Jasper. It is worth mentioning that the youngest winner is only 16 years old.
Six real exchange vulnerabilities
Interestingly, the six critical vulnerabilities selected for the hackathon's vulnerability final are real flaws in the world's top digital currency exchanges, and reportedly representatives of the affected exchanges were present at the event. These vulnerabilities give a realistic picture of how serious the security situation of exchanges currently is. DVP has notified the relevant exchanges so that they can fix the vulnerabilities as soon as possible. The basic impact of these vulnerabilities is as follows:
(1) At one of the top ten exchanges in the world, the KYC information of the entire exchange could be obtained through the vulnerability;
(2) A common vulnerability in a well-known exchange platform provider, through which the sensitive information of all users of every exchange running its system could be obtained, affecting 180+ exchanges, including many popular emerging exchanges;
(3) At a well-known exchange, the vulnerability could be used to tamper with the official app in the app store and replace it with a phishing app to steal user assets;
(4) At a well-known exchange, the server account password, database account password, and other credentials of a certain site could be obtained through the vulnerability;
(5) At a well-known exchange, the vulnerability could be used to attack users under certain interactions;
(6) At a well-known exchange, a large number of buy and sell orders could be issued and the market manipulated.
It can be seen that KYC leakage, phishing apps, account password leakage, attacks on users, market manipulation and other security risks are real and ubiquitous, and top exchanges are no exception. Users' information security and asset security face great threats.
Chris_L, the leading white hat in the DVP online vulnerability mining contest, specializes in exchange vulnerabilities. He shared his own comparison of the exploits he found over the past two years. It can be seen that the proportion of information leakage vulnerabilities has increased significantly, from 15.6% in 2018 to 27.3% in 2019.
Chris_L said: "The exchanges have a lot of vulnerabilities. They don't pay much attention to security. Usually, 90% of the vulnerabilities are exposed without anyone being aware of it. Now, 90% of exchange vulnerabilities are due to improper configuration." He also said that almost every exchange in the digital currency field has security vulnerabilities.
He gave six pieces of practical personal security advice:
1. When logging in to a bank, exchange, wallet, etc., always use a secure link that begins with https;
2. Do not freely connect mobile devices, computers, hardware wallets and other networked devices to unknown third-party Wi-Fi;
3. Where conditions permit, install anti-virus software and refuse to run unprotected;
4. When something abnormal happens on a web page or in an app, stop major operations promptly and confirm what is going on;
5. Do not open plug-ins, emails, or links whose origin is unclear;
6. Large holdings of digital currency assets should be transferred to well-known and reliable cold wallets.
Four major causes of blockchain security issues
In the eyes of DVP CEO Daniel, blockchain security issues have many causes.
First, the open-source nature of blockchain: open source is a core element of how blockchain builds trust, but open source also exposes vulnerabilities more easily and makes projects more vulnerable to attack.
Second, the lack of security investment: the blockchain industry is still at an early stage of development, and its investment in and emphasis on underlying technology development far outweigh its investment in security.
Third, the lack of security resources in the industry: compared with the traditional Internet and IT sectors, security personnel working in the blockchain industry are still a minority. Even leading projects find it difficult to obtain enough resources to build a comprehensive security team.
Fourth, the lack of security awareness: many projects do not make building a complete security protection system a priority while expanding their ecosystem and technology, and users do not know enough about the security of blockchain products.
Specifically, across the entire Internet, the compound growth rate of security personnel in the past few years has been about 6%, while demand has actually grown by 15%. By 2021 there will be approximately 3.5 million unfilled security jobs in the world, which is a big gap. This is even more true in the blockchain industry: there are more than 10,000 new blockchain projects, but fewer than 50 truly provide security services.
The Cambridge Centre for Alternative Finance (CCAF) conducted a survey of blockchain digital asset companies, and its data is representative. In terms of headcount, security staff account for 6-10% of personnel at large blockchain enterprises and 11-20% at small enterprises. In terms of security investment, the security budget accounts for about 11-20% of the total budget.
According to the survey, only about 50% of small blockchain companies conduct annual external security audits. Among large enterprises this ratio is only 29%, which may be because they have the confidence to do security audits internally.
Interestingly, a large number of respondents chose "not applicable" or "no answer" for the frequency of auditing. This also reflects projects' reluctance to be open about such matters. Overall, the willingness to disclose internal and external security audits is very low. The highest is the storage category, where about 30% disclose their external audit situation; the lowest is the exchange category, at only 8%.
Evolution of the blockchain security model
A project can build its own security team. The advantage is that the response is rapid and controllable. The shortcomings are also obvious: security coverage is low and maintenance costs are relatively high. So some new trends have emerged.
One example is the centralized vulnerability reward platform, which large enterprises and government agencies are slowly beginning to accept; the US Department of Defense has so far issued bounty programs at least four times on three centralized security platforms. The advantage of this model is that each platform has a large number of white hat hackers, so security coverage is wider, and because a white hat is rewarded only when a vulnerability is found, the return on cost is relatively high. But because the platform is centralized, how can the interests of the white hats be protected? That remains a problem.
The logic of DVP is to establish a more decentralized platform. Because it is built on a community, coverage is wider, participants are more diverse, and quality is higher. In addition, it is easier to strike a balance between the demands of vendors and the interests of white hats. On the one hand, communication is protected by asymmetric encryption, so the confidentiality of a vulnerability is not compromised. On the other hand, through the design of blockchain smart contracts, the interests of the white hat can be locked in, and the economic model can be used to give white hats better incentives.
Specifically, the first element is a new incentive model, "business is mining, vulnerabilities are mining": when the entire business process is completed, the white hat who contributed receives a certain reward. The second is governance nodes made up of vendors with security capabilities and common nodes made up of ecosystem co-builders, which participate in the maintenance and management of the network through staking. The third is the participants of the various communities, who obtain a share of DVP tokens through community contributions, forming a sound governance structure.
Over the past year, DVP has established a comprehensive security collaboration ecosystem. At present there are more than 14,000 registered white hats, covering 1,490 vendors, of which 162 are registered vendors; 4,312 valid vulnerabilities have been found, more than 1,170 ETH and more than 1 million DVP in rewards have been issued to white hats, and potential losses of more than 10 billion yuan have been avoided.
DVP is about to launch the "blockchain security evolution" global campaign to bring together the global white hat hacker community. In addition, in view of the serious security situation of exchanges, the "blockchain security evolution" series of activities will add a round of "TOP exchange vulnerability contest", with tens of thousands of RMB in additional rewards, designed to help top exchanges quickly find vulnerabilities and protect the assets of the majority of users.