DApp trend list: every vulnerability seen on EOS may reappear on TRON

In this issue, two DApps in the TRON ecosystem were attacked by hackers and drew wide attention.

On the evening of April 10, a hacker launched a random-number cracking attack on the TRON gambling game TronWow, profiting a total of 2.16 million TRX. In the early morning of April 11, a hacker launched a counterfeit-token attack on the TRON game TronBank and stole about 170 million BTT (worth about 850,000 yuan) within one hour.

A senior developer told BlockBeats that the events seen in the EOS ecosystem since its mainnet launch, such as the rise of gambling DApps, fund-raising hype, mining and arbitrage "brick moving", freeloaders ("wool pulling"), and even hacking, have all reappeared on TRON. Judging from the recent TRON ecosystem incidents, the types of bugs that appear alongside DApps are also consistent.

Recently, the TRON ecosystem has faced counterfeit-token attacks, random-number cracking and other problems that were frequent in the early days of EOS. Jiang Xuxian, founder of the security team PeckShield, told BlockBeats that the TRON ecosystem has also had unlimited token-minting problems (such as TronCrush, Iseri Project, and the TransferMint vulnerability on RockstarToken), and that other related attacks (such as contract overflows and transaction blocking) cannot be ruled out in the TRON ecosystem in the future.

Security vulnerabilities from Ethereum and EOS are likely to reappear on TRON

Jiang Xuxian said that because TRON combines the designs of Ethereum and EOS, and its smart contracts also use the Solidity programming language, the contract defects seen on Ethereum (including overflow vulnerabilities, locked assets, and contract hijacking) are likely to be repeated on TRON.

In other words, at the vulnerability level, the batchOverflow vulnerability (CVE-2018-20199) that PeckShield discovered in the BEC and SMT tokens in 2018 is likely to reappear on TRON. The difference may only be the value of the affected contract's token.
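To make the batchOverflow pattern concrete, here is an added example (not code from the article or from PeckShield) that models in Python the unchecked uint256 multiplication of a BEC-style batchTransfer beside the checked version an auditor expects. It assumes pre-0.8 Solidity wrapping semantics (arithmetic modulo 2**256); the account names, balances and amounts are constructed.

```python
# Added example: a Python model of the batchTransfer arithmetic behind the
# 2018 "batchOverflow" bug. Solidity uint256 arithmetic (before 0.8) wraps
# modulo 2**256, which this model emulates explicitly. All data is constructed.
UINT256_MAX = 2**256 - 1
MOD = 2**256


class Revert(Exception):
    """Stands in for a Solidity require() failure."""


def batch_transfer_unchecked(balances, sender, receivers, value):
    """Vulnerable pattern: amount = cnt * value is computed with wrapping
    uint256, so a huge value can wrap the total to 0 and pass the balance
    check while every receiver is still credited the full (huge) value."""
    cnt = len(receivers)
    amount = (cnt * value) % MOD          # wraps to 0 for value = 2**255, cnt = 2
    if not (0 < cnt <= 20):
        raise Revert("bad count")
    if not (value > 0 and balances.get(sender, 0) >= amount):
        raise Revert("insufficient balance")
    balances[sender] = (balances[sender] - amount) % MOD
    for r in receivers:
        balances[r] = (balances.get(r, 0) + value) % MOD
    return amount


def batch_transfer_checked(balances, sender, receivers, value):
    """Hardened pattern: the multiplication is checked (SafeMath-style,
    `require(c / a == b)`) so an overflowing total reverts before any
    balance is touched."""
    cnt = len(receivers)
    if not (0 < cnt <= 20 and value > 0):
        raise Revert("bad arguments")
    amount = cnt * value                  # Python ints do not wrap ...
    if amount > UINT256_MAX:              # ... so the check is explicit here
        raise Revert("multiplication overflow")
    if balances.get(sender, 0) < amount:
        raise Revert("insufficient balance")
    balances[sender] -= amount
    for r in receivers:
        balances[r] = balances.get(r, 0) + value
    return amount


def reverts(fn, *args):
    """True if the call raises Revert, i.e. the transaction would fail."""
    try:
        fn(*args)
    except Revert:
        return True
    return False
```

On a constructed 1000-token balance, the unchecked version accepts a transfer of 2**255 to each of two receivers for a wrapped total of 0, while the checked version reverts and leaves balances untouched.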

In addition, TRON also borrows the EOS consensus mechanism and EOS's support for gambling DApps, and Jiang Xuxian believes the security issues PeckShield reported there in 2018 also have a great chance of repeating themselves. The attacks on BTTBank and TronWow are probably just the beginning.

PeckShield has compiled a timeline chart of the evolution of EOS DApp attacks. In the chart, the attack modes inside the red box are all likely to be reproduced on TRON; the attack modes outside the red box are unique to the EOS public chain and unlikely to be reproduced on TRON.

Jiang Xuxian previously analyzed that the DApp market on the TRON public chain is highly prosperous but has never faced attacks of the intensity seen on EOS. Attackers are currently migrating mature attack methods from other public chains to TRON and conducting extensive attack testing to find contracts with weak security protection. After this stage, attackers may go further and dig into mechanisms specific to TRON that can be exploited for higher-intensity, more threatening attacks.

Beyond the above, since TRON is implemented by combining the designs of Ethereum and EOS, the security problems of each may appear on TRON in some form. In particular, TRON contracts cannot be changed after deployment (similar to Ethereum), and the EOS-like consensus mechanism will directly affect possible future attacks, including the deployment of attack contracts and possible transaction rollback or blocking.

However, given that each public chain has its own particularities, it is inevitable that a public chain will face challenges in going live and operating stably. Hackers may also attack from many angles, including but not limited to a chain's innovative designs, its underlying architecture, and the P2P protocol layer.

Developer faults do not mean the TRON protocol is completely safe and reliable

The recent TRON DApp security issues are mainly developer issues. TRON officials also said that the contract security issues appeared in TRON DApps and have nothing to do with the protocol itself, and that the TRON protocol is completely safe and reliable.

Jiang Xuxian believes that the recent attacks are indeed developer problems, but that this does not show the TRON protocol is completely safe and reliable; whether the new public chain has chain-level security issues remains to be seen. Across the many DApp security incidents, the public-chain team could pay more timely attention to known DApp security issues, and at the same time actively consider what can be strengthened and improved at the public-chain level.

Some developers believe that because a public chain is an open-source community, developers' skill levels vary and so does DApp quality; the vulnerabilities EOS developers introduced will be introduced by TRON developers as well. Moreover, many DApps are not subject to any admission review, and the threshold is very low, so it cannot be ruled out that some DApps are malicious by design from the start.

Jiang Xuxian reminded users to try to participate only in reliable DApps. In the eyes of security researchers, almost every DApp has more or less security problems or hidden dangers. Users should therefore find out whether the DApp itself has considered corresponding security modules and response mechanisms, and whether the DApp contract has been independently audited by a third party, and follow the DApp's community or IM group to obtain relevant information and security updates in time, so that when a security incident occurs they can stop their losses promptly.

EOS leaderboard

The top three on the EOS chart in this issue are Hashbaby, Lore Free, and ENBank. EOS had 106,888 active users last week.

TRON leaderboard

The top three on the TRON chart in this issue are Gakex, TronWoW, and Bankroll. TRON had 33,145 active users last week.

ETH leaderboard

The top three on the ETH list in this issue are My Crypto Heroes, IDEX, and CDP Portal. ETH had 12,154 active users last week.

IOST leaderboard

The top three on the IOST chart in this issue are My Crypto Heroes, IOSTJoy, and IOSTROI. Just one month after the IOST mainnet launch, its DApp ecosystem is already very prosperous. In early April, IOST processed more transactions per day than Ethereum.

In addition, IOST has made new progress on Layer 2. On April 11, IOST said it will integrate the Layer 2 solution of the privacy-computing team ARPA to provide privacy protection and secure computation for the IOST public chain. Through secure multi-party computation (MPC), ARPA provides IOST's consumer (C-side) and enterprise (B-side) users with solutions for the secure flow of private data, based on cryptographic operations and blockchain, to promote the construction of the IOST ecosystem.

In the future, developers on IOST will be able to call the ARPA secure computation network to build DApps that guarantee user privacy. ARPA's short-term entry points are enterprise-level private data sharing, such as multi-party joint credit reporting in finance, joint KYC, multi-source joint risk control in insurance, sensitive information queries, and joint user profiling in big-data marketing. In the long term, the project will pursue business development on the B-side in finance, marketing, medical and other fields, as well as the exploration of personal data security management and monetization on the C-side, and a distributed KMS for wallets.