Difficulties and Solutions to Blockchain Security in Accidents

Source / Chain Catcher, the original title "Difficulties and Solutions to Blockchain Security in Accidents"

Author / Hu Tao

Unauthorized, declined to reprint

Looking at the security situation of the blockchain industry over the past year, there have been major security incidents almost every month. On-chain assets worth more than 10 billion have been stolen in different ways by the perpetrators. The main types include the underlying code of the public chain. Defects, DApp contract code defects, theft of private keys, running money with money, etc.

As crypto assets have become more and more important in the global financial system, they will inevitably attract the attention of more hackers. The security offensive and defensive battles faced by blockchain projects will become more frequent and difficult, but this is also an opportunity for the industry .

2019 is a significant year for the blockchain industry. Many governments and corporate giants have begun to devote more attention and resources to blockchain technology for the practical application of future blockchain technology in more scenarios. Create a relatively friendly environment.

However, before truly moving towards large-scale applications, the blockchain industry still has many real-life problems that need to be discussed and resolved, including security issues. As an emerging industry aiming to challenge the existing financial industry, the security of the blockchain industry is one of the most important factors affecting its own prospects. If there is negligence in security issues, it will likely cause it sooner or later. There was a short-term crash in the industry.

Looking at the security situation of the blockchain industry in the past year, there have been major security incidents almost every month. Chain assets worth more than tens of billions of dollars have been stolen in different ways by hackers or perpetrators. The main types include The underlying code of the public chain is defective, the DApp contract code is defective, the private key is stolen, and the funds are running away.

First on January 5 last year, Ethereum Classic suffered multiple 51% hashrate attacks, and 88,000 ETCs were used for double spending. During the same period, many spinach DApp games on EOS and TRON began to suffer frequent replay attacks, random number attacks, and blocking attacks by hackers due to weak contract code security. Since then, they have continued to occur throughout the year, resulting in contract development. The users and users suffered huge losses, such as the theft of 180 million BTT from TRON's BTTBank game contract, the tens of thousands of EOS from EOS application EOSDice, and the theft of more than 20,000 EOS from Poker EOS. According to Chengdu Chainan's statistics, there have been more than 100 smart contract vulnerabilities in the blockchain industry in 19 years, and total hacked losses have exceeded $ 10 million.

In March 19, assets were stolen from multiple exchanges such as DragonEx, Bithumb, and Biki. Among them, DragonEx lost a total of more than $ 6 million in digital assets. The reason for the theft was that the exchange's customer service obtained and opened it from a stranger. A backdoor installation package was bundled. Hackers used this backdoor to gain access to internal personnel to penetrate the internal network and successfully obtain the private key of the digital currency wallet. Bithumb was because of the layoffs of employees who had stolen EOS assets worth more than 18 million US dollars.

In May 19, Binance stole 7,000 bitcoins from Binance's hot wallet due to security vulnerabilities using phishing, viruses and other attack methods, with a total loss of 41 million U.S. dollars. In 18 years, Binance has encountered security problems caused by hacked API interfaces. Hackers have used Binance user assets to significantly increase the prices of small currencies such as SYS and VIA to achieve the purpose of arbitrage on other exchanges.

In the following June-July, wallets such as Plustoken Wallet, Polka Dot Wallet, MGC Wallet and other wallet projects have been running. These wallets used high interest to attract investors to store a large amount of assets in their own place, but the incident happened. Almost all the assets stored by investors afterwards could not be taken out. The amount of the Plustoken wallet involved was reportedly as high as tens of billions. Although some of the people involved were arrested by the police later, the encrypted assets that were taken away were suspected to have not been recovered.

From August to September, the Bitcoin wallet Electrum was hacked twice. According to statistics from various sources, at least 1,450 BTC were stolen by counterfeiting Electrum upgrade prompts, which was worth $ 11.6 million at the time. In November, the well-known South Korean exchange Upbit Exchange was hacked and 343,000 ETH were stolen, which was worth about 50 million US dollars at the time.

In December, a number of public chain projects encountered the embarrassment of asset theft. First, VeChain announced that it had been hacked on the 14th, and stolen 1.1 billion VET tokens, valued at $ 6.4 million. On the 20th, the official account of the NULS public chain was 2 million NULS tokens were stolen with a code defect at the bottom of the chain, and the loss was more than $ 500,000. It is embarrassing that both have previously stated that the code has undergone a third-party code security audit.

In the same month, the public chain IOTA main network experienced a split in consensus and could not be updated. TPS was close to 0. Vertcoin suffered a 51% attack. The attacker successfully replaced its 603 VTC main chain blocks with its 553 blocks, causing the project to lose $ 100,000.

From the foregoing summary, it is not difficult to see that the blockchain industry in 19 years has continuously staged various security incidents, and many of them have many well-known exchanges, revealing that many blockchain companies and projects have serious problems in crypto asset storage and the development of the underlying architecture. The problem.

However, the good news is that almost none of these security incidents pose an overall threat to the blockchain industry. The mainstream blockchain networks such as Bitcoin and Ethereum are also relatively stable. There may be only one incident that is considered a major threat. That is, Google announced in September this year that it would realize "quantum hegemony."

According to analysis, due to the use of the quantum superposition principle, quantum computers will exceed the limits of existing traditional information systems in terms of increasing information capacity, increasing computing speed, and ensuring information security. Its computing speed can reach "hundreds of millions of times" of traditional computers. . According to reports, Google's quantum computer Sycamore takes 3 minutes and 20 seconds to complete a specific computing task, and the fastest supercomputer in the world currently takes 10,000 years.

As a result, many voices believe that the elliptic curve encryption algorithm supporting the blockchain technology will be easily broken by quantum computing, and make the public and private key mechanism of the blockchain no longer able to effectively protect user assets. The blueprint for technological development will be destroyed by quantum computing.

However, some people in the industry pointed out that Google ’s statement was not reliable. Zhao Dong stated that quantum computers must crack the elliptic curve algorithm of bitcoin. It is necessary to operate more than 100,000 qubits. At present, Google ’s quantum computer can operate. Dozens, and the technical difficulty rises with the power of operand 2, so quantum computers still have a long time to break through the Bitcoin encryption algorithm.

But I have to admit that quantum computing, like the "Sword of Damocles" in the blockchain industry, is always a potential threat hanging on the head, which means that blockchain and encryption with "quantum resistance" The algorithm will have significant needs in the future, and industry professionals need to make breakthroughs as soon as possible.

Compared to distant quantum computing, the more realistic and urgent problem is the security of public chains and exchanges at the contract, agreement, and node levels. On the one hand, it is necessary to better protect asset security, and on the other hand, to better protect The stability of DApp services improves public confidence in the security of blockchain technology.

In the face of these security incidents, the solution is nothing more than two paths. One is to prevent in advance. All parties need to sum up experience and continuously improve potential vulnerabilities. For example, do not deliberately transform the industry's mature algorithms and architecture in order to pursue new concepts and new models. Use algorithms proven in academic circles or code libraries that have been extensively verified by engineering; promote the development of industry standards for encrypted asset storage, and those who are not eligible should cooperate with third-party asset custody service providers; strengthen the electronics of sensitive positions in daily operations Equipment security management further standardizes asset storage processes.

At the same time, the blockchain project should also make full use of external forces to strengthen the audit of the underlying code. Slow fog technology also pointed out that the blockchain project should issue a bounty program for security vulnerabilities. When hackers discover security issues, there is a channel for feedback. If there is no such channel, hackers will be more inclined to use vulnerabilities to attack the public chain instead of Find a way to contact the project party to feedback the problem.

Another type of path is after-the-fact remediation, combining the industry's multiple parties to freeze and recover assets, and squeeze the hacker's motive for attack by compressing the hacker's realizing space . As all the circulation information of the assets on the blockchain is traceable, after the address of the asset stolen by the hacker is disclosed by the stolen party, the exchange and other aspects will easily lock the digital asset and conduct on-chain flow combing and analysis. Frozen after transferring assets.

For example, in March of this year after the Korean Bithumb Exchange stole about $ 18 million worth of crypto assets, it immediately explained the situation to the cooperative exchanges and the police and maintained communication. Since then, many exchanges such as Huobi, KuCoin, ChangeNOW, etc. The assets related to Bithumb's stolen address were frozen, and ChangeNOW further stated that it had deposited these stolen assets into a secure cold wallet in accordance with instructions from law enforcement agencies. Although Bithumb did not announce the value of the recovered assets, in the theft of June 18, Bithumb announced that the value of the stolen assets of $ 31 million had been recovered by $ 14 million.

Although other stolen exchanges rarely disclose such information, it is not difficult to infer from the case of Bithumb that most mainstream exchanges have reached a consensus on cooperation and a substantial link to the issue of asset theft, which will make the assets stolen by hackers realizable. The channel is relatively tightly controlled, but if the hacker does not transfer the stolen assets to a centralized exchange, the outside world is still helpless in most cases, and with the further development of the DiFi industry, the hacker may also use mortgages, decentralized transactions, etc. Get more monetization channels.

The foreseeable solution lies in a hard fork. The public chain team can call on all nodes to upgrade and implement a hard fork on the main network to make the stolen assets "ineffective". For example, in December this year, NULS had a team account of more than 3.6 million yuan. After the assets are stolen, each node is notified to upgrade and hard fork. The remaining assets that have not been transferred to the exchange are no longer recognized by the new chain, and they have recovered more than 2.7 million yuan in losses for themselves. Earlier in 2016, Ethereum also implemented a hard fork due to the theft of The DAO project assets.

However, there is no precedent for a hard fork of a public chain due to the theft of exchange assets. This year, Zhao Changpeng issued a document when Binance stolen 7,000 BTC, saying that Binance would consider block reorganization / transaction rollback, etc. The method of recovering the stolen amount has caused an uproar and unanimous opposition in the industry. It can be seen that the fork and rollback of the blockchain is not very applicable in the scenario of asset theft.

In general, as crypto assets have become more and more important in the global financial system, they will inevitably attract the attention of more hackers. The security offensive and defensive battles faced by blockchain projects will become more frequent and difficult. The industry is also a good opportunity to prove its reliability and security in the global technology field with higher requirements and investment.