SheKnows | Thunderstorm, Attack, Vulnerability! What will protect you, my BTC?

This past February, an exchange collapsed, exchanges were attacked, a private key was stolen, and DeFi projects suffered both vulnerabilities and human error. This string of security incidents sounded an alarm for the management of blockchain projects.

On the afternoon of March 6, the SheKnows live room hosted a blockchain security special, inviting SlowMist Technology partner Qi Fu, Bitpie founder Wen Hao, and DDEX co-founder Wang Bowen to discuss blockchain security: looking for security in an insecure world.


Yesterday vs Today: Is the blockchain industry increasingly secure?

SheKnows: Is the blockchain industry more secure now than before?

Qifu: The essence of security is trust, the core of security is the confrontation between offense and defense, and the core of offense and defense is a contest of cost. Security is dynamic, and new security issues may be introduced as the business grows. Security is not absolute; there is never a 100% secure company or project. As the industry develops, we need to keep improving security awareness in order to effectively avoid more hacking incidents.

Wen Hao: Although hacking incidents, security incidents, and coin theft cases still happen to this day, compared to back then (the Mt. Gox era, for example) it is actually orders of magnitude safer. The specific reasons are as follows: 1. Cold wallet technology and solutions have made great progress; 2. More and more professional security teams have begun to appear; 3. Cryptocurrency companies (especially exchanges) are richer, and having more money also matters, because with money you can invest more resources in security. Although the industry is more secure, the security complexity facing it is many times higher. For example, smart contract security, multi-chain asset management, and so on have brought more challenges to the industry's security today. All of this requires everyone in the industry to work together.

Wang Bowen: The security of the blockchain industry is actually a black box. Every year, a different platform turns out to have been robbed. From the earliest Mt. Gox, to South Korea's Upbit losing 50 million US dollars, the Binance 7000-bitcoin attack, and FCoin's internal deficit, including some recent attacks on DeFi smart contracts, such as the bZx flash loan attack I analyzed last week and the SNX arbitrage. Every year the demand for smart contract security increases exponentially.

IOTA is stolen and whale loses coins. Should ordinary users be worried?

Background:

Event 1: A hacker exploited a vulnerability in IOTA's official wallet application Trinity to steal funds, after which IOTA officially announced the shutdown of the entire network.

Event 2: The giant whale known as "zhoujianfu" on the forum claimed to have lost 1547 BTC and nearly 60,000 BCH in a SIM card attack, reportedly while using the Blockchain.info service.

SheKnows: For Event 1, I saw SlowMist's earlier analysis concluding that a transaction module in the new version of the official wallet had a problem. Can you talk about that specifically?

Qifu: The cause is that third-party components were introduced into IOTA's official wallet, and those third-party components were then hacked, which indirectly affected many users of the official wallet and led to the theft of their private keys and passwords. By the losses calculated so far, about 8.55 million in IOTA was stolen, worth about 2.3 million US dollars. Technically, the IOTA official wallet has a built-in third-party transaction module, MoonPay, which is equivalent to having an exchange's functionality inside the wallet. The attacker stole and used MoonPay's Cloudflare API key to launch a man-in-the-middle hijacking attack, injected malicious JavaScript into the MoonPay JS file referenced by the IOTA wallet, and stole users' seeds, passwords, and so on.

SheKnows: What do you think about the Trinity wallet theft that caused the mainnet to be halted?

Wen Hao: Actually, it should be a problem with the MoonPay module. MoonPay is a third-party transaction module, a third-party service that helps overseas users buy and sell coins. Besides Trinity, other wallets also use MoonPay. The attacker used MoonPay's Cloudflare API key to carry out a series of hijacking attacks and injected malicious JavaScript code. A detailed report can be found in the SlowMist article. In fact, this is why the security ceiling of JavaScript wallets has been very low over the years.

SheKnows: The giant whale lost huge assets due to a SIM card attack. Will other ordinary users suffer this kind of attack? What kind of wallet is safe?

Qifu: The SIM card attack method is actually quite common, but you don't have to worry too much in China, because the domestic operators have been through all kinds of chaos in their early days, including insiders at the operators doing evil, and some cases we were involved with. With laws and regulation, nobody's mobile phone number will be easily copied by others. This phenomenon was quite common in our country about 10 years ago. However, foreign operators may not be as strong as ours. Everyone knows that the level of infrastructure in our country is very strong. Many overseas operators are privately run companies, and their technical strength is not necessarily that high; their internal protocols may be very old versions and their risk control management may be backward, and there have indeed been overseas cases of a mobile phone number being copied through social engineering and other methods.

Regarding the choice of a secure wallet, I think it has to be matched to the user's own level of familiarity. If a user has never dealt with blockchain before and has a small amount of money, I recommend hosting the assets on a world-renowned exchange and enabling its various two-factor authentication and login protection measures; if you have some understanding of blockchain and a corresponding understanding of decentralized wallets, you can choose an internationally well-known decentralized wallet, put the coins in it, and back up the mnemonic and private key offline; the third case is a large amount of funds with high security requirements, where you can choose an internationally renowned hardware wallet or a professional asset custody platform.

FCoin collapses, OKEx and Bitfinex are hit by DDoS: how secure are exchanges?

Background:

Event 1: The FCoin exchange stated that, due to funding difficulties, its capital reserve could not cover user withdrawals.

Event 2: Exchanges such as OKEx and Bitfinex frequently suffered DDoS attacks and related services were affected.

SheKnows: Do you have a new perspective on the "transaction is mining" model? What kind of impact will FCoin's collapse have on the exchange sector?

Wang Bowen: "Transaction is mining" is a model innovation, and many people took part in FCoin's trade-and-mine. This model is unsustainable because it artificially overdraws transaction demand, with the next day's proceeds overdrawn to pay for the previous day, so in essence it is a game of pass-the-parcel. FCoin's collapse and run are mainly caused by its imperfect internal accounting system and risk control system. The internal deficit is serious, and the final run is an internal problem of FCoin itself. This kind of problem will not happen with DeFi products, because all assets are public to everyone from day one. Everyone can see how many users there are, how much money each user has deposited, and how much they have borrowed, so the platform has no possibility of doing evil. Making all your accounts public to everyone from the first day is the best billboard for the security of DeFi funds.

SheKnows: Which exchanges are relatively secure? What security risks does a decentralized exchange (DEX) face?

Wang Bowen: Until an exchange is actually robbed, none of its security protection claims are falsifiable. And if exchanges open-sourced their hot and cold wallet management systems, hackers would also have a targeted way to attack them. Therefore, the best option may be to diversify risk and control your hot and cold wallets yourself. If you do not trust your own wallet management capabilities, you can spread assets across several of the oldest and most secure exchanges, such as Kraken and Coinbase.

As for the risks of a DEX, we put the security of smart contracts as the highest priority. We have cooperated with several industry-leading security audit firms, PeckShield and SECBIT. So far, we have executed 450,000 on-chain transactions on Ethereum without any security issues. We also cooperate with white hats in the industry through open bounty programs that give developers rewards for providing security leads.

bZx is attacked, Curve trades abnormally: is DeFi facing a crisis of trust?

Background:

Event 1: The DeFi project bZx was attacked twice. After the incident, the DeFi insurance platform Nexus Mutual honored a $31,000 user claim arising from the bZx incident.

Event 2: An abnormal transaction occurred on Curve, a decentralized stablecoin trading platform, in which USDC worth USD 89,000 was exchanged for BUSD worth USD 465,000. Some DeFi industry insiders speculate that the attack may be related to the Zap smart contract provided by the DeFi protocol iEarn.

SheKnows: Will the recent DeFi security incidents trigger a trust crisis in DeFi?

Qifu: DeFi's original intention was open finance, which lowered the threshold for people to conduct financial transactions. At the same time, supervision has become less stringent. Many things in DeFi are still in the exploration stage. At the beginning one will always encounter many unexpected things; this is inevitable, and there is no need to give up eating for fear of choking. DeFi still has a long way to go. What needs to be done at present is to fully learn the lessons of these security incidents, set up risk control mechanisms in the contract, and do a full security audit before the product goes online, to prevent such attacks from repeating themselves.

Wen Hao: I don't think DeFi security incidents will lead to a crisis of trust in DeFi, just as the DAO incident back then (which even led to the ETH fork) did not cause a crisis of confidence in the logic of smart contracts. Because this type of security incident is itself caused either by business logic or by smart contract security, you can't stop believing in DeFi just because something went wrong. If there is a loophole in the contract, change the contract; if there is a problem with the logic, then repair the logic; the foundation of DeFi itself is still the same. Of course, due to the complexity of blockchain and smart contracts, the security risks of working on this are many times higher and harder than in traditional software development. Therefore, developers must pay more attention to security, collaborate with excellent security teams like SlowMist, and strive to build more secure and reliable DeFi services.

Wang Bowen: bZx may be the most discussed DeFi attack recently. The hacker obtained 10,000 ETH through a flash loan and earned 1800 ETH. This is a very sophisticated financial engineering attack. In fact, the hacker played the game according to its rules, and his profit was permitted by all of those rules. Therefore it will not cause a crisis of trust in DeFi, and will only bring in more new participants, such as more security audits and more insurance products.

SheKnows: What is the difference between DeFi (Decentralized Finance) and CeFi (Centralized Finance) security issues?

Qifu: The difference between DeFi and CeFi security issues is actually very similar to the difference between centralized and decentralized exchanges. First, in terms of fund management, a centralized platform holds all users' assets, so its cold and hot wallet architecture and permission management are very important, and the requirements on its risk control system are also very high. Because decentralized platforms do not hold user funds in custody, there are fewer issues to consider in this regard. Second, there are security risks outside the system: whether centralized or decentralized, a platform will have a certain dependence on external resources (such as coin prices, oracle data, and so on). When an external system it depends on has an accident, whether that can be discovered and tolerated in time is also an important test.

Wen Hao: The security of DeFi is more a matter of smart contract security and business logic security. If there is a vulnerability in the smart contract code, the assets on top of it may be lost. However, as mentioned earlier, bZx was attacked twice through a logical defect that an attacker exploited. Here, flash loans are a very good idea and a good example of DeFi creativity, but if there are logical loopholes, then there are high risks. CeFi security doesn't need to worry about this; CeFi security is more similar to exchange security, because users store coins on the CeFi platform, and what you should mainly worry about is hackers stealing coins.

SheKnows: What kind of security risks does the DeFi project currently have?

Qifu: Summarizing the DeFi security incidents of recent years, we can find the following security risks: 1. Vulnerabilities and risks at the logical level of smart contracts; 2. Defects in business models (such as arbitrage); 3. Oracle problems; 4. Defective governance mechanisms.

SheKnows: How do you see the significance of DeFi insurance to the DeFi ecosystem?

Wang Bowen: DeFi is essentially inclusive finance. Inclusive finance has many segmented business scenarios in the modern financial market. For Buffett, his favorite investment target is the insurance industry, because the insurance business essentially collects money first and pays out later, so there are more options for how to better spread risk and increase returns. Many people don't understand DeFi and are unfamiliar with it; that is also because it is new and many people don't understand it yet. DeFi insurance is a way to increase the confidence of ordinary users.

$9.8 billion stolen in 3 years: how do ordinary users protect their assets?

Background:

The latest report from KPMG shows that hackers have stolen at least $9.8 billion in cryptocurrency since 2017. The security of digital assets is becoming increasingly important.

SheKnows: How should ordinary users protect their digital assets? If you find that your digital assets have been stolen, what action should you take immediately?

Qifu: Choosing a storage method that suits you is the key. If you unfortunately find that your digital assets have been stolen: if the assets were held on an exchange, you should first contact the exchange to investigate and analyze the reason for the theft; if the assets were in a decentralized wallet, it is likely that the private key or mnemonic was leaked. In that case you can contact SlowMist at hack@slowmist.com; our AML system can monitor and track the stolen assets and will try to block them when they enter a trading platform.

Wen Hao: Here, I can give you a few opinions on wallet protection:

1. Use a well-structured wallet solution with a good security reputation;
2. Be sure to keep your mnemonic safe;
3. Keep everyday coins in a hot wallet and large holdings in an open-source hardware cold wallet, and if a higher security level is needed, use encrypted accounts;
4. Manage coins held by several people with a hardware cold wallet plus multi-signature. There are many cases of coin loss of this type.

If you find that digital currency assets have been stolen, you should first contact the relevant companies in the industry as much as possible to see whether they can help you obtain more and more complete information, and then go to the police. Of course, all of this depends on the person who stole your coins being stupid enough to leave enough clues; otherwise it will be very difficult to recover them. In addition, SlowMist has an AML risk control system, and SlowMist also cooperates on risk control with wallets and exchanges including Bitpie. Therefore, it should also be reported to SlowMist and Bitpie as soon as possible, and everyone can see whether the transfer and exchange of the related assets can be stopped.

Wang Bowen: Many digital assets, once stolen, are simply gone, and few can be recovered. The only thing that can be done is to protect the assets beforehand: manage your hot and cold wallets, store them in different locations, store them in safes, and protect them from fire, water and fading ink.

SheKnows: In view of the current security environment of the blockchain, each guest is invited to offer their own suggestions.

Qifu: SlowMist's vision is to become the security infrastructure of the blockchain ecosystem. As a representative of the high-quality blockchain industry, SlowMist is currently working closely with the relevant national bodies to develop blockchain industry standards, national standards for blockchain technology, and national standards for blockchain security, contributing to the development of blockchain technology and the implementation of projects, and jointly guaranteeing the orderly and healthy development of China's blockchain industry. Only the continuous and healthy development of the industry can bring dividends to us early practitioners.

Wen Hao: With regard to the current security environment of the blockchain: I personally feel that companies in the industry still need to work together. Although I mentioned that the security level of the industry has improved a lot compared to back then, the truth is that it is still a long way from a really good security level, and there are still many things you can do to make the entire industry safer!

Wang Bowen: My suggestion is from the user's point of view, and it is also a golden saying in the industry: only an asset whose private key you own is your digital asset. I wish you all the best at mastering your private keys in 2020.