Smart contracts allow trusted transactions without third parties, and those transactions are traceable and irreversible. So what security issues arise in smart contract programs? What should be done when a security problem occurs? And how can formal verification provide "military-level" security verification for smart contract programs and improve the security of smart contract code?
On the evening of May 30th, Yang Xia, the founder and CEO of Chengdu Chainan Technology, a security partner of the Ant Blockchain Innovation Competition, who holds the title of “Woman Hero” in the field of blockchain security, discussed these questions in the contest's live broadcast. The program also covered how to build a security ecosystem with the Ant Blockchain BaaS platform.
The data shows that losses caused by security incidents from 2011 to 2018 amounted to $4.2 billion, of which 1/3 were caused by smart contract security incidents, which shows how serious the smart contract security problem is. With the massive growth of blockchain applications, potential security issues cannot be ignored.
Taking Ethereum as an example, there are dozens of categories of smart contract security vulnerabilities, with more than 30 subcategories.
The original intention of a smart contract is to establish a basis of trust between people. If the contract's own security and functionality are not guaranteed, the program is hard to trust. How to effectively solve the security problem of smart contracts is a question that deserves further discussion in the industry.
As a company specializing in blockchain security, Chengdu Chainan Technology uses formal verification to perform one-click security testing of smart contracts.
Formal verification is the use of mathematical methods to prove a system correct or incorrect with respect to one or more formal specifications or properties. It is a systematic process that uses mathematical reasoning to verify that the design intent (the user's functional requirements) is properly realized in the implementation (the smart contract).
Previously, formal verification was often used to verify the functional correctness and safety of critical programs in aerospace and military control systems, to ensure that the system was certified to the most demanding safety levels. Since blockchain systems involve a large volume of capital transactions, it is crucial to use formal verification techniques to provide "military-level" security detection for blockchain system code.
In terms of code security detection, the opposite of formal verification is "testing."
The downside of testing is that it cannot be exhaustive: it can only show the bugs that are found, and can never prove that bugs do not exist. Formal verification is a proof by mathematical reasoning, which guarantees that security problems of the specified properties do not exist, and can prove whether the program correctly meets its functional requirements and design goals.
Formal verification usually takes three steps:
The first step is to establish a formal specification of the system's functional requirements and design. The second step is to formalize the code implementation, including a formal description of the state of the system and of what each function does, together with the preconditions and postconditions that each function must satisfy. The third step is to use a theorem prover (proof assistant) to prove that the code implementation correctly satisfies the formal specification, establishing whether the functionality meets expectations.
In practice, however, these steps involve a lot of manual work, so efficiency is very low and the cost is very high.
According to Yang Xia, when she was doing formal verification for the military field, the work was charged by the number of lines of code. When formal verification was done for a blockchain system, manually verifying a 600- to 700-line smart contract took about a week.
Obviously, this cannot meet engineering needs. To this end, after nearly two years of research and development, Chengdu Chainan Technology has launched the automatic formal verification platform VaaS, which can model the code automatically and prove it automatically.
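The three steps in miniature, as an added example that is not code from the article or from VaaS: a token transfer is specified with a precondition and a postcondition, modeled twice, and checked on every state of a 4-bit word (a constructed stand-in for uint256), with exhaustive enumeration standing in for the theorem prover. All function names are assumptions of this example.

```python
from itertools import product

W = 4                      # word width; constructed stand-in for uint256
MAX = (1 << W) - 1

# Step 1: formal specification as a precondition and a postcondition.
def pre(src, dst, amount):
    return amount <= src and dst + amount <= MAX

def post(old, new, amount):
    src, dst = old
    if pre(src, dst, amount):
        return new == (src - amount, dst + amount)
    return new == old      # a rejected transfer must leave state unchanged

# Step 2: two models of the implementation over W-bit words.
def transfer_unchecked(src, dst, amount):
    # Bug: no balance check, and arithmetic wraps like unchecked uint math.
    return ((src - amount) & MAX, (dst + amount) & MAX)

def transfer_checked(src, dst, amount):
    if amount > src or dst + amount > MAX:
        return (src, dst)  # revert
    return (src - amount, dst + amount)

# Step 3: check the postcondition on every state (stands in for the prover).
def verify(impl):
    for src, dst, amount in product(range(MAX + 1), repeat=3):
        if not post((src, dst), impl(src, dst, amount), amount):
            return (src, dst, amount)   # first counterexample
    return None

# Testing, by contrast: hand-picked cases that exercise only valid transfers.
def sample_tests_pass(impl):
    cases = [(5, 0, 5), (10, 3, 2), (7, 7, 0)]
    return all(post((s, d), impl(s, d, a), a) for s, d, a in cases)

if __name__ == "__main__":
    for impl in (transfer_unchecked, transfer_checked):
        print(impl.__name__, "tests pass:", sample_tests_pass(impl),
              "counterexample:", verify(impl))
```

Both models pass the three hand-picked tests, but the exhaustive check returns the counterexample `(0, 0, 1)` for `transfer_unchecked`: an empty account whose balance wraps around to the maximum value.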
When VaaS verifies a smart contract, the work is divided into two parts: security property verification and functional correctness verification.
For security property verification, the smart contract code is first modeled automatically, and the model is then checked for the security vulnerabilities conventional in smart contracts.
For functional correctness verification, manual participation is required, and the industry has not yet reached the point of doing without human participation. In functional correctness verification, VaaS abstracts the user's code and functions and automates their description. A formal verification expert then defines the preconditions and postconditions, and a proof assistant is used to carry out the proof.
With these two foundations, one-click automated formal verification can be achieved.
According to Yang Xia, VaaS is the most advanced formal verification product in the world. It supports multiple blockchain platforms such as Ethereum, Fabric, BCOS, and Ant BaaS, its accuracy rate can reach over 95%, and its one-click automation can pinpoint vulnerabilities and their location in the code.
In addition, Chengdu Chainan Technology also launched the Eagle Eye Eagle Emotional System (Beosin Eagle Eye), which uses big data and artificial intelligence to provide real-time security warning and monitoring of data and assets on the blockchain, protecting the safety of users' assets. It also launched a smart contract development platform (Beosin IDE), which provides a customized smart contract development environment for blockchain platforms.
It can be seen that Chengdu Chainan Technology has built an integrated and complete protection system from blockchain development and safety detection to operational safety monitoring.
With its strong technical strength in the field of blockchain security, Chengdu Chainan Technology has won the favor of major companies, and experts at Ant Blockchain could not help but praise it:
“It’s no exaggeration to say that your safety products are indeed the best in the world!”
Chengdu Chainan Technology has also successfully become a security partner of the Ant Blockchain Innovation Competition. It has customized an automated formal verification platform for smart contracts for the Ant BaaS platform. The platform can detect routine security problems in one click and provides in-depth security audits and services for blockchain applications on the Ant BaaS platform.
According to Yang Xia, this new platform is expected to be developed in June and will then be hosted on the Ant BaaS platform.
At the same time, on June 6, Chengdu Chainan Technology participated in the Chengdu road show of the Ant Blockchain Innovation Competition (event registration link: https://www.huodongxing.com/event/3494458774400 ). Anyone interested in blockchain is welcome to use the Ant BaaS platform for blockchain application development, and can scan the QR code below to join the group chat.