Popular Science | Blockchain Security Getting Started Notes (2)

Although more and more people are involved in the blockchain industry, because many people have not touched the blockchain before, and have no relevant security knowledge, the security awareness is weak, which makes it easy for attackers. There is space to drill. In the face of numerous security issues in the blockchain, Slow Fog has launched a blockchain security entry notes series to introduce ten blockchain security related terms, so that novices can adapt to the security of the blockchain crisis.

Series review:

Blockchain Security Getting Started Notes (1) | Slow Mist Science

Public Block Public Blockchain
Public Blockchain (referred to as the public chain) refers to the consensus blockchain that anyone in the world can read at any time, anyone can send a transaction and can obtain valid confirmation. The public chain is generally considered to be completely decentralized. The data on the chain is open and transparent, and cannot be changed. Anyone can read and write data through trading or mining. Tokens are generally used to encourage participants to compete for accounting to ensure data security. Because the workload of detecting all the public chains is very large, it is impossible for a company to monitor the entire blockchain ecological security problem, which makes it very likely that hackers will find loopholes in many public chains. On April 1, 2017, Stellar experienced an inflation loophole that an attacker used to create the 2.25 billion Stellar cryptocurrency XLM, which was worth about $10 million.

Image courtesy of SlowMist Hacked
Exchange Exchange
Similar to stock exchanges that buy and sell stocks, blockchain exchanges are platforms for the trading of digital currencies. Digital currency exchanges are further divided into centralized exchanges and decentralized exchanges. Decentralized exchanges: Trading behavior occurs directly on the blockchain, and digital currencies are sent directly back to the user's wallet or to smart contracts that are stored on the blockchain. The advantage of trading directly on the chain is that the exchange does not hold a large amount of digital currency for the user, and all digital currencies are stored on the smart contract of the user's wallet or platform. Decentralized transactions are decentralized at the level of trust through technical means. It can be said that there is no need for trust. Each transaction is transparent through the blockchain. It is not responsible for keeping the user's assets and private keys. The ownership of the user funds is completely In my own hands, I have very good personal data security and privacy. Currently decentralized trading on the market, all WhaleEx, Bancor, dYdX and so on.

Centralized exchanges: Most of the current hot exchanges are exchanges that use centralized technology. Users usually register on the platform and after a series of identity authentication procedures (KYC), they can start trading digital currency on it. . When a user uses a centralized exchange, the currency exchange does not necessarily occur on the blockchain. Instead, the user may only modify the asset numbers in the exchange database. What the user sees is only the change in the number on the book. Prepare sufficient digital currency for remittance when the user withdraws money. Most of the current mainstream transactions are completed in the centralized exchanges. Currently, the centralized transactions on the market are all currency, fire, OKEx and so on.

As the exchange is the hub of the connected blockchain world and the real world, it stores a large amount of digital currency, which is very easy to become the target of hackers. Up to now, the global digital currency exchange has suffered losses of more than 2.9 billion dollars due to security problems. (Data source SlowMist Hacked).

Image courtesy of SlowMist Hacked
In the field of digital currency, the pace of attack by the attackers has never stopped. Under the fierce attack and defense confrontation, the defensive side is absolutely weak, and its attack methods are various. We will introduce them in the following articles. Professional hackers often open targeted attacks on digital currency exchanges. Therefore, the slow fog security team recommends that all exchanges strengthen security construction, and do a good job in risk control and internal control security, so as to: "early detection, early warning, early stop loss." For related exchange defense suggestions, please refer to: "Slow fog red alarm: exchange hacked defense recommendations"

Node Node
In the traditional Internet field, all data running of an enterprise is concentrated in a centralized server, and this server is a node. Since the blockchain is a decentralized distributed database, it is composed of thousands of "small servers". Each node in the blockchain network is equivalent to every computer or server that stores all block data. The production of all new blocks, as well as the verification and accounting of transactions, and broadcasting them to the entire network are all done by the nodes. The nodes are divided into "all nodes" and "light nodes". The whole node is the node that owns all the transaction data of the whole network, then the light node is only the transaction data node related to itself. Since every whole node retains the entire network data, which means that one of the nodes has problems, the entire blockchain network world can still operate safely, which is also the charm of decentralization.

Remote Procedure Call (RPC) is a computer communication protocol. The Ethereum RPC interface is a window in which Ethereum nodes interact with other systems. Ethereum provides various RPC calls: HTTP, IPC, WebSocket, and so on. In the Ethereum source code, server.go is the core logic responsible for the injection of API services, as well as request processing and return. Http.go implements HTTP calls, websocket.go implements WebSocket calls, and ipc.go implements IPC calls. The Ethereum node provides a JSON RPC interface by default on the 8554 port. The data transmission is in JSON format. It can execute various commands of the Web3 library and provide information on the blockchain to the front end (for example, wallet clients such as imToken and Mist).

Ethereum Black Valentine's Day Vulnerability ETH Black Valentine's Day
On March 20, 2018, the Slow Mist Security team observed an automated attack on the counterfeit currency. The attacker used the Ethereum node Geth/Parity RPC API to identify the defect and maliciously called eth_sendTransaction to replace the coin for two years. The value of the stolen and unreturned Ethereum is as high as $20 million (based on the current ETH market value) and there are 164 token types. The total value is difficult to estimate (many tokens are not yet officially traded on the exchange). issued).

Through the MOOZ system unique to the Slow Fog Safety Team, about 4.2 billion IPv4 spaces were scanned and detected. More than 10,000 Ethereum nodes were exposed on the public network and the RPC API was opened. These nodes all have a high risk of being directly attacked by money. This automated piracy attack, implemented using Ethereum RPC authentication flaws, has caused very serious economic losses to users worldwide.

Vulnerability details and fixes can be clicked:

A billion-dollar coin theft case caused by the ecological defects of Ethereum

Ethereum Black Valentine's Day Event Statistics and New Attack Methods

Note: This series of articles has been released simultaneously on imToken Fans, Coin, Babbitt, Planet Daily, Seebug, FreeBuf, Security, Coin World, Mars Finance, 哔哔News, Unitimes and other platforms.