Popular Science | Blockchain Security Getting Started Notes

As more and more people participate in the blockchain industry, the new vitality of the industry, as well as the lack of relevant knowledge and lack of security awareness, gives attackers more opportunities. In the face of frequent security incidents, Slow Fog introduced the blockchain security entry notes series to introduce the blockchain security related terms to let the novices adapt to the block network crisis security world!

Series review:

Blockchain Security Getting Started Notes (1) | Slow Mist Science

Blockchain Security Getting Started Notes (2) | Slow Mist Science

Blockchain Security Getting Started Notes (3) | Slow Mist Science

Blockchain Security Getting Started Notes (4) | Slow Mist Science

Blockchain Security Getting Started Notes (5) | Slow Mist Science

 

Smart Contract Smart Contract

Smart Contract is not a new concept. As early as 1995, cross-disciplinary legal scholar Nick Szabo proposed that smart contracts are a set of promises defined in digital form, including where contract participants can execute. These promised agreements. In the field of blockchain, the essence of smart contract can be said to be a piece of code running in a blockchain network. It realizes the automatic processing of traditional contracts by computer instructions and completes the business logic given by users.

With the increasing number of blockchain smart contracts, there are more and more security issues exposed. Attackers can often exploit the vulnerability intrusion system to cause huge losses to smart contract users. According to SlowMist Hacked, only ETH is currently available. The losses on the three chains of EOS and TRON due to the attack of smart contracts are as high as $126,883,725.92 . The same attack features are more likely to be successful and cross-chain. We will introduce some in recent years. Common smart contract attack techniques.

Deal Rollback Attack Roll Back Attack

Roll Back Attack, hence the name, refers to the ability to roll back the status of a transaction. What does it mean to roll back specifically? Rollback specifically refers to restoring a state that has already occurred to what it did not happen. Then, the transaction rollback means to change the transaction that has already occurred into an unoccurring state. That is, the attacker has already had a payment action, but by some means, the transfer process has an error, thereby rolling back the entire transaction process and achieving the purpose of transaction rollback. This attack method is mostly caused by the smart contract on the blockchain. In the game, when the user's betting action and the contract's lottery action are within one transaction, that is, inline trading. The attacker can detect the certain status of the smart contract when the transaction occurs, learn the lottery information, and choose whether to roll back the bet transaction according to the lottery information.

This attack technique was often used on the EOS DApp in the early days, and then gradually spread to other public links such as the wave field. Up to now, 12 DApps have been attacked. The slow fog security team recommends that developers not put the user's bet and draw. In the same transaction, the attacker is prevented from realizing the transaction rollback attack by detecting the lottery status in the smart contract.

Trading Clash Attack Transaction Congestion Attack

Transaction Congestion Attack is an attack method for EOS on the game contract that uses Defer to draw prizes. The attacker can send a large number of defer transactions before the defer lottery transaction of the game contract by some means, malicious encroachment. The CPU resources in the block make the defer lottery transaction that should be executed in the specified block within the smart contract cannot be executed due to insufficient resources, and can only be executed until the next block. Since many game intelligence contracts on EOS use block information as the random number of the smart contract itself, the execution results of the same defer lottery transaction in different blocks are different. In this way, when the attacker knows that he can't win the prize, he will force the smart contract to re-open the prize by sending a large number of defer transactions, thus achieving the purpose of attack.

The attack was first discovered when the hacker loveforlover launched an attack against EOS.WIN. Then the same attack method was successfully obtained several times. According to SlowMist Hacked, there were 22 quiz DApps in 2019, thus losing a lot of money. Slow fog security team It is recommended that smart contract developers not use defer transactions for key operations that perform differently in different blocks, reducing the risk of contract attacks.

Random number attack Random Number Attack

Random Number Attack is an attack against the random number generation algorithm of smart contracts to predict the random number of smart contracts. At present, many games on the blockchain use the information on the chain (such as block time, future block hash, etc.) as the random number source of the game contract, also called the random number seed. A random number generated using such a random number seed is called a pseudo random number. Pseudo-random numbers are not really random numbers and there is a possibility of being predicted. When a random number is generated using a predictable random number seed, once the algorithm for generating the random number is guessed by the attacker or obtained by other means such as reverse, the attacker can predict the upcoming game according to the random number generation algorithm. Random numbers, to achieve random number prediction, to achieve the purpose of the attack.

On November 11, 2018, the attacker launched a continuous random number attack on EOS.WIN, which earned a total of 20,000 EOS. The slow fog security team recommended that smart contract developers use secure random number sources as contract random numbers, such as Use the random number seed in the chain to generate random numbers to upload to the chain, reducing the risk of the contract being attacked.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!

Share:

Was this article helpful?

93 out of 132 found this helpful

Discover more

Market

Exploring the evolution of the stablecoin market structure: Why can USDT always dominate the first place?

Stablecoin competition is an endless topic, as the industry struggles in its second decade, hoping that the market ca...

Blockchain

Discussing the SEC's lawsuit against Binance: Years of regulatory balance disrupted, optimistic about the final outcome

Currently, the SEC and Binance's feud only reflects one fact: the imbalanced "ambiguous" regulatory relationship in t...

Market

Interview with Circle CEO by Fortune What role does stablecoin play in the cryptocurrency market?

This article discusses the differences between the cryptocurrency crash in 2022 and the late 1990s internet bubble, t...

Policy

FTX's Big Sell Grayscale and Bitwise Assets On the Market for $744M

FTX creditors have requested approval from an investment advisor for the sale of trust assets and related procedures.

Blockchain

Why is the bitcoin trading volume of Korean first-tier exchanges difficult to recover?

Source: LongHash As the country with the third-largest crypto exchange in daily trading volume (after the United Stat...

Opinion

US SEC Chairman's pessimistic tone: Cryptocurrency businesses often non-compliant, filled with opacity and risk

During a Q&A session at the 27th annual Financial Markets Conference held by the Federal Reserve Bank of Atlanta ...