Blockchain vulnerability collection

1.

One of the characteristics of blockchain projects (especially public chains) is open source. Through open source code, to improve the credibility of the project, so that more people can participate. But the open source code also makes it easier for attackers to attack blockchain system. In the past two years, there have been a number of hacker attacks. Recently, the anonymous currency verge (xvg) was attacked again. The attacker locked a vulnerability in the xvg code, which allowed malicious miners to add false timestamps on the block, and then quickly dig out new blocks. In a few hours, the attacker obtained nearly $1.75 million worth of digital currency. Although the subsequent attack was successfully stopped, no one can guarantee whether the attacker will attack again in the future

of course, blockchain developers can also take some measures

one is to use professional code audit services,

the other is to understand the security coding specifications and take preventive measures

the security of cryptographic algorithm

with the development of quantum computer, it will bring a major security threat to the current cryptosystem. Blockchain mainly relies on elliptic curve public key encryption algorithm to generate digital signature for secure transactions. Currently, the most commonly used ECDSA, RSA, DSA, etc. can not withstand quantum attacks in theory, and there will be greater risks. More and more researchers begin to pay attention to cryptographic algorithms that can resist quantum attacks

of course, in addition to changing the algorithm, there is another way to improve the security:

refer to bitcoin's treatment of public key address to rece the potential risk of public key disclosure. As users, especially bitcoin users, the balance after each transaction is stored in a new address to ensure that the public key of the address where bitcoin funds are stored is not leaked

security of consensus mechanism

the current consensus mechanisms include proof of work (POW), proof of stake (POS), delegated proof of stake (dpos), practical Byzantine fault tolerance (pbft), etc

POW faces 51% attack. Because POW depends on computing power, when the attacker has the advantage of computing power, the probability of finding a new block will be greater than that of other nodes. At this time, the attacker has the ability to cancel the existing transaction. It should be noted that even in this case, the attacker can only modify his own transaction, but not the transaction of other users (the attacker does not have the private key of other users)

in POS, attackers can attack successfully only when they hold more than 51% token, which is more difficult than 51% computing power in pow

in pbft, when the malicious nodes are less than 1 / 3 of the total nodes, the system is secure. Generally speaking, any consensus mechanism has its own conditions. As an attacker, we also need to consider that once the attack is successful, the value of the system will return to zero. At this time, the attacker does not get any other valuable return except destruction

for the designers of blockchain projects, they should understand the advantages and disadvantages of each consensus mechanism, so as to select an appropriate consensus mechanism or design a new consensus mechanism according to the needs of the scene

security of smart contract

smart contract has the advantages of low operation cost and low risk of human intervention, but if there are problems in the design of smart contract, it may bring greater losses. In June 2016, the Dao, the most popular funding project of Ethereum, was attacked. The hacker obtained more than 3.5 million Ethereum coins, which later led to the bifurcation of Ethereum into Eth and etc

there are two aspects of the proposed measures:

one is to audit the security of smart contract, and the other is to follow the principle of smart contract security development

the security development principles of smart contract are: to be prepared for possible errors, to ensure that the code can correctly handle the bugs and vulnerabilities; Release smart contracts carefully, do well in function test and security test, and fully consider the boundary; Keep smart contracts simple; Pay attention to the threat intelligence of blockchain and check and update in time; Be clear about the characteristics of blockchain, such as calling external contracts carefully

security of digital wallet

there are three main security risks in digital wallet: first, design defects. At the end of 2014, a user lost hundreds of digital assets e to a serious random number problem (repeated r value). Second, the digital wallet contains malicious code. Third, the loss of assets caused by the loss or damage of computers and mobile phones

there are four main countermeasures:

one is to ensure the randomness of the private key

The second is to check the hash value before installing the software to ensure that the digital wallet software has not been tampered with

The third is to use cold wallet

The fourth is to back up the private key

2. Now there are many people doing his blockchain, and his loopholes make money. I think we can really make money, but her family should also choose through formal channels.

3.

Recently, Vulcan team of 360 company found a series of high-risk security vulnerabilities in EOS, a blockchain platform. It is verified that some of the vulnerabilities can remotely execute arbitrary code on EOS nodes, that is, they can directly control and take over all nodes running on EOS through remote attacks

In the early morning of May 29, 360 reported this kind of vulnerability to EOS official for the first time, and assisted it to repair the security risks. The person in charge of the EOS network said that the EOS network will not be officially launched until these problems are fixed

EOS super node attack: the virtual currency transaction is completely controlled

in the attack, the attacker will construct and publish a smart contract containing malicious code, and the EOS super node will execute the malicious contract and trigger the security vulnerability. The attacker then uses the super node to pack the malicious contract into a new block, resulting in the remote control of all nodes in the network (alternative super node, exchange recharge withdrawal node, digital currency wallet server node, etc.)

because the system of the node has been completely controlled, the attacker can "do whatever he wants", such as stealing the key of the EOS super node and controlling the virtual currency transaction of the EOS network; Obtain other financial and privacy data in the participating node system of EOS network, such as digital currency in the exchange, user key stored in the wallet, key user information and privacy data, etc

What's more, an attacker can turn a node in the EOS network into a member of a botnet, launch a network attack, or become a free "miner" to extract other digital currency

source: Science and Technology News

4. Personally, I think it's good for Tencent to lead the blockchain security, to realize the active detection and detection of public chain vulnerabilities, to weaken the trend of decentralization of blockchain, to strengthen the supervision of blockchain technology application, and to ensure the legal compliance of activities and transactions in the chain.

5. One of the characteristics of blockchain projects (especially public chains) is open source. Through open source code, to improve the credibility of the project, so that more people can participate. But the open source code also makes it easier for attackers to attack blockchain system. In the past two years, there have been a number of hacker attacks. Recently, the anonymous currency verge (xvg) was attacked again. The attacker locked a vulnerability in the xvg code, which allowed malicious miners to add false timestamps on the block, and then quickly dig out new blocks. In a few hours, the attacker obtained nearly $1.75 million worth of digital currency. Although the subsequent attack was successfully stopped, no one can guarantee whether the attacker will attack again in the future
of course, blockchain developers can also take some measures
one is to use professional code audit services,
the other is to understand the security coding specifications and take preventive measures
the security of cryptographic algorithm
with the development of quantum computer, it will bring great security threat to the current cryptosystem. Blockchain mainly relies on elliptic curve public key encryption algorithm to generate digital signature for secure transactions. Currently, the most commonly used ECDSA, RSA, DSA, etc. can not withstand quantum attacks in theory, and there will be greater risks. More and more researchers begin to pay attention to cryptographic algorithms that can resist quantum attacks
of course, in addition to changing the algorithm, there is another way to improve the security:
refer to bitcoin's treatment of public key address to rece the potential risk of public key disclosure. As users, especially bitcoin users, the balance after each transaction is stored in a new address to ensure that the public key of the address where bitcoin funds are stored is not leaked
security of consensus mechanism
the current consensus mechanisms include proof of work (POW), proof of stake (POS), delegated proof of stake (dpos), practical Byzantine fault tolerance (pbft), etc
POW faces 51% attack. Because POW depends on computing power, when the attacker has the advantage of computing power, the probability of finding a new block will be greater than that of other nodes. At this time, the attacker has the ability to cancel the existing transaction. It should be noted that even in this case, the attacker can only modify his own transaction, but not the transaction of other users (the attacker does not have the private key of other users)
in POS, attackers can only attack successfully when they hold more than 51% of the token, which is more difficult than 51% of the computing power in pow
in pbft, when the malicious nodes are less than 1 / 3 of the total nodes, the system is secure. Generally speaking, any consensus mechanism has its own conditions. As an attacker, we also need to consider that once the attack is successful, the value of the system will return to zero. At this time, the attacker does not get any other valuable return except destruction
for the designers of blockchain projects, they should understand the advantages and disadvantages of each consensus mechanism, so as to select an appropriate consensus mechanism or design a new consensus mechanism according to the needs of the scene
security of smart contract
smart contract has the advantages of low operation cost and low risk of human intervention, but if there are problems in the design of smart contract, it may bring great losses. In June 2016, the Dao, the most popular funding project of Ethereum, was attacked. The hacker obtained more than 3.5 million Ethereum coins, which later led to the bifurcation of Ethereum into Eth and etc
there are two aspects of the proposed measures:
one is to audit the security of smart contracts, and the other is to follow the principles of smart contract security development
the security development principles of smart contract are: be prepared for possible errors to ensure that the code can correctly handle the bugs and vulnerabilities; Release smart contracts carefully, do well in function test and security test, and fully consider the boundary; Keep smart contracts simple; Pay attention to the threat intelligence of blockchain and check and update in time; Be clear about the characteristics of blockchain, such as calling external contracts carefully
security of digital wallet
there are three main security risks in digital wallet: first, design defects. At the end of 2014, a user lost hundreds of digital assets e to a serious random number problem (repeated r value). Second, the digital wallet contains malicious code. Third, the loss of assets caused by the loss or damage of computers and mobile phones
there are four main countermeasures:
one is to ensure the randomness of the private key
the second is to verify the hash value before software installation to ensure that the digital wallet software has not been tampered with
the third is to use cold wallets
the fourth is to back up the private key.

6.

On June 8, 360 exposed the high-risk vulnerability of EOS, which caused a lot of hot discussion among networks. In the early morning of June 2, Beijing time, EOS officially acknowledged to the 360 security team and offered a reward of US $30000, strongly calling on the security community to work together to ensure the continuous improvement of EOS software security

360 exposed EOS vulnerability, if exploited, can control every node and every server in the EOS network, not only take over the virtual currency, various transactions and applications in the network, but also take over all participating servers in the node. It can be said that if someone makes a malicious smart contract, all the digital currencies in it can be taken away directly

the attack of EOS vulnerability can spread among multiple nodes and super nodes at the speed of seconds. The continuous propagation from the control node to the generation of new blocks is a continuous and chain explosion action. It is likely to take over all nodes and complete the operation in 20 seconds

imagine that when the attacker has obtained the supreme authority in the entire EOS network, it is equivalent to mieba putting together all six cosmic protoliths, and can change rapidly in the universe and do whatever he likes

source: China News

7. It's not true. Money won't fall from the sky. Don't think too much. If you can make money by wechat, you will know these routines.

8.

It was reported on May 29 that recently, Vulcan team of 360 company found a series of high-risk security vulnerabilities in EOS, a blockchain platform. It is verified that some of the vulnerabilities can remotely execute arbitrary code on EOS nodes, that is, they can directly control and take over all nodes running on EOS through remote attacks

the hidden dangers of blockchain network security need to be paid attention to

EOS is a new blockchain platform known as "blockchain 3.0". At present, its token market value is as high as 69 billion yuan, ranking fifth in the global market value

in the blockchain network and digital currency system, nodes, wallets, mines, exchanges and smart contracts all have many attack surfaces. 360 security team has found and exposed several serious security vulnerabilities for digital currency nodes, wallets, mines and smart contracts

this time, the 360 security team found a series of new security vulnerabilities in the smart contract virtual machine of EOS platform, which is a series of unprecedented security risks. No security researchers have found such problems before. This type of security problem not only affects EOS, but also may affect other types of blockchain platforms and virtual currency applications

360 expressed the hope that through the discovery and disclosure of this vulnerability, the blockchain instry and security peers will pay more attention to the security of such issues, and jointly enhance the security of the blockchain network

content source: surging news

9. More than 10000 people have been cheated by the block linkage in the circle of friends. So, you must be careful on the network. You can think of a way to see if it is useful

10. "Aggression" is a traditional RTS style game, players should be able to collect, build, proce, expand and other basic tasks, together with the formation of their own experience of power and aggression against others. So how to get resources in the game? The following small series for you to bring a detailed explanation of the aggressive mining system, players in need to take a look at it, I hope to help you.