Ethereum's big vulnerability: hackers have stolen more than 20 million billion US dollars, and more than 10 thousand nodes can be cracked, more than 20 million

Ethereum's big vulnerability: hackers have stolen more than 20 million billion US dollars, and more than 10 thousand nodes can be cracked, more than 20 million

Ethereum's big vulnerability: hackers have stolen more than 20 million billion US dollars and more than 10 thousand nodes can be cracked. On June 19, March 20, the security company's slow fog Technology issued a warning that hackers were exploiting ethereum's ecological defects, using machines to automatically steal ethereum accounts on the Internet, as of January 1, 207, the account balance was worth about $20 million. In addition to ethereum, the hacker's wallet account has 164 types of other tokens, because many of them are not listed and their values cannot be measured.

According to the slow fog scan results, there are still more than 10 thousand ethereum nodes around the world at a similar risk, and the balance may be stolen.

(Ethereum founder Vitalik Buterin)

According to the report, hackers have used some institutional defects in the ethereum ecosystem to automatically steal funds:

First, hackers use machines to query the ethereum wallet addresses on the network in batches. This action is performed by scanning ports 8485 and 8486. Port scanning is a hacker technology that can be used by a large number of ready-to-use tools.

Second, after scanning open ports, use the eth_getBlockByNumber (query block height), eth_accounts (query wallet address), and eth_getBalance (query wallet balance) commands to perform the corresponding action.

Query the ethereum development documentation and find that ethereum supports the RPC mode. After the ethereum account has enabled this mode, you can automate some operations, for example, the coin is automatically transferred to the wallet after the mining pool is dug up.

Third, keep sending the eth_sendTransaction command. If the command takes effect, the balance in the wallet will be transferred to the attacker's wallet.

Some people may ask how hackers bypass the key because key transfer requires key transfer?

Originally, ethereum accounts supported the unlockAccount command to facilitate some mechanized transactions. In currency exchange, some people use computers for high-frequency transactions to obtain fluctuating spreads (this is also true for high-frequency stock exchanges, sometimes trading dozens of times in a minute ).

Ethereum is in high-frequency trading (or automatic transfer of funds from a mining pool). You do not need to enter a password for a period of time. The duration is determined by the user. If a hacker sends a "balance transfer" command within this period of time, the ethereum account (wallet or web account) will automatically perform this operation, transfer the ethereum in the wallet to the hacker's wallet.

In June 21, 2017, the hacker used this technique to steal 36 funds from the famous mining pool f2pool within four hours.

(F2pool official website claimed to be the world's largest mining pool)

The Mozi system scans about 4.2 billion IP addresses around the world and finds more than 10 thousand ethereum nodes with this security risk. The balance on these nodes may be stolen.

So how should users prevent such attacks? Experts suggest that you perform the following operations:

1. Change the default rpc api port. The configuration method is -- rpcport 8377 or -- wsport 8378 (Making port scan ineffective)

2. Change the rpc api listening address to intranet. The configuration method is -- rpcaddr 192.168.0.100 or -- wsaddr 192.168.0.100.

3. Configure iptables to restrict access to the rpc api port. For example, only 192.168.0.101 is allowed to access port 8545 (only commands sent from specific IP addresses are allowed ):

Iptables-a input-s 192.168.0.101-p TCP -- dport 8545-j ACCEPT

Iptables-a input-p TCP -- dport 8545-j DROP

4. Do not store the account information (keystore) on the node (because the account is not on the node, unlockAccount will not be used)

5. Use sendTransaction and sendRawTransaction of web3 to send transaction signed by private key for any transfer (restrict insecure transfer commands)

6. Physical Isolation of private keys (such as cold wallet and manual transcription) or high-strength encrypted storage to ensure key security

On the Internet, the hacker found that most ethereum users did not agree with this security warning. Some people even commented on the Weibo message of the cosine of the founder of the slow fog technology, and satirized them.