Blockchain Security Incidents and Code Audits

Source: Internet
Author: User
Keywords: blockchain security, code audit, blockchain code audit
According to statistics, there were nearly a hundred security incidents in the global blockchain field in 2018, with losses exceeding 2 billion U.S. dollars, an increase of 538% compared to 2017. The "blockchain", the technology underlying Bitcoin, faces security risks at the data layer, network layer, consensus layer, incentive layer, contract layer, and application layer. New attacks appear constantly and cannot all be prevented in advance. Most of them occur at the application layer, where smart contracts are the hardest-hit area of blockchain security.


Security incident

MtGox event

MtGox was the world's largest bitcoin trading platform at the time, handling about 70% of the world's bitcoin transactions. In 2014, MtGox suffered the most serious hacking attack, after which it announced the suspension of trading, citing vulnerabilities in its security software. Two weeks later the website suddenly shut down and MtGox filed for bankruptcy.
According to MtGox's own estimates, the company's Bitcoin loss was approximately US$480 million: 750,000 bitcoins belonging to customers and 100,000 held by the company itself, which together account for approximately 7% of all Bitcoin issued. The incident shook investor confidence, and the price of Bitcoin plummeted 36%.

The DAO event
DAO stands for Decentralized Autonomous Organization. Such an organization relies on smart contracts running on the blockchain and has no legal entity; it can be understood as a "decentralized company". The DAO was a crowdfunding project initiated by the blockchain company Slock.it.
On June 17, 2016, hackers used a vulnerability in the smart contract code to steal 3.6 million Ether from this ICO (Initial Coin Offering) project, more than one third of the total Ether it had raised. Affected by this incident, the price of Ethereum plummeted by about 30% the next day.

The DAO incident was so impactful that it even drew the attention of the US SEC, although not to investigate who stole the tokens. It has also had a lasting effect on later token crowdfunding projects, whose teams now pay much closer attention to legal risks.


51% attack
In May 2018, the Bitcoin Gold (BTG) development team announced that an attacker had gained control of a large share of the BTG network's computing power and launched a "51% double-spending attack" against the exchange. The attack stole more than 388,200 BTG from the exchange, worth up to $18.6 million.
The principle of the "51% attack" lies in the distributed accounting mechanism used by digital currencies. Take Bitcoin as an example: the Bitcoin network is a decentralized distributed ledger, and every record must be confirmed by a majority "vote" of the network's computing power. Whoever controls more than 50% of the total computing power has the power to manipulate and tamper with the Bitcoin ledger. The damage a "51% attack" can cause is enormous: once the attack succeeds, the attacker can rewrite their own transaction records and spend the same coins twice (i.e. double spending).
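The passage above explains why the 50% threshold matters; the following Python code is an added worked example (not from the original article) that makes the threshold concrete from the defender's side. It implements the calculation from section 11 of the Bitcoin whitepaper: the probability that an attacker holding a fraction q of the network hashrate can eventually overtake a transaction that is already z blocks deep. Below 50% an exchange can drive double-spend risk down by waiting for more confirmations; at or above 50% no confirmation depth helps. The function names and the 0.1% risk threshold are choices made for this example, not the article's.

```python
import math
from typing import Optional


def _poisson_pmf(k: int, lam: float) -> float:
    """Poisson probability P(K = k) for rate lam, computed in log space so
    that large confirmation depths do not overflow a float."""
    if lam == 0.0:
        return 1.0 if k == 0 else 0.0
    return math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1))


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker controlling a fraction q of the hashrate
    eventually builds a longer chain than the honest network, starting z
    blocks behind (formula from the Bitcoin whitepaper, section 11)."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a hashrate fraction in [0, 1]")
    if z < 0:
        raise ValueError("z must be a non-negative confirmation count")
    p = 1.0 - q  # honest share of the hashrate
    if q >= p:
        # Majority hashrate: the attacker's chain outpaces the honest chain
        # with certainty, no matter how many confirmations the victim waits.
        return 1.0
    lam = z * q / p  # expected attacker progress while honest miners find z blocks
    fail_prob = 0.0
    for k in range(z + 1):
        # The attacker has mined k blocks so far and is (z - k) behind; the
        # chance of ever closing a deficit of d blocks is (q/p)^d, so the
        # complement is the chance of never catching up from that state.
        fail_prob += _poisson_pmf(k, lam) * (1.0 - (q / p) ** (z - k))
    return 1.0 - fail_prob


def confirmations_needed(q: float, risk: float = 0.001, max_z: int = 2000) -> Optional[int]:
    """Smallest confirmation depth at which the attacker's success probability
    drops below `risk`. Returns None when q >= 0.5, because no depth is safe
    against a majority miner. The 0.1% default is a policy choice for this example."""
    if q >= 0.5:
        return None
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) < risk:
            return z
    return None


if __name__ == "__main__":
    for share in (0.10, 0.30, 0.45, 0.51):
        print(f"attacker hashrate {share:.0%}: confirmations for <0.1% risk = "
              f"{confirmations_needed(share)}")
```

The whitepaper's own table gives 5 confirmations for a 10% attacker and 24 for a 30% attacker at the 0.1% level, which this code reproduces; the jump to 340 at 45% and to "none" at 50% is the quantitative form of the passage's point.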

Code audit
Most blockchain security incidents stem from flaws in source code that hackers are able to exploit. A smart contract is protected by the blockchain itself, so its code can be fully open-sourced and read by anyone. That same openness, however, makes it easy for hackers to study the code's defects and use the conditions that trigger them to change the execution result of the smart contract, exposing the blockchain project to huge economic risk. Open-sourcing smart contract code therefore demands highly reliable code, and that reliability requires 100% accuracy.
However, it is extremely difficult for programmers to write code that is completely free of flaws. Even if every possible precaution is taken, unanticipated vulnerabilities will always appear in complex software. The importance of code audit is therefore self-evident.

Code audit, as the name implies, is the inspection of source code for security flaws: checking whether the program's source code contains hidden safety hazards or deviations from coding standards. Through automated tools or manual review, the source code is examined and analyzed piece by piece, the security vulnerabilities caused by these source-code defects are identified, and code revision measures and suggestions are provided.
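The DAO passage above does not name the bug class, but the flaw exploited in that contract was reentrancy: an external call made before the caller's balance is updated, so the callee can re-enter the function and withdraw again. The Python script below is an added example, not from the article and not the code of any real project or audit tool, of the "automated tools" half of a code audit as just described: it scans a constructed Solidity sample and flags any function that writes to a contract-level state variable after an external call (a violation of the checks-effects-interactions ordering). The sample contract, its function names and the checker's regex heuristics are all constructed for this illustration; a production audit tool works on a parsed AST rather than on lines of text.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed Solidity sample for the checker; not code from any real project.
SAMPLE_SOURCE = """\
// Constructed sample contract for the audit checker.
contract Vault {
    mapping(address => uint256) public balances;

    // Interaction before effect: the callee can re-enter withdrawUnsafe before the
    // balance is zeroed (the reentrancy pattern behind The DAO incident).
    function withdrawUnsafe() public {
        uint256 amount = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0;
    }

    // Checks-effects-interactions: state is updated before the external call.
    function withdrawSafe() public {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
"""

# Heuristics only: a real auditor would use an AST-based tool rather than regexes.
EXTERNAL_CALL = re.compile(r"\.(call|delegatecall|send|transfer)\s*[({]")
FUNC_HEADER = re.compile(r"\bfunction\s+(\w+)\s*\(")
STATE_DECL = re.compile(
    r"^\s*(?:mapping\s*\(.*?\)|uint\d*|int\d*|address|bool|bytes\d*|string)"
    r"\s+(?:public|private|internal)?\s*(\w+)\s*;"
)


@dataclass
class Finding:
    function: str
    variable: str
    call_line: int
    write_line: int


def split_functions(src: str) -> Tuple[Set[str], Dict[str, List[Tuple[int, str]]]]:
    """Collect contract-level state variable names and the body lines of each
    function by tracking brace depth line by line. Toy parser: assumes one
    declaration per line and no braces inside string literals."""
    state: Set[str] = set()
    funcs: Dict[str, List[Tuple[int, str]]] = {}
    current: Optional[str] = None
    depth = 0
    for lineno, line in enumerate(src.splitlines(), 1):
        if depth == 1:  # inside the contract, outside any function
            decl = STATE_DECL.match(line)
            if decl:
                state.add(decl.group(1))
            header = FUNC_HEADER.search(line)
            if header:
                current = header.group(1)
                funcs[current] = []
        elif depth >= 2 and current is not None:
            funcs[current].append((lineno, line.strip()))
        depth += line.count("{") - line.count("}")
        if depth <= 1:
            current = None
    return state, funcs


def find_call_before_write(src: str) -> List[Finding]:
    """Flag functions that assign to a state variable after an external call."""
    state, funcs = split_functions(src)
    if not state:
        return []
    # Assignment (=, +=, -=) to a known state variable, optionally indexed.
    write_re = re.compile(
        r"\b(" + "|".join(map(re.escape, sorted(state))) + r")\b"
        r"\s*(?:\[[^\]]*\]\s*)*(?:=[^=]|\+=|-=)"
    )
    findings: List[Finding] = []
    for name, body in funcs.items():
        first_call = None
        for lineno, text in body:
            if first_call is None:
                if EXTERNAL_CALL.search(text):
                    first_call = lineno
                continue
            write = write_re.search(text)
            if write:
                findings.append(Finding(name, write.group(1), first_call, lineno))
                break
    return findings


if __name__ == "__main__":
    for f in find_call_before_write(SAMPLE_SOURCE):
        print(f"{f.function}: state variable '{f.variable}' written on line "
              f"{f.write_line} after external call on line {f.call_line}")
```

Run as a script, the checker reports only withdrawUnsafe; withdrawSafe performs the same call but zeroes the balance first, so it is not flagged. The design point is that the audit check encodes an ordering rule rather than a specific exploit, which is what makes such a rule reusable across contracts.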

Code audit is of great significance to the development of blockchain. On the one hand, code audit saves security investment and reduces repair costs: research shows that fixing code after an application has been released costs about 30 times as much as fixing it at the design and coding stage. Changing passive protection into active defense and controlling security risks at the source therefore saves costs to the greatest extent. On the other hand, code audit reduces system security risks: defects at the code layer are repaired in time, which greatly improves the overall security of the system and avoids huge economic losses.


Conclusion

More and more blockchain security incidents are driving the development of code auditing. At present, intelligent code auditing, that is, using computers to check program robustness, is the most important form of code auditing, but not many domestic companies have mastered this technical standard. Code auditing urgently needs further popularization and development.