‘‘When we talk about “blockchain security,” what are we talking about?
Decentralized, untamed, these nouns come out of everyone's mouth, as if the security of the blockchain is a self-evident truth; self-study scholars will also move out the four kinds of "anise" Writing, from SHA to ECC, the listeners are all impressed. The blockchain seems to be regarded as a good medicine from the moment of birth. However, the reality is cruel. Whether it is Bitcoin or Ethereum, hackers are everywhere, and news of digital currency theft is often reported.
Blockchain security issues become the key to industrial development
Since the advent of virtual assets, hacking of exchanges to steal virtual assets has emerged in an endless stream, and it is impossible to prevent! Among them, the earliest advent of the virtual assets with the largest market value was more than 1 million stolen, worth about 7 billion US dollars. For other currencies, the criminals are also very embarrassed.
The security of the blockchain system depends not only on the blockchain algorithm itself, but also from the code implementation to the contract logic to the supporting facilities. When the blockchain technology comes out of the white paper and becomes a reality technology, There are far more problems. According to the barrel theory, how much water a wooden barrel can hold does not depend on the longest piece of wood, but on the shortest piece of wood.
In the world of blockchains, each person's identity is just a number, cryptographically called a key, and once someone gets your key, he can pretend to be your identity to do anything, including flowers. Light your every penny.
What is the security of the key? Taking the ECDSA algorithm as an example, each key consists of 256 bits 01. If it is randomly guessed, the probability of guessing is only 1/115792089237316266660066408626602828282606886466848266086008062602462446642046, which is about 1/1077.
According to estimates, the Earth consists of approximately 1050 atoms, and the entire universe is composed of only 1080 atoms. The probability of guessing the key is almost the same as the probability of guessing an atom in the universe.
However, this does not mean that we can sit back and relax. A number of online wallet theft cases broke out at the end of 2014. The reason is that the implementation of the random number generator is not really “random”. Nowadays, the rise of quantum computers has brought new challenges. If thousands of bit-bit quantum computers are available, many algorithms, including ECC, may become illusory.
The same is true in the world of blockchains. Whoever has 51% of the right to speak can change their trading records and launch a "double flower" attack. Different consensus mechanisms have different definitions of discourse rights. In PoW, it is computational power, while in PoS, it is the number of tokens held.
The 51% attack is by no means a fantasy. Taking Bitcoin as an example, with the scent of money attracting numerous technology manufacturers to enter the market, mining has become a battlefield for professional players. The top three mines monopolize the computing power of the whole network. On the Crypto51 website, we can find the cost of launching a 51% attack on various digital currencies, launching an hourly power attack on the $350 million Bytecoin, which costs only $257. These numbers are not imagined. Out of reach.
The last line of defense against 51% of attacks is that the success of the attack is likely to cause the value of the digital currency to return to zero. In the long run, the attacker will suffer huge losses. However, Verge has been repeatedly attacked, bit gold is also difficult to escape, in the face of the frequent 51% attack, the last line of defense appears weak.
In the 2018 blockchain field, the economic losses caused by the attack on smart contracts were about $1.1 billion, accounting for 55%.
In Japan, Coincheck was hacked in January, causing a loss of about $523 million.
At 10:58 pm on March 7 this year, Black Hat used the attack on the well-known blockchain asset trading platform, and the account on the operating platform, at least $100 million, caused the entire market to fall.
In South Korea, the Bitmumb exchange was hacked on June 28, causing a loss of about $32 million.
In the United States, Bitcoin Gold was attacked in May this year, exploiting vulnerabilities to steal more than $18 million.
According to the blockchain safety net data, in 2017, the number of major security incidents in the blockchain occurred 16 times, resulting in an economic loss of 634 million US dollars. In 2018, there was an upward trend in the index. The number of major security incidents occurred only 46 times in January-May, with losses of up to $2 billion.
From a global perspective, there are more and more blockchain security attacks, and the losses caused by them are increasing. For the emerging industry of blockchain, in the process of initial development, whether it is a wallet or an exchange, it has been constantly attacked by hackers. What is the cause of this phenomenon?
01 Blockchain security service supply is seriously insufficient
There are 10,000+ blockchain projects worldwide, and the current number of blockchain security companies is only about 50.
02 Ransom virus is a family industrialization trend
According to 360 Tianqing team disclosure data, Globelmposter, Crysis, GandCrab, and Satan are the four most active ransomware families in the first half of 2018, accounting for more than 90% of the total amount of ransomware transmission in the first half of the year.
03 Virtual asset theft is difficult to prevent
In the first half of 2018, many virtual asset exchanges such as Coincheck, Binance, and Coinrail were hacked and lost about $700 million. The user's personal account was hacked, and the criminals used the virus to steal virtual asset wallet information and transfer the funds to their own accounts.
04 Double flower attack risk still exists
After 51% of the computing power is controlled by the criminals, the criminals can attack the virtual asset platform, and the data that has been completed by the transaction can be destroyed and re-paid, so that double service can be obtained.
The emergence of smart contracts has made the blockchain endless possibilities, but it has also brought countless loopholes, so that the founder of Litecoin Li Qiwei rebuked Ethereum as a "hacker's paradise". Also Xiao He."
According to BCSEC statistics, the economic losses caused by the smart contract loopholes in the blockchain industry in the first half of 2018 reached US$1.16 billion, accounting for 54.66% of the blockchain security issues, making it the number one hardest hit area for blockchain security.
In June 2016, the attacker used a loophole in the splitDAO function of TheDAO smart contract, the largest crowdfunding project in the blockchain industry, to continuously separate funds from the asset pool of The DAO project and transfer it to their own children. In DAO, in just three hours, more than 3 million Ethereums were transferred out of The DAO asset pool, and Ethereum was forced to fork because of the accident. Code is Law, unlike the iterative update in traditional software development, in order to ensure the credibility of the code, the contract in Ethereum will not be modified once deployed. Of course, we can't run a smart contract once it's released, and it's flawless to run. A flawed code may push the entire contract to the point where it can't be lost.
If you need to upgrade your smart contract, you need to take a snapshot of the current smart contract and then transfer the snapshot of the old contract to the new contract after deploying the new smart contract. This process will affect the user's confidence in the project. When a vulnerability is discovered, it is a dilemma that every project developer will face if it is a strong contract to deploy a new contract or ignore it and hope to keep it hidden.
"Black hat" and "white hat"
Fortunately, the blockchain security issue has attracted more and more people's attention. When hackers, or "black hats", exploit vulnerabilities to exploit profits, some security experts and technical geeks come together to become blockchain security defenders and defenders. They try to find vulnerabilities in advance and notify project parties. In order to be used by the "black hat", they are the "white hat" of the blockchain.