What we talk about when we talk about blockchain security?

FMZ
What we talk about when we talk about blockchain security?
Decentralized, untamed, these nouns come out of everyone's mouth, as if the security of the blockchain is a self-evident truth. The blockchain seems to be regarded as a good medicine from the moment of birth. However, the reality is cruel. Whether it is Bitcoin or Ethereum, hackers are everywhere, and news of stolen digital currency is frequently reported.
The security of the blockchain system does not depend solely on the blockchain algorithm itself, from code implementation to contract logic to supporting facilities. When the blockchain technology emerges from the white paper and becomes a technology in reality, there are far more problems. According to the barrel theory, how much water a barrel can hold does not depend on the longest piece of wood, but on the shortest piece of wood.
password! password!
In the world of blockchains, each person's identity is just a string of numbers, called private key in cryptography, and once someone gets your private key, he can pretend to be your identity to do anything, including spending every penny of your money.
How about the security of the private key? Taking the ECDSA algorithm as an example, each key consists of 256 bits of 01. If it is randomly guessed, the probability is only 1/115792089237316266660066408626602828282606886466848266086008062602462446642046, which is about 1/1077.
According to estimation, the Earth consists of approximately 1050 atoms, and the entire universe is composed of only 1080 atoms. The probability of guessing the key is almost the same as the probability of guessing an atom in the universe.
However, in the blockchain, the key is not enough. In order to realize mutual transfer between accounts, it is necessary to generate a public key and a wallet address according to the private key. The above-mentioned ECDSA is an algorithm for generating a public key from a private key. The public key will be in public when it is transferred out. How difficult is it to infer the private key from the public key? FMZ
If the implementation of the algorithm is not flawed, even the most effective attack method is still in high difficulty.
However, this does not mean that we can sleep without any anxiety. A number of online wallet theft cases broke out at the end of 2014. The reason is that the implementation of the random number generator is not really “random”. Nowadays, the rise of quantum computers has brought new challenges. If quantum computers are available, many algorithms, including ECC, may will exist in name only.
51% FMZ
Churchill said that democracy is not a good thing, but it is the best we can find so far.
The same is true in the world of blockchains. Whoever has 51% of discourse power can easily change their trading records. Different consensus mechanisms have different definitions of discourse power. In PoW, it is computational power, while in PoS, it is the number of tokens held.
The 51% attack is not a fantasy. Taking Bitcoin as an example, with money attracting numerous technology manufacturers to enter the market, mining has become a battlefield for professional players. The top three mines monopolize the power of nearly half of the whole network. On the Crypto51 website, we can find the cost of launching a 51% attack on various digital currencies, launching an hourly power attack on the $350 million Bytecoin, which costs only $257. These figures are not unreachable in imagination.
Source: https://www.crypto51.app, Screenshot time: 2018/9/12 9:08
The last line of defense against 51% of attacks is that it’s likely to cause the value of the digital currency to return to zero if attack success. In the long run, the attacker will suffer huge losses. However, Verge has been repeatedly attacked, bitcoin gold is also difficult to escape, in the face of the frequent 51% attack, the last line of defense appears weak.
Smart contract
The emergence of smart contracts has made the blockchain endless possibilities, but it has also brought countless loopholes, so that the founder of Litecoin Li Qiwei rebuked Ethereum as a "hacker's paradise".
According to BCSEC statistics, the economic losses caused by smart contract loopholes in the blockchain industry in the first half of 2018 reached US$1.16 billion, accounting for 54.66% of the blockchain security issues, making it the number one hit area for blockchain security.
In June 2016, the attacker used a loophole in the splitDAO function of TheDAO smart contract, the largest crowdfunding project in the blockchain industry, to continuously separate funds from the asset of The DAO project and transfer it to their own DAO. In just three hours, more than 3 million Ethereums were transferred out of The DAO asset pool, and Ethereum was forced to fork because of the accident.
Code is Law. Unlike the iterative update in traditional software development, in order to ensure the credibility of the code, the contract in Ethereum will not be modified once deployed. Of course, we can't expect that smart contracts can be perfected once they are released. A line of flawed code may lead the entire contract to disaster.
If you need to upgrade your smart contract, you should take a snapshot of the current smart contract and then transfer the snapshot of the old contract to the new contract after deploying the new smart contract. This process will affect the user's confidence in the project. When a vulnerability is discovered, it is a dilemma that every project developer will face: whether to decide quickly and deploy a new contract or ignore it and hope to keep it hidden.
"Black hat" and "white hat"
Fortunately, the blockchain security issue has attracted more and more attention. When hackers, namely "black hats", exploit vulnerabilities to exploit profits, some security experts and technical geeks come together to become blockchain security defenders. They try to find vulnerabilities in advance and notify project parties not to be used by the "black hats", they are the "white hats" of the blockchain.
The digital currency market, which was once full of "making myths of wealth", has become cooler, the bubble with the technology of block chain as a gimmick gradually disappears, and the issue of security has gradually emerged. Safety is the foundation of technological development. Things like one line of code ruining a project frequently occurs, and it rings an alarm bell to us. Only with careful precaution in security problems, can blockchain placed high hopes go further. FMZ

评论

发表评论

此博客中的热门博文

FAQ about Bitcoin(1)

图片
Find answers to recurring questions and myths about Bitcoin. www.fmz.com General What is Bitcoin? Bitcoin is a consensus network that enables a new payment system and a completely digital money. It is the first decentralized peer-to-peer payment network that is powered by its users with no central authority or middlemen. From a user perspective, Bitcoin is pretty much like cash for the Internet. Bitcoin can also be seen as the most prominent  triple entry bookkeeping system  in existence. Who created Bitcoin? Bitcoin is the first implementation of a concept called "cryptocurrency", which was first described in 1998 by Wei Dai on the cypherpunks mailing list, suggesting the idea of a new form of money that uses cryptography to control its creation and transactions, rather than a central authority. The first Bitcoin specification and proof of concept was published in 2009 in a cryptography mailing list by Satoshi Nakamoto. Satoshi left the project in late 2010 with...
阅读全文

FAQ about Bitcoin(3)

Transactions  FMZ Why do I have to wait for confirmation? Receiving notification of a payment is almost instant with Bitcoin. However, there is a delay before the network begins to confirm your transaction by including it in a block. A confirmation means that there is a consensus on the network that the bitcoins you received haven't been sent to anyone else and are considered your property. Once your transaction has been included in one block, it will continue to be buried under every block after it, which will exponentially consolidate this consensus and decrease the risk of a reversed transaction. Each confirmation takes between a few seconds and 90 minutes, with 10 minutes being the average. If the transaction pays too low a fee or is otherwise atypical, getting the first confirmation can take much longer. Every user is free to determine at what point they consider a transaction sufficiently confirmed, but  6 confirmations  is often considered to be as safe as wai...
阅读全文
图片
Digital currency quantitative arbitrage There are many global digital currency exchanges, and the same currency in market is not always effective in pricing due to many factors affecting. The same pair has spread among two or more exchanges. As long as there is a spread, there is arbitrage. Arbitrage through spreads is basically risk free in the digital currency market.  ( www.fmz.com )        Suppose the EOS/USDT pair: the price in Huobi is 11, the price in Binance is 10, and the EOS has spread of 1 USDT between the two exchanges. Suppose you hold 1 EOS in Huobi, following the principle of selling high and buying low, sell 1 EOS in Huobi to get 11 USDT, spend 10 USDT to buy 1 EOS in Binance, then you net earned 1 USDT, and the amount of EOS remains unchanged. Although there is such a spread, manual arbitrage often has many uncertainties due to the time-consuming, poor accuracy and price changes of manual operations. Through the quantitati...
阅读全文