Senior analyst Hao Fangzhou: Hacking attacks have begun to use financial thinking; how should defenders respond? | Blockchain POD Conference
黄雪姣
2018-09-08 07:32
This article is about 2,684 characters; reading the full text takes about 11 minutes.
The way hackers attack decentralized platforms is very different from the way they attack centralized platforms, and sometimes requires innovative thinking.

On September 5th, the POD conference hosted by Odaily and strategically co-organized by 36Kr Group was held in Beijing. In the conference's security sub-forum, senior analyst Hao Fangzhou officially released the "2018 Blockchain Technology Security Service Industry Report" and gave a keynote speech.

The "Blockchain Technology Security Service Industry Report 2018" analyzes the security issues of business scenarios such as exchanges, smart contracts, wallets, and mining pools in the logical order of "event review, attack methods, defense strategies", and also gives an overview of the blockchain security service industry together with business cases.

In his talk, Hao Fangzhou introduced some findings of the research institute. For example, the methods hackers use to attack decentralized platforms are very different from those used against traditional centralized platforms and sometimes rely on innovative thinking; citing the attacks on Binance and Fomo3D this year as examples, he noted that hackers even applied financial knowledge and exploited loopholes in the underlying design mechanisms.

According to his research, blockchain security incidents are concentrated in the business layer and the contract layer; viewed by business line, that means trading platforms and smart contracts.

Hao Fangzhou also pointed out that "the possible evolution path of centralized trading platforms is to embrace regulation and at the same time move closer to traditional financial institutions such as banks, including doing a good job of real-name verification and custody, and establishing their own physical defense mechanisms."

The following is the full text of the speech, enjoy:

Good afternoon, ladies and gentlemen, and welcome to the security session. Our Odaily Research Institute has always hoped to present a more real blockchain world to everyone in a more intuitive way. One series we produce is called "Odaily Graphics", which uses charts to show industry structure, the layout of large companies, code plagiarism, and so on. Some of you may have seen these charts in your WeChat Moments. Today, on behalf of the Institute, I am here to release the 2018 Blockchain Technology Security Service Industry Report.

Safety is a relative concept, and its opposite is risk, but both words are rather abstract, so we hope to turn them into something more concrete in our minds. What do safety and risk look like? In football, offense and defense switch roles around one core, and that core is control of the ball.

Now, when we carry this logic over to blockchain security, we find that the core is control over information and assets. Security sits in the middle, protected by mining and chains, and the outer circle is all kinds of risk. These include technical risk, policy risk, moral hazard, speculative risk, operational risk and more. Risks have certain characteristics: they are often compounded at multiple points, unexpected and endless, which requires security to be comprehensive and to cover multiple processes and multiple links.

However, very important security issues are often not taken seriously. We find that rights and responsibilities are often unclear, and standards are difficult to quantify. Therefore, when we write articles, we often raise a question and say that security is a bit like Schrödinger's security. What does this mean? Only when an accident occurs do we realize how serious the problem is, but before the accident we do not know: a company, a product, or a service is in an intermediate state where it is difficult to judge its safety.

Having said that, we need to make it clear that when we talk about network security, it is easier to understand who plays the roles of offense and defense. Attackers are generally hackers. Defenders include governments, enterprises, third-party security companies, and users themselves.

Here I would like to ask everyone present: has anyone ever had digital assets stolen? If you forgot the private key, it doesn't count, right? Has anyone had fiat currency assets stolen online, whether through online banking, P2P lending, or Alipay?

We have never encountered this. In fact, we can see from the data that the total market value of digital assets has exceeded 230 billion US dollars. According to the first-half report by Tencent Security and Zhichuangyu, before July the amount of stolen digital assets was almost 1.1 billion US dollars, which means that in the first half of the year the proportion of lost coins was almost five thousandths. Kushen's data seems to be even higher than this. In a relatively centralized system, by contrast, attack and defense have been through more rigorous testing. Generally there are legal guarantees and compensation from financial institutions, and online assets are often bound to offline entities. Therefore it is actually very difficult for hackers to attack directly over the Internet, and easier to go offline.

So, if you want to attack the blockchain, sometimes you have to rely on some innovative means.

Here I will give two examples. The first is the "Binance incident" in March this year; it should have been in the early morning of March 7th. The withdrawal from Binance was an innovative means that combined technology with some financial tools. The second example is the Fomo3D that was just mentioned. When it ended, many people suspected that hackers had squeezed out other players and finally taken the large bonus. This is a way of playing that combines with the underlying design mechanism. Because there is not only information but also value on the chain, and the code is not perfect, many institutions are not as comprehensive as they advertise, and relevant policies are still temporarily absent, huge economic losses follow once they fail.

Part of the insecurity of the blockchain comes from subjective reasons, that is, people do not pay enough attention to it. Basically, the investors entering the market are those with a little spare money, and there is still a small number of people who actually sell their houses to enter the market.

So how do we protect it? The point where an attack breaks through is generally the place where the defense should build its fortress. Now we see a chart analyzing the attack surfaces and attack points of the blockchain from 2011 up to July of this year.

By technical architecture, the business layer and contract layer are the hardest-hit areas. By business scenario, trading platforms and smart contracts are where accidents occur most frequently.

For the convenience of readers, we adopt the perspective of security service companies when classifying, and also discuss according to industry needs and business scenarios.

Therefore, the report analyzes the blockchain technology security issues of business scenarios such as exchanges, smart contracts, wallets, and mining pools in the logical order of "from event review, to attack methods, to defense strategies".

The amount of information in this part of the report is relatively large, so I only pick two small points to share briefly here:

Let's talk about exchanges first. Decentralized exchanges entered the market targeting the security pain points of centralized exchanges; their next focus should be to improve the experience and attract more traffic. The evolution direction of centralized exchanges should be to move closer to traditional financial institutions such as banks, and to do a good job of real-name verification, KYC, custody, hot and cold wallet isolation and other physical defenses.

Let's talk about smart contracts. Once a smart contract is running, it cannot be modified, so code audits and formal verification are becoming more and more important. Public chains must also consider the security issues that may arise in the underlying design and the token economy, and it is best to consult a security team in advance. It will also become a trend for security services to get involved in blockchain projects earlier.

There are more conclusions in the report, which I will not expand on here.

In the last part of the report, we survey the general situation and the typical companies of the blockchain technology security service industry.

We found that each has its own perspective and area of expertise. Some focus on formal verification and have released automatic detection engines; some focus on ecosystem security and privacy; many companies that started with cold wallets specialize in secure private key storage solutions; and there are also projects that use the idea of decentralization to attract geeks, build communities, and find and fix bugs together.

From the 10 representative blockchain security service companies included, we selected five typical cases for interviews and analysis. This part also includes the experience and opinions shared by their leaders.

Finally, I would like to thank Kushen, SlowMist, Zhichuangyu, PeckShield, 360, CertiK, Warp Speed Future, Security Chain, and Bepel for accepting our interviews, contributing their insight, and providing guidance for the report. I would also like to thank my colleague, the lead author of this report, analyst Li Xueting.

I will also make a small announcement: more research reports, illustrations, news reports, project introductions and in-depth articles are on the way. Thank you all!

Related reading: Odaily Research Report | 2018 Blockchain Technology Security Service Industry Report
