
Exclusive | How to read the actual cases of each risk level in an audit report



Earlier, we introduced Fairyproof Tech's classification of risk levels. Some readers will be curious: what does each level of risk actually look like?

In this article we give specific cases for each level to illustrate what a fatal risk, a high risk, a moderate risk and a low risk are.

A fatal risk is the highest and most dangerous level of all. The project party must resolve it immediately, without delay.

The most common risk of this type is code that plainly cannot compile, or a logic error so obvious that the code cannot run to completion correctly. If a risk of this kind is not dealt with, the project's contract will almost certainly fail to compile, fail to deploy, or fail to run normally.

For example, assigning a value of one type to a variable of an incompatible type, or a compiler version declaration (pragma) that does not match the compiler actually used, are both risks of this kind.


Fairyproof Tech now seldom writes such risks into the final report: once a fatal risk is found, we require the project party to fix it immediately, so it rarely appears in our later reports. Such risks were listed explicitly only in our earlier reports.

High risk is second only to fatal risk in danger. A high risk is very likely to cause serious problems for the project and must be resolved by the project party.

The most common risk of this type is a logic error in the contract implementation, such as a calculation error.


For example, staking mining is a feature of many DeFi contracts. Its basic logic is that a user stakes a certain amount of a digital asset into the mining pool, and the contract calculates the reward the user should receive from the ratio of the user's staked assets to the total assets staked in the pool. If this ratio is miscalculated or implemented incorrectly, users will not receive the correct rewards, which seriously damages the project's reputation.
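To make this calculation error concrete, here is an added illustrative Solidity contract. It is example code added to this article, not code from Fairyproof Tech or from any audited project, and the contract name RewardMath and its function names are assumptions. It shows one common form of the ratio bug, dividing before multiplying, which in integer arithmetic truncates an ordinary user's share to zero, next to the correct order of operations and a check an auditor can run over a set of stakes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustrative contract (not from Fairyproof Tech or any audited project).
/// Solidity integers have no fractional part, so the order of multiplication and
/// division decides whether the reward ratio is computed correctly.
contract RewardMath {
    /// WRONG (high risk): userStake / totalStake is 0 whenever userStake < totalStake,
    /// so every user who does not hold the entire pool receives 0.
    /// Example: 30 staked of 100, reward 1000 -> (30 / 100) * 1000 = 0.
    function rewardWrong(uint256 userStake, uint256 totalStake, uint256 reward)
        public pure returns (uint256)
    {
        require(totalStake > 0, "empty pool");
        return (userStake / totalStake) * reward;
    }

    /// CORRECT: multiply first, divide last, so truncation happens once, on the
    /// final value. Same inputs -> 30 * 1000 / 100 = 300. Under Solidity >= 0.8
    /// the multiplication reverts on overflow instead of silently wrapping,
    /// which is the safe failure for a reward computation.
    function rewardCorrect(uint256 userStake, uint256 totalStake, uint256 reward)
        public pure returns (uint256)
    {
        require(totalStake > 0, "empty pool");
        require(userStake <= totalStake, "stake exceeds pool");
        return (userStake * reward) / totalStake;
    }

    /// Invariant an auditor can check for a given set of stakes: with
    /// multiply-then-divide, the rewards paid to all stakers together never
    /// exceed the reward pool. Truncation leaves dust in the pool; it never
    /// over-pays. Returns true when the invariant holds.
    function neverOverpays(uint256[] memory stakes, uint256 reward)
        public pure returns (bool)
    {
        uint256 total;
        for (uint256 i = 0; i < stakes.length; i++) total += stakes[i];
        if (total == 0) return true;
        uint256 paid;
        for (uint256 i = 0; i < stakes.length; i++) {
            paid += rewardCorrect(stakes[i], total, reward);
        }
        return paid <= reward;
    }
}
```

With stakes of 30 and 70 and a reward of 1000, rewardCorrect pays 300 and 700, while rewardWrong pays 0 to both, and the contract would quietly keep the whole reward. The require on userStake <= totalStake is a cheap guard for the other direction of the same bug, a bookkeeping error that lets a user's recorded stake exceed the pool total and so claim more than the pool.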

We now seldom list high-risk findings in the report, because once we discover one we ask the project party to correct it immediately. Readers can find detailed examples of such risks in our earlier reports.


A moderate risk is one level below high risk. It may cause potential problems for the project, and the project party must eventually resolve it.

The most common example of this kind of risk is administrator privilege control.

For example, DeFi protocols usually have a token-issuing (minting) function, and the address that controls issuance is usually the administrator, so the administrator's authority in this type of contract is considerable. In some implementations, because the project has complex functionality and operational needs, the administrator not only decides whether tokens are issued but also has the power to grant other addresses the right to issue tokens.


This creates a security risk: if the administrator's key is stolen, or the administrator abuses this power, token issuance goes out of control.

This kind of risk is introduced by the contract's own logic, and the logic sometimes has to be this way: in the early stage after deployment, the administrator authority must be kept for a period of time so the project can operate efficiently, and that is what brings the potential risk.

The project party must also operate cautiously while this risk exists, as if walking on thin ice. It hangs over the heads of the project party and its users like a sword of Damocles that could fall at any time.

For such risks, we strongly recommend that after a period of operation the project party transfer administrator rights to the community (for example a DAO) or to a multi-signature wallet.
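As an added example, here is a minimal token with exactly the privilege structure described above, together with the administrator handover this article recommends. It is example code added to this article, not code from Fairyproof Tech or any audited project; the contract name MintableToken, the function names and the events are assumptions, and ordinary transfers are omitted so that only the issuance control path is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustrative token (not from Fairyproof Tech or any audited project).
/// A single admin can mint and can grant the minter role to other addresses.
/// The risk is in the design rather than a bug: whoever holds `admin`, or any
/// address flagged in `isMinter`, controls the supply. `transferAdmin` is the
/// mitigation described in the article: hand admin to a multisig or DAO
/// contract once the launch period is over.
contract MintableToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    address public admin;
    mapping(address => bool) public isMinter;

    event AdminTransferred(address indexed previousAdmin, address indexed newAdmin);
    event MinterSet(address indexed account, bool allowed);
    event Mint(address indexed to, uint256 amount);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor() {
        admin = msg.sender;
        isMinter[msg.sender] = true;
    }

    /// The admin can delegate minting. Every address enabled here is another
    /// key whose theft or misuse puts issuance out of control, so an audit
    /// lists this function and enumerates every current minter.
    function setMinter(address account, bool allowed) external onlyAdmin {
        isMinter[account] = allowed;
        emit MinterSet(account, allowed);
    }

    function mint(address to, uint256 amount) external {
        require(isMinter[msg.sender], "not minter");
        balanceOf[to] += amount;
        totalSupply += amount;
        emit Mint(to, amount);
    }

    /// Hand administration to a multisig or DAO. The two checks guard against
    /// irrecoverable mistakes: the zero address (nobody can ever administer the
    /// contract again) and an externally owned account where a contract was
    /// intended. The outgoing admin's own minter flag is cleared so that the
    /// old key does not keep minting power after the handover; any other
    /// minters it granted remain and must be reviewed by the new admin.
    function transferAdmin(address newAdmin) external onlyAdmin {
        require(newAdmin != address(0), "zero admin");
        require(newAdmin.code.length > 0, "admin must be a contract (multisig/DAO)");
        isMinter[admin] = false;
        emit AdminTransferred(admin, newAdmin);
        admin = newAdmin;
    }
}
```

Two practical checks when reviewing this pattern: first, list every address for which isMinter is true, not only admin, since each of them can mint independently; second, confirm on the target chain that the address passed to transferAdmin really is the intended multisig or DAO contract before sending the transaction, because the contract offers no way back once admin has changed. The code-length check rejects externally owned accounts but cannot tell a multisig from any other contract, so it is a guard against typos, not a substitute for verifying the destination.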

Low risk is the lowest level of all. It usually appears as small detail issues, compiler warnings and the like. Problems at this level can be left unresolved for the time being, but the project party should eventually fix them in a future version.

The details involved in this type of risk are scattered and minor. A frequent example is function or variable naming.

Function and variable names are normally invisible to ordinary users, but in some cases they cause trouble for the project party maintaining the code, or for other contracts (for example third-party contracts) that call these functions.

The usual naming problem is that the name does not convey the meaning: the name differs from the role the function actually plays in the contract. For example, a function that sets the value of a variable is normally named "setXXX" (set XXX), but through a typo or some other reason the project party named it "getXXX" (read XXX), so the function's name says something different from what it does.

After such code has been in use for a long time, when the project party comes back to maintain or modify it, anyone who does not read the code carefully will misunderstand what the function does and call it by mistake.

Therefore Fairyproof Tech also recommends that the project party correct such risks at a convenient time.


Tan Yuefei, CEO of Fairyproof Tech

Master of Industrial Engineering from Virginia Tech, Blacksburg, VA, USA. He was formerly a software engineer at AIBT Inc (San Jose, CA, USA), a Silicon Valley semiconductor company, responsible for developing the underlying control system, implementing the equipment manufacturing process in software and designing its algorithms, and for overall technical liaison and communication with TSMC. Since 2011 he has been engaged in research on embedded, Internet and blockchain technology. He teaches the "Introduction to Blockchain" course at the Entrepreneurship College of Shenzhen University, is a visiting researcher at the Blockchain and Intelligence Center of Sun Yat-sen University, and is an executive director of the Guangdong Financial Innovation Research Association. He personally holds 4 blockchain-related patents and has 3 published works.

About Fairyproof Tech:

Fairyproof Tech Technology Co., Ltd. is a company focused on blockchain ecosystem security. Fairyproof Tech has served many emerging and well-known projects, mainly through an integrated solution of "code risk detection + logic risk detection". The company was established in January 2021 by a team with rich experience in smart contract programming and network security.

Team members participated in initiating and submitting a number of standard drafts in the Ethereum field, including ERC-1646, ERC-2569, and ERC-2794, among which ERC-2569 was officially accepted by the Ethereum team.

The team took part in initiating and building a number of Ethereum projects, including blockchain platforms, DAO organizations, on-chain data storage and decentralized exchanges, and has taken part in the security audits of multiple projects. On the basis of this experience, a complete vulnerability tracking and security prevention system has been built.

