Fairyproof Tech CEO Tan Yuefei: DeFi investors must read the project audit report

Jinse Finance live report, on April 10th, hosted by Jinse Finance, TRON as the general title, HBTC, SumSwap, SubGame chief partner company "2021 Together Innovation Conference" was held in Shanghai. With the theme of "Innovation and Advancement of DeFi", the conference gathered hundreds of outstanding blockchain companies and many industry leaders to discuss the six major track topics of DeFi ecology, Polkadot, NFT, exchange public chain, ETH 2.0, and Layer2. In the "DeFi+NFT" themed session in the afternoon, Tan Yuefei, CEO of Fairyproof Tech, gave a keynote speech on "How Novice Users Can Understand the Audit Report of DeFi Contracts". Tan Yuefei pointed out in his speech that in 2020, DeFi security losses will exceed 200 million US dollars. Most of these security incidents come from attacks on smart contracts. There are many security incidents in smart contracts. There are three reasons: the first is the smart contract itself, and the second is the area. The technical characteristics of block chain, the third is social factors. First of all, once a smart contract is deployed, it cannot be withdrawn. Secondly, the blockchain structure makes it impossible for the project party to know the social identity of the attacker and the transaction is irreversible. Finally, there is a lack of social constraints on the application of smart contracts, such as the lack of protection for digital assets, and the lack of constraints and norms for blockchain applications. The details of the speech are as follows: Tan Yuefei: The topic I will share with you today is how to read the audit report of the DeFi contract. When we talk about audit reports, we are actually talking about the security of DeFi. When we talk about security, we often feel that this concept is relatively abstract, so I will show you some data. The Ethereum Fair (ETF) airdrop test contract has been deployed on the Ethereum network: Golden Finance News, according to Ethereum Fair official news, has completed the deployment of the airdrop contract on the Ethereum network, and the contract will be synchronized to the Ethereum Fair network after the fork is completed , eligible users can perform operations related to receiving airdrops. [2022/9/5 13:09:46] The entire big pie is the loss caused by all and blockchain security accidents throughout 2020. Please pay attention to all losses. The red area on the left of DeFi is DeFi The loss, 238 million US dollars, accounted for 40.9% of the loss caused by the entire blockchain security, almost half of it. Before 2020, DeFi security accidents were far less exaggerated, but the emergence of DeFi led to such serious security accidents. It’s not so intuitive yet, let’s look at some more specific examples, let’s look at it from the bottom, the funds in the fund pool were transferred on December 26, 2020, attacked on December 21, 2020, and sushi was attacked in January 2021, WFI was attacked again in February. The data I listed is not to point out how these projects themselves are. I want everyone to pay attention to the time when these projects were attacked. Have you found that from October 2020 to March 2021, Every month, a relatively well-known DeFi project is supplied, which is enough to illustrate the frequency and frequency of security incidents in the DeFi field. The frequent occurrence of security incidents not only affects the reputation of the project party, but also directly affects the interests of investors. Next, I will share with you why there are so many security incidents in smart contracts. It is determined by special factors. Our Fairyproof Tech team believes that, There are three main reasons for the occurrence of security incidents, the first is the operating mechanism of the smart contract itself, the second is the characteristics of the blockchain technology, and the third is the social constraints of the application of the smart contract. Ant Group Announces Upgrade of Privacy Collaboration Platform FAIR in Shanghai: Golden Finance News, at the 2022 World Artificial Intelligence Conference (WAIC) in Shanghai today, AntChain Privacy Collaboration Platform FAIR announced an upgrade of its overall architecture, platform openness and large-scale computing performance have been further enhanced . It is reported that the privacy collaboration platform FAIR is developed by the AntChain team of Ant Digital. It deeply integrates the advantages of the two technologies of privacy computing and blockchain to solve the problem of "availability and invisibility" in the process of data transfer and multi-party collaboration. issues of data ownership and authenticity. [2022/9/2 13:05:18] Let’s first look at the operating mechanism of the first smart contract itself. Smart contracts have a very big feature, which is different from our traditional IT applications. We use When comparing traditional applications, we use a game or APP. Suddenly, one day during our use, the project party told us that the APP issued an announcement and that there was a problem with the APP. In this case, the project party removed the APP from the APP It is removed from the store and let everyone use the old version. They remove the problematic version and use the new APP after modification. After arriving on Ethereum, it cannot be withdrawn. It cannot be withdrawn like the application in traditional IT. Once the smart contract starts to execute, it is irreversible. Or we can understand that we found that there is a problem with the smart contract. The contract is deployed on Ethereum, and the loopholes are discovered by hackers. When hackers use the loopholes to attack it, we can see the funds in the fund pool being stolen. We can do nothing. We shut down the server in the traditional field, but on the Ethereum , Such a thing cannot happen, we cannot shut down Ethereum. Fairyproof Tech: Iron Bank contract risky project references should be cautious: Fairyproof Tech analysis found that the cause of this accident was the existence of Iron Bank-related contracts newly introduced by the Cream protocol. Vulnerabilities are exploited by hackers. Iron Bank boldly adopted the unsecured + whitelist method to allow users to borrow from the fund pool. On the one hand, this method improves the utilization rate and flexibility of funds, but on the other hand, it increases the risk exposure of project lending, and attempts to hedge such risks in a partially centralized manner. Fairyproof Tech believes that because the Iron Bank contract has not been online for a long time and has not been tested by the market, there is a greater risk. Therefore, we remind all teams that reference the code of the Cream project not to launch the Iron Bank function for the time being to strengthen risk control. We will post further details later. [2021/2/13 19:41:17] I don’t know if everyone noticed that when promoting Ethereum, many people don’t understand what Ethereum is. He used a simple sentence, Ethereum is a world computer that never stops, Never downtime, once running cannot be stopped. The second point is related to the blockchain technology itself. When we talk about blockchain technology, we first look at the first application of blockchain technology, which is Bitcoin. Thinking of the first feature is anonymity, of course, from a purely technical point of view, this is pseudo-anonymity. In the case of quasi-anonymity, the real personal information is hidden under certain circumstances. What does anonymity mean? When we conduct each transaction in the blockchain, we can only see the addresses that initiated the transaction or participated in the transaction in all publicly available information, but we have no way to compare this address with The real identity of the person holding the address who executes the transaction is linked in social life. We don't know who the holder behind this address is, what is his name, what is his ID number, and which country he is in, so for this reason he is anonymous, which leads us to, in the blockchain, Once a security incident occurs in a smart contract, we know that there is a hacker attack and we only see the address of the attack. We don't know who the holder behind the address is, and we don't know what the hacker's real social identity is. Stablecoin protocol Lien officially launches Lien APP and DEX FairSwap: According to official news, the DeFi stablecoin protocol Lien (LIEN) launched the Lien APP based on the Ethereum mainnet, officially launched the Lien protocol and DEX FairSwap, allowing users to use the Lien protocol to create Ethereum options and stablecoins. [2020/9/4] The technical characteristics of the smart contract itself I just mentioned, as well as the technical characteristics of the blockchain, lead to very special characteristics of security accidents. From a technical point of view, there is another point of view that we usually raise in various public places There are relatively few, but in our team's view, it is precisely the most complicated and difficult to control at present, which is social constraints. I will list two things here. Existing laws and regulations lack the protection of digital assets. When I talked about this issue, some friends said that in our country, the information that has paid attention to digital currency laws in the past one or two years will say that our country The Civil Code introduces specific measures to protect digital assets, but please note that some of these provisions and the Civil Code, whether it is the laws of our country or the laws of other countries in the world, compare with them in terms of strength and breadth of protection for traditional assets It is incomparable, so the protection of digital assets in countries all over the world is not standardized, imperfect, and incomplete in law. The second point is that existing laws lack the application and supervision of blockchain. Existing laws apply to all traditional applications, Internet applications, he has a binding, there is a specification, but such a law on the specification of smart contracts, there is almost no one in any country in the world, recently in the United States , Some states in the United States have grown into certain legal effects of smart contracts, but this is just eating crabs, just an attempt, and any problems in the actual implementation or future implementation will generate new problems or new methods , we don't know yet, and there is a blank in this regard. The current price of FAIR is 0.34 yuan, an increase of 21.84%. According to the data of the OKEx trading platform, the latest transaction price of FAIR is 0.34 yuan. The highest price in 24 hours reached RMB 0.34, and the lowest price was RMB 0.28, an increase of 21.84%. Fair.Game is based on Ethereum, uses decentralized technology and smart contracts to ensure the fairness of the game, combines the characteristics of blockchain and online games, and solves the problems of opaque numerical algorithms and equality between players in traditional games. [2018/1/23] Therefore, the problems of the smart contract itself, the problem of the blockchain technology itself, and the lack of social dating of the smart contract application lead to a very special place in the security of the smart contract, so the accidents caused are so frequent, caused so much harm. What I just shared with you is some particularity of security. Let me share with you that our team currently divides all accidents in the field of smart contract security into three categories. The first category is known risks, and the second category is Potential risks, the third category is man-made risks. What are known risks? Known risks We are now in the technical field technical team or the industry have summarized some safety characteristics, characteristics of some accidents, and some laws summed up based on all previous safety accidents. We know these Knowing the characteristics and characteristics of these accidents, we can easily judge them, so we call them known risks. What are the potential risks? These risks have never appeared before, maybe in the smart contracts we run, but we don’t know, or these risks have not been triggered because of immature conditions. This is a potential risk. The third is human risk. I have listed 11 risks. In fact, it does not mean that there are only these 11 risks in the field of smart contracts. I have listed these 11 risks. There are many analyzes and explanations in the industry for each risk, so I won't go into details here. We give some more detailed examples to talk about known risks and potential risks and human risks. Let's take a look at this risk. Did the friends here enter the currency circle in the last round before April 2018 (yes). The bull market in that round was crazy, to what extent, not only many new users came in, but also the traditional A bigwig in the IT industry In this field, the US chain has a very deep relationship with a certain traditional IT company. What did he do? He released a smart contract with a major security loophole. What loophole? During the calculation process of one line of code, a safe mathematical library was not used, resulting in calculation overflow, and the tokens caused by the overflow were issued in a huge amount, causing the price to plummet. This is April 22, 2018. Prior to this, such accidents were called potential risks. Now after this accident occurs, in the industry we use technology to analyze the causes of safety accidents as well as possible symptoms and characteristics. We now call them known risks, which are known risks. typical risk. In the second case, on March 12, 2020, both Bitcoin and Ethereum were reported to be iron, Bitcoin fell below $4,000, and Ethereum fell to $100. After Bitcoin and Ethereum plummeted, MakerDAO had a crazy run mechanism, and finally Discovery is a matter of mechanism design. Then Sweet Potato was attacked. In June 2020, YAM was attacked. Sweet Potato is a very famous project. After this project was attacked, its founder tweeted a paragraph, sorry, we failed. How it came about is mainly because there is a lack of denominator in logical operations, it's that simple. The third case is that YFI ran without problems for more than half a year during the whole round of last year, but there was a problem in February this year. This incident occurred because the price of stablecoins was manipulated due to the emergence of an application method of good loans. There is also TSD being attacked. When we review the contract code, if we do not have a particularly deep understanding of logic, the division algorithm of the sweet potato attack is wrong, and it is almost difficult to find out. The other three are more difficult. There is a problem with the governance mechanism, not Code problems, this problem is more difficult to find, for such problems we attribute it to potential problems, potential problems have existed before, today, and will continue in the future, even including so many contracts we operate, although many of them have passed a lot The audit of the company, but we are still worried that there are still many potential hidden dangers in it, but these hidden dangers have not been triggered due to immature conditions. Potential problems are the biggest challenge to the entire security industry and the entire blockchain industry, and it is also where we focus the most..

Tags：

SHIB