DeFi is booming. This summer the whole industry seems to have thrown itself into this ecosystem, with innovation, "revolution" and projects rising and falling in quick succession. But beneath the bustle runs an undercurrent.
On April 18, 2020, a smart contract vulnerability in Uniswap was exploited to steal hundreds of thousands of dollars in assets; the next day, the same vulnerability was used against Lendf.me, and tens of millions of dollars in assets were taken by a programmer (not a hacker); and Yam, which was enormously popular, died within 36 hours of going live because of a smart contract flaw.
Security has become the sword of Damocles hanging over DeFi. Where there are pain points, there is a market. In this carnival, the "SlowMist stamp" has become a symbol of protection.
Recently, at the "Together for Entrepreneurs Conference" held in Xiamen, Jinse Finance interviewed Keywolf, a partner of SlowMist Technology, about DeFi security.
The following is the transcript of the interview.
Jinse Finance: What are the main steps in a SlowMist project audit? What is the ultimate criterion for whether a system is secure?
Qi Fu, partner of SlowMist Technology: For DeFi, we are more concerned with the security of assets, in simple terms the security of principal. How a user's income is calculated relates to the project's economic model, so we first look at whether the smart contract can overflow when calculating the user's income, which is a common problem in contracts. Secondly, we look at whether the project team has a back door, whether it is doing evil, and whether it is stealing user funds.
When we receive an audit request from a project, we first get to know the project through its official website, introduction and other materials. After the preliminary review passes, we evaluate the complexity of its smart contract code and move into the business process: quotation, scheduling and so on. Once that has been agreed, the audit starts.
If any problems are found during the audit, we immediately tell the other party and explain the fix. After the corrections are completed, we re-review and finally issue an audit report. At the same time, we now require the other party to open-source the code. Beyond ordinary security vulnerabilities, the audit should also focus on whether the code is consistent with the business logic design, and on the external risks introduced by composability, so as to identify weak points, raise the bar for attackers and improve overall security.
Because of the recognition SlowMist enjoys, people feel more at ease with projects SlowMist has audited, so now we try our best to guard against possible risks, including admin permissions and so on. It is now popular to use a timelock: before an admin action can take effect, 24 or 48 hours must pass, and once it is submitted on-chain everyone can see it. Everyone is paying attention to this aspect now, and we pay special attention to it too.
Jinse Finance: According to relevant statistics, there were about 8 DeFi-related security incidents in August. From a security perspective, what do you think of the development of DeFi?
Qi Fu, partner of SlowMist Technology: DeFi is a relatively new thing compared with public chains. In the course of its development there will certainly be risks and unknowns; after all, nobody has much experience with something new. From the perspective of DeFi security, it is understandable that such security issues arise while a new thing is developing.
Bitcoin and Ethereum also had security problems in their early days. Bitcoin once had a vulnerability that allowed extra coins to be issued, and Ethereum had the famous The DAO incident, after which ETC was forked.
Not everyone has rich experience at the beginning, including those who try to attack it; they do not discover attack methods very quickly either, but they also do their own research and make their own attempts. So in the early days there are certainly risks in following and participating, but we cannot deny a new direction because of these problems. The whole industry, or the DeFi direction, will definitely become more and more mature, and security companies, high-quality project teams and high-quality technical teams participating in it will raise the overall level.
The other way for everyone to avoid security issues is that the project team must have its own security awareness and try to set aside some budget to engage a security company, such as our SlowMist, to do the corresponding security audits, so that at least the attack methods known today can be guarded against.
Jinse Finance: Which projects are you optimistic about next?
Qi Fu, partner of SlowMist Technology: At this stage, mining should not last too long. Everyone is already familiar with this kind of gameplay. Without newer ways of playing, if everyone keeps doing this kind of liquidity mining, nobody will play it later on. From Ethereum to TRON to Binance Smart Chain, and on to other new public chains such as Ontology and NEO, these domestic public chains have all joined this track, but most of the gameplay is still the same. There is only so much money, and with so many projects coming out now it will either be spread evenly or shift around. In the end, if there are no new ways to play, everyone will grow tired of it and the annualized rate may get lower and lower.
Now many people are talking about another hot topic, NFTs. Everyone pays attention to NFTs because they can be traded now. In my view this is a direction, but there is still some distance to real adoption.
In this industry, hot spots are sometimes driven not by technology but by making money.
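Two of the audit points raised in the interview, overflow in the contract's income calculation and a timelock on admin actions, in a constructed Solidity example that is not SlowMist's or any project's code; the contract name, the 48-hour delay and the reward formula are assumptions for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Constructed example (not SlowMist's or any project's code): a minimal staking contract
// showing the two audit points from the interview: checked reward arithmetic, and a
// 48-hour timelock on the only admin lever so a change is visible before it takes effect.
contract TimelockedRewards {
    uint256 public constant DELAY = 48 hours;
    uint256 public constant SCALE = 1e18;
    address public immutable admin;
    uint256 public rewardRatePerSecond;  // reward per staked wei per second, scaled by SCALE
    // queued admin change and the earliest timestamp at which it may be applied (0 = none)
    uint256 public pendingRate;
    uint256 public pendingRateEta;

    mapping(address => uint256) public staked;
    mapping(address => uint256) public lastUpdate;
    mapping(address => uint256) public rewardOwed;  // settled but unclaimed reward

    constructor(uint256 initialRate) {
        admin = msg.sender;
        rewardRatePerSecond = initialRate;
    }

    function stake() external payable {
        rewardOwed[msg.sender] += pendingReward(msg.sender);  // settle before the balance changes
        staked[msg.sender] += msg.value;
        lastUpdate[msg.sender] = block.timestamp;
    }

    // Reward accrued since the user's last update. Every operator here is checked in 0.8.x:
    // an overflow in staked * rate * elapsed reverts instead of wrapping into a huge payout.
    function pendingReward(address user) public view returns (uint256) {
        uint256 elapsed = block.timestamp - lastUpdate[user];
        return staked[user] * rewardRatePerSecond * elapsed / SCALE;
    }

    // Timelock step 1: announce the change; it now sits on-chain for anyone to inspect.
    function queueRate(uint256 newRate) external {
        require(msg.sender == admin, "not admin");
        pendingRate = newRate;
        pendingRateEta = block.timestamp + DELAY;
    }

    // Timelock step 2: the announced value can only take effect once DELAY has elapsed.
    function applyRate() external {
        require(pendingRateEta != 0 && block.timestamp >= pendingRateEta, "timelock active");
        rewardRatePerSecond = pendingRate;
        pendingRateEta = 0;
    }
}
```

In a pre-0.8 compiler the same multiplication would wrap silently, which is the overflow class the interview refers to; the queued rate being public state is what lets users review an admin change before it applies.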