First release | What is the probability of encountering a vulnerable DeFi contract? What is the probability of being attacked after the audit?

The editor who is in the United States with 100,000 confirmed cases of the new crown has to go out by plane due to hard core reasons. Before the trip, I was always worried about whether I would be infected, but on the way, I was bluffed by the turbulence of the plane encountering violent airflow.

Although I silently comforted myself that the probability of an air crash is very low, and the probability of contracting new coronary pneumonia is not so high, I still remembered four words: "Murphy's Law"

Under the trend of modern technology development, the assets locked in the blockchain field are becoming larger and larger. With the development of the blockchain, the crisis hidden behind the computer is increasingly showing its ferocious face.

In the smart contract, any small bug may cause irreparable losses to the project or investors.

Under this warning, the CertiK security team used the CertiK Skynet system  (Skynet) to monitor and analyze the token smart contracts newly added to Uniswap from 00:00 to 24:00 on December 4, 2020, Beijing time .

During the time period of this analysis, a total of 29 smart contract token projects were generated.

After Skynet analysis by CertiK, a total of 16 smart contracts were found to have loopholes or defects!

About 55% of the smart contract projects have more or less loopholes or defects, of which about 10% have serious loopholes, and 45% have defects such as excessive authority of project owners and excessive authority centralization.

First release | Antminer S17 real machine map for the first time exposed with dual-tube fan and all-in-one design: Following the official announcement of spot sales on April 9, Bitmain’s upcoming new Antminer S17 has new developments. It is reported that the real machine map of the Antminer S17 was first exposed on the Internet today.

Judging from the exposed pictures, the Antminer S17 continues the double-barrel fan design of the previous generation product S15, and adopts the body design of an all-in-one machine. Some people in the industry believe that the double-barrel design can effectively shorten the wind range, the temperature difference between the inlet and outlet of the mining machine will be smaller, and the performance of the machine will be greatly improved.

Previously, the product manager of Bitmain said in an interview with the media that compared with the previous generation, the new product S17 has greatly improved in terms of energy efficiency ratio and computing power per unit volume. [2019/4/3]

The smart contract project name and contract address of this analysis are as follows:

The analysis results are as follows: 

First Release | Antminer S17 Performance Exposure Using new heat dissipation technology and global optimization customization scheme: Jinjin Finance News, a few days ago, Bitmain’s upcoming Antminer S17 performance exposure. According to Moments, the product manager of Antminer S17, the new product will adopt a new generation of heat dissipation technology and global optimization and customization solutions. It is understood that the heat dissipation technology may refer to the packaging technology of the chip, or it may be the heat dissipation structure design of the machine. As for the "global optimization and customization" plan of the S17 product, no details were disclosed. There are voices commenting that this may be a preparation for the decisive battle of the wet season. [2019/3/22]

Although it is difficult to estimate the security situation of smart contracts in all time ranges based on one day's situation, it is possible to know the whole picture at a glance.

The following analysis focuses on three relatively important vulnerabilities:

Figure 1: burnFrom() function

In Figure 1, the burnFrom function is restricted by the ownerOnly modifier, and only project managers are allowed to execute this function. The internal logic implementation of this function allows any modification of _totalSupply and the _balances value of a given account indirectly by setting the values of account, balance and subtractValue.

Golden debut EOS super node election vote rate reached 6.49%: Golden Finance data broadcast, as of 15:50 on June 13th, Beijing time, EOS voter rate reached 6.49%. EOS Gravity Zone and EOS Canon, as two super node campaign teams from China, temporarily ranked fifth and sixth. Among them, the total number of votes for EOS Gravity Zone was 9.03 million, accounting for 2.96%; the total number of votes for EOS Canon was 8.77 million, accounting for 2.87%. EOSflytomars, which had sprung up before, temporarily ranked 17th, with a total of 6.3 million votes, accounting for 2.07%. Among the top 30 super node campaign teams, eight teams are from China. [2018/6/13]

Figure 2: The fallback function in the powerpoolttl contract

Figure 2 shows the fallback function of the powerpoolttl contract. When an external user calls the smart contract, if the call does not call any function in the contract, or only transfers tokens to the contract, the fallback function will be called. The logic on line 70 shows that when the fallback function is called, the tokens transferred to the contract during the call will be transferred directly to the address of teamAddress.

IMEOS debut EOS Go announces two new check-in conditions:According to Jinse Finance partner IMEOS report: Today, EOS Go announced two new check-in conditions on steemit:

1. Plan to ensure security: whether the candidate node publishes an article on steemit to introduce the node’s security method and plan. The “safety method” standard is an opportunity to show EOS voters the knowledge of security best practices and the organization’s implementation plan;

2. Position: Describe the position of the node to share inflation rewards and/or distribute dividends to EOS token holders (candidate nodes are published on steemit). The following two issues are mainly elaborated:

Will the organization provide payments to EOS token voters for any reason, including BP elections and community advice?

Does the organization have a written no-ticket payment policy? If so, please provide a link. [2018/4/27]

In this project, tokens can be transferred by executing the transferFrom() function. According to the definition of the transferFrom() function in Figure 3, line 211 needs to execute the getFee function to determine the fee to be deducted for each token transfer. From the definition of the getFee() function in Figure 3, we can see that the logic of determining the cost depends on the definition of the Management.getFee() function called in line 241. The logic definition of the current Management.getFee() function is changed according to the address value stored in the manager variable. The address value stored in the current manager variable is shown in Figure 6.

IMEOS’s first BM said that EOS contracts have integer overflow protection: According to IMEOS, a cooperative media of Jinse Finance, recently ETH has experienced multiple ERC20 smart contract processing overflow errors, and BM commented on Twitter: The new ETH contract bug may destroy the entire Token The supply of tokens allows holders to leave valueless Token. This is why the code cannot become law, and it immediately means that the EOS erc contract is not vulnerable to this attack. Some people in the EOS official group also expressed concern about whether EOS has integer overflow protection? BM Response: There are plenty of C++ template classes that encapsulate types and check for overflow. [2018/4/25]

However, the smart contract pointed to by the address value stored in the manager variable has not been authenticated on etherscan, so it is impossible to know the source code of the smart contract, and then it is impossible to know the definition of the Management.getFee() function.

Since the logic behind the Management.getFee() function cannot be known, the project owner may adjust the fee for each token transfer by manipulating the return value of the Management.getFee() function, and perform malicious operations.

Figure 3: transferFrom() function

Figure 4: getFee() function in the StandardToken contract 

Figure 5: Management smart contract interface and getFee function interface

Figure 6: The address value stored in the current manager variable

Figure 7: The smart contract pointed to by the address value stored in the current manager variable

Everyone knows one of the most well-known examples in 2020-after the DeFi project Yam was launched at 3:00 on August 12th, Beijing time, although the project’s blog post warned that no audit had been conducted on its contract, the crazy Yield farmers $76 million was deposited into the project in less than an hour.

As expected later, Yam lost hundreds of millions of dollars in just 36 hours because of a small loophole.

Security audits are now standard for high-quality DeFi projects. The current boom in DeFi projects continues unabated. In order to seize hot spots and opportunities, many projects have rushed online without rigorous testing and auditing.

In these projects, most of the vulnerabilities cannot be found by common testing methods and tools. Only by looking for professional audit experts to conduct rigorous mathematical model proofs can this vulnerability be discovered. Formal verification is currently the only software verification method proven to produce credible mathematical proofs.

Therefore, using blockchain detection tools based on formal verification methods to verify security vulnerabilities in projects should become a necessary step for every project before going to the chain.

Every single reason a project is attacked or loses assets is because of a very small code bug.

In the computer field, on average, there will be 1-25 bugs in every 1000 lines of code. In other words, this probability ranges from one in a thousand (0.1%) to two and a half percent (2.5%).

What about those projects that have undergone security audits and passed?

CertiK selected three security companies that disclose audit information for data statistics.

This time, a total of 377 audited projects (including repeated audit projects) of the three companies were counted.

Eight of these projects were hacked despite being audited at least once.

These 8 audited but attacked projects lost a total of 69 million US dollars.

According to the data of these three audit companies, the proportion of being hacked after the audit is calculated: 8/377 = 2.12%

The probability of a bug in the code and the probability that the project has passed the audit but is still attacked are roughly equal to 2%. Here is a simple example:

According to statistics from SquareTrade, in the United States, 5,761 mobile phone screens died in just one hour. Assuming that the average American has a mobile phone, and there is no habit of dropping the same mobile phone repeatedly. Then within 50 days, an American guy has a 2% chance of breaking the screen of his mobile phone.

But the service life of a mobile phone must be more than 50 days. What if it is used for a year? This probability has suddenly increased to 15%! After more than three and a half years of use, the probability exceeds 50%!

This confirms Murphy's Law above - the inevitability of small probability events: when the time base is long enough, bad things will always be your turn.

The odds of an air crash are one in five million (0.00002%).

In contrast, the probability of a code having a vulnerability and the probability of a project having passed an audit but still being attacked is a full 125,000 times that of an air crash!

If you are afraid of a plane crash when the plane is turbulent, you might as well use 100,000 times more worry to protect your project.

After such a comparison, do you still think that the project does not need additional protection?

Do it for the future, rule the chaos.

In addition to static auditing, dynamic security protection can better prevent attacks. The dynamic security tool developed by CertiK: quick scan - security oracle - CertiKShield, from early warning to real-time evaluation to insurance plan, can provide all-round security for project parties.

Tags：

TRX