Q&A | Trias Security Expert Talks About Blockchain Security Problems
Throughout 2018, security incidents occurred frequently in the blockchain industry. Exchanges, wallets, contracts and public blockchain projects all faced severe security challenges.
Some people said that, as the blockchain bear market approached, a shortage of funds would weaken security protection capabilities, and that blockchain security would cool off and no longer attract such wide attention.
However, judging from all the relevant data, various blockchain-related threats such as blockchain security incidents, ransomware and mining Trojans still exist.
To counter these threats, Trias security experts said that raising security awareness should be a consensus of the industry, and that only this can promote the sound development of the whole blockchain industry.
To better understand some typical security incidents that occurred last year, we invited a security expert from Trias to explain them and share his own views on some issues in the industry.
Q1: Some time ago, Ethereum Classic (ETC) suffered majority attacks, and many people said online that it would be a micro-ecological nightmare for all POW chains. What is your opinion on it?
POW, in essence, selects a lucky node from among all the clusters that provide hashrate resources. Because the POW algorithm has no final transaction confirmation state (i.e. confirmed transactions can later be overturned by a subsequent longest chain), if the total hashrate of the POW algorithm is too low, the POW algorithm will be easily attacked. The whole blockchain can be hijacked through methods such as leased hashrate, and thus the security of the blockchain system will be severely affected.
In my opinion, the root cause of the above problems is the mechanism problem of the POW consensus algorithm. If the total hashrate of a blockchain system is not high, it would be better to use algorithms such as PoS, DPoS and PBFT rather than POW consensus.
Q2: From the perspective of account security, there are some severe potential security hazards in secret keys. The root cause of the problem is that some secret key generating tools allow users to adopt weak mnemonic word combinations.
Last year, some EOS accounts suffered rainbow table attacks, because some EOS wallets adopted weaker mnemonic word combinations. Then what is the rainbow table attack? Do you have any good advice on the generation, use, and protection of private keys?
The so-called rainbow table attack pre-generates the corresponding public and private keys by traversing all the common mnemonic word combinations in advance, and then looks on the network for accounts that collide with a rainbow table record. Once an account collides with a rainbow table record, it means that the attacker has got the private key that controls the corresponding account, and the account's security is under threat.
It would be best to use a random character string to generate users’ private keys. If a user is allowed to define the key by inputting characters, the user must input sufficiently complex mnemonic words. The use of private keys must follow the principle of local key use. Private keys should not be transferred over the network. Private keys should be encrypted and saved locally, and they should be saved and used offline according to the requirements.
Q3: We have just talked about account security problems. Then how does Trias protect the privacy of user transactions?
Trias has adopted a secret address method to deal with the addresses of the sender and receiver, so that the address information of the two transaction parties is hidden.
Trias encrypts the transaction amounts by using a zero-knowledge proof method.
In a Trias transaction that uses hidden addresses and the zero-knowledge proof, miners can only verify and record the executed transactions, and they cannot obtain any other effective information.
Q4: You said above that the threat to smart contract security is serious at present. We all know that it was shown in 2018 that an integer overflow vulnerability similar to the one in the BEC token contract might exist in EOS. Could you tell us what the integer overflow vulnerability is and what consequences it may bring?
In the currently ubiquitous smart contracts, all values are calculated and stored within the range of unsigned integers. If a provided numeric input or a calculation result exceeds the defined number of bytes (that is, the value exceeds the range that can be normally expressed), a value overflow may occur and result in zeroing or in an extra-large number.
Once a case like this occurs in a contract, it is very likely to affect the processing logic and value states in the contract and to trigger verification security problems.
Value overflow and underflow problems are typical smart contract security vulnerabilities. Therefore, I suggest that you use a safe value calculation library as much as possible when you develop smart contracts related to value calculation, and conduct a complete lifecycle-type compliance inspection, to easily and effectively avoid problems of this kind.
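The "zeroing" and "extra-large number" outcomes described in this answer, and the effect of a safe calculation routine, can be reproduced with a small model. This is an added example, not code from the interview or from any real contract: it simulates 256-bit unsigned arithmetic in Python, and the batch_transfer function, account names and amounts are constructed for illustration.

```python
UINT256_MAX = 2**256 - 1

def wrapping_mul(a: int, b: int) -> int:
    """Unchecked 256-bit unsigned multiply: bits above 2**256 are dropped."""
    return (a * b) & UINT256_MAX

def wrapping_sub(a: int, b: int) -> int:
    """Unchecked 256-bit unsigned subtract: going below zero wraps around."""
    return (a - b) & UINT256_MAX

def checked_mul(a: int, b: int) -> int:
    """Safe-math style multiply: reject a product that does not fit."""
    if a * b > UINT256_MAX:
        raise OverflowError("uint256 multiplication overflow")
    return a * b

def batch_transfer(balances, sender, recipients, value, mul):
    """Debit `sender` by len(recipients) * value, then credit each recipient.
    `mul` selects the arithmetic used to compute the total (hypothetical API)."""
    total = mul(len(recipients), value)
    if balances.get(sender, 0) < total:      # the only guard, and it trusts `total`
        raise ValueError("insufficient balance")
    balances[sender] = balances.get(sender, 0) - total
    for r in recipients:
        credited = balances.get(r, 0) + value
        if credited > UINT256_MAX:
            raise OverflowError("uint256 addition overflow")
        balances[r] = credited
    return total

def run_case(mul):
    """Constructed case: sender owns nothing, sends 2**255 to two recipients."""
    balances = {"sender": 0}
    try:
        batch_transfer(balances, "sender", ["a", "b"], 2**255, mul)
    except (OverflowError, ValueError) as exc:
        return f"rejected: {exc}", balances
    return "accepted", balances

if __name__ == "__main__":
    print(run_case(wrapping_mul))   # total wraps to 0, so the balance check passes
    print(run_case(checked_mul))    # overflow caught before any state changes
    print(hex(wrapping_sub(0, 1)))  # underflow yields the largest uint256
```

With unchecked multiplication the total wraps to zero, the balance check is satisfied by an empty account, and both recipients are credited; with the checked multiply the same request is refused and no balance changes.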
Q5: If we divide blockchain security into four grades: very safe, safe, worrisome and hazardous, what grade do you think the current blockchain industry belongs to?
From my personal point of view, I think the current blockchain security is in the worrisome grade.
At present, the whole blockchain industry is in a booming stage. The direction to which the participants from various fields pay close attention is the production implementation of the blockchain system. As for security, except for the work done by the top companies of the industry, the work done by the other parties, especially the work on smart contract security, is worrisome. Because the overall security awareness of the developers is not sufficient, the security threat in this aspect is the most severe at present.
However, that is only the current situation. I believe that the security level of the whole industry can be effectively enhanced through the efforts of all the participants such as strengthening the security awareness of blockchain and contract developers and giving full play to the public test and evaluation roles of communities and the roles of professional blockchain security enterprises.