How Code Audit can Leave Hackers with Nowhere to Hack
In the past few months, DeFi projects have sprung up one after another, making the headlines in turns and becoming the focal point of Internet financial technology. In terms of the DeFi ecosystem, the market for protocol (application) products such as liquidity mining, decentralized exchanges, and credit lending has been very hot, drawing investors in droves. However. Behind the investment craze, however, DeFi security incidents have been on the rise. Under hackers’ crazy attacks on vulnerabilities in various parts of the contracts, many DeFi projects and platforms suffered huge losses.
DeFi security incidents are on the rise
Harvest Finance P2P attack: On October 26, 2020, Harvest Finance was attacked by hackers who took advantage of its existing vulnerabilities to make the platform’s native token FARM plummet by 65% in less than an hour, causing about $24 million in losses. In this incident, the hackers exploited the vulnerability that Harvest Finance’s fToken (fUSDC, fUSDT…) used the quotation in the Curve y pool when minting tokens (that is, use Curve as the source of price feed). In this way, hackers controlled the amount of fToken minted in Harvest Finance through huge exchanges and manipulate external prices, thereby stealing a large amount of funds.
51% attack: In May 2018, the Bitcoin Gold development team announced that hackers controlled a large proportion of the computing power of the BTG network, thus launching a “51% double-spend attack” against the exchange. The attackers stole more than 388,200 BTG from the exchange, worth about $18.6 million. The logic of the “51% attack” is that the digital currency uses a distributed accounting mechanism. Taking Bitcoin as an example, the Bitcoin network is a decentralized distributed ledger, and each account needs to be confirmed by a “referendum”. When the attacker has more than 50% of the computing power of the entire network, he has the right to manipulate and tamper with the Bitcoin network. Once the attacker succeeds in manipulating the network, he can modify his transaction records and make double payments.
The DAO incident: DAO is a crowdfunded project initiated by blockchain company Slock.it. On June 17, 2017, hackers used a loophole in a splitDAO function in the smart contract written by DAO to continuously separate the DAO assets from the DAO project’s asset pool and transfer them to the sub-DAO established by the hacker himself, thereby stealing 3.6 million ETH. Following this incident, the price of ETH plummeted by about 30% the next day.
A powerful weapon for risk aversion: security audit
Recent DeFi security incidents have been a wake-up call for blockchain projects. With the rapid development of BTC, ETH, EOS and other blockchain projects, we are now in the era of smart contracts, but the correctness and security of smart contracts are facing huge problems. Smart contracts solved the issue of making the code public and ensuring its security. However, the openness of the code makes it easier for hackers to discover the defects of the code, and then use the code defect trigger conditions to change the execution result of the smart contract, which poses huge economic risks to blockchain projects. Therefore, the absolute reliability of the source code is necessary to ensure the security of any project.
Since blockchain is built on code and the code is written by people, the blockchain will inevitably have some problems, namely code vulnerabilities. If there are code loopholes on the blockchain, it will have serious consequences once they are discovered by hackers. For programmers, it is too difficult to write bug-free code. Even if all possible preventive measures are taken, there will always be unexpected execution paths or possible loopholes in complex softwares.
Therefore, as a preventive measure for possible risks, overall security audit is a rigid indicator to ensure project security. Security audit uses automated tools or manual reviews to check and analyze the program source code line by line in order to find security vulnerabilities caused by source code defects, and provide measures and suggestions about code revision.
Then, through code audit, the defects in the code layer are repaired in time, thereby greatly improving the overall security of the system and avoiding huge economic losses.
aelf puts security at the forefront of blockchain
The blockchain itself is a very responsible systematic project, involving smart contracts, node programs, communication protocols, and consensus algorithms. Problems in any aspect may have a huge impact. As an open source project, aelf always keeps network security at the forefront of the blockchain. To ensure the security of aelf’s public testnet code and the successful launch of the mainnet, the “aelf Public Testnet Code Audit Bounty Program“ was officially launched on October 22, 2020, inviting global security research teams and developers to build and maintain the underlying security of the aelf blockchain.
This security audit, on the one hand, is aimed to improve the security of the code. After all, offense and defense are two sides of the same coin, which are both needed to ensure strong security for the upcoming mainnet launch; on the other hand, it can help improve the technical strength of the aelf team. Improvement and iteration can give people better big data solutions. It is worth mentioning that aelf will make long-term security investment and educate developers and other personnels about security to ensure the security of aelf’s code and the effectiveness of its functions.
aelf Enterprise 1.0.0 RC 1 version has been officially released, which has realized all the functions required for the mainnet launch, and it has been running stably. When the code audit is completed and the vulnerabilities are fixed, this version will be used to officially launch the mainnet, providing users with a secure, efficient and reliable blockchain network.
Blockchain is gradually becoming the future development trend of the Internet. Its essence is to promote social development, but the open source feature will inevitably bring many security challenges. However, it should not become an obstacle and stumbling block to the development of blockchain technology. As an important player in the blockchain ecosystem, aelf will provide users with a secure and reliable blockchain infrastructure through continued technological development while ensuring code security.
— Join the Community:
· Get on our Telegram Discord Slack and Kakao channel
· Follow us on Twitter Reddit and Facebook
· Read weekly articles on the aelf blog
· Catch up with the develop progress on Github
· Telegram community in 한국, 日本 語, русский, العربية, Deutsch, Italiano and Tiếng Việt
· Instagram: aelfblockchain
· YouTube Channel: aelf
For more information, visit aelf.io
