One feature of blockchain projects (especially public chains) is open source. By opening the source code, the credibility of the project can be improved and more people can participate. However, the openness of the source code also makes it easier for attackers to attack blockchain systems. There have been many hacker attacks in the past two years, and the anonymous coin edge (XVG) has been attacked again recently. The attacker locked a loophole in the XVG code, which allowed malicious miners to add false timestamps to blocks and then quickly dig out new blocks. In just a few hours, they obtained a digital currency worth nearly $65,438 +0.75 million. Although the attack was successfully stopped later, no one can guarantee that the attacker will attack again in the future.

Of course, blockchain developers can also take some measures.

One is to use professional code audit services,

The second is to understand the safety coding specification and prevent problems before they happen.

Security of cryptographic algorithm

With the development of quantum computer, it will bring great security threats to the cryptographic systems currently used. Blockchain mainly relies on elliptic curve public key encryption algorithm to generate digital signatures for secure transactions. At present, the most commonly used ones are ECDSA, RSA and DSA. Theoretically, it can't withstand quantum attacks, and there will be greater risks. More and more researchers begin to pay attention to cryptographic algorithms that can resist quantum attacks.

Of course, in addition to changing the algorithm, there is another way to improve certain security:

Refer to bitcoin's handling of public key addresses to reduce the potential risks caused by public key disclosure. As users, especially bitcoin users, the balance after each transaction is stored in a new address to ensure that the public key of the bitcoin fund storage address is not leaked.

* * * Safety of cognitive mechanism

At present, * * knowledge mechanisms include proof of work (PoW), proof of interest (PoS), proof of authorized interest (DPoS) and practical Byzantine fault tolerance (PBFT).

The ability faces 5 1% attack. Because PoW depends on computing power, when an attacker has the advantage of computing power, the probability of finding a new block will be greater than that of other nodes, and then he will be able to cancel the transaction that has already occurred. It should be noted that even in this case, the attacker can only modify his own affairs, but not those of other users (the attacker does not have the private key of other users).

In PoS, an attacker can only succeed if he holds more than 5 1% tokens, which is more difficult than the computing power of 5 1% in PoW.

In PBFT, when the number of malicious nodes is less than 1/3 of the total number of nodes, the system is secure. Generally speaking, any knowledge mechanism has its own conditions. As an attacker, you also need to consider that once the attack is successful, the value of the system will be zero. At this point, the attacker has not received other valuable returns except destruction.

For the designers of blockchain projects, it is necessary to clearly know the advantages and disadvantages of each * * * identification mechanism, so as to choose the appropriate * * * identification mechanism or design a new * * * identification mechanism according to the needs of the scene.

Security of Smart Contract

Smart contract has the advantages of low operating cost and low risk of human intervention, but if there are problems in the design of smart contract, it may bring greater losses. 2065438+June 2006, the most popular fundraising project in Ethereum was attacked, and hackers obtained more than 3.5 million Ethereum coins, which later led to the bifurcation of Ethereum into ETH and ETC.

The proposed measures are twofold:

The first is the security audit of smart contracts.

The second is to follow the principle of safe development of smart contracts.

The security development principles of smart contracts are: prepare for possible errors and ensure that the code can correctly handle bugs and vulnerabilities; Carefully issue smart contracts, do functional tests and safety tests, and fully consider the boundaries; Keep smart contracts simple; Pay attention to blockchain threat intelligence and check updates in time; Understand the characteristics of blockchain, such as carefully calling external contracts.

The Security of Digital Wallet

There are three main hidden dangers of digital wallet: first, design defects. At the end of 20 14, a subscriber lost hundreds of digital assets due to the serious random number problem (repeated R value). Second, the digital wallet contains malicious code. The third is the loss of assets caused by the loss or damage of computers and mobile phones.

There are four main countermeasures:

One is to ensure the randomness of the private key;

The second is to check the hash value before the software installation to ensure that the digital wallet software has not been tampered with;

The third is to use a cold wallet;

The fourth is to back up the private key.