Who is supervising the Ethereum public chain
Publish: 2021-05-22 13:28:02
1.
blockchain includes public blockchain, joint (instry) blockchain and private blockchain. Public chain point-to-point e-cash system: bitcoin, smart contract and decentralized application platform: Ethereum
blockchain is a new application mode of distributed data storage, point-to-point transmission, consensus mechanism, encryption algorithm and other computer technologies
blockchain is an important concept of bitcoin. In essence, it is a decentralized database. At the same time, as the underlying technology of bitcoin, it is a series of data blocks generated by using cryptographic methods. Each data block contains a batch of bitcoin network transaction information, Used to verify the validity of its information (anti-counterfeiting) and generate the next block
extended data
according to the different degree of blockchain network centralization, three kinds of blockchains under different application scenarios are differentiated:
1. The blockchain with the whole network open and without user authorization mechanism is called public chain
2. The authorized nodes are allowed to join the network, and the information can be viewed according to the authority. It is often used in the inter agency blockchain, which is called alliance chain or instry chain
3. All the nodes in the network are in the hands of one organization, which is called private chain
alliance chain and private chain are also called licensing chain, and public chain is called non licensing chain
blockchain features
1, decentralization. Blockchain technology does not rely on additional third-party management institutions or hardware facilities, and there is no central control. In addition to the self-contained blockchain itself, each node realizes information self verification, transmission and management through distributed accounting and storage. Decentralization is the most prominent and essential feature of blockchain
2. Openness. Blockchain technology is based on open source. In addition to the private information of all parties involved in the transaction is encrypted, the data of blockchain is open to everyone. Anyone can query blockchain data and develop related applications through the open interface, so the information of the whole system is highly transparent
3. Independence. Based on consensus specifications and Protocols (similar to various mathematical algorithms such as hash algorithm used by bitcoin), the whole blockchain system does not rely on other third parties, and all nodes can automatically and safely verify and exchange data in the system without any human intervention
4. Safety. As long as 51% of all data nodes cannot be controlled, the network data cannot be arbitrarily manipulated and modified, which makes the blockchain itself relatively safe and avoids subjective and artificial data changes
5. Anonymity. Unless there are legal requirements, technically speaking, the identity information of each block node does not need to be disclosed or verified, and the information can be transferred anonymously
2. The digital currency
issued based on Ethereum public chain should be observed according to the price trend of the platform.
issued based on Ethereum public chain should be observed according to the price trend of the platform.
3.
This is two different concepts. According to different standards, blockchain can be classified into three categories:
& # 8195&# 8195; 1) According to the network scope of blockchain, it can be divided into public chain, private chain and alliance chain
&# 8195; 2) According to the docking type of blockchain, it is divided into single chain, side chain and interconnection chain
&# 8195; 3) According to the display environment of blockchain deployment, it can be divided into main chain and test chain
the main chain can be understood as a formal online and independent blockchain network, while the public chain refers to a blockchain that can be read by anyone, can send transactions and can be effectively confirmed by anyone, and can participate in its consensus process
4. Migration process outline
as of today (October 19, 2018), AE token exists on Ethereum blockchain. In order to migrate them to the aeternity blockchain in a secure and verifiable way, the AE team designed a process in which the migration is divided into four stages. The final phase will end on September 2, 2019
after each stage, there will be a scheled hard fork of the aeternity blockchain, which will migrate tokens and introce improvements and new features
to ensure the transparency and verifiability of this migration process, users will be able to migrate using dedicated smart contract settings. There will be a tool that anyone can use to verify:
1. Generation of accounts contained in the origin block of aeternity blockchain and corresponding accounts of Ethereum
2. Scheled migration balance
Genesis block and scheled hard fork
phase 0 is the migration phase before mainnet starts. Its start date will be announced separately. Genesis block is the first block in the aeternity blockchain, which will include all tokens migrated by users in phase 0. Each of the following three phases, lasting about three months, will end with a scheled hard fork of the day and night blockchain. This means that after mainnet starts, there will be three scheled hard bifurcations. Each hard fork migrates tokens and adds or extends the functions of the aeternity blockchain, which can only be realized through hard fork. This also means that users can only receive their tokens on aeternitymainnet, one of which ends and the fork is complete. All scheled hard forks will include new features and improvements to the aeternity protocol such as governance systems or new virtual machines. A detailed timetable for the future will be announced in a separate announcement.
as of today (October 19, 2018), AE token exists on Ethereum blockchain. In order to migrate them to the aeternity blockchain in a secure and verifiable way, the AE team designed a process in which the migration is divided into four stages. The final phase will end on September 2, 2019
after each stage, there will be a scheled hard fork of the aeternity blockchain, which will migrate tokens and introce improvements and new features
to ensure the transparency and verifiability of this migration process, users will be able to migrate using dedicated smart contract settings. There will be a tool that anyone can use to verify:
1. Generation of accounts contained in the origin block of aeternity blockchain and corresponding accounts of Ethereum
2. Scheled migration balance
Genesis block and scheled hard fork
phase 0 is the migration phase before mainnet starts. Its start date will be announced separately. Genesis block is the first block in the aeternity blockchain, which will include all tokens migrated by users in phase 0. Each of the following three phases, lasting about three months, will end with a scheled hard fork of the day and night blockchain. This means that after mainnet starts, there will be three scheled hard bifurcations. Each hard fork migrates tokens and adds or extends the functions of the aeternity blockchain, which can only be realized through hard fork. This also means that users can only receive their tokens on aeternitymainnet, one of which ends and the fork is complete. All scheled hard forks will include new features and improvements to the aeternity protocol such as governance systems or new virtual machines. A detailed timetable for the future will be announced in a separate announcement.
5. Buy a lot of bitcoin and let it continue to buy high and sell low. If you can hold on, bitcoin may be short
as long as you can continuously spread the shortcomings of bitcoin and rece the number of people who hold bitcoin, it will basically affect the operation of the exchange. If bitcoin can't be traded, it will only have some academic research value
as long as you can continuously spread the shortcomings of bitcoin and rece the number of people who hold bitcoin, it will basically affect the operation of the exchange. If bitcoin can't be traded, it will only have some academic research value
6. Piaget believes that all children's psychology develops through various cognitive stages in a certain order. He divided children's psychological development into four stages:
① perceptual motor stage (from birth to 2 years old), in which infants only have "perceptual motor intelligence" and begin to coordinate the activities between perceptual perception and movement, without appearance and thinking; Infants began to be able to distinguish themselves and objects, and further understand the relationship between action and effect
in the pre operation stage (2-7 years old), the signal function of representation and language appears, and children can use representation and language to describe the external world, which greatly expands children's ability of intelligent activities. However, at this stage, there is no "conservation" and "reversibility", and egocentrism is more prominent< (3) at the stage of concrete operation (7-12 years old), children have concrete operation ability, and "conservation" and "reversibility" appear“ Operation is the core concept of Piaget's intelligence growth theory. The so-called operation refers to a special intelligence program that transforms information for a certain purpose, and it is reversible. But in this period, children's calculation can not leave the help of specific things or images< (4) in the stage of formal operation (12-15 years old), adolescents have the ability of formal operation, and their psychological level is close to that of alts. The so-called "formal operation" is to "liberate the form from the content". Thinking goes beyond the specific content of the perceived facts or things and develops towards the direction of things that are not directly perceived or in the future. For example, reasoning various propositions and solving problems according to hypotheses.
① perceptual motor stage (from birth to 2 years old), in which infants only have "perceptual motor intelligence" and begin to coordinate the activities between perceptual perception and movement, without appearance and thinking; Infants began to be able to distinguish themselves and objects, and further understand the relationship between action and effect
in the pre operation stage (2-7 years old), the signal function of representation and language appears, and children can use representation and language to describe the external world, which greatly expands children's ability of intelligent activities. However, at this stage, there is no "conservation" and "reversibility", and egocentrism is more prominent< (3) at the stage of concrete operation (7-12 years old), children have concrete operation ability, and "conservation" and "reversibility" appear“ Operation is the core concept of Piaget's intelligence growth theory. The so-called operation refers to a special intelligence program that transforms information for a certain purpose, and it is reversible. But in this period, children's calculation can not leave the help of specific things or images< (4) in the stage of formal operation (12-15 years old), adolescents have the ability of formal operation, and their psychological level is close to that of alts. The so-called "formal operation" is to "liberate the form from the content". Thinking goes beyond the specific content of the perceived facts or things and develops towards the direction of things that are not directly perceived or in the future. For example, reasoning various propositions and solving problems according to hypotheses.
7. This kind of virtual digital currency is very risky and unreliable. Even if you go to the stock exchange, you should not participate in it.
8. Public blockchain refers to the chain that users can participate anonymously without registration, and the blockchain that users can access without authorization. Any block of the public chain is open to the public, and anyone can read and send transactions, but can obtain effective confirmation of the consensus blockchain. In the public chain, any node can join or leave the network at any time without any permission
at present, public chain is regarded as the most promising development direction in the field of blockchain, because it is more in line with the nature of blockchain, and is also the underlying protocol of blockchain, and is the "operating system" of blockchain world
after the exploration of the first generation of public chain bitcoin and the second generation of public chain Ethereum, the third generation of public chain is focusing on solving the problems of system scalability, security and regulatory compatibility to carry large-scale commercial applications. At the same time, the third generation public chain still needs to retain the open and autonomous characteristics of blockchain
this is totally different from the architecture of the Internet. The value of the underlying protocol of the blockchain far exceeds that of the application layer. Therefore, the R & D and investment of the blockchain pay more attention to the underlying public chain technology. In addition, the underlying public chain will still be the focus of the blockchain instry at this stage, and the competition among public chains in terms of scalability, applicability, and application ecology construction will continue for a long time
the development of blockchain projects in recent years
according to the current development stage of blockchain, blockchain technology has gone through three stages. Blockchain 1.0 stage: the formation stage of blockchain concept. In this stage, as BTC first came into view and attracted people's attention to the blockchain technology behind it, the issue of digital currency at this stage makes the P2P transmission of basic value information and data a reality and opens the door to the blockchain world. However, this stage is limited to simple applications and has no practical value
blockchain 2.0 stage: the development stage of the underlying technology of blockchain in blockchain 2.0 stage, the underlying platform of blockchain, represented by eth, Neo, qtum and EOS, aims to upgrade and innovate consensus mechanism, smart contract, development components, transaction processing speed and development language, and assist with fragmentation, cross chain, side chain, digital identity Review and design technology innovation, trying to solve the problem of blockchain commercial application, but at present, many technology platforms are not perfect or in the development stage, there is still a distance from the real commercial stage
blockchain 3.0 stage: large scale application stage in blockchain 3.0 stage, with the maturity of blockchain technology, some platform projects will become the connector between the real world and the blockchain world, and can access other blockchain systems, forming a common blockchain technology platform and supporting large-scale transaction processing requirements, There will be more blockchain applications, and blockchain technology will really enter real life
as a public chain to help resource value network platform enable, sea will continuously iterate the incentive mechanism of resource value exchange network by mining the effective operation behavior of resource supply and resource consumption, and provide underlying technical support for other resource value exchange platforms. Guided by the theory of ecological planet, sea practices the concept of btcai, relies on abundant enterprise resources, and combines with its own major breakthrough in public chain technology to help traditional enterprises realize the chain reform, and truly achieve the combination of blockchain and entity enterprises.
at present, public chain is regarded as the most promising development direction in the field of blockchain, because it is more in line with the nature of blockchain, and is also the underlying protocol of blockchain, and is the "operating system" of blockchain world
after the exploration of the first generation of public chain bitcoin and the second generation of public chain Ethereum, the third generation of public chain is focusing on solving the problems of system scalability, security and regulatory compatibility to carry large-scale commercial applications. At the same time, the third generation public chain still needs to retain the open and autonomous characteristics of blockchain
this is totally different from the architecture of the Internet. The value of the underlying protocol of the blockchain far exceeds that of the application layer. Therefore, the R & D and investment of the blockchain pay more attention to the underlying public chain technology. In addition, the underlying public chain will still be the focus of the blockchain instry at this stage, and the competition among public chains in terms of scalability, applicability, and application ecology construction will continue for a long time
the development of blockchain projects in recent years
according to the current development stage of blockchain, blockchain technology has gone through three stages. Blockchain 1.0 stage: the formation stage of blockchain concept. In this stage, as BTC first came into view and attracted people's attention to the blockchain technology behind it, the issue of digital currency at this stage makes the P2P transmission of basic value information and data a reality and opens the door to the blockchain world. However, this stage is limited to simple applications and has no practical value
blockchain 2.0 stage: the development stage of the underlying technology of blockchain in blockchain 2.0 stage, the underlying platform of blockchain, represented by eth, Neo, qtum and EOS, aims to upgrade and innovate consensus mechanism, smart contract, development components, transaction processing speed and development language, and assist with fragmentation, cross chain, side chain, digital identity Review and design technology innovation, trying to solve the problem of blockchain commercial application, but at present, many technology platforms are not perfect or in the development stage, there is still a distance from the real commercial stage
blockchain 3.0 stage: large scale application stage in blockchain 3.0 stage, with the maturity of blockchain technology, some platform projects will become the connector between the real world and the blockchain world, and can access other blockchain systems, forming a common blockchain technology platform and supporting large-scale transaction processing requirements, There will be more blockchain applications, and blockchain technology will really enter real life
as a public chain to help resource value network platform enable, sea will continuously iterate the incentive mechanism of resource value exchange network by mining the effective operation behavior of resource supply and resource consumption, and provide underlying technical support for other resource value exchange platforms. Guided by the theory of ecological planet, sea practices the concept of btcai, relies on abundant enterprise resources, and combines with its own major breakthrough in public chain technology to help traditional enterprises realize the chain reform, and truly achieve the combination of blockchain and entity enterprises.
9. There is no doubt that Ethereum is still the absolute head of the public chain in the defi market, but it has passed the situation of Ethereum dominating alone, and the attack of coin an intelligent chain is still very fierce.
10. Public chain: refers to the blockchain that anyone in the world can access to the system at any time to read data, send confirmatory transactions and compete for bookkeeping. For example: bitcoin, Ethereum
private chain: refers to the blockchain whose write permission is controlled by an organization and institution, and the qualification of participating nodes will be strictly limited
alliance chain: refers to a blockchain with several institutions participating in the management. Each institution runs one or more nodes. The data only allows different institutions in the system to read, write and send transactions, and record transaction data together
alliance chain is a relatively new way to apply blockchain technology to enterprises. The public chain is open to all, while the private chain usually only provides services for one enterprise. The alliance chain has more restrictions than the public chain, and usually provides services for the cooperation among multiple enterprises
the difference between alliance chain and public chain is that it requires prior permission. Therefore, not everyone with an Internet connection can access the alliance blockchain. Alliance chain can also be described as semi decentralized. The control of alliance chain is not granted to a single entity, but to multiple organizations or indivials
for alliance chain, consensus process may be different from public chain. The consensus participants of the alliance chain may be a group of pre approved nodes on the network, rather than anyone can participate in the process. Alliance chain allows more control over the network
when it comes to the advantages of alliance chain:
first of all, alliance chain is completely controlled by a specific group, but it is not monopoly. When each member agrees, this control can establish its own rules
secondly, it has greater privacy, because the information used to verify the block will not be disclosed to the public, and only alliance members can process the information. It creates greater trust and confidence for platform customers
finally, compared with the public blockchain, the alliance chain has no transaction costs and is more flexible. A large number of verifiers in public blockchain lead to the trouble of synchronization and mutual protocol. Usually this divergence will lead to bifurcation, but the alliance chain will not
alliance chain technology can be used to optimize the business process of most traditional information systems, especially for business scenarios without strong center, multi-party cooperation and controllable risk. The shared ledger mechanism of alliance chain can greatly rece the reconciliation cost, improve the efficiency of data acquisition, increase the fault tolerance, consolidate the trust foundation, and avoid malicious fraud
with the continuous development of blockchain technology, more and more institutions and enterprises begin to increase the research and application of blockchain. Compared with the public chain, the alliance chain has better landing, and has been supported by many enterprises and the government
alliance chain can be understood as a kind of distributed ledger established by internal institutions to meet the needs of specific instries. This account book is open and transparent to internal institutions. However, if there are relevant business needs and the data of this account book is modified, it is still necessary to join the smart contract
smart contract is a kind of computer protocol which aims to disseminate, verify or execute contracts in an information way. Smart contracts allow trusted transactions without a third party, which are traceable and irreversible
generally speaking, the current mainstream architecture of alliance chain intelligent contract is: system contract + business contract
system contract: the configuration is completed before the node is started. It is generally used for system management (such as bcos precompiled contract (permission management, naming management, etc.), and it is written by the project side, with high security
Business Contract: it is written according to the actual business and needs to be deployed. It is similar to the public chain smart contract. It is written by the general internal organization participants and needs to comply with certain requirements. The security is general< However, there are still security risks in the following aspects:
(1) code language security features
one is to continue to use the main stream public chain programming language and improve on it (such as: the solidness used by bcos), The other is to specify the corresponding smart contract mole (such as fabric's go / Java / node. JS) based on the general programming language. No matter what language is used to program the smart contract, there are security problems in its corresponding language and related contract standards< (2) integer overflow caused by contract execution: no matter which virtual machine is used to execute the contract, all kinds of integer types have corresponding storage width. When trying to save data beyond this range, the signed number will overflow
stack overflow: when there are too many method parameters and local variables defined and the bytes are too large, the program may have errors
denial of service attack: it mainly involves the alliance chain that consumes resources to execute the contract, and the corresponding transaction cannot be completed e to the exhaustion of resources
(3) contract security problems caused by system mechanism
here mainly refers to the alliance chain of Multi Chain Architecture:
if the generation of contract variables depends on uncertain factors (such as the time stamp of this node) or a variable that is not persistent in the ledger, the transaction verification may fail because the reading and writing sets of the variable of each node are different
global variables are not stored in the database, but in a single node. Therefore, if this kind of node fails or restarts, it may cause the global variable value to be no longer consistent with other nodes, and affect node transactions. Therefore, data read, written or returned from the database should not depend on global state variables
when calling the contract of the external chain in the multi chain structure, only the return result of the called chain code function may be obtained, and no transaction will be submitted in any form in the external channel
when a contract accesses external resources, it may expose unexpected security risks of the contract and affect the chain code business logic
(4) business security issues
the smart contract of alliance chain is to complete a business requirement and execute a business, so there may still be security risks in business logic and business implementation, such as function permission mismatch, unreasonable input parameters, and improper exception handling
our suggestions on alliance chain security are as follows:
(1) simplify the design of smart contract to achieve the balance between function and security
(2) strictly implement smart contract code audit (self-evaluation / project team review / tripartite audit)
(3) strengthen the security training for smart contract developers
(4) implement the application of blockchain, It needs to be promoted step by step, from simple to complex. In this process, we should constantly comb the contract and platform related functions / security attributes
(5) consider the idea of devsecops (development + Security + operations)
chain platform security includes: transaction security, consensus security, account security, compliance, RPC security, endpoint security, P2P security, etc
hackers attack alliance chain by means of internal threats, DNS attacks, MSP attacks, 51% attacks, etc
take MSP attack as an example: MSP is the abbreviation of membership service provider in fabric alliance chain. It is a component that provides an abstract member operation framework. MSP abstracts all cryptographic mechanisms and protocols behind the issuance and verification of certificates and user authentication. An MSP can define its own identity, as well as identity management (authentication) and authentication (generation and verification of signatures) rules< Generally speaking, attacks against MSP may exist in the following aspects:
(1) internal threats: a) the current version of MSP allows single certificate control, that is, if an insider holds a certificate that can manage MSP, he can configure the fabric network, such as adding or revoking access rights, Adding identity to CRL (essentially blacklisted identity), too centralized management may lead to security risks. b) If there are sensors and other Internet of things devices connected to the alliance chain, it may spread false information to the chain, and because the sensor itself may not support perfect security protection, it may lead to further attacks
(2) private key leakage, the certificate file of node or sensor is generally stored locally, which may lead to private key leakage, and then lead to witch attack, man in the cloud attack, etc.
(3) DNS attack: when creating a new participant's identity and adding it to MSP, DNS attack may occur in any case. The process of creating certificates to blockchain members may be attacked in many places, such as man in the middle attack, cache poisoning, DDoS. An attacker can convert a simple DNS query into a larger payload, causing DDoS attacks. Similar to Ca attacks, this attack results in certificate tampering and / or theft, such as the permissions and access rights that some blockchain members will have. Sensor networks are particularly vulnerable to DDoS attacks. Smart city is not only faced with the weakness of sensor networks against DDoS attacks, but also the challenge of blockchain system< (4) Ca attack: digital certificate and identity are very important to the operation of MSP. Hyperledger fabric allows users to choose how to run a certification authority and generate encrypted materials. Options include fabric Ca, process built by hyperledger fabric, cryptogen contributors, and own / third party ca. The implementation of these CAS has its own defects. Cryptogen generates all the private keys in a centralized location, which are then fully and securely copied by the user to the appropriate host and container. This facilitates private key disclosure attacks by providing all private keys in one place. In addition to the weakness of the implementation, the whole MSP and the membership of the blockchain run on the Ca, and have the ability to trust that the certificate is valid, and the certificate owner is what they call the identity. If the attack on well-known third-party CA is executed successfully, the security of MSP may be damaged, resulting in forged identity. Another weakness of Ca in hyperledger fabric is how they are implemented in MSP. MSP needs at least one root Ca, and can support as root Ca and intermediate CA as needed. If the root CA certificate is attacked, all certificates issued by the root certificate will be affected
Cheng chain security has launched the alliance chain security solution. With the development of alliance chain ecology, in 2020, Cheng chain security has cooperated with multi provincial network information office to conct multi-level security audit on the alliance chain system of local government, enterprises and institutions from the bottom of the chain to the application layer, and found the loopholes and weaknesses of the alliance chain system with multiple scenarios, multiple applications and multiple forms and its supporting systems
in addition, Cheng Lianan has cooperated with ant blockchain to join the open alliance chain as the first batch of nodes selected by ant blockchain. We will give full play to security technology, service and market
private chain: refers to the blockchain whose write permission is controlled by an organization and institution, and the qualification of participating nodes will be strictly limited
alliance chain: refers to a blockchain with several institutions participating in the management. Each institution runs one or more nodes. The data only allows different institutions in the system to read, write and send transactions, and record transaction data together
alliance chain is a relatively new way to apply blockchain technology to enterprises. The public chain is open to all, while the private chain usually only provides services for one enterprise. The alliance chain has more restrictions than the public chain, and usually provides services for the cooperation among multiple enterprises
the difference between alliance chain and public chain is that it requires prior permission. Therefore, not everyone with an Internet connection can access the alliance blockchain. Alliance chain can also be described as semi decentralized. The control of alliance chain is not granted to a single entity, but to multiple organizations or indivials
for alliance chain, consensus process may be different from public chain. The consensus participants of the alliance chain may be a group of pre approved nodes on the network, rather than anyone can participate in the process. Alliance chain allows more control over the network
when it comes to the advantages of alliance chain:
first of all, alliance chain is completely controlled by a specific group, but it is not monopoly. When each member agrees, this control can establish its own rules
secondly, it has greater privacy, because the information used to verify the block will not be disclosed to the public, and only alliance members can process the information. It creates greater trust and confidence for platform customers
finally, compared with the public blockchain, the alliance chain has no transaction costs and is more flexible. A large number of verifiers in public blockchain lead to the trouble of synchronization and mutual protocol. Usually this divergence will lead to bifurcation, but the alliance chain will not
alliance chain technology can be used to optimize the business process of most traditional information systems, especially for business scenarios without strong center, multi-party cooperation and controllable risk. The shared ledger mechanism of alliance chain can greatly rece the reconciliation cost, improve the efficiency of data acquisition, increase the fault tolerance, consolidate the trust foundation, and avoid malicious fraud
with the continuous development of blockchain technology, more and more institutions and enterprises begin to increase the research and application of blockchain. Compared with the public chain, the alliance chain has better landing, and has been supported by many enterprises and the government
alliance chain can be understood as a kind of distributed ledger established by internal institutions to meet the needs of specific instries. This account book is open and transparent to internal institutions. However, if there are relevant business needs and the data of this account book is modified, it is still necessary to join the smart contract
smart contract is a kind of computer protocol which aims to disseminate, verify or execute contracts in an information way. Smart contracts allow trusted transactions without a third party, which are traceable and irreversible
generally speaking, the current mainstream architecture of alliance chain intelligent contract is: system contract + business contract
system contract: the configuration is completed before the node is started. It is generally used for system management (such as bcos precompiled contract (permission management, naming management, etc.), and it is written by the project side, with high security
Business Contract: it is written according to the actual business and needs to be deployed. It is similar to the public chain smart contract. It is written by the general internal organization participants and needs to comply with certain requirements. The security is general< However, there are still security risks in the following aspects:
(1) code language security features
one is to continue to use the main stream public chain programming language and improve on it (such as: the solidness used by bcos), The other is to specify the corresponding smart contract mole (such as fabric's go / Java / node. JS) based on the general programming language. No matter what language is used to program the smart contract, there are security problems in its corresponding language and related contract standards< (2) integer overflow caused by contract execution: no matter which virtual machine is used to execute the contract, all kinds of integer types have corresponding storage width. When trying to save data beyond this range, the signed number will overflow
stack overflow: when there are too many method parameters and local variables defined and the bytes are too large, the program may have errors
denial of service attack: it mainly involves the alliance chain that consumes resources to execute the contract, and the corresponding transaction cannot be completed e to the exhaustion of resources
(3) contract security problems caused by system mechanism
here mainly refers to the alliance chain of Multi Chain Architecture:
if the generation of contract variables depends on uncertain factors (such as the time stamp of this node) or a variable that is not persistent in the ledger, the transaction verification may fail because the reading and writing sets of the variable of each node are different
global variables are not stored in the database, but in a single node. Therefore, if this kind of node fails or restarts, it may cause the global variable value to be no longer consistent with other nodes, and affect node transactions. Therefore, data read, written or returned from the database should not depend on global state variables
when calling the contract of the external chain in the multi chain structure, only the return result of the called chain code function may be obtained, and no transaction will be submitted in any form in the external channel
when a contract accesses external resources, it may expose unexpected security risks of the contract and affect the chain code business logic
(4) business security issues
the smart contract of alliance chain is to complete a business requirement and execute a business, so there may still be security risks in business logic and business implementation, such as function permission mismatch, unreasonable input parameters, and improper exception handling
our suggestions on alliance chain security are as follows:
(1) simplify the design of smart contract to achieve the balance between function and security
(2) strictly implement smart contract code audit (self-evaluation / project team review / tripartite audit)
(3) strengthen the security training for smart contract developers
(4) implement the application of blockchain, It needs to be promoted step by step, from simple to complex. In this process, we should constantly comb the contract and platform related functions / security attributes
(5) consider the idea of devsecops (development + Security + operations)
chain platform security includes: transaction security, consensus security, account security, compliance, RPC security, endpoint security, P2P security, etc
hackers attack alliance chain by means of internal threats, DNS attacks, MSP attacks, 51% attacks, etc
take MSP attack as an example: MSP is the abbreviation of membership service provider in fabric alliance chain. It is a component that provides an abstract member operation framework. MSP abstracts all cryptographic mechanisms and protocols behind the issuance and verification of certificates and user authentication. An MSP can define its own identity, as well as identity management (authentication) and authentication (generation and verification of signatures) rules< Generally speaking, attacks against MSP may exist in the following aspects:
(1) internal threats: a) the current version of MSP allows single certificate control, that is, if an insider holds a certificate that can manage MSP, he can configure the fabric network, such as adding or revoking access rights, Adding identity to CRL (essentially blacklisted identity), too centralized management may lead to security risks. b) If there are sensors and other Internet of things devices connected to the alliance chain, it may spread false information to the chain, and because the sensor itself may not support perfect security protection, it may lead to further attacks
(2) private key leakage, the certificate file of node or sensor is generally stored locally, which may lead to private key leakage, and then lead to witch attack, man in the cloud attack, etc.
(3) DNS attack: when creating a new participant's identity and adding it to MSP, DNS attack may occur in any case. The process of creating certificates to blockchain members may be attacked in many places, such as man in the middle attack, cache poisoning, DDoS. An attacker can convert a simple DNS query into a larger payload, causing DDoS attacks. Similar to Ca attacks, this attack results in certificate tampering and / or theft, such as the permissions and access rights that some blockchain members will have. Sensor networks are particularly vulnerable to DDoS attacks. Smart city is not only faced with the weakness of sensor networks against DDoS attacks, but also the challenge of blockchain system< (4) Ca attack: digital certificate and identity are very important to the operation of MSP. Hyperledger fabric allows users to choose how to run a certification authority and generate encrypted materials. Options include fabric Ca, process built by hyperledger fabric, cryptogen contributors, and own / third party ca. The implementation of these CAS has its own defects. Cryptogen generates all the private keys in a centralized location, which are then fully and securely copied by the user to the appropriate host and container. This facilitates private key disclosure attacks by providing all private keys in one place. In addition to the weakness of the implementation, the whole MSP and the membership of the blockchain run on the Ca, and have the ability to trust that the certificate is valid, and the certificate owner is what they call the identity. If the attack on well-known third-party CA is executed successfully, the security of MSP may be damaged, resulting in forged identity. Another weakness of Ca in hyperledger fabric is how they are implemented in MSP. MSP needs at least one root Ca, and can support as root Ca and intermediate CA as needed. If the root CA certificate is attacked, all certificates issued by the root certificate will be affected
Cheng chain security has launched the alliance chain security solution. With the development of alliance chain ecology, in 2020, Cheng chain security has cooperated with multi provincial network information office to conct multi-level security audit on the alliance chain system of local government, enterprises and institutions from the bottom of the chain to the application layer, and found the loopholes and weaknesses of the alliance chain system with multiple scenarios, multiple applications and multiple forms and its supporting systems
in addition, Cheng Lianan has cooperated with ant blockchain to join the open alliance chain as the first batch of nodes selected by ant blockchain. We will give full play to security technology, service and market
Hot content