Original title: The most complete summary of Ethereum security vulnerabilities to date, with recommendations
雷锋网 (Leiphone) AI Financial Review note: this article comes from the WeChat public account "众享比特", under the original title 《以太坊目前已知安全问题总结》 ("Summary of currently known Ethereum security issues"). Reprinted with authorization from 雷锋网.
(The full reprinted text follows, lightly edited by 雷锋网.)
Ethereum is an open-source public blockchain platform with smart contract functionality. Every user of the chain can see the smart contracts deployed on it, which means that every defect in those contracts, security vulnerabilities included, is visible as well. If a developer is careless or testing is inadequate and the contract code contains a vulnerability, it is very easy for an attacker to find and exploit it. The more powerful a smart contract's functionality, the more complex its logic, and the more likely it is to contain logical flaws. In addition, both the Solidity language itself and the design of a contract can contain vulnerabilities.
If blockchain had its own "315" (the 3·15 consumer-rights exposé), Ethereum would surely be on the list. Since it began running, Ethereum has repeatedly suffered major security incidents caused by vulnerabilities.
On June 17, 2016 (Beijing time), one of the gravest attacks in blockchain history took place. Because of a major flaw in an Ethereum smart contract, TheDAO, the largest crowdfunding project in the blockchain industry (holding roughly US$100 million in assets before the attack), was attacked, and more than 3 million ether were split away from TheDAO's asset pool.
On July 21, 2017, smart contract development company Parity warned of a vulnerability in its wallet software version 1.5 and later; data from Etherscan.io confirmed that 150,000 ether worth US$30 million had been stolen. On November 8, 2017, Ethereum's Parity wallet suffered another major bug: a multi-signature vulnerability was exploited by hackers, freezing funds worth hundreds of millions of dollars.
Ethereum's open-source software is written mainly by geeks in the community. The known vulnerability classes include Solidity vulnerabilities, the short address vulnerability, transaction-ordering dependence, timestamp dependence, and reentrancy attacks. These can be exploited when a contract is called, and because a smart contract is hard to update once deployed, the impact of a vulnerability is more widespread and longer-lasting.
According to survey statistics, the main Ethereum vulnerabilities are described in the following table:
These vulnerabilities are already widespread in the Ethereum network. On February 24, 2018, several researchers from Singapore and the United Kingdom pointed out that more than 34,000 Ethereum smart contracts may contain easily exploitable vulnerabilities, exposing millions of dollars' worth of ether to risk; 2,365 of those contracts belong to well-known projects.
Given that Ethereum has been running for less than three years, the vulnerabilities above may be only the tip of the iceberg. To ensure that business runs safely and reliably on the blockchain and to protect digital assets, anyone adopting Ethereum as a blockchain technology solution must test smart contract code thoroughly. When building smart contracts, the 众享比特 technical team offers the following security recommendations:
Limit the amount of ether stored in a smart contract. If there is a problem with the contract's source code, the compiler, or the platform, those funds may be lost.
Keep the functions in a smart contract as small and modular as possible. Source code quality must be guaranteed (for example by limiting the number of local variables and the length of functions), and comments should be as complete as possible, to ease future maintenance and improve the readability of the code.
Minimize gas consumption in transactions; where heavy computation is unavoidable, move it off-chain wherever possible.
Add a function to the smart contract that performs self-checks such as "has any ether leaked?". If a self-check fails, the contract should automatically switch to a "fail-safe" mode, for example disabling most of its functionality, handing control to a fixed and trusted third party, or turning itself into a simple "give me my money back" contract.
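The recommendations above carried into one contract, as an added example that is not code from the original article or from 众享比特: a deposit cap (limit stored ether), a self-check invariant ("has any ether leaked?"), a trusted guardian who can trip the switch, and a fail-safe mode in which only "give me my money back" still works. The contract name, the cap value, and the function names (healthy, selfCheck, enterFailSafe) are this example's own assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; not from the original article or from 众享比特.
// Assumed names: FailSafeVault, MAX_TOTAL_DEPOSITS, healthy, selfCheck, enterFailSafe.
contract FailSafeVault {
    address public immutable guardian;                       // fixed, trusted third party
    uint256 public constant MAX_TOTAL_DEPOSITS = 100 ether;  // cap on ether held by the contract
    mapping(address => uint256) public balances;
    uint256 public totalDeposits;                            // what the ledger says we owe
    bool public failSafe;                                    // set once, never cleared

    event FailSafeEntered(string reason);

    constructor(address guardian_) {
        require(guardian_ != address(0), "guardian required");
        guardian = guardian_;
    }

    modifier onlyGuardian() {
        require(msg.sender == guardian, "not guardian");
        _;
    }

    // The invariant behind "has any ether leaked?": the contract must hold at
    // least what it owes. A surplus is tolerated because ether can be forced
    // into a contract (e.g. via selfdestruct) without going through deposit().
    function healthy() public view returns (bool) {
        return !failSafe && address(this).balance >= totalDeposits;
    }

    // Anyone may run the self-check as its own transaction. It deliberately
    // does not revert: a failing require() inside deposit() would undo the
    // very flag we are trying to persist.
    function selfCheck() external returns (bool) {
        if (!healthy() && !failSafe) {
            failSafe = true;
            emit FailSafeEntered("balance below recorded deposits");
        }
        return !failSafe;
    }

    // The trusted party may also trip the switch on evidence the contract
    // itself cannot see (e.g. a compiler or platform bug).
    function enterFailSafe(string calldata reason) external onlyGuardian {
        failSafe = true;
        emit FailSafeEntered(reason);
    }

    // Normal operation: refused once the contract is unhealthy or the cap is hit.
    function deposit() external payable {
        require(healthy(), "contract is not healthy");
        require(totalDeposits + msg.value <= MAX_TOTAL_DEPOSITS, "deposit cap reached");
        balances[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    // Always available, and the only action left in fail-safe mode: "give me my
    // money back". Checks-effects-interactions order keeps it non-reentrant.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;
        totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The failSafe flag is intentionally one-way: once an invariant has broken there is no trustworthy state to return to, and the cap bounds how much is at stake if the self-check itself is wrong. If ether has genuinely leaked, the last withdrawals will revert for lack of balance; a pro-rata refund would be the next refinement, at the cost of more logic in exactly the function that must stay simple.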