
Talking about: the importance of smart contract security audit

Push Time: 2020-12-08 16:41:08 Author:

In essence, a smart contract is a piece of code running on a blockchain network that carries out the business logic assigned to it by its user. Taking tokens on Ethereum as an example, the business logic is token issuance and transfer. From the outset, Ethereum designed smart contracts so that they cannot be modified once deployed, presumably to improve their credibility. But we also know that as long as programs are written by humans, errors and defects are bound to occur. If a smart contract has security vulnerabilities, an attacker can control all nodes in the blockchain network by issuing a "smart contract" containing malicious code, and deal a devastating blow to the project.

Destructive examples

In the well-known The DAO incident, for example, hackers took advantage of a simple recursive-call loophole and stole digital assets worth $200 million, which directly led to the death of the star project The DAO. In April 2018 there was another major hacker attack: the attacker used the BatchOverFlow vulnerability in an Ethereum ERC-20 smart contract to attack the BEC (Beauty Chain's token, "Bei Mi") smart contract and transferred an enormous volume of BEC tokens to two addresses. This triggered a market sell-off of BEC, reducing its value to almost zero that day and evaporating RMB 6.4 billion in an instant. Code audit and verification of smart contracts are therefore particularly important: only when security and enforceability have been fully reviewed can a smart contract play its intended role when executed.

A large number of smart contracts have security vulnerabilities

In the research paper "Finding The Greedy, Prodigal, and Suicidal Contracts at Scale", Associate Professor Ilya Sergey of the Department of Computer Science at University College London analyzed nearly 1 million smart contracts at 10 seconds per contract. Among them, 34,200 smart contracts were found to be vulnerable to hacker attack. They also sampled 3,759 of these contracts, and 3,686 of them had an 89% probability of containing loopholes. Some experts have also said that there are at least 20 kinds of vulnerabilities that may appear in current blockchain smart contracts. In view of this, the most practical approach is to conduct a comprehensive and in-depth code security audit of a smart contract before it goes online, to eliminate loopholes and reduce security risks as much as possible.

Purpose of contract audit

The purpose of a contract audit is mainly to check code conventions, common vulnerabilities, security vulnerabilities, business-logic vulnerabilities and so on. The most important goal is to reduce the chance that code defects stop the business from operating normally as expected; the second is to ensure the safety of funds; the third is to make the contract's "fairness, openness, justice and transparency" evident after deployment. At the same time it reduces the possibility of hacker attacks, and risk can be minimized before the product goes online. "There is no absolutely secure system" is a warning in the field of network security, and also the hackers' banter about security protection. Blockchain has financial attributes of its own, and in recent years hackers have targeted everything from exchanges down to wallets and DApp applications: they seize on loopholes in these platforms' code to carry out attacks and even blackmail. Once such a platform suffers a "stolen coins" incident, it is difficult to recover the assets. Code security audits are therefore particularly important.

Super Trister passed a third-party security audit

According to Super Trister's Twitter announcement, the TLC smart contract passed the security audit of Beosin (Chain Security Technology) on October 30th, and the contract audit result was a pass.

The security audit by Chengdu Beosin Technology covered: compiler version security, deprecated items, redundant code, require/assert usage, gas consumption, integer overflow, reentrancy attacks, pseudo-random number generation, transaction-ordering dependence, denial-of-service attacks, function call permissions, call/delegatecall security, return value security, tx.origin usage security, replay attacks, variable overwriting, business logic and business implementation, among others. All items of the contract audit passed.
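The BatchOverFlow bug mentioned above and the "integer overflow audit" item in this list are two sides of the same check. The following added example (not from the article or from any of the audited projects; the contract, balances and function names are constructed for illustration) models a pre-0.8 Solidity batch transfer with wrapping uint256 arithmetic beside a checked version, and the supply-conservation invariant an auditor verifies against both:

```python
# Added example: models the integer-overflow class behind BatchOverFlow and the
# invariant check an audit applies. All names and balances here are constructed.
MASK = (1 << 256) - 1  # uint256 wraps modulo 2**256 in Solidity before 0.8


def checked_mul(a, b):
    """Multiply like SafeMath / Solidity >= 0.8: revert instead of wrapping."""
    r = a * b
    if r > MASK:
        raise ValueError("overflow")
    return r


def checked_add(a, b):
    """Add like SafeMath / Solidity >= 0.8: revert instead of wrapping."""
    r = a + b
    if r > MASK:
        raise ValueError("overflow")
    return r


def batch_transfer_unchecked(balances, sender, receivers, value):
    """Vulnerable pattern: amount = n * value computed with wrapping arithmetic,
    so the balance check can pass for an absurdly large `value`."""
    b = dict(balances)
    amount = (len(receivers) * value) & MASK  # may wrap to a tiny number
    if value <= 0 or b.get(sender, 0) < amount:
        raise ValueError("insufficient balance")
    b[sender] = (b[sender] - amount) & MASK
    for r in receivers:
        b[r] = (b.get(r, 0) + value) & MASK
    return b


def batch_transfer_checked(balances, sender, receivers, value):
    """Hardened pattern: every arithmetic step is checked, so overflow reverts."""
    b = dict(balances)
    amount = checked_mul(len(receivers), value)
    if value <= 0 or b.get(sender, 0) < amount:
        raise ValueError("insufficient balance")
    b[sender] = b[sender] - amount
    for r in receivers:
        b[r] = checked_add(b.get(r, 0), value)
    return b


def audit_supply_invariant(transfer_fn, balances, sender, receivers, value):
    """Audit check: a transfer must conserve total supply. A revert conserves it.
    Returns (passed, supply_before, supply_after)."""
    before = sum(balances.values())
    try:
        after = sum(transfer_fn(balances, sender, receivers, value).values())
    except ValueError:
        return True, before, before
    return before == after, before, after
```

Running the invariant check with two receivers and `value = 2**255` makes the unchecked version mint 2**256 tokens out of thin air while the checked version reverts; the same check passes for ordinary values in both versions.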

According to an announcement on CertiK's official website, on November 6 (US local time) the US blockchain security audit company CertiK completed the code audit of Super Trister's decentralized lending protocol TLC smart contract and issued a security audit report. The audit found no significant, critical or major vulnerabilities.

Given its high requirements for platform security, Super Trister submitted the decentralized lending protocol TLC smart contract to CertiK for a security audit. In this audit CertiK made full use of dynamic analysis, static analysis and manual review to inspect the project's protocol comprehensively. The audit found no major or critical vulnerabilities. CertiK submitted optimization suggestions to Super Trister, and these have been applied in the course of improving the code base.

Summary

Thanks to its composable, extensible and deployable financial attributes, the DeFi track has become the focus of traditional finance's integration with blockchain technology. As an innovative application of DeFi technology, Super Trister chose two top global firms, CertiK and Beosin, for a "dual audit" of its smart contracts to guard against potential risks and protect user assets, which also serves as a model for DeFi technology.
