NFTGo Dialogue with Web3 Builder SlowMist Security Team: Helping Web3er Explore the World on the Chain

NFTGo
1 year ago
Blockchain security issues occur frequently, and Web3er has also been troubled by this problem for a long time. We are very happy to invite the SlowMist security team to share with you information about blockchain security, and help everyone explore the world on the chain more securely.

As a company focusing on blockchain ecosystem security, SlowMist Technology was established in January 2018 by a team with more than ten years of front-line experience in network security offense and defense. SlowMist Technology has independently discovered and published several common high-risk blockchain security vulnerabilities in the industry, which has received widespread attention and recognition from the industry.

Blockchain security issues occur frequently today, and Web3ers have been troubled by this problem for a long time. Therefore, in this second dialogue, we are very happy to invite the SlowMist security team to share practical blockchain security knowledge with you, and help you explore the world on the chain more securely. Let's start now~

1. First, please introduce SlowMist to everyone.

Answer: Hello everyone, SlowMist is a company that focuses on blockchain ecological security. Our blockchain ecological security capability consists of three rings: the innermost layer is compliance security, the second layer is technical security, and the outermost layer is ecological security. Technical security mainly includes two main business lines, security auditing and anti-money laundering. The scope of the security audit includes the smart contract code of DeFi projects, centralized exchanges, wallet apps, browser plug-in wallets and underlying public chains, and we also have a red team testing service, which is one of our advantages. For more than five years from 2018 to the present, we have served many well-known and leading customers in the industry, and we have thousands of commercial customers, with a high praise rate. We have an on-chain tracking platform for anti-money laundering, MistTrack. In addition, we are also very concerned about compliance and security. Compliance is one of the important cornerstones of the long-term development of this industry. We have strict legal procedures for the target projects of security audits or anti-money laundering cooperation. We know that security is a whole, and security needs a complete security system, so we provide integrated security solutions tailored to local conditions, from threat discovery to threat defense. To put it simply, it is actually a military-like circular defense system, layered defense.
Threat discovery at the outermost layer means discovering and identifying threats through partners in the SlowMist Zone and SlowMist's own threat intelligence system (this is also our ecological security), and then publishing them to the entire ecosystem as early warnings through media channels; threat defense refers to our defense system, from BTI (Blockchain Threat Intelligence System) to deploying systematic defense solutions tailored to local conditions and implementing hot and cold wallet security reinforcement, etc., and selecting high-quality security solution providers in China in fields such as network security, risk control security and wallet security for customers, so that customers can choose flexibly and easily deal with the various difficulties encountered in the course of business development. We hope to cooperate with high-quality partners in the industry and the community to jointly build security joint defense work.

2. Web3 security issues are always unpredictable. In addition to some basic rules such as hand-writing mnemonics and paying attention to the authenticity of websites, does SlowMist have any security suggestions for Web3ers who interact on-chain frequently?

Answer: Since the question is about interaction security, let's first sort out how attacks generally steal users' assets.

Attackers generally steal user assets in two ways:

First, deceiving users into signing malicious transaction data that steals their assets, such as deceiving users into authorizing or transferring assets to attackers. Second, tricking users into entering their wallet's mnemonic phrase on a malicious website or app.

After we know how the attacker steals wallet assets, we must prevent possible risks:

  • Before signing, you must identify the signed data, know what the transaction you signed is for, carefully check whether the signed object is correct, and whether the authorized amount is too large;

  • Use hardware wallets as much as possible. Since hardware wallets generally cannot directly export mnemonic phrases or private keys, the threshold for mnemonic private key theft can be increased;

  • Various phishing techniques and incidents emerge endlessly. Users should learn to identify the various phishing techniques by themselves, improve security awareness, conduct self-education to avoid being cheated, and master self-rescue skills. Of course, I highly recommend everyone to read the Blockchain Dark Forest Self-Help Manual produced by SlowMist, which is full of useful information;

  • It is recommended that users maintain different wallets for various scenarios to keep the risk to assets under control. For example: large amounts of assets are generally not used frequently, so it is recommended to store them in a cold wallet and ensure that the network environment and physical environment are safe when using them. Wallets that participate in activities such as airdrops are used frequently, so it is recommended to keep only small amounts of assets in them. Wallets can be managed hierarchically by asset size and frequency of use, so as to ensure that risks are controllable.

3. On August 16, Cos (SlowMist's founder) sent an interesting tweet: where did your illusion that Mac is more secure than Windows computers come from? For Web3 users, what does SlowMist think are the advantages and disadvantages of Mac and Windows computers?

Answer: Yes, this tweet also caused a lot of discussion. Conversely, we asked, "Where does the illusion that Windows is more secure than Mac computers come from?" It is a similar angle and answer. At the level of single-system intrusion prevention, the Mac's closedness and strict permission control are indeed better than Windows. Moreover, the Mac's global PC market share is very low, and Windows' share is high, so more attacks occur on Windows. Since the birth of Windows, there have been basically all types of attacks; the attack surfaces are too mature. It is an exaggeration to say that 99% of the current security personnel who do penetration, intrusion and APT will not target Mac, whereas 100% of them will target Windows. Aside from what was said above, if you attack Mac and Windows with an AV-evading Trojan horse, the basic result is the same: you will be hit. In general, it is half the device and half the person. If the user does not have enough security awareness, it is easy to be tricked and have malicious programs implanted in the computer, which may lead to the theft of sensitive data (such as mnemonic phrases) on the computer. Malware can behave in many different ways: it might hide in an email attachment, or it might use your device's camera to spy on you. It is recommended that everyone improve their security awareness. For example, do not easily download and run programs provided by netizens, and only download applications, software or media files from trusted sites; do not easily open attachments from unfamiliar emails; regularly update the operating system to obtain the latest security protection in a timely manner; and install anti-virus software on the device, such as Kaspersky.

4. Many projects have experienced theft of funds. What does SlowMist think are the main causes of security issues? Is it possible to be guarded and stolen?

Answer: According to statistics from the SlowMist Blockchain Hacked Archives (SlowMist Hacked), as of August 24 there were a total of 253 security incidents in 2023, with losses as high as US$1.45 billion. From the perspective of blockchain attack methods, there are mainly several aspects: phishing attacks, Trojan horse attacks, computing power attacks, smart contract attacks, infrastructure attacks, supply chain attacks and internal crimes. Let's take common smart contract attacks as an example. There are the following attack methods: flash loan attacks, contract vulnerabilities, compatibility or architecture issues, and other methods such as front-end malicious attacks and phishing aimed at developers. In addition, when it comes to being guarded and still stolen, we have to mention the leakage of private keys. The leakage of private keys depends on the situation, and the leakage of private keys between individuals and exchanges varies greatly. When a personal private key is leaked, generally the private key or mnemonic was stored on the Internet, such as in WeChat favorites, a 163 mailbox, memos, Youdao notes and other cloud storage services. Hackers often collect account password databases leaked on the Internet, such as the CSDN account passwords leaked in clear text many years ago, and then go to these cloud storage and cloud service websites to try them. If the login is successful, they look inside to see if there is any Crypto-related content. The exchange case is more complicated. Generally, it is a large-scale hacker organization that has the ability to break through the layers of security protection of the exchange, intruding step by step to obtain the private key of the hot wallet on the exchange server. A special reminder here: this is illegal and must not be imitated. We suggest that the project party must try its best to find a security company to conduct a security audit on the code of its own project to improve the security level of the project.
It can also launch a Bug Bounty to avoid security problems during the continuous operation and development of the project. At the same time, it is recommended that all project parties improve their internal management and technical mechanisms and increase asset protection through the introduction of multi-signature mechanisms and zero-trust mechanisms.

5. The cross-chain bridge was once dubbed the hackers' cash machine. For Web3ers who are relatively new to the technology, what points should be paid attention to when using cross-chain bridges?

Answer: When it comes to cross-chain bridges, first of all, the business of cross-chain bridges is complex, the amount of code is large, and vulnerabilities are prone to occur during coding implementation; secondly, the security of third-party components referenced in the project is also one of the important causes of security vulnerabilities; finally, the lack of a larger development community for cross-chain bridges means that the code has not been searched extensively and carefully for potential bugs. For users, it is important to understand how your funds are protected when using a cross-chain bridge. You can look at the risk level of the cross-chain bridge from some dimensions, such as: Is the project contract open source? Has the project had multi-party security audits? Is the private key management solution MPC (multi-party computation), multiple nodes with multiple signatures, or does the project party keep the private key centrally? When choosing a cross-chain bridge, users should also choose cross-chain teams with strong security capabilities. First, they must have code security audits for all versions. Secondly, the team must have full-time security personnel. We also recommend that cross-chain bridge teams operate more transparently, so that more questions and suggestions from users can be received, and gaps can be found and filled in time.

6. In addition to some common scams and phishing, can SlowMist give some examples that are relatively uncommon and hard to guard against?

A: We have previously disclosed incidents in which attackers used flaws in the WalletConnect implementation of Web3 wallets to increase the success rate of phishing attacks. Specifically, when some Web3 wallets provide WalletConnect support, they do not limit the area in which the WalletConnect transaction pop-up window can appear. Instead, a signature request will pop up on any interface of the wallet. Attackers take advantage of this flaw by guiding users, through phishing websites, to connect WalletConnect with the phishing page, and then continuously constructing malicious eth_sign signature requests. After the user recognizes that eth_sign may be unsafe and refuses to sign, since WalletConnect uses wss to connect, if the user does not close the connection in time, the phishing page will continuously initiate malicious eth_sign signature requests, which greatly affects the user's ability to use the wallet; it is possible to mistakenly click the sign button, resulting in the theft of the user's assets. In fact, as long as you leave or close the DApp Browser, the WalletConnect connection should be suspended. Otherwise, when the user uses the wallet, a signature request suddenly pops up, which can easily lead to confusion and the risk of theft. At this point, let me mention eth_sign again. eth_sign is an open signature method that has often been used by attackers for phishing in the past two years. It allows any hash, that is, any transaction or any data, to be signed, which poses a dangerous phishing risk. Everyone should carefully check the application or website you are using when signing or logging in, and do not enter a password or sign a transaction if it is not clear. Rejecting blind signing can avoid many security risks.
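The two checks SlowMist recommends above, in question 2 (inspect what you sign and whether the authorized amount is too large) and in question 6 (refuse blind eth_sign requests), can be expressed as a pre-signing filter that a wallet or browser extension runs over incoming JSON-RPC requests. The following is an added example written for this page, not SlowMist's or NFTGo's code; the `trustedSpenders` allowlist, the sample calldata and the "block / warn / review" decisions are assumptions made here.

```javascript
// Added example (not from the original article): inspect a wallet request
// before it reaches the signing prompt. Two cases from the interview:
//   1. eth_sign signs an arbitrary 32-byte hash (blind signing) -> block.
//   2. eth_sendTransaction carrying ERC-20 approve(spender, amount) -> decode
//      spender and amount, warn on unlimited or unknown-spender approvals.

const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited approval" value

// Decode approve(address,uint256) calldata by hand (no ABI library needed).
// Layout: 4-byte selector, then two 32-byte words (address right-aligned, amount).
function decodeApprove(data) {
  const hex = (data || "").toLowerCase();
  if (!hex.startsWith(APPROVE_SELECTOR) || hex.length !== 10 + 64 * 2) return null;
  const spender = "0x" + hex.slice(10 + 24, 10 + 64);       // last 20 bytes of word 1
  const amount = BigInt("0x" + hex.slice(10 + 64, 10 + 128)); // word 2
  return { spender, amount };
}

// Classify one JSON-RPC request. `trustedSpenders` is an assumed allowlist
// of contracts the user has already reviewed (constructed for this example).
function reviewRequest(req, trustedSpenders = []) {
  const warnings = [];
  switch (req.method) {
    case "eth_sign":
      // The user cannot see what the hash represents, so treat it as blind signing.
      return { decision: "block", warnings: ["eth_sign is blind signing; refuse"] };
    case "eth_sendTransaction": {
      const tx = (req.params && req.params[0]) || {};
      const approve = decodeApprove(tx.data);
      if (!approve) return { decision: "review", warnings }; // not an approve(); normal review
      if (approve.amount === MAX_UINT256) warnings.push("unlimited token approval");
      const allow = trustedSpenders.map((s) => s.toLowerCase());
      if (!allow.includes(approve.spender)) warnings.push(`spender ${approve.spender} not in allowlist`);
      return { decision: warnings.length ? "warn" : "review", warnings, ...approve };
    }
    default:
      return { decision: "review", warnings };
  }
}

// Constructed sample: an unlimited approve() to a spender that is not on any allowlist.
const SAMPLE_SPENDER = "0x" + "11".repeat(20);
const SAMPLE_UNLIMITED_APPROVE = APPROVE_SELECTOR + "0".repeat(24) + "11".repeat(20) + "f".repeat(64);
console.log(reviewRequest({ method: "eth_sendTransaction", params: [{ data: SAMPLE_UNLIMITED_APPROVE }] }));
console.log(reviewRequest({ method: "eth_sign", params: [] }));
```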

7. I want to hear what the most memorable security incident SlowMist has encountered in blockchain security over so many years was.

A: What impressed me most in the past two or three years was the Poly Network incident in 2021. At around 20:00 on the evening of August 10th, when the attack first occurred, we paid close attention and kept analyzing the attack process, tracking the flow of funds, counting the stolen losses, etc. It felt a bit like being on the front line. And the loss was US$610 million, which at the time was considered a particularly large loss for an attack. At around 5 a.m. on the 11th, our team immediately released the analysis of this attack and the IP identity information of the attacker that we had discovered. At around 16:00 on the 11th, the hackers, under heavy pressure, began returning assets. Some of the subsequent comments made by the hackers on the chain were also quite interesting. The whole process gave me a great sense of accomplishment as a security company.

8. Finally, ask an interesting question. New technologies such as formal verification and AI audit continue to iterate. How does SlowMist view the development of new technologies?

Answer: Speaking of new technologies, for example, ChatGPT improves the efficiency of working with traditional text, and CodeGPT improves the efficiency of code writing. We have also used historically common vulnerable code internally as test cases to verify GPT's ability to detect basic vulnerabilities. The test results found that the GPT model is good at detecting simple vulnerable code blocks, but it is temporarily unable to detect slightly more complex vulnerable code; in the test, the overall contextual readability of GPT-4 (Web) was very high and the output format was clearer. GPT has partial detection capabilities for basic simple vulnerabilities in contract code, and after detecting vulnerabilities, it will explain them with high readability. Such a feature is more suitable for providing quick guidance for the preliminary training of junior contract auditors and for simple QA. But there are also some disadvantages: for example, GPT's output fluctuates from one dialogue to the next, which can be adjusted through API interface parameters, but it is still not a constant output. Although such volatility is fine for conversational use, it is a serious problem for code analysis work, because in order to cover the various vulnerability answers that the AI may give us, we need to request the same question multiple times and perform comparative screening, which invisibly increases the workload and runs counter to the basic goal of AI assisting humans to improve efficiency. Furthermore, when detecting slightly more complex vulnerabilities, the current (2024.3.16) training model cannot correctly analyze and find the relevant key vulnerability points. Although GPT's ability to analyze and mine contract vulnerabilities is still relatively weak at present, its ability to analyze small code blocks of common vulnerabilities and generate report text is still exciting for users.
With the training and development of GPT and other AI models, we believe that faster, smarter and more comprehensive auxiliary audits for large and complex contracts will definitely be realized.

Conclusion

Many thanks to the SlowMist security team for their answers. Where there is light, there are shadows, and the blockchain industry is no exception; but it is precisely because of the existence of blockchain security companies such as SlowMist Technology that light can also enter the shadows. I believe that as it develops, the blockchain industry will become more standardized, and I am very much looking forward to the future development of SlowMist Technology~

After this, NFTGo will continue to invite Web3 Builders for interviews and dialogues. You are also welcome to follow our Chinese Twitter, @NFTGoCN. If you have any suggestions, builders you want to see, questions you want to ask, or want to recommend yourself, please feel free to comment on our Twitter or DM us.

In the next dialogue with Web3 Builder, we will see you there~

Original article, author: NFTGo. For reprinting, content collaboration or reporting, please contact report@odaily.email; unauthorized reprinting will be pursued by law.
