HelloTalk Vol.3 — What We Talk about When We Talk about Onchain Asset Security

in #helloeos6 years ago

Why do EOS dApps always get hacked?

As the EOS community and ecosystem rapidly growing, the security problem is also amplified. From EOS FOMO 3D to EOSBET, from NewDex to EOSBank, the on-chain asset security problem has become a growing pain on the butt of every EOS community member.

This week, we invited experts from cyber security company, wallet and dApp to share their opinions on the ongoing security issues. Why do EOS dApps always get hacked and what should we do about it? 

 

Slow Mist

 

EOS was launched less than half a year ago. The technologies are relatively new, like using WebAssembly as virtual machine, using C++ as the programming language to develop (dApps). The mechanism is different with Ethereum, the way you think when programming on EOS is also very different with traditional software. At the time when Ethereum was on its early stage, their smart contracts also experienced hack attacks. In the end, when it is a new thing, it is quite normal (to be attacked).
EOS community is hot now, but the skills of those smart contract developers vary. Some of them did not understand the technology very well. Contracts on EOS are like all the other smart contracts, it’s impossible to generate a real random number. You must verify whether the pseudo random numbers your smart contract generate could be predicted or be manipulated.
A developer must realize that attacking with malicious contracts is the most common method to be used by hackers. You must be alert about the malicious spreading of contracts.
Risk control is most important. A user should transfer the assets to a safe wallet immediately when notices any abnormal behaviors.
When a RNG (Random Number Generating) mechanism is insecure, no matter it is an open course or not, it will be attacked sooner or later. Project developers have to do a self-check or hire a professional auditing company.
Go check Slow Mist best practices on secure programming. We will perfect it in the near future. https://github.com/slowmist/eos-smart-contract-security-best-practices

 

IMToken

The recent EOS stolen events are basically due to 2 reasons:
Poor private key management. Private keys were stolen by various phishing websites, phishing telegram group chats, fake wallet officials.
Smart contract vulnerabilities. Like predictable RNG in gambling dApps, or the smart contracts didn’t double check transaction receivers.
In the first place, it is not just EOS got stolen, so was BTC and ETH. But EOS has ECAF, the losses are easier to be exposed. When we were communicating with our users, we realized that many users didn’t keep their private keys properly. We strongly suggest wallet users using the criteria below to double check where their keys are safe.
Your private keys are stored web drive, Email, or any other cloud services.
Used wechat or any other IM tools to transfer your private keys.
Screenshot your private keys or mnemonics. Especially when did that with another people’s phone.
If you did anything that is mentioned above, change your private keys. Do not give hackers chances to steal your assets.
And the other scenario is smart contract vulnerabilities. From ETH to EOS, the losses caused by insecure contracts never stopped. The recent losses on smart contracts, in my opinion, it’s because the most of dApp contracts didn’t open source, and lack of auditing. The other reason is that the EOS was just launched, we don’t have a lot of materials to guide the developers how to create a secure smart contract. It’s always after attacks happened, and then the developers will go check if they have similar problems.
Our suggestion is that the developers must make their projects open source. Only when there are more developers come check for them, the contracts could then be safe. Secondly, there should be a smart contract examine tool that is capable of examine known vulnerabilities. Thirdly, project developers must make their own risk management. For example, monitor their EOS account for abnormal transactions and react to them rapidly.
We think it’s normal for EOS, a new blockchain, to have the current problems. And the entire EOS community responded to the (loss) events with a timely and reasonable manner. We believe EOS will create a new path regarding blockchain governance.
IMToken as a wallet supplier, we have set the wallet security as the most important part of our products. All the major updates on the wallet core codes will be internally and externally audited. We shut down the cloud backup of our App; we use KDF algorithm to encrypt the private keys; private keys will be decrypted only when signing signatures.
We will also soon release a more secure hardware solution to our users. And regarding user education, we will frequently host meetups to guide the users use our wallet in a more secure way.



= END= 

 Block Producer Account Name: helloeoscnbp

Location: China

HelloEOS Community

HelloEOS BP

HelloEOS WeiboHelloEOS 

Wechat:hello-eos

HelloEOS Twitter

HelloEOS Telegram 

Sort:  

Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://medium.com/@helloEOS/hellotalk-vol-3-what-we-talk-about-when-we-talk-about-onchain-asset-security-e274d48ca4f4