One line of code evaporates 6.4 billion?! Formal verification helps you avoid tragedy in one second

CertiK: Formal Verification Platform for Smart Contracts and Blockchain Systems


In the blockchain era, the consequences of smart contract security flaws are greatly magnified, and a small bug can lead to hundreds of millions of dollars in losses. BeautyChain (BEC) was recently hit by a security incident: hackers attacked it using the BatchOverFlow vulnerability in its Ethereum ERC-20 smart contract, causing a flash crash in which the token price fell almost to 0. Beyond BEC, according to statistics from researchers in the United Kingdom and Singapore, more than 34,000 smart contracts have security risks that can be exploited.


Smart contract security keeps raising red flags: hackers can extract tens of millions with a simple string of numbers, costing people their money. Only formal verification can ensure that a smart contract is 100% correct and that these vulnerabilities are fully detected. Let's walk through the specific method using BEC as the example.


What security vulnerability did BEC have?


The BEC security vulnerability is actually very simple. The BEC smart contract has a batchTransfer function whose main purpose is to transfer BEC tokens in batches: it transfers a fixed integer amount (_value) to each account in an array of receiving accounts (_receivers). To implement this batch transfer, the BEC developers first calculate the total amount to be transferred, using the formula:


Total amount (amount) = amount to be transferred to each recipient (_value) x total number of receiving accounts (_cnt)


Then, after making sure that the sender has enough balance, send the transfer amount to each receiver.


But, what went wrong?


When calculating amount = _value x _cnt, the developers did not consider that a 256-bit integer can overflow.


Therefore the hackers, relying on this vulnerability, were still able to transfer a total of 2²⁵⁶ BEC tokens from the account even though its balance was insufficient.
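
The overflow described above, modeled in Python as an added example (it is not the BEC contract source and not CertiK's tooling). It places the unchecked calculation beside a checked one; every name other than _value, _receivers, _cnt and amount is an assumption, and the ledger is constructed sample data.

```python
# Added illustration: a Python model of a batchTransfer-style function using
# 256-bit unsigned arithmetic. Function names and the ledger are assumptions.
UINT256_MOD = 1 << 256

def batch_transfer_unchecked(balances, sender, _receivers, _value):
    """Vulnerable shape: amount wraps modulo 2**256 like an unchecked uint256."""
    _cnt = len(_receivers)
    amount = (_value * _cnt) % UINT256_MOD      # silent wrap-around
    if _cnt == 0 or _value == 0 or balances.get(sender, 0) < amount:
        raise ValueError("rejected")
    balances[sender] = balances.get(sender, 0) - amount
    for r in _receivers:
        balances[r] = (balances.get(r, 0) + _value) % UINT256_MOD
    return amount

def batch_transfer_checked(balances, sender, _receivers, _value):
    """Hardened shape: reject when the true product does not fit in 256 bits."""
    _cnt = len(_receivers)
    amount = _value * _cnt                      # exact: Python ints are unbounded
    if amount >= UINT256_MOD:
        raise OverflowError("amount = _value * _cnt overflows uint256")
    if _cnt == 0 or _value == 0 or balances.get(sender, 0) < amount:
        raise ValueError("rejected")
    balances[sender] = balances.get(sender, 0) - amount
    for r in _receivers:
        balances[r] = balances.get(r, 0) + _value
    return amount

def total_supply(balances):
    """Property to check: a transfer must never change the sum of balances."""
    return sum(balances.values())

def demo():
    # Constructed input: two receivers and _value = 2**255, so the true
    # product is 2**256, which wraps to 0 in 256-bit arithmetic.
    value = 1 << 255
    ledger = {"sender": 0, "a": 0, "b": 0}
    wrapped = batch_transfer_unchecked(ledger, "sender", ["a", "b"], value)
    created = total_supply(ledger)              # supply grew from 0
    safe_ledger = {"sender": 0, "a": 0, "b": 0}
    try:
        batch_transfer_checked(safe_ledger, "sender", ["a", "b"], value)
        blocked = False
    except OverflowError:
        blocked = True
    return wrapped, created, blocked, total_supply(safe_ledger)
```

The supply-conservation check in total_supply is the kind of property that exposes the bug: the unchecked version passes its balance test yet changes the total.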



Easily detect vulnerabilities with formal verification methods


In hindsight, the BEC vulnerability looks like a stupid mistake, but vulnerabilities like this are actually easy to overlook, and a small programming oversight in a smart contract can lead to tens of millions or even hundreds of millions in losses.


An automated formal verification platform is likely to help detect and avoid similar errors. Let's see how CertiK's automated formal verification platform does it.



CertiK's verification engine can easily detect BEC overflow errors


Submit this code to CertiK's verification engine, add a few tags, and the automated verification engine can easily detect the BEC overflow error.




CertiK's formal verification engine processes these tags and checks the correctness of the code implementation against them. If the BEC smart contract had been checked for security by CertiK before it was submitted, the loss of hundreds of millions could have been avoided.


About CertiK


CertiK is committed to rebuilding everyone's trust in smart contracts and blockchains through the world's leading formal verification technology. CertiK can provide the most competitive large-scale smart contract verification services to ensure the security of smart contracts and blockchain systems.


CertiK is an elite team from Yale University, Columbia University and Silicon Valley. The co-founder Shao Zhong is the dean/tenured professor of the Department of Computer Science at Yale University, the honorary dean of the Chinese University of Science and Technology, and a member of the master class of Tsinghua University. He has more than 20 years of experience in the security field. Co-founder Gu Ronghui holds a bachelor's degree from Tsinghua University and a Ph.D. from Yale University, and is an Assistant Professor at Columbia University.


For business cooperation, please contact [email protected]



