100 questions about blockchain security | Part VII: Smart contract audit process and audit content

Zero Time Technology - Focus on the field of blockchain security

Shenzhen Zero Time Technology Co., Ltd. (abbreviated: Zero Time Technology), established in November 2018, is a practical, innovation-oriented network security company focused on the security of the blockchain ecosystem. The team is rooted in blockchain security and application technology research. Combining extensive experience in security attack and defense with artificial-intelligence-based data analysis and processing, it provides users with blockchain security vulnerability risk detection, security audits, security defense, asset traceability, and innovative solutions for enterprise-level blockchain applications.

100 Questions on Blockchain Security by Zero Time Technology is officially launched. It explains the blockchain industry and the security problems found in blockchain ecosystem applications in easy-to-understand language, so that more people can understand blockchain and blockchain security.

Foreword

Blockchain technology and its applications are still in an early stage of rapid development, and they face a wide variety of security risks: the security of blockchain ecosystem applications, the security of smart contracts, the security of consensus mechanisms, and the security of the underlying basic components. Security issues are widely distributed and the risk is high, which poses a new test for the overall development of the ecosystem, for security auditing, technical architecture, protection of private data and infrastructure.


PART01-Introduction to smart contract audit process

To check the security of a contract, auditors generally test a variety of attacks, simulate a variety of attack scenarios, and conduct security reviews through a standard audit process to confirm that the contract is safe.

A normal audit process starts with early communication about the requirements of the requested audit, such as which contracts are in scope, the audit timeline and the audit budget. Once the requirements are determined, an agreement is signed and a consensus reached. The security team then performs the security audit and delivers the audit report; the development team fixes the security issues in the report; and the security team assists with retesting after the changes, to confirm that the security issues have been fixed and the security of the contract has improved.

Smart contract code audit method:

- Understand the logical operation process of the smart contract protocol

- Analyze smart contract logic design specifications and design purposes

- Use tools to test the smart contracts for security risks

- Test common attack methods against smart contracts

- Carry out simulated vulnerability testing of the algorithms according to the project's business process

PART02-What are the general vulnerabilities of smart contracts?

1) Ethereum smart contract

  • reentrancy attack
  • Floating Point and Numeric Precision
  • Unexpected Ether
  • integer overflow
  • default visibility
  • Tx.origin authentication
  • wrong constructor
  • Unvalidated return value
  • insecure random number
  • Timestamp dependent
  • transaction order dependent
  • Delegatecall call
  • Call call
  • denial of service
  • logical design flaw
  • False recharge loophole
  • short address attack
  • uninitialized storage pointer
  • Token issuance
  • Freeze Account Bypass
  • Contract Gas Optimization
  • variable override
  • malicious backdoor

2) EOS contract

  • Permission verification vulnerability
  • Transfer Notification Forgery Vulnerability
  • Apply function permission verification vulnerability
  • integer overflow vulnerability
  • Weak Random Number Seed Vulnerability
  • Freeze Account Bypass Vulnerability
  • denial of service vulnerability
  • Code Logic Vulnerabilities
  • counterfeit money attack
  • rollback attack
  • replay attack
  • malicious backdoor

PART03-Structure of smart contract audit report

1) Cover of the audit report:

The cover of the audit report states the name of the audited object, the audit team and the release date of the report.

2) Audit overview and project background:

Separating the overview from the project background makes the audit report clearer: the project background gives a detailed introduction to the project and defines the audit scope.

3) Contract structure analysis:

This section describes the project's contract files and the main methods and parameters of each contract, using the directory structure and contract details.

4) Audit details:

The audit details present the risks found during the contract audit through a risk distribution and per-risk audit details, including the risk name, vulnerability description, risk level, security recommendation, repair status and audit result.

An investor who cares about the security of a project can largely understand how to review the project from the parts above; the remaining parts are an introduction to the audit team's security audit tools, the disclaimer, and basic information about the security audit team.

  • A smart contract audit report is not a legal document certifying the security of the code; no one can be 100% sure that the code will not fail or develop vulnerabilities in the future. An audit team's report on a project only means that the team has conducted a security assessment of the project; it only ensures that the code has been reviewed by experts and is basically safe. The final decision remains in the hands of the project party and the investors.


  • The 100 questions about blockchain security are being continuously updated, and everyone is welcome to comment and leave their own opinions in the background.


Source: blog.csdn.net/m0_37598434/article/details/119726645