▼▼▼
Liu Feng: Cosine has been involved in the recovery of Lendf.me's stolen funds (nearly 25 million US dollars) in recent days. Can you tell us about the dozens of hours of experience?
Cosine: The first step is to quickly locate the threat situation and attack details, so that the most correct cause of the vulnerability can be quickly given. For example, in this incident, the essential problem is that there is a reentrancy attack vulnerability in the core code of Lendf.Me, and this vulnerability It needs to be combined with a combination based on ERC777 tokens to happen. After knowing the nature of the vulnerability and the attack method, it is easy to know how much assets the attacker has stolen on the chain.
The second step is to think about how to recover. On the afternoon of April 19th, the security teams of dForce, Xinghuo and imToken assembled offline, and remotely connected with the security team of SlowMist to set up a "temporary security team" to start asset recovery. Because the amount of information is huge and messy, centralized discussions can quickly achieve information symmetry and speed up.
On April 20, based on the traces left by the hackers before and after the attack, the "temporary security team" successfully determined the accurate portrait of the hacker, and began to cross-comparison with various resources at home and abroad to obtain breakthrough clues. close. On the afternoon of April 21, within the golden 48 hours, under heavy pressure, the hacker actively communicated with dForce and began to return some assets. After continuing to communicate, all assets were successfully recovered, which is the third day after the attack. This process not only played a key role in the "temporary security team", but also received direct and indirect help from many friends in the encryption community.
Liu Feng: Regarding the attack on Lendf.me, what lessons should everyone learn?
Cosine: Any new thing will have security risks during the evolution process. This is the law of evolution. The earlier the risk, the greater the risk, and eventually it will either die or tend to a relatively stable balance.
Based on this psychological preparation, let’s look at DeFi. There are several important risks: technical security risks, business security risks, and compliance security risks. Let’s briefly expand (taking Ethereum as an example):
1. Technical Security
First of all, check whether the public chain itself has been tested and safe enough, and Ethereum basically meets this point; then check whether the design of the smart contract is safe enough, Solidity is not too satisfied; then check the relevant standards (such as ERC20, 223, 721, 777 etc.) Whether the implementation is safe enough, the biggest problem here is that many times a "feature" will become a "defect"; then look at whether the mature standards-based framework is safe, such as OpenZeppelin is very good; finally look at the development of the project party It is very difficult to say whether the security practices are really strict. Obviously, the quality of development is uneven.
2. Business Security
The business depends on the design of DeFi, such as mortgage lending, flash loans, transactions, and so on. The business needs special consideration of security risk control, such as what should I do if the price plummets or skyrockets? How to deal with the sudden large amount of currency transfer? How to solve third-party security risks (such as access to third-party tokens, linkage with third parties, etc.)?
3. Compliance and Security
What if it is a DeFi with a gray or black border, accidentally knocked down by law enforcement agencies in some countries or runs away by itself?
In addition, some special judgments related to the user's perspective are added:
1. The project party has a strong security team or core personnel with rich security experience to check
2. The project party has been audited by a third-party professional security agency within the past six months and the results of the security audit have been made public
3. The project party has a long-term, continuous and close cooperation with a third-party professional security agency
4. The core members of the project party have a frank and open attitude towards safety, have the courage to admit mistakes and put safety first
5. The project party is full of awe and respect for safety work
Based on the above 5 points, some facts can be extended, such as: word of mouth, number of real users, data transparency, security transparency, etc.
Liu Feng: Everyone is willing to use DeFi products. The reason is that they are worried about the security of the centralized financial service platform and hope to seek peace through DeFi. However, a series of DeFi platforms and products have been attacked this year, which makes people distrust DeFi instead. I feel a little regretful. What do you think?
Yu Xian: My opinion is different. Let’s take a look at the history.
See details here:https://hacked.slowmist.io/
You will see that there are very serious historical cases of centralization and decentralization, but in fact there is no need to dampen confidence because of this. DeFi must have its own positioning, but DeFi should not try to dominate the world. The same is also suitable for CeFi. In the future, it should be We will see more DeFi + CeFi hybrids emerge. Moreover, DeFi does not necessarily need to be completely decentralized. This is my personal opinion.
I am a hacker. In my eyes, these are not absolutely safe and have many weak points, but not all hackers are bad. We hope to evolve in the direction of security, but when we fight, we must have enough Aggressive thinking.
Liu Feng: The audience asked, how important is the audit of DeFi contracts? Is it safe enough? Are defi projects that have been audited trustworthy?
Cosine: DeFi security audit is the second layer of security strategy, the first layer is the security of DeFi development, which is the project side's business. DeFi security audit can avoid many problems on the second layer and improve the level of security defense to a higher level. But there is a third layer after that, which is the security of continuous operation of update iterations, which will be troublesome if you are not careful. It can only be said that projects that have undergone security audits can make people feel more at ease, but there must be black swans—attacks from the future. Therefore, if the security audit has been more than half a year, you have to pay attention.
Liu Feng: The audience asked, most of the well-known DeFi protocols are centrally controlled in some form. Although this method has some advantages in terms of security, how can we prevent administrators from abusing their privileges, or reduce related risks?
Cosine: This is a problem of human nature, some of which can be solved by technology, and some cannot. Technically, it is controlled in a way similar to DAO, but this will create new problems. If the efficiency of DAO is too low, it will be troublesome. But at least one thing the project side needs to do is transparency, transparency of assets, transparency of permissions, transparency of decision-making, etc., so that the community can see it.
Liu Feng: The audience asked, is there a solution to build middleware between users and contracts, and this middleware is used for security processing?
Cosine: I don’t know about this, I need to experiment, but I have an idea recently, you can take a look:https://firewallx.io/
This firewall is built on the EOS main network, and the core is the realization of smart contracts. On Ethereum, ERC777, which is more complicated, may also do the same, but it still needs to be tested.
Liu Feng: The audience asked, code security issues are almost inevitable. Does DeFi need to be supplemented with a more mature risk control mechanism to avoid large losses? Because the charm of DeFi is decentralization and smart contracts, but the repair and recovery after being attacked seems to be a game between people.
Yu Xian: It is difficult to recover, but what is more interesting is that the success rate may increase this year, because the judicial and law enforcement procedures of various countries have begun to support cryptocurrencies.
I am very grateful to the "show" friends who participated in the Math Show #001 event tonight, and I also thank the founder of SlowMist, Yu Xian, for bringing us a feast of security knowledge about DeFi and contributing to the ecological security of the blockchain. I wish Slow Mist better and better.
