Title

Analysis and Solutions for Vulnerability Exploitation of Smart Contracts in Decentralized Finance Applications (original title: 智慧合約於分散式金融應用之漏洞攻擊解析與解決方案)

Parallel Title

Analysis and Solution of Exploiting Vulnerabilities of Smart Contracts in Decentralized Financial Applications

Authors

徐宛萱(Wan-Shiuan Hsu);林詠章(Iuon-Chang Lin)

Keywords

Smart Contract Security; Reentrancy Attack; Blockchain Security

Journal

資訊安全通訊 (Communications of the CCISA)

Volume/Issue (Publication Date)

Vol. 27, No. 2 (2021/05/01)

Pages

23 - 40

Language

Traditional Chinese

Chinese Abstract (translated)

Decentralized finance (DeFi) began to flourish in the second half of 2020, and security incidents followed one after another, most of them related to code security. The technology behind the various DeFi protocols is not yet mature; potential risks at different application layers may go undetected during security audits, and further unknown attacks that chain vulnerabilities across different protocols will certainly occur. This paper analyzes attacks on vulnerabilities that can arise in common DeFi applications, including flash loans, oracles and governance, covering eight cases: Unstoppable, Naive Receiver, Truster, Side Entrance, The Rewarder, Selfie, Compromised and Puppet. From this analysis it derives secure smart-contract coding practices and remedies, so that DeFi projects deployed on Ethereum can be secured at the source-code level and external attacks mitigated at their root.

English Abstract

Decentralized finance began to flourish after June 2020, and security incidents broke out one after another, most of them related to code security. The technology of the various decentralized finance (DeFi) protocols is not yet mature, and potential risks at different application layers may not be discovered during security audits; in the future, more unknown attacks that combine vulnerabilities across protocols will inevitably occur. This paper uses common DeFi applications such as flash loans, oracles and governance projects to analyze eight attack processes: Unstoppable, Naive Receiver, Truster, Side Entrance, The Rewarder, Selfie, Compromised and Puppet. For each it provides secure smart-contract coding practices or remedies, so that decentralized finance applications deployed on Ethereum can be controlled for security from the source code and external attacks mitigated at the root.

Subject Classification: Basic and Applied Sciences > Information Science
References
  1. Damn Vulnerable DeFi. Available: https://www.damnvulnerabledefi.xyz/.
  2. MakerDAO White Paper. Available: https://makerdao.com/en/whitepaper/#keepers.
  3. The DAO. Available: https://en.wikipedia.org/wiki/The_DAO_(organization).
  4. Uniswap V2 Audit Report. Available: https://uniswap.org/audit.html#org87c8b91.
  5. DeFi Pulse website. Available: https://defipulse.com/.
  6. Choosing a Reliable Solution for bZx's Oracle. Available: https://bzx.network/blog/choosing-oracle.
  7. bZx Hack Full Disclosure (With Detailed Profit Analysis). Available: https://peckshield.medium.com/bzx-hack-full-disclosure-with-detailed-profit-analysis-e6b1fa9b18fc.
  8. Exploiting Uniswap: from reentrancy to actual profit. Available: https://blog.openzeppelin.com/exploiting-uniswap-from-reentrancy-to-actual-profit/.
  9. Gas fee. Available: https://blog.makerdao.com/how-ethereum-2-0-will-address-gas-issues-and-enable-dai-and-defi-to-scale/.
  10. Bitcoin, Ethereum Avg. Transaction Fee historical chart. Available: https://bitinfocharts.com/comparison/transactionfees-btc-eth.html#6m.
  11. How the dForce hacker used reentrancy to steal 25 million. Available: https://quantstamp.com/blog/how-the-dforce-hacker-used-reentrancy-to-steal-25-million.
  12. Feeds price feed oracles. Available: https://developer.makerdao.com/feeds/.
  13. Adams, H., Zinsmeister, N., Robinson, D. (2020). Uniswap v2 core. Available: https://uniswap.org/whitepaper.pdf.
  14. Chen, Y., Bellavitis, C. (2020). Blockchain disruption and decentralized finance: The rise of decentralized business models. Journal of Business Venturing Insights, 13, e00151.
  15. Gudgeon, L., Perez, D., Harz, D., Livshits, B., Gervais, A. (2020). The decentralized financial crisis. 2020 Crypto Valley Conference on Blockchain Technology (CVCBT).
  16. Rodler, M., Li, W., Karame, G. O., Davi, L. Unpublished preprint.
  17. Salami, I. (2020). Decentralised Finance: The Case for a Holistic Approach to Regulating the Crypto Industry. Journal of International Banking and Financial Law, 35(7), 496-499.
  18. Sayeed, S., Marco-Gisbert, H., Caira, T. (2020). Smart contract: Attacks and protections. IEEE Access, 8, 24416-24427.