呃哦:区块链可能没有我们想象的那么安全
在对一百万份智能合约的分析中,一项新的分析工具发现34,200个安全漏洞。 在我们转向基于区块链的数字经济之前,我们需要解决这个系统中的缺陷。
区块链有可能改变我们的世界。专家坚持认为,这项技术“比互联网更大”,但我们可能希望在我们将所有钱从我们的资金转移到我们区块链上的健康记录之前进行打击。根据一项新的研究,这项技术并不像我们想象的那么安全。
早在2009年,比特币就设定了区块链革命的动向,任何地点的任何两方都可以快速安全地转账。
一些区块链,最引人注目的是以太坊,通过整合智能合约将比特币的效用提升到了一个新的水平,从而实现了流程的自动化。
例如,假设你想购买10个醚令牌,但只有当价格低于每个令牌600美元时。智能合约的设立是为了在遇到特定情况时执行特定的行动,因此当价格下跌时,您可以设置购买10片乙醚。
这不是他们能做的全部:虽然智能合约可以像上述那样简单,但它们也可能更加复杂。如果成本低于每令牌600美元,并且您的帐户余额高于10,000美元,那么您也可以设置一个智能合约来购买乙醚,这是一个星期五。
智能合约对于希望利用区块链技术的金融以外的行业至关重要。例如,如果医疗保健系统想要在区块链上放置医疗记录,它可以使用智能合同来确保只有医疗专业人员才能访问它们。
尽管理论上听起来不错,但还是有一些坏消息:来自新加坡国立大学和伦敦大学学院的计算专家团队发表了一项研究报告,详细介绍了智能合约中令人惊讶的一些安全漏洞。
该小组使用名为MAIAN的定制工具分析了大约100万份智能合约。该团队正在寻找合同,攻击者可能会操纵无限期锁定资金,强制随机泄漏资金,或者干脆杀人。
他们的分析工具标出34,200份合约。它甚至发现Parity blockchain应用程序中的缺陷造成了2017年7月无法让所有者无法访问的价值1.69亿美元的资源。然后,该团队手动分析了3,759个合同,发现他们可以利用其中的3,686个漏洞。
确定大约3.4%的智能合约可能容易受到攻击者的影响是巨大的。当然,我们目前用来管理我们的财务和其他重要记录的集中式技术并不是铁腕。但是,如果我们要经历过渡区块链支持的数字经济的所有困难,那么建立一个更好的记录系统是不够的。
我们应该努力建立最好的体系。使用像MAIAN这样的工具来揭示当前的弱点是一个很好的开始。
披露:未来主义团队的几名成员,包括这件作品的编辑,都是众多加密货币市场的个人投资者。他们的个人投资观点对编辑内容没有影响。
-------------------------------------------------------------------------------------------------------------------------------------------
Blockchain has the potential to transform our world. Experts insist the technology is “bigger than the internet,” but we may want to take a beat before we put everything from our money to our health records on blockchains. According to a new study, the technology isn’t nearly as secure as we thought.
Back in 2009, Bitcoin set the blockchain revolution in motion giving any two parties, anywhere, a way to quickly and securely transfer money.
Some blockchains, most notably Ethereum, take the utility of Bitcoin to the next level by incorporating smart contracts, which automate the process.
For example, say you want to buy 10 ether tokens, but only if the price drops below $600 per token. Smart contracts are set up to execute specific actions when they encounter a specific situation, so you could set one up to buy 10 ether when the price drops.
That’s not all they can do: while smart contracts can be as simple as the above, they can also be far more complicated. You could also set up a smart contract to buy ether if the cost hits below $600 per token, and you have an account balance above $10,000, and it’s a Friday.
Smart contracts are essential for industries outside of finance that want to take advantage of the blockchain technology. For example, if healthcare systems wanted to put medical records on a blockchain, it could use smart contracts to ensure only medical professionals are granted access to them.
While it all sounds good in theory, there is some bad news: a team of computing experts from the National University of Singapore and University College London published a study that details a surprising number of security flaws in smart contracts.
The group analyzed roughly one million smart contracts using a custom-built tool called MAIAN. The team was looking for contracts attackers could manipulate to lock funds indefinitely, force to leak funds randomly, or simply kill.
Their analysis tool flagged 34,200 contracts. It even found the flaw in the Parity blockchain app that rendered $169 million worth of ether inaccessible to owners back in July 2017. The team then manually analyzed 3,759 contracts and found they could exploit vulnerabilities in 3,686 of them.
Determining that roughly 3.4 percent of smart contracts could be vulnerable to attackers is huge. Sure, the centralized technologies we currently use to manage our finances and other important records aren’t ironclad. However, if we’re going to go through all the trouble of transitioning to a blockchain-supported digital economy, building a better system for record keeping isn’t enough.
We should strive to build the best system. Using tools like MAIAN to expose current weaknesses is a good place to start.
Disclosure: Several members of the Futurism team, including the editors of this piece, are personal investors in a number of cryptocurrency markets. Their personal investment perspectives have no impact on editorial content.