Cobo 安全团队：牛市 DeFi 交互指南

Although it can bring considerable benefits to users, the security of funds is the core of the steady growth of assets. The security team combed the common security risks in the interaction and the corresponding security precautions, hoping to inspire and help everyone in the safe interaction in the bull market. Since the opening of the year, more and more creative decentralized financial protocols led by Ethereum have emerged, which greatly enriched the availability of assets on the chain and enabled blockchain users to make better use of the assets on the chain for more diversified finance. Activities and create rich benefits, but with the rise of more and more protocols, security challenges also follow. According to incomplete statistics, the asset loss caused by blockchain attacks has reached hundreds of millions of dollars in one year alone. It can be seen that in the process of participating in the agreement, in addition to evaluating the corresponding income expectations, the evaluation of protocol security can not be ignored, otherwise it will bring great losses to users. Generally speaking, the mainstream definition of protocol security evaluation is code security evaluation, and the dimension of this definition is relatively. The single problem here is that the evaluation itself only considers the security of the agreement in the static process, while the security in the interaction process is often dynamic, including the preparation before the interaction of the account management agreement, the monitoring of asset management data after the interaction, and the self-rescue after the loss of assets in extreme cases. As a user who is about to enter the novice village, how to earn income while maximizing the protection of funds, the security team combed the common security risks and The corresponding security precautions hope to enlighten everyone's security interaction in the bull market and help the common security risks and preventive measures in the interaction-account private key disclosure is one of the problems that novice users are easy to recruit at present. Because there are many kinds of wallets in the market, novice users lack the ability to judge the security of wallets by themselves, many novice users will download some unsafe wallets and use them to generate private keys, which will lead to the private keys being maliciously returned to attackers. Many experienced users found that their main account was transferred on a certain day, and all the assets analysis found that all the behaviors were normal for a long time. In most cases, the account used an unsafe wallet to generate its own private key in the early days, which led to the leakage of the private key. At the same time, due to the wealth effect caused by blockchain airdrop, many novice users blindly clicked on some so-called airdrop websites, which packaged themselves into very serious project pages and told users to save them. Driven by a large number of unpaid tokens, many novice users will fill in their private keys under the guidance of web pages, which will lead to the disclosure of private keys. In order to prevent the disclosure of private keys, users need to do the following to take precautions, use well-known blockchain wallets and download wallets from the corresponding official website. Conditional users suggest using hardware wallets, and never expose their private keys in plain text in the networking environment, and never enter their private keys into any web pages at will. Fishing Risk Signature Fishing Risk is also the hardest hit area for novice users, just like the disclosure of private keys. It is different from directly letting users fill in private keys. This kind of phishing attack is to induce users to initiate a transaction or signature to obtain the authorization of users' related assets, which is characterized by high concealment, difficulty in analysis and imperceptible detection. Usually, attackers will first induce users to sign in the name of receiving airdrop verification login, etc. At this time, the user's browser wallet prompts the user to complete the signature. There may be many types of phishing transactions, such as direct transfer, direct transfer or call to transfer wallet assets to attacker's address type. Call method to authorize attacker's wallet. Asset transfer will not occur when the user signs, but the attacker's wallet can transfer user's asset message signature through call, such as method authorization pending order signature. Such signatures are usually displayed in the wallet as data or well-formatted tree data. When the user signs, the transaction will not be initiated, but the signature result will be consumed by phishing websites. Record the attacker can use the signature result to transfer the original signature data of the victim or assets into binary data. It is impossible to infer the specific signature content from the signature data itself. The signature of the above types of data is likely to lead to asset loss. However, at present, mainstream wallets usually prohibit this signature method or give obvious risk warnings. Recently, in some cases, it has been found that some phishing websites will require users to sign multiple signatures in succession and the first few are harmless normal signatures. Mix a malicious signature content and use the user's operational inertia to induce the user to complete the signature operation. In order to prevent the financial loss caused by phishing, the core is to refuse blind signing. Carefully examine each signature and refuse to sign for transactions with uncertain content. Specifically, you can pay attention to the following contents during the signing process: confirm the interactive website to check the complete domain name for the project official website. Check the method called by the contract. Focus on the method and check the transfer attached to the transaction. Some phishing websites will try to construct a seemingly safe one. For example, it will actually cause the loss of the original tokens in the same chain when it is called. The original content is not signed. The transfer address is poisoned. The transfer address poisoning is a relatively new attack method recently. The attack method is to send a transaction with the same amount to the user with an address similar to the receiving address in the transaction when the user initiates a transfer, or a transaction with the same amount but corresponding tokens. For example, it will be transferred regularly every month to monitor the transaction as salary payment. The first and last bits of the address are the same. After this operation, the address that may be used in the next transfer is used as the receiving address of the transaction. The reason for this situation is that the blockchain address is long and irregular, which makes it difficult for users to remember. Many times, users will copy the address directly from the last transaction record for convenience. Because the address is very similar to the address, it is difficult to distinguish and eventually lead to asset loss. In order to prevent the transfer address from being poisoned, users can take it. The following measures are taken to prevent every transaction from checking the transfer address and checking the complete content instead of just comparing the first few bytes. Set the commonly used addresses into the address white list address book and set aliases. Try to use only the addresses in the address book to transfer money. Avoid copying addresses from online channels, including blockchain browser wallet transaction records, as the transfer target. Over-authorization of four tokens is almost the first step in interaction. Because the transaction data is constructed by the project party's webpage rather than the user's, it is not necessary to repeatedly authorize the project in order to facilitate the user's multiple interactions. 比特币今日价格行情网_okx交易所app_永续合约_比特币怎么买卖交易_虚拟币交易所平台

注册有任何问题请添加 微信：MVIP619 拉你进入群

文章转载注明 网址：https://netpsp.com/?id=57502