blockchain security and right and wrong

Posted by santillano at 2020-02-25

- Description -

All statistics and screening inevitably involve personal subjective judgement. If there is any misunderstanding or mistake, please correct me.

- Data source -

The data is still taken from the Internet; no sensitive data has been quoted illegally.

The news and data parts mainly draw on:

Currency World (Bishijie), a fast and comprehensive blockchain news site:

Baidu News, convenient for search and statistics:

Feixiaohao (非小号), a cryptocurrency statistics and analysis platform:

The security part refers largely to details published by SlowMist:

SlowMist (慢雾, literally "slow fog"), a team focused on blockchain security: search for "SlowMist Zone" on Knowledge Planet (zsxq.com)

Notes on the statistics:

For various reasons, the statistics for all categories of information run only up to December 15. Although less comprehensive, they should still be representative.

These statistics differ from the previous two in that most places give no specific figures and use trend statistics instead. Apart from the question of statistical scope, blockchain being a ** word, I try not to mention numbers.

(If there is any problem with a quotation in this article, please contact me to revise or delete it.)

【1】 Cryptocurrency

It is undeniable that it is almost impossible to mention blockchain without cryptocurrency. So, let's start with this.

According to Feixiaohao statistics (December 18), there are currently 2485 kinds of digital currency. Among them:

The total circulating market value exceeds 800 billion yuan

More than 36% of digital currencies have no circulating market value

48% have a circulating market value below 1 million yuan (including those with no circulating market value)

The top 10 by circulating market value account for 82.4% of the total market value of all digital currencies

【2】 Blockchain talents

For blockchain talent, first some headlines:

January 2018: Swiss blockchain developers earn up to $180000 a year

March 2018: BOSS Zhipin Research Institute: average salary of 25800 yuan

March 2018: the "sequela" of blockchain fever

March 2018: Estonian blockchain start-up recruits sticker-pack (emoji) specialists at a salary far above the national average income

April 2018: Japan's blockchain talent shortage: high salaries, yet innovative engineers are hard to hire

April 2018: BOSS Zhipin Q1 2018 talent report: blockchain technology post salaries up 31%

April 2018: Golang engineers see the highest salary increase in the blockchain hotspot

April 2018: average salary in the blockchain field exceeds that in AI, ranking first

June 2018: 2018 China blockchain talent white paper: average monthly salary of technical posts is 10000 higher than in the Internet industry

October 2018: salaries of blockchain professionals far exceed the average US wage

October 2018: skyrocketing salaries for blockchain engineers and AI developers

October 2018: media: recruitment salaries in the blockchain industry fell by 30% to 50%

December 2018: monthly salary of domestic blockchain technology posts is only 30000, less than half that of American counterparts

It can be seen that in the first half of the year, blockchain talent was paid highly. In the second half, not only did the number of blockchain talent reports fall, but the reported pay also began to decline.

Two headlines from the second half of the year are especially interesting:

In April it was reported that "the average salary in the blockchain field exceeds that in AI", and by October this had become "comparable with AI developers"

In December it was reported that "the salary of domestic blockchain technology posts is only 30000 yuan, less than half that of American counterparts", which is very cleverly put but extremely poignant

So the following chart should explain it (BTC price trend, candlestick chart from Huobi):

【3】 Geography and heat

Judging by how often several regions are mentioned in the industry, the United States, Japan and South Korea are the regions with the highest blockchain-related popularity.

(This data does not include "China"; don't ask me why.)

I will not comment much on this section; read the news as needed.

【4】 Enterprises march into blockchain

In the past year, blockchain, as a hot spot, has become a direction of technology innovation for many enterprises.

For the listed companies, "entering the blockchain" has become a magic weapon to increase the value in the secondary market. As long as the announcement of "entering the blockchain" is made, the stock will rise accordingly.

Here, news of enterprises announcing their entry into blockchain is tallied by month, as shown in the following figure:

By month, the largest numbers of enterprises announced entry into the blockchain field in January and March.

As time went on (as the market weakened?), in the second half of the year few enterprises still tried to chase hot spots on the blockchain.

In terms of timing, finding a new technology field and pushing a wave of hot topics in the first quarter of the new year seems to be a good move for the market.

In the second and third quarters, when it was time to show whether they were mules or horses, manufacturing another technology hot spot seemed to have little point. What's more, by then both the crypto circle and the A-share market had started to look somewhat weak.

So, can we also conclude that the rise and fall of the so-called blockchain industry depends on the mood of the crypto circle?

In addition, for those enterprises still trying to find a new direction in blockchain in the off-season (the fourth quarter), perhaps they are the true lovers of blockchain technology?

Here is a candlestick chart (from Xueqiu, "Snowball") of this year's A-share Shanghai Stock Exchange index:

Of course, not every stock with blockchain in its name can soar to the sky. Take Long Blockchain, for example:

December 2017: Long Island Iced Tea Corp. changed its name to Long Blockchain Corp. (hereinafter "the company") in December last year, and its share price soared 4 times;

January 2018: the company planned to purchase 1000 Antminer mining machines produced by Bitmain to start a mining business;

February 2018: the company abandoned its plan to purchase mining machines and issued 1.6 million ordinary shares to raise 7.7 million US dollars;

February 2018: the company received notice of delisting intent from the NASDAQ exchange;

February 2018: the NASDAQ exchange said it would not list the company because its market value was too low;

February 2018: NASDAQ prepares to delist its shares for misleading investors;

April 2018: the company received the delisting decision letter from the NASDAQ hearing panel, and trading would be suspended on NASDAQ on April 12;

April 2018: the company was delisted from NASDAQ on April 12.

I have not looked into the reasons for the delisting. But it is clear that "entering the blockchain" here meant buying miners to mine.

【5】 Blockchain application landing

Blockchain application "landing" (real-world deployment) was a hot topic in 2018, and a large number of reports discussed how to land blockchain applications.

However, reports on specific landed applications are far fewer, less than 10% of the reports on how to land, and even within that 10%, after repeated screening I found it genuinely difficult to pick a typical representative project (excluding the small blockchain applications that big companies build within their own ecosystems).

So let's leave this part blank for now.

-- Forrester Research believes that the application of blockchain technology will take some time.

【6】 Security incident statistics

In this chapter, for security (or hacker) incident statistics, only clear reports or actionable intelligence are counted; vague content, false figures and dubious reports are removed. Details:

Information from SlowMist Zone is mostly verified, so besides being counted it is also used to verify quoted information

Generic reports with no clear target, such as "hackers made more than US $1 billion from the digital currency market this year", are excluded

All speculative reports of the form "XX platform suspected of being hacked" are excluded

Reports of the form "XX exchange had XX billion in digital currency stolen" or "XX platform lost more than XX billion to hackers" are kept

Only reports directly related to blockchain or digital currency are selected; ransomware demanding Bitcoin payment and cryptomining malware are excluded

Each incident is counted once: for example, an exchange being hacked may generate a large number of reports, but the incident is recorded only once

Keywords for screening: hacker, hacked, stolen, attacked

Screening method: after keyword filtering, items were manually screened one by one, so deletions for subjective reasons cannot be ruled out

This article gives distribution statistics by proportion across incident counts, currencies, threats and other dimensions, so as to avoid naming specific exchanges, wallets or other brands

/6.1/ Proportion of currencies involved in incidents (limited energy: only BTC, ETH and EOS are counted)

By overall distribution, EOS has the most security incidents (by count, not by amount). Among EOS incidents, games (including both the game and gambling categories) are the most affected.

BTC security incidents do not involve many different methods, basically theft of personal accounts (or wallets) and hacking of platforms, and their overall number is far lower than for ETH and EOS.

ETH incidents mainly target platforms, which has much to do with a series of ERC20 vulnerabilities.

/6.2/ EOS game security

According to media reports, the top 10 DApps account for more than 84% of the whole network's CPU resources, and all of them are betting (guessing) games.

According to DappRadar, there are more than 100 DApp games (including the game and gambling categories), and this year at least 21 games have definitely been attacked.

And the attack sources are also relatively concentrated.

/6.3/ Statistics of attack methods

Many incidents did not disclose the specific attack method, and some platforms even refused to admit an attack after technical staff had analysed the method.

Therefore, only incidents with a clear method are counted in this part. Because the overall number is small (though still dozens), the statistics are no longer presented as a graph; the specific methods are simply listed:

Phishing / fraud / spear phishing (mainly via mail and SNS, targeting individuals; spear phishing also harms platforms)

DoS / DDoS (mainly against platforms / nodes)

Vulnerable or tampered third-party libraries (mainly against platforms, but front-end XSS also harms individuals)

51% attacks (the number of double-spend incidents reported this year alone is beyond imagination)

DNS hijacking (aimed at the platform, but the victims are mainly individuals)

Fake deposits / false top-ups (mainly against platforms)

EOS random number problems

EOS rollback attacks

It is worth noting that DDoS/DoS and DNS hijacking are the rarest of these.

The reason is not hard to understand: denial of service brings no direct profit, and DNS hijacking requires more investment than the other methods. Judging from this year's well-known DNS hijacking, its cost-effectiveness is poor.

Sorting the above attack methods by the month in which they appeared:

In the first half of the year there were many fraud attacks against individuals, such as phishing. By the end of the year, whether because everyone had started hibernating for the winter or for some other reason, there were relatively few;

As an attack method with only input and no direct output (setting aside competitors attacking each other), denial of service will never be very numerous;

Third-party library issues come in two kinds: poisoning the library at its source, and exploiting a vulnerability in the library (such as TradingView). The first is a matter of chance rather than something that can be sought out, and the second depends heavily on the particular exchange. In short, there are many objective constraints, so naturally they do not appear often;

The number of double-spend (51%) attacks may surprise many people, and the coins hit were not all very small, which to some extent says something about the state of hash power;

DNS hijacking: the only widely publicised DNS hijacking appeared in April. The operation is said to have been huge, yet the haul does not seem to match its scale. Presumably lessons were learned from that precedent, and no such reports have appeared since. I suspect, however, that DNS poisoning aimed at specific populations still exists, after all the profits should be considerable; but even when such a problem occurs, it is very hard for it to get reported;

The emergence of fake deposits is very interesting: first the continuity over time, then the concentration within one period. It can be understood this way: once a fake-deposit flaw is found, hackers exploit it frantically, and after many people have paid their tuition, few still step on it. Moreover, many exchanges have strengthened their security audits of smart contracts, which also plays an important role;

The EOS random number problem was reported as early as July and persisted in between, but it broke out in the fourth quarter, basically concentrated in various games;

EOS rollback is likewise used against DApps, a recent game. As this article was being revised, new cases of rollback attacks appeared. It looks like it will catch on;

Finally, why were January and February so quiet?
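The fake-deposit (false top-up) problem listed above was, in the widely reported 2018 ERC20 cases, a token whose transfer() returned false instead of reverting, while the exchange credited the deposit as soon as the transaction was mined. The following is an added example, not code from this article: a simplified deposit-crediting check in Python with the naive logic beside the hardened one, run over constructed sample receipts (the token, exchange and user addresses are made-up placeholders).

```python
# Added example (not from this article): crediting an ERC20 deposit safely.
# Receipts and calldata below are constructed sample data in a simplified form
# of the Ethereum JSON-RPC transaction receipt (status, to, logs).

# keccak256("Transfer(address,address,uint256)"): the ERC20 Transfer event topic
TRANSFER_SIG = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
ONE_TOKEN = 10 ** 18  # assume a token with 18 decimals

def pad32(addr):
    """ABI-encode a 20-byte address as a 32-byte hex word."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def naive_credit(calldata, receipt, token):
    """Vulnerable logic: credit the amount taken from the transfer() calldata as
    soon as the transaction to the token contract is mined. A token whose
    transfer() returns false instead of reverting still gets status 1, so this
    credits a deposit that never moved any balance (the fake-deposit problem)."""
    if receipt["status"] != 1 or receipt["to"].lower() != token.lower():
        return 0
    return int(calldata[-64:], 16)  # last ABI word of transfer(to, amount)

def safe_credit(receipt, token, deposit_addr):
    """Hardened logic: trust only a successful receipt plus a Transfer event
    emitted by the token contract itself whose recipient is our address."""
    if receipt["status"] != 1:
        return 0
    total = 0
    for log in receipt["logs"]:
        if log["address"].lower() != token.lower():
            continue  # emitted by some other contract: a spoofable event
        topics = log["topics"]
        if len(topics) == 3 and topics[0] == TRANSFER_SIG and topics[2] == pad32(deposit_addr):
            total += int(log["data"], 16)
    return total

# Constructed sample data (placeholder addresses, not real ones)
TOKEN, EXCHANGE, USER = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
AMOUNT = 1000 * ONE_TOKEN
CALLDATA = "0xa9059cbb" + pad32(EXCHANGE)[2:] + hex(AMOUNT)[2:].rjust(64, "0")
# 1) transfer() returned false: mined with status 1, but no Transfer event
FAKE_RECEIPT = {"status": 1, "to": TOKEN, "logs": []}
# 2) a genuine transfer: the token contract emitted Transfer(USER, EXCHANGE, AMOUNT)
REAL_RECEIPT = {"status": 1, "to": TOKEN, "logs": [{
    "address": TOKEN, "topics": [TRANSFER_SIG, pad32(USER), pad32(EXCHANGE)],
    "data": "0x" + hex(AMOUNT)[2:].rjust(64, "0")}]}

if __name__ == "__main__":
    print("naive, fake deposit:", naive_credit(CALLDATA, FAKE_RECEIPT, TOKEN) // ONE_TOKEN)
    print("safe,  fake deposit:", safe_credit(FAKE_RECEIPT, TOKEN, EXCHANGE) // ONE_TOKEN)
    print("safe,  real deposit:", safe_credit(REAL_RECEIPT, TOKEN, EXCHANGE) // ONE_TOKEN)
```

The same event-based check also rejects a Transfer event emitted by a contract other than the listed token, which is how a deposit of a look-alike token would otherwise be mis-credited.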

/6.4/ Targets of threats

In the past year various threats have emerged. Classified by threat target, the proportions of wallets, exchanges and nodes are as follows:

In fact, most wallet threats are actually threats to exchange wallets. So, on the whole, exchanges remain the biggest potential victims. After all, the complexity of exchange business gives attackers a lot of room for imagination and operation.

/6.5/ Security situation summary

It should be obvious that this summary is hard to write.

From the overall attack picture, attackers in this industry are strongly profit-driven, and wherever there is a problem, they are bound to drain every bit of possible value out of it.

Combining attack timing with the industry's development, one can see:

In the early days, attackers still used traditional methods such as denial of service, phishing and DNS hijacking. Leaving aside the input-output ratio of that DNS hijacking, these are more traditional attacks with limited profit and a large element of luck. Even denial of service has little profit margin once the possibility of competitors attacking each other is excluded.

In the medium term, attackers clearly turned to features or vulnerabilities specific to cryptocurrencies, such as fake deposits and random number problems. The 51% attacks, however, are unlikely to have been carried out by traditional hackers: mobilising such huge hash power at once, in secret, is not realistic. More likely, people who already controlled the hash power got bad ideas.

Later came squeezing and harvesting. At this stage it is no longer just about hacking. The recent series of EOS incidents gives the impression that attackers have entered the rules of the game in this new world: they are no longer attackers but (one kind of) reaper within the game, and that is what it means.

Combining specific news reports with this process gives the following trend:

In the early days everyone was staring at BTC, especially in phishing, and most of what was lost was BTC;

The middle period was also when various tokens and chains were active; with a few problems exposed, the news focused on theft of various tokens;

Later, EOS.

On the whole, this matches the evolution of the crypto circle.

【7】 The future of blockchain

I want to see the fog in front of me.

What's the future? Stupid!

- 12.16 -

- END -