合约安全入个门

[mylamour]

不知道什么情况，老板准备做游戏？还是做博彩？不清楚。让看下合约安全，然后给大家分享一下。不好说，两天时间，还要分析下几个Dapp的合约代码。还好之前自己学习过一点。然后现学现卖，搞了一下。想说的都在PDF里了。 PDF -> smart contract security basicly

Resources

• Ethereum Safety: https://github.com/ethereum/wiki/wiki/Safety
• Smart Contract Best Practices: https://consensys.github.io/smart-contract-best-practices/
• DASP top10: https://github.com/CryptoServices/dasp
• Safe Solidity: http://chriseth.github.io/notes/talks/safe_solidity/
• Audit Smart Contract: https://medium.com/@merunasgrincalaitis/how-to-audit-a-smart-contract-most-dangerous-attacks-in-solidity-ae402a7e7868
• Online Contract Scan: https://securify.ch/
• Scan Contract Tools: https://github.com/meyer9/ethdasm
• Malicious Backdoors In Ethereum Proxies: https://medium.com/nomic-labs-blog/malicious-backdoors-in-ethereum-proxies-62629adf3357

[mylamour]

• https://github.com/thec00n/smart-contract-honeypots
• http://rickgray.me/2018/05/17/ethereum-smart-contracts-vulnerabilites-review/
• https://rickgray.me/2018/05/17/ethereum-smart-contracts-vulnerabilities-review/

PDF

• Predicting Random Numbers in Ethereum Smart Contracts
• Safety · ethereum wiki
• smart-contract-best-practices中文版

[mylamour]

合约中生成随机数

不安全的方式

1. 任何使用以下示例的决策将会给用户带来不公平机会

   • 使用blockhash, timestamp`或者其他矿工可以定义的值。始终记住，每个矿工有权利选择是否打包一个块，所以可想而知，他们都有可能获取他们挖到每个块中奖金？？ what fuck ?
   • 使用了任何用户提交的随机数。用户可能泄露预先提交了任何一个数值。

2. 任何其他合约可见，或者公共的。

   • 这意味着这个数字不应该在开奖前公布

3. EVM将不会追踪外部计算机

   • 任何合约生成的数字都可以在块结束前被知晓。所以需要在数字的产生和使用之间留出时间

原文:

1. Any decision that a user makes which affects the outcome gives that user an unfair advantage. Examples include:

   • Using a blockhash, timestamp, or other miner-defined value. Keep in mind that the miner has a choice of whether to publish a block or not, so they could conceivably have one chance at the prize per block they mine.
   • Any user-submitted random number. Even if the user pre-commits to a number, they have a choice in whether or not to reveal the number.

2. Everything that the contract sees, the public sees.

   • This means that the number should not be generated until after entry into the lottery has been closed.

3. The EVM will not outrace a physical computer.

   • Any number that the contract generates may be known before the end of that block. Leave time between the generation of the number and its use.

安全的方式： 设计一个不可欺骗的分布式彩票

1. The Casino sets aside a reward for a random number 赌场为随机数留出奖池

2. Each user generates their own secret random number N 每个用户生成自己的随机数N

3. Users create their commitment by hashing their N with their address: bytes32 hash = sha3(N,msg.sender) ¹ 用户通过散列他们的随机数值和钱包地址创建他们的唯一凭证

   • note: steps 2 & 3 should be performed locally, in secret 这一步和上一步最好应该在本地完成，为了安全

4. Users send their hash to the contract, along with ether greater than or equal in value to the value of the random number. ² 用户发送他们的哈希值(这个就是你的彩票)到合约地址, 随着Ether的值逐渐大于等于随机数的值

5. Submissions continue for some number of blocks, or until sufficient participants have joined. Once the submission round has ended, the reveal round begins. 继续提交新的块，直到有足够的参与者进来。一旦一轮提交结束，就开始开奖。

6. Each user submits their random number N to the contract 每个用户提交他们的随机数N到合约

7. The contract verifies that the sha3(N,msg.sender) matches the original submission 合约去验证这个sha3(N, msg.sender)是不是和原来的提交一致。

   • If the user does not submit a valid N in time, his deposit is forfeit. 如果用户的没有及时提交或者提交的是无效的，他的存款将会被没收。

8. The Ns are all XOR'd together to generate the resulting random number. 中奖的那个N是所有的一起生成所产生的随机数的异或。

9. This number is used to determine which of the participants receives the reward.(N % numUsers) ³ 这个数字决定了哪个参与者将接受奖金。

注解:

1. The users must concatenate their address to their N before hashing. Otherwise, another user could simply submit an identical hash, then wait for N to be revealed, then submit that. N XOR N equals 0, so this could be used to cancel out all submissions except the attacker's. 用户在哈希前吧随机数N和他们的地址连接到一起。否则，另一个用户可以简单地提交一个相同的哈希，然后等待N被显示，然后提交。N XOR N等于0，这可以用来抵消除了攻击者之外的所有提交。

2. This is where the trade-offs come in. The last person to reveal their N has a choice whether to reveal or to not reveal. This essentially gives them a double chance at winning. Enter enough times, and you get a new choice for each entry. Hint: Miners chose the order of transactions in a block. In order to discourage this, users must put up a large security deposit, equal to the value they would gain by manipulating the random number. This could be a problem for many users, especially for large jackpots, even with game-theoretic optimizations.

• A commonly employed alternative is a semi-centralized system. This requires the "house" to submit the first hash and last reveal. If the house does not fulfill their duty, everyone's ether is returned. This has issues, such as the house choosing to flake if a jackpot payout is imminent. The idea is that the house's reputation is at stake. ** Note that this essentially centralizes the whole system. One simply needs to take down the house for the whole operation to be shut down. This risk can be reduced by hiring multiple trusted non-players to be the first/last commiters.
• Another trick is to use hired professional third parties to "mine" randomness for you, so that the players need not be bothered with the process.
  3. A reward is necessary in order to foster competition among participants. It causes a classic tragedy-of-the-commons/prisoner's dilemma situation. Collusion between participants would allow them to win a large pot and split it among themselves, but if everyone knows what everyone else will submit, they know what they themselves should submit to win the reward. Thus, if the reward is larger than the value of the random number divided by the number of players, then everyone is incentivised to keep their own number a secret in order to have a better shot at the reward. Note that only one of the participants needs to submit a good random number, and the result will be unpredictable.

References

• 生成安全的随机数