NFTGo conversation with SlowMist Security Team: Security assurance requires the establishment of a comprehensive security system

Author: NFTGo Research

As a company focused on blockchain ecosystem security, SlowMist Technology was established in January 2018 by a team with over a decade of frontline cybersecurity experience. SlowMist has independently discovered and disclosed numerous high-risk blockchain security vulnerabilities in the industry, gaining widespread attention and recognition.

Today, blockchain security issues are frequent, and Web3ers have long been troubled by them. Therefore, in this second episode of our dialogue, we are pleased to invite the SlowMist security team to share valuable insights on blockchain security, helping everyone explore the on-chain world with more assurance. Let’s officially begin~

1. First, please introduce SlowMist to everyone.

Answer: Hello everyone, SlowMist is a company focused on blockchain ecosystem security. Our blockchain ecosystem security capabilities consist of three rings: the innermost layer is compliance security, the second layer is technical security, and the outer layer is ecosystem security. Technical security mainly includes two business lines: security auditing and anti-money laundering.

The content of security audits includes smart contract code for DeFi projects, centralized exchanges, wallet apps, browser plugin wallets, and underlying public chains. We also offer red team testing services, which is one of our advantages. Over the past five years since 2018, we have served numerous well-known and leading clients in the industry, with thousands of commercial clients and a high satisfaction rate. For anti-money laundering, we have an on-chain tracking platform called MistTrack. In addition, we pay close attention to compliance security, as compliance is one of the important cornerstones for the long-term development of this industry. We have strict legal processes for projects that cooperate with us for security audits or anti-money laundering.

We understand that security is a whole, and security assurance requires a complete security system. Therefore, we provide integrated, tailored security solutions from threat discovery to threat defense.

In simple terms, it is a military-like circular defense system with layered defenses. The outer layer is threat discovery, which involves discovering and identifying threats through SlowMist's partners and our own threat intelligence system (this is also part of our ecosystem security), and then issuing warnings to the entire ecosystem through media channels; threat defense refers to our defense system, from BTI (Blockchain Threat Intelligence System) to deploying tailored and systematic defense solutions, implementing cold, warm, and hot wallet security hardening, etc., selecting quality security solution providers in the fields of network security, risk control security, wallet security, etc., allowing clients to choose flexibly and easily cope with various challenges encountered during business development. We hope to work together with quality partners and communities in the industry to build a joint security defense effort.

2. Web3 security issues are always hard to guard against. Aside from basic rules like: handwritten mnemonic phrases and verifying the authenticity of websites, what security advice does SlowMist have for Web3ers who frequently interact?

Answer: Since the question is about interaction security, let's first outline how attackers generally steal users' assets.

Attackers typically use two methods to steal user assets:

First, they trick users into signing malicious transaction data that transfers assets to the attacker. Second, they deceive users into entering their wallet's mnemonic phrase on malicious websites or apps.

Now that we know how attackers steal wallet assets, we need to take precautions against potential risks:

1. Before signing, identify the data being signed, understand what the transaction is for, carefully check whether the signing target is correct, and whether the authorized amount is excessive;
2. Use hardware wallets as much as possible, as hardware wallets generally cannot directly export mnemonic phrases or private keys, which raises the threshold for mnemonic phrase and private key theft;
3. Various phishing techniques and incidents are emerging constantly. Users should learn to identify various phishing methods, enhance their security awareness, and educate themselves to avoid being scammed. For example, follow media updates from security companies like SlowMist to stay informed about the latest scams or phishing techniques. Of course, we highly recommend reading SlowMist's “Blockchain Dark Forest Self-Rescue Handbook”, which is full of valuable information;
4. We suggest users maintain different wallets for various scenarios to keep asset risks manageable. For example, large assets that are not frequently used should be stored in cold wallets, ensuring that the network and physical environments are secure when accessed. Wallets used for participating in airdrops or other activities, which are accessed more frequently, should hold smaller amounts of assets. By managing wallets based on different asset types and usage frequencies, risks can be kept under control.

3. On August 16, Yuxian posted an interesting tweet - where does your "Mac is safer than Windows" illusion come from? For Web3 users, what are the advantages and disadvantages of Mac and Windows according to SlowMist?

Answer: Yes, this tweet sparked quite a discussion. Conversely, we might ask, "Where does the illusion that Windows is safer than Mac come from?" The perspective and answers are similar. From the perspective of single-system intrusion prevention, Mac's closed nature and strict permission controls are indeed better than Windows. Additionally, Mac has a very low global PC market share, while Windows has a high share, leading to more attacks occurring on Windows. Since Windows has been around for a long time, various attack vectors have matured. To exaggerate a bit, currently, 99% of security personnel engaged in penetration testing, intrusion, and APT do not target Mac, while 100% target Windows. Setting aside the above points, if we were to use a trojan that bypasses detection to attack both Mac and Windows, the results would be similar; both would be compromised. Overall, it’s half about the device and half about the individual. If users lack security awareness, they can easily fall victim to having malicious programs implanted on their computers, which may lead to the theft of sensitive data (such as mnemonic phrases). Malicious software can behave in many different ways; it may hide in email attachments or use the device's camera for surveillance. We recommend that everyone enhance their security awareness, such as not easily downloading and running programs provided by strangers, only downloading applications, software, or media files from trusted sites; not opening attachments from unknown emails; regularly updating the operating system to obtain the latest security protections; and installing antivirus software on devices, such as Kaspersky.

4. Many projects have experienced "treasury" theft incidents. What does SlowMist believe are the common causes of security issues? Is the possibility of insider theft significant?

Answer: According to the SlowMist Hacked database, as of August 24, 2023, there have been 253 security incidents with losses amounting to as much as $1.45 billion. From the perspective of blockchain malfeasance, there are several main methods: phishing attacks, trojan attacks, hash power attacks, smart contract attacks, infrastructure attacks, supply chain attacks, and insider jobs. Taking common smart contract attacks as an example, there are several attack methods: flash loan attacks, contract vulnerabilities, compatibility or architectural issues, as well as some techniques like front-end malicious attacks and phishing targeting developers.

Additionally, when it comes to insider theft, we must mention private key leakage. Private key leakage varies by situation; the differences between individual and exchange private key leaks are significant. For individuals, private key leakage usually occurs when they store their private keys or mnemonic phrases online, such as in WeChat favorites, 163 email, notes, or cloud storage services like Youdao. Hackers often collect leaked account password databases from the internet, such as plaintext account passwords from CSDN many years ago, and then try these on cloud storage or cloud service websites. A common term in the security circle is "credential stuffing," which is probabilistic; if login is successful, they will look for any crypto-related content.

For exchanges, it is more complex. Generally, only large hacker organizations have the capability to breach the multiple layers of security protecting exchanges, gradually infiltrating to obtain the private keys of hot wallets on the exchange's servers.

Here, it is important to emphasize that this is illegal behavior and should never be imitated. We recommend that project teams seek security companies to conduct security audits on their project code to enhance the project's security level. They can also issue bug bounties to mitigate security issues during the ongoing operation and development of the project. Additionally, we suggest that project teams improve internal management and technical mechanisms by introducing multi-signature mechanisms, zero-trust mechanisms, etc., to strengthen asset protection.

5. Cross-chain bridges have been jokingly referred to as "hacker ATMs." For Web3ers with limited technical knowledge, what should they pay attention to when using cross-chain bridges?

Answer: When it comes to cross-chain bridges, first, the complexity of cross-chain bridge operations and the large amount of code can easily lead to vulnerabilities during coding implementation. Secondly, the security of third-party components referenced in the project is also a significant cause of security vulnerabilities. Finally, the lack of a larger development community for cross-chain bridges means that the code has not been widely and thoroughly searched for potential bugs.

For users, it is important to understand how their funds are protected when using cross-chain bridges. They can assess the risk level of a cross-chain bridge from several dimensions, such as: Is the project contract open source? Does the project have multiple security audits? Is the private key management scheme based on MPC (Multi-Party Computation)? Or is it multi-node multi-signature? Or is the private key managed uniformly by the project team? Users should also choose cross-chain teams with strong security capabilities, ensuring that all versions of the code have undergone security audits, and that the team has dedicated security personnel. We also recommend that cross-chain bridge teams operate more transparently, so they can receive more user inquiries and suggestions, and promptly address any shortcomings.

6. Aside from common scams and phishing, can SlowMist provide some less common, hard-to-detect examples?

Answer: We previously disclosed an incident where attackers exploited a defect in the WalletConnect feature of Web3 wallets to increase the success rate of phishing attacks. Specifically, some Web3 wallets that support WalletConnect did not restrict where the transaction pop-up would appear, allowing it to pop up on any interface of the wallet. Attackers exploited this flaw by guiding users to connect WalletConnect to phishing pages through phishing websites, continuously constructing malicious eth_sign signature requests.

When users recognize that ethsign may not be safe and refuse to sign, since WalletConnect uses a wss connection, if users do not close the connection in time, the phishing page will continuously initiate malicious ethsign signature requests. When using the wallet, users are likely to mistakenly click the sign button, leading to asset theft. In fact, simply leaving or closing the DApp Browser should pause the WalletConnect connection. Otherwise, when users are using the wallet, if a signature request suddenly pops up, it can easily cause confusion and lead to theft risks.

Speaking of eth_sign, it is an open signature method that has been frequently used by attackers for phishing in the past two years. It allows signing of any hash, meaning it can sign any transaction or data, posing a dangerous phishing risk. Everyone should carefully check the application or website they are using when signing or logging in, and avoid entering passwords or signing transactions in unclear situations. Refusing blind signing can help avoid many security risks.

7. I would like to hear about the most profound security incident SlowMist has encountered over the years in blockchain security.

Answer: In the past two to three years, the Poly Network incident that occurred in 2021 left a deep impression. At the moment the attack happened on August 10 at around 8 PM, we maintained a high level of attention, continuously analyzing the attack process, tracking the flow of funds, and calculating the losses incurred, which felt somewhat like being on the front lines. The loss was $610 million, which at the time was considered an exceptionally large loss in an attack incident.

Our team released an analysis of the attack incident and the IP identity information of the attackers we had discovered at around 5 AM on the 11th. By the afternoon of the 11th, under immense pressure, the hacker began to return the assets. The hacker's subsequent comments on-chain were also quite "interesting." The entire process was a significant achievement for a security company.

8. Finally, let me ask an interesting question. With the continuous iteration of new technologies like formal verification and AI auditing, how does SlowMist view the development of new technologies?

Answer: Speaking of new technologies, for example, ChatGPT improves the efficiency of traditional text work, and CodeGPT enhances code writing efficiency. Internally, we have previously used historically common vulnerability codes as test cases to verify GPT's detection capabilities for basic vulnerabilities. The test results found that the GPT model performs well in detecting simple vulnerability code blocks, but it currently cannot detect slightly more complex vulnerability codes. During testing, we observed that GPT-4 (Web) has high overall contextual readability and produces clear output formats.

GPT has partial detection capabilities for basic simple vulnerabilities in contract code, and when vulnerabilities are detected, it explains the issues with high readability. This feature is suitable for providing quick guidance and simple Q&A for junior contract auditors in their initial training. However, there are some drawbacks: for example, GPT's output for each conversation has a certain degree of fluctuation, which can be adjusted through API parameters, but it is still not a constant output. While this variability is a good approach for language dialogue, it poses a problem for code analysis tasks.

To cover the various vulnerabilities that AI might inform us about, we need to request the same question multiple times and compare the results, which inadvertently increases the workload, contradicting the goal of AI assisting humans in improving efficiency. Furthermore, when detecting slightly more complex vulnerabilities, it becomes evident that the current (as of March 16, 2024) training model cannot correctly analyze and identify relevant key vulnerability points.

Although GPT's ability to analyze and discover contract vulnerabilities is still relatively weak, its ability to analyze small blocks of common vulnerabilities and generate report texts continues to excite users. In the foreseeable future, with the training and development of GPT and other AI models, we believe that faster, smarter, and more comprehensive auxiliary auditing for large and complex contracts will definitely be achieved.**

Conclusion

Thank you very much to the SlowMist security team for their responses. Where there is light, there are shadows, and the blockchain industry is no exception; but it is precisely because of the existence of blockchain security companies like SlowMist Technology that light can shine even in the shadows. We believe that with development, the blockchain industry will become more standardized, and we look forward to the future development of SlowMist Technology~

In the future, NFTGo will continue to invite Web3 Builders for interviews and dialogues, and we welcome everyone to follow our Chinese Twitter: @NFTGoCN to stay updated. If you have any suggestions, builders you want to see, questions you want to ask, or if you want to recommend yourself, feel free to comment or DM us on Twitter.