跳到主要內容

臺灣博碩士論文加值系統

(18.97.14.80) 您好!臺灣時間:2024/12/08 23:10
字體大小: 字級放大   字級縮小   預設字形  
回查詢結果 :::

詳目顯示

我願授權國圖
: 
twitterline
研究生:徐宛萱
研究生(外文):Wan-Shiuan Hsu
論文名稱:智慧合約安全於分散式金融應用之研究
論文名稱(外文):Research on the Security of Smart Contracts in Decentralized Financial Applications
指導教授:林詠章林詠章引用關係楊朝成楊朝成引用關係
口試委員:吳汶涓林珮瑜
口試日期:2021-06-29
學位類別:碩士
校院名稱:國立中興大學
系所名稱:資訊管理學系所
學門:電算機學門
學類:電算機一般學類
論文種類:學術論文
論文出版年:2021
畢業學年度:109
語文別:中文
論文頁數:48
中文關鍵詞:智慧合約安全重入攻擊區塊鏈安全
外文關鍵詞:Smart Contract SecurityReentrancyBlockchain Security
相關次數:
  • 被引用被引用:0
  • 點閱點閱:113
  • 評分評分:
  • 下載下載:0
  • 收藏至我的研究室書目清單書目收藏:0
分散式金融於 2020 年後半年開始蓬勃發展,資安事件也相繼爆發,主要多與程式碼安全相關。目前各項分散式金融(DeFi)協議的技術尚未成熟,在不同應用層面的潛在風險可能在安全審計時無法被發現,未來更多結合不同協議漏洞的未知攻擊也必然會發生。本論文欲利用目前各類常見 DeFi 項目可能發生之攻擊過程進行漏洞解析,包含閃電貸、預言機、治理項目等等共八種。針對各案例提供智慧合約安全之撰寫或解決方式,使分散式金融項目佈署於乙太坊後能由源頭之程式碼進行安全控管,從根本減緩來自外部的攻擊。
Decentralized finance began to flourish after June 2020, and security incidents also broke out one after another, mostly related to code security. At present, the technology of various decentralized finance (DeFi) protocols is not yet mature, and potential risks at different application levels may not be discovered during security audits. In the future, more unknown attacks that combine different protocol vulnerabilities will inevitably occur. This paper intends to use various common DeFi applications such as flash loans, oracles, and governance projects. It also provides smart contract security writing or resolution methods for the analysis and solution of various attack vulnerabilities, so that decentralized financial applications can be safely controlled by the source code after they are deployed on Ethereum, and fundamentally slow down external attacks.
摘要 i
Abstract ii
目次 iii
圖目次 iv
第一章、緒論 1
一、研究背景 1
二、研究動機與目的 2
三、論文架構 3
第二章、文獻探討 4
一、 DASP TOP10 4
二、 智慧合約驗證標準(SCSVS) V14:Decentralized Finance 7
三、 重入攻擊(Reentrancy) 8
四、 DeFi新型態攻擊 10
第三章、攻擊解析及防護 14
一、 Unstoppable 14
二、 Naive Receiver 15
三、 Truster 17
四、 Side Entrance 19
五、 The Rewarder 21
六、 Selfie 24
七、 Compromised 25
八、 Puppet 28
第四章、實驗結果 32
一、 研究環境 32
二、 攻擊及解決方式分析 34
第五章、結論與未來展望 44
參考文獻 45
[1]L. Gudgeon, D. Perez, D. Harz, B. Livshits, and A. Gervais, "The decentralized financial crisis," in Proceedings of 2020 Crypto Valley Conference on Blockchain Technology (CVCBT), pp.1-15: IEEE , 2020
[2]Y. Chen and C. J. J. o. B. V. I. Bellavitis, "Blockchain disruption and decentralized finance: The rise of decentralized business models," Journal of Business Venturing Insights, vol. 13, p. e00151, 2020.
[3]Defi Pulse網站. Available: https://defipulse.com/
[4]I. J. S. Salami, I.‘Decentralised Finance: The Case for a Holistic Approach to Regulating the Crypto Industry’Journal of International Banking and F. Law, "Decentralised Finance: The Case for a Holistic Approach to Regulating the Crypto Industry," Journal of International Banking and Financial Law, vol. 35, no. 7, pp. 496-499, 2020.
[5]Bitcoin, Ethereum Avg. Transaction Fee historical chart. Available: https://bitinfocharts.com/comparison/transactionfees-btc-eth.html#6m
[6]H. Adams, N. Zinsmeister, and D. J. U. h. u. o. w. p. Robinson. (2020). Uniswap v2 core. Available: https://uniswap. org/whitepaper. pdf
[7]gas fee. Available: https://blog.makerdao.com/how-ethereum-2-0-will-address-gas-issues-and-enable-dai-and-defi-to-scale/
[8]The DAO. Available: https://en.wikipedia.org/wiki/The_DAO_(organization)
[9]DAO遭駭事件打破區塊鏈不可逆神話. Available: https://www.ithome.com.tw/news/107405
[10]How the dForce hacker used reentrancy to steal 25 million. Available: https://quantstamp.com/blog/how-the-dforce-hacker-used-reentrancy-to-steal-25-million
[11]S. Sayeed, H. Marco-Gisbert, and T. J. I. A. Caira, "Smart contract: Attacks and protections," IEEE Access, vol. 8, pp. 24416-24427, 2020.
[12]OWASP TOP10. Available: https://owasp.org/www-project-top-ten/
[13]OWASP ASVS. Available: https://owasp.org/www-project-application-security-verification-standard/
[14]DASP TOP10. Available: https://dasp.co/
[15]SCSVS. Available: https://github.com/securing/SCSVS
[16]Secure Smart Contracts Development using SCSVS. Available: https://owasp.org/www-chapter-tunisia/assets/images/OWASP-Tunis-Chapter-2020.pdf
[17]OWASP Tunisia. Available: https://owasp.org/www-chapter-tunisia/
[18]OpenZeppelin math. Available: https://github.com/OpenZeppelin/openzeppelin-contracts/tree/master/contracts/utils/math
[19]ICO Smart contract Vulnerability: Short Address Attack. Available: https://medium.com/huzzle/ico-smart-contract-vulnerability-short-address-attack-31ac9177eb6b
[20]Solidity v0.6.9 Doc. Available: https://docs.soliditylang.org/en/v0.6.9/
[21]The Parity Wallet Hack Explained. Available: https://blog.openzeppelin.com/on-the-parity-wallet-multisig-hack-405a8c12e8f7/
[22]King of the Ether. Available: https://www.kingoftheether.com/thrones/kingoftheether/index.html
[23]Solidity by Example 0.7.6. Available: https://solidity-by-example.org/
[24]OpenZeppelin GitHub. Available: https://github.com/OpenZeppelin
[25]tinchoabbate. Available: https://twitter.com/tinchoabbate
[26]Wargame. Available: https://en.wikipedia.org/wiki/Wargame_(hacking)
[27]Uniswap's getInputPrice function. Available: https://github.com/Uniswap/uniswap-v1/blob/master/contracts/uniswap_exchange.vy#L106
[28]M. Rodler, W. Li, G. O. Karame, and L. J. a. p. a. Davi, "Sereum: Protecting existing smart contracts against re-entrancy attacks," in Proceedings of 26th Annual Network & Distributed System Security Symposium (NDSS), 2019.
[29]Responsible_disclosure. Available: https://en.wikipedia.org/wiki/Responsible_disclosure
[30]J. Feist, G. Grieco, and A. Groce, "Slither: a static analysis framework for smart contracts," in Proceedings of 2019 IEEE/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), pp. 8-15: IEEE. ,2019
[31]MythX: Smart Contract Security Tool for Ethereum. Available: https://mythx.io/
[32]Introduction to Manticore, a symbolic analysis tool for smart contract. Available: https://medium.com/haloblock/introduction-to-manticore-a-symbolic-analysis-tool-for-smart-contract-9de08dae4e1e
[33]P. Tsankov, A. Dan, D. Drachsler-Cohen, A. Gervais, F. Buenzli, and M. Vechev, "Securify: Practical security analysis of smart contracts," in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 67-82 , 2018.
[34]S. Tikhomirov, E. Voskresenskaya, I. Ivanitskiy, R. Takhaviev, E. Marchenko, and Y. Alexandrov, "Smartcheck: Static analysis of ethereum smart contracts," in Proceedings of the 1st International Workshop on Emerging Trends in Software Engineering for Blockchain, pp. 9-16. , 2018
[35]B. Jiang, Y. Liu, and W. Chan, "Contractfuzzer: Fuzzing smart contracts for vulnerability detection," in Proceedings of 2018 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE, pp. 259-269: IEEE. ), 2018
[36]M. Di Angelo and G. Salzer, "A survey of tools for analyzing Ethereum smart contracts," in Proceedings of 2019 IEEE International Conference on Decentralized Applications and Infrastructures (DAPPCON ), pp. 69-78: IEEE., 2019
[37]S. Kalra, S. Goel, M. Dhawan, and S. Sharma, "ZEUS: Analyzing Safety of Smart Contracts," in Proceedings of 2018 Ndss, pp. 1-12. , 2018
[38]M. Wohrer and U. Zdun, "Smart contracts: security patterns in the ethereum ecosystem and solidity," in Proceedings of 2018 International Workshop on Blockchain Oriented Software Engineering (IWBOSE), pp. 2-8: IEEE. , 2018
[39]Aave Protocol V2 Available: https://github.com/aave/protocol-v2
[40]bZx Hack Full Disclosure (With Detailed Profit Analysis). Available: https://peckshield.medium.com/bzx-hack-full-disclosure-with-detailed-profit-analysis-e6b1fa9b18fc
[41]EIP-777: ERC777 Token Standard Available: https://github.com/ethereum/EIPs/blob/master/EIPS/eip-777.md
[42]Exploiting Uniswap: from reentrancy to actual profit. Available: https://blog.openzeppelin.com/exploiting-uniswap-from-reentrancy-to-actual-profit/
[43]Damn Vulnerable DeFi. Available: https://www.damnvulnerabledefi.xyz/
[44]PercentFinance Important Announcement. Available: https://percent-finance.medium.com/important-announcement-d35f9a0df112
[45]Bancor smart contracts vulnerability: It’s not over. Available: https://medium.com/zengo/bancor-smart-contracts-vulnerability-and-its-lessons-ce762d09bb9a
[46]MakerDAO White Paper. Available: https://makerdao.com/en/whitepaper/#keepers
[47]Harvest Finance: $24M Attack Triggers $570M ‘Bank Run’ in Latest DeFi Exploit. Available: https://www.coindesk.com/harvest-finance-24m-attack-triggers-570m-bank-run-in-latest-defi-exploit
[48]Cheese Bank Incident: Root Cause Analysis. Available: https://peckshield.medium.com/cheese-bank-incident-root-cause-analysis-d076bf87a1e7
[49]WarpFinance Incident: Root Cause Analysis. Available: https://peckshield.medium.com/warpfinance-incident-root-cause-analysis-581a4869ee00
[50]Uniswap V2 Audit Report. Available:https://uniswap.org/audit.html#org87c8b91
[51]Feeds price feed oracles. Available: https://developer.makerdao.com/feeds/
[52]Choosing a Reliable Solution for bZx’s Oracle. Available: https://bzx.network/blog/choosing-oracle
連結至畢業學校之論文網頁點我開啟連結
註: 此連結為研究生畢業學校所提供,不一定有電子全文可供下載,若連結有誤,請點選上方之〝勘誤回報〞功能,我們會盡快修正,謝謝!
QRCODE
 
 
 
 
 
                                                                                                                                                                                                                                                                                                                                                                                                               
第一頁 上一頁 下一頁 最後一頁 top