Along with IoT and AI, business development utilizing blockchain is becoming more widespread. At the same time, because blockchain is a new technological field, many people are unsure how best to ensure its security. While blockchain has benefits, including making tampering difficult, its security must also be considered from standpoints different from those of conventional systems. We therefore provide our Blockchain Assessment service to improve security when customers implement businesses utilizing blockchain technology.
Overview of Blockchain Assessment Service
Blockchain consists of various technical elements, and security standpoints differ for each element.
- 1. Smart Contract
- 2. Blockchain Platform Connection
- 3. DApps/Proprietary Apps
- 4. Blockchain Platform Settings (*consortium-type)
In the Blockchain Assessment, security assessments, including evaluations and recommendations, are performed for each element.
*As of July 2017, the service covers only smart contract assessments, with future expansions planned.
Smart Contract Assessment
The use of smart contracts is common in systems that utilize blockchain. Smart contracts are constantly exposed to attackers; if vulnerabilities exist, the contracts may be manipulated illegitimately.
For example, there was an incident on Ethereum, a public blockchain, in which a smart contract vulnerability was exploited and a large amount of virtual currency (Ether) held in smart contracts was drained. Security practices for smart contracts differ from the secure coding practices applied to conventional web and smartphone apps; if smart contracts are implemented without this knowledge, they may be attacked after they are released.
In addition, eliminating vulnerabilities prior to release is even more critical than with conventional systems, as smart contracts cannot be modified once they are released to the blockchain. With our Blockchain Assessment, we perform security assessments from our unique standpoint to check whether smart contracts have been implemented with vulnerabilities.
Our service combines static (main) and dynamic (secondary) analyses of smart contract source code. We use the static analysis to flag candidate issues and then check them via dynamic analysis on our private net for a high-precision assessment. Expert blockchain and smart contract engineers holding GSSP certification (GIAC Secure Software Programmer) are responsible for the service.
- Assessment of smart contracts from standpoints that assume a variety of threats, based in part on our own diagnostic items
- Preparation of our own diagnostic items based on smart contract security practices designed primarily overseas
- Confirmation that no vulnerabilities unique to smart contracts remain hidden
- Additional vulnerability assessments from general secure coding standpoints, including overflow vulnerabilities
- Optional advice before and after smart contract development
* Related patents pending
Major Threats to Smart Contracts
- Fraudulent virtual currency withdrawals (e.g., Re-entrancy Problem)
- Changes to master data through fraudulent function calls
- Unintended execution results induced by manipulating the order in which transactions are executed (Transaction-Ordering Dependence)
- Manipulation of execution results by a malicious miner (e.g., an attacker always wins a game that depends on the block timestamp by manipulating that timestamp)
- Information leaks from transactions
- Data inconsistencies due to missed atomicity considerations (e.g., a payment status marked as settled despite being unpaid)
- The risk of sustained attacks because countermeasures for when a vulnerability is exploited were not considered
* Consultation is required for other platforms
The supported platforms will continue to be expanded.
* Support for other languages is negotiable.
* Estimates are for each individual smart contract.