Building an application on a blockchain is a real challenge for developers who are seeking to leverage the power of the decentralized Web. With that in mind, dfuse is inviting experienced developers to share their journey of building these next-generation dapps. To launch the series, we are pleased to speak with Chiachih Wu, Co-Founder/Research VP at PeckShield and one of the early users of the dfuse API.
Could you introduce yourself?
I am Chiachih Wu (@chiachih_wu), PeckShield’s Co-Founder/Research VP. I have worked in information security for more than ten years. I studied virtual machine security and mobile security in the early years. I delved into blockchain at the end of 2017. Together with the former Chief Scientist of 360, Dr. Jiang Xuxian, and my long-time colleagues from the security industry, we co-founded PeckShield, "all-in" on the blockchain industry, because in this new industry, where "the code is the law", security issues will be the key factor affecting the growth of the blockchain ecosystem.
Could you present the vision of PeckShield?
We have positioned ourselves to be blockchain data and security service providers. We analyze, organize, and summarize the data from major public chains and, with our years of experience in security, detect the possible security risks in the public chain first-hand. We then offer our findings and expertise to our partners in the ecosystem, helping the community to avoid some of the security risks and minimize the loss of digital assets.
For example, when the dapp ecosystem started to flourish, we found that the biggest factor that plagued the growth of developers was hacking. For this, we launched the DAppShield risk control platform. DAppShield helps dapp developers perform pre-launch security testing, eliminate known risks, and integrate risk control capabilities to alert on potential security attacks in a timely manner. In addition, it also supports a one-click pause after the attack occurs to minimize asset loss, then works with exchanges to track the funds, providing dapp developers with complete risk control, emergency response and other services.
This service provides dapp developers with the necessary security and risk control emergency responses, and takes the burden off developers in the early dapp development process by reducing the number of attack vectors. It also helps protect the security of digital assets, helping dapps and the industry itself to grow in a healthier environment.
What are the main challenges when developing on a blockchain?
The biggest challenge for developers is that the blockchain industry pursues characteristics such as decentralization and transparency. Therefore, there are a lot of potential security risks and obstacles; in particular, the risk of being hacked is there throughout the entire course of product development. The reasons are:
- The development of the blockchain itself is still in its early stages, and there are many security issues in the technology and operation. The security awareness and basic skills of blockchain developers are relatively weak in these early stages. Many underlying contract codes have large homogeneity, and once there is a problem, it will affect many;
- In the second half of 2017 and early 2018, the blockchain boom and the price increase of different currencies greatly attracted the attention of hackers. The rate of return for hacking blockchain is usually much higher than that of the traditional Internet;
- The cost of attacking on the blockchain is extremely low, and it is often difficult to recover by traceability. This has indirectly further indulged these security incidents.
The attacker is stronger than the builder; I am afraid that this is the industry environment that every developer will face. To attempt to overcome this, it is imperative to do the risk control layout, strengthen the security protection from the beginning of a dapp’s development, put security first in the investment, and then build the operation and promotion on this basis. Obviously, the current DApp format is too focused on operation and promotion, and ignores the most basic security defense work. This has led to a series of security incidents, which not only hit the DApp developers hard, but also damaged the confidence of the market.
What advantages would a dapp have by working with PeckShield?
If we look at the actual DApp attack cases, a considerable part of the attacks can be effectively avoided. In the case of our DAppShield risk control platform, developers can log in to the DAppShield back-end in a decentralized manner, and there is a large number of blacklisted accounts. Developers can block all blacklisted accounts with one click. They can also run detection of characteristics of known attacks, which helps developers to understand the security status of their DApp contracts. After an unusual attack, the DApp will be able to shut down a specific feature with one click to minimize asset losses.
It should be said that DAppShield products take into account the various problems that may be encountered in the development of a DApp. This is combined with PeckShield's accumulated security expertise, blacklist database, and risk-control emergency response services, which are all open to developers. This includes audits before the contract goes online, real-time anomaly detection after launch, and emergency response after an attack.
What advice would you give to a developer who wants to build a project on blockchain?
For DApp developers, we have compiled developer documentation on EOS on GitHub called “EOS Smart Contract Coding Security Standard - A Quick Reference Guide”: https://github.com/peckshield/EOS/tree/master/eos-tutorials
Some suggestions for developers:
- There is a certain interoperability between the public chains. For example, TRON is developed based on ETH. DApp developers on TRON can refer to existing security events on ETH, analyze the characteristics of known attacks, and know in advance the possible attacks, and then test with a product similar to the DAppShield to eliminate some known attacks.
- Developers should establish a close relationship with a security company. After all, they have the specialization. Security companies can share a lot of valuable experience and services with developers, helping developers take fewer detours and run into fewer roadblocks.
- Developers should carefully choose the public chain platform. In the coming year, there will be strong competition among public chains. Especially in the DApp ecology, the whole layout will be established. Developers can comprehensively compare the development environment of major public chains, then choose a relatively more mature, stable and secure platform.
- Find the right business model as early as possible. The reason why gambling games are the mainstream and that they are the most developed DApps is that they have a stable business model and relatively stable traffic. What’s blocking the growth of other types of DApps is the lack of a relatively viable business model. After all, entrepreneurship in the dapp ecosystem is difficult, and the first challenge is to simply survive.
If you are a developer and want to share your experience of building on the blockchain, please feel free to contact us. We would be happy to integrate your interview into our series "In the Eyes of a Blockchain Developer".