For tomorrow’s leading dapps to utilize blockchain within their development stack, developers need the tools and information access that they are used to having when developing for the web. dfuse is speaking with experienced blockchain developers to help share their journey, the tools they use, and the knowledge sources they turn to. This week we spoke with Keywolf from SlowMist.
Could you introduce yourself?
I am known as Keywolf, a partner at SlowMist Technology, the head of SlowMist Zone. Since I entered the workforce, I have always worked to design and develop security products for internet companies’ internal use, and now I am focusing on blockchain security at SlowMist.
Could you present the vision of SlowMist?
SlowMist is a blockchain security company that provides customers with security auditing and advisement services, defense deployment, blockchain threat intelligence (BTI), bounty-for-vulnerability detection and more. We have carried out security audits and defense deployment for many top exchanges, wallets, chains, smart contracts, etc. Our team has received lots of positive feedback on our security capabilities and business experience from our customers.
We have been helping to cultivate the EOS ecosystem. When the mainnet launched in June 2018, in order to ensure a smooth start of the mainnet we put together an “EOS Block Producer Security Operation Guide,” which provided security best-practices for many BPs in the community. In September 2018, we pulled our experience from previous EOS smart contract security auditing to compose a copy of the “EOS Smart Contract Development Security Best Practices,” which summarized all known vulnerabilities along with solutions to help developers prevent being attacked by these vulnerabilities.
In addition, we provided the EOS community with EOS MonKit and FireWall.X for dapps. EOS MonKit makes it easy for users to query dapp contract deployment records. Through it, you can also subscribe to dapp contract updates. FireWall.X is convenient for developers to control the contract calls and prevent unauthorized access. At the same time, combined with an Oracle, you can implement risk control to prevent assets from being stolen by attackers.
The blockchain ecosystem has its own financial attributes; it doesn’t have government endorsement, and it is difficult to trace the source after being attacked. These points create a serious lack of a sense of security in this space. As a company that focused on blockchain security, SlowMist hopes to bring security to this ecosystem through our own strength and strive to become the security infrastructure of the blockchain world. This is our vision and our values.
What are the main challenges when developing for blockchain?
Blockchain technology is still in its early stages. Many infrastructures for tech development have not been built. At this stage, developers can only rely on a small amount of official technical documentation for reference and learning. During this process, it is inevitable that they will encounter obstacles resulting in attacks and vulnerabilities that have already occurred constantly reappearing in newly launched dapps.
In order to solve this problem, our security team at SlowMist has put together all known EOS smart contract vulnerabilities and provided corresponding solutions for each of them in the “EOS Smart Contract Development Security Best Practices.” We hope that after reading this guide, developers can avoid having their own dapps attacked through these known vulnerabilities.
What advantages would a dapp have by working with SlowMist?
In the second half of 2018, security incidents occurred frequently on EOS and many smart contracts were hacked, causing a large amount of EOS to be stolen. We analyzed a large number of smart contract attack methods and found the pain points and difficulties in defending against them. We then decided to develop a dapp firewall to help secure dapps.
Right now, FireWall.X can help block malicious accounts, and manage blacklists and whitelists. It provides statistics, log records, and identification of malicious transfers, and has a very friendly web console for developers to use. It allows dapp developers to focus on the project itself. In terms of smart contract security, you only need to integrate a library file when writing a smart contract. FireWall.X is free, so why not utilize it?
What advice would you give to a developer who wants to build a project on blockchain?
1. Learn about smart contract security vulnerabilities that have already occurred and avoid them in your smart contracts. Refer to our “EOS Smart Contract Development Security Best Practices” on GitHub.
2. Before the project goes online, test it as thoroughly as possible. If necessary, invite a professional security company to audit it to avoid asset losses caused by attacks.
3. Follow along with what is going on security-wise in the community. Monitor your smart contracts to see if any newly reported vulnerabilities exist in your contract and upgrade.
4. Prepare for possible errors. It is recommended to design a “fuse” in the smart contract, so that when there is an error in the smart contract, it triggers the fuse to blow and stops the contract from running immediately.
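The two controls Keywolf mentions, the blacklist/whitelist gate that FireWall.X provides and the “fuse” from the advice above, combine naturally into one guard that runs before any asset-moving action. The plain C++ below is an added illustration of that pattern; it is not SlowMist’s FireWall.X code and not eosio.cdt. On a real EOS contract the same checks would be written with eosio.cdt’s require_auth() and check(), and the state would live in a multi_index table; here the contract state is an in-memory struct, std::string stands in for eosio::name, and a failed check throws, which models the aborted transaction. The account names, the pool counter and the scenario in run_scenario() are constructed for the example.

```cpp
// Added example (not SlowMist's FireWall.X, not eosio.cdt): a plain C++ model of
// a pausable ("fuse") contract with an owner-controlled blacklist/whitelist gate.
#include <cstdint>
#include <iostream>
#include <set>
#include <stdexcept>
#include <string>
#include <utility>

using name = std::string;  // stand-in for eosio::name (assumption for this example)

struct Contract {
    name owner;
    bool paused = false;                 // the fuse: once blown, every guarded action aborts
    std::set<name> blacklist;
    std::set<name> whitelist;            // empty whitelist means "anyone not blacklisted"
    std::int64_t balance_pool = 0;       // constructed stand-in for the contract's assets

    explicit Contract(name o) : owner(std::move(o)) {}

    // Stand-in for eosio::check(): a failed check aborts the whole transaction,
    // so no partial state change survives.
    static void check(bool cond, const std::string& msg) {
        if (!cond) throw std::runtime_error(msg);
    }

    // Stand-in for require_auth(owner): only the contract owner may change controls.
    void require_owner(const name& caller) const { check(caller == owner, "missing authority"); }

    void pause(const name& caller)   { require_owner(caller); paused = true;  }
    void unpause(const name& caller) { require_owner(caller); paused = false; }
    void ban(const name& caller, const name& who)   { require_owner(caller); blacklist.insert(who); }
    void allow(const name& caller, const name& who) { require_owner(caller); whitelist.insert(who); }

    // Run both controls before touching any asset; order puts the cheapest, broadest check first.
    void guard(const name& from) const {
        check(!paused, "contract is paused");
        check(blacklist.count(from) == 0, "account is blacklisted");
        check(whitelist.empty() || whitelist.count(from) > 0, "account not whitelisted");
    }

    // The action under protection, e.g. a payout path triggered by an incoming transfer.
    void on_transfer(const name& from, std::int64_t quantity) {
        guard(from);
        check(quantity > 0, "quantity must be positive");
        balance_pool += quantity;
    }
};

// Result of one attempted action: whether it went through, and why not otherwise.
struct Outcome { bool ok; std::string reason; };

Outcome try_transfer(Contract& c, const name& from, std::int64_t qty) {
    try { c.on_transfer(from, qty); return {true, ""}; }
    catch (const std::runtime_error& e) { return {false, e.what()}; }
}

// Walks through a constructed scenario and returns how many expected behaviours held (6 when all do).
int run_scenario() {
    int passed = 0;
    Contract c("dapp");
    if (try_transfer(c, "alice", 10).ok) ++passed;                                   // normal call passes
    c.ban("dapp", "mallory");
    if (try_transfer(c, "mallory", 5).reason == "account is blacklisted") ++passed;  // blacklist gate
    c.pause("dapp");
    if (try_transfer(c, "alice", 1).reason == "contract is paused") ++passed;        // fuse blown
    c.unpause("dapp");
    if (try_transfer(c, "alice", 1).ok) ++passed;                                    // fuse reset
    if (c.balance_pool == 11) ++passed;                                              // rejected calls changed nothing
    bool denied = false;
    try { c.pause("alice"); } catch (const std::runtime_error&) { denied = true; }
    if (denied && !c.paused) ++passed;                                               // non-owner cannot trip the fuse
    return passed;
}

int main() {
    std::cout << "scenario checks passed: " << run_scenario() << " of 6\n";
    return 0;
}
```

The point of throwing from check() rather than returning a status is that it mirrors how an EOS action fails: the whole transaction is rolled back, so a blocked transfer cannot leave the pool half-updated. Keeping pause() behind the owner check matters as much as the fuse itself; a fuse any account can blow is a denial-of-service lever.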
If you are a developer and want to share your experience building on the blockchain, please feel free to contact us. We would be happy to integrate your interview into our series "In the Eyes of a Blockchain Developer".