Jul 24, 2018 - The world’s first anonymous crowd-testing platform, DVP (dvpnet.io) [1], is launched by BCSEC [2] and PeckShield jointly today, which opens a new era of improving blockchain security by crowd testing.

The main idea behind DVP, the Decentralized Vulnerability Platform, is to build an anonymous security crowd-testing community on blockchain technology, which provides decentralization and the “vulnerability is mining” paradigm. DVP effectively connects white hats, security firms, and blockchain firms, reduces the risk of accidental vulnerability disclosure, and improves the security of the whole blockchain ecosystem.

Figure 1: Decentralized Vulnerability Platform

Chiachih Wu, the CEO of DVP, states that security is essential to any blockchain company, from smart contract auditing to security auditing, from node fortification to penetration testing. “It’s all about security. Bugs exist in the darkest corner of your code, which is inevitable. When it comes to smart contract programming, the situation is even worse due to the fact that the deployed contracts cannot be truncated or upgraded. This makes the vulnerabilities in smart contracts prone to attack,” Wu said.

With its hidden security issues, the blockchain ecosystem has naturally become a hotspot for hackers. In recent years, security incidents have emerged in an endless stream, with growing scope of impact and growing asset losses. BCSEC’s latest statistics show that across the world there are 500 exchanges and 1644 digital currencies, with a total market value of up to $344,8 billion. As of June 2018, the cumulative number of attacks on digital currency had reached 100, resulting in a direct economic loss of $3.3 billion, with about $1 billion lost in the first half of this year alone. Recently, a security vulnerability in the Bancor (BNT) smart contract led to the theft of $23.5 million. Previously, $500 million in cryptocurrency was stolen from the Japanese exchange Coincheck, and the Korean exchange Coinrail lost $40 million worth of cryptocurrency.

These security incidents are scattered throughout the whole blockchain ecosystem, including exchanges, mining pools, wallets, and smart contracts. These security vulnerabilities affect the safety of hundreds of millions worth of digital assets, and the security ecology of the whole blockchain faces enormous security threats and challenges. Chiachih Wu believes that, as this is a new industry, blockchain practitioners relatively lack safety awareness, resulting in the insecure nature of current blockchain software and hardware and a large number of security vulnerabilities. In addition, there are many ecological links in the whole blockchain. In contrast, security practitioners are scattered, and it is difficult to form a joint effort to solve the problem. Meeting these challenges requires systematic solutions, and DVP is such a powerful attempt.

Huan Deng, the CSO of the DVP platform, said the DVP platform will connect global blockchain firms and white hats. Because the platform is decentralized, white hats and security engineers around the world can be involved in exploiting vulnerabilities, and every blockchain firm around the world can join in to utilize the service.

Huan Deng said, “At the moment, the blockchain firms have limited communication channels and high cost, while most white hats are reluctant to disclose their personal information, so they don’t actively inform the relevant companies even if they find a vulnerability.” The DVP platform will re-establish the relationship between the blockchain firms and the white hats throughout the community. On the one hand, it can effectively expand the limited communication channels and reduce the cost of communication; on the other hand, it can protect the white hats by using the inherent anonymity of blockchain.

According to the introduction, the DVP platform also provides an automatic reward payment system for blockchain firms and white hats. Deng described the “vulnerability is mining” process: the blockchain firms specify the asset scope and reward standard of the security audit, and deposit the digital currency into the contract. The white hats can submit blockchain-related vulnerabilities and threat information to the DVP platform, and check the progress of the vulnerability audit and claim at any time. To ensure the fairness of the entire process, the vulnerability information will be encrypted with the public key by the DVP platform, and the blockchain firms can decrypt it using the private key to obtain the details of the report. When the vulnerability is confirmed and adopted, the corresponding reward will be sent automatically to the address of the white hat who submitted it.

With the promotion of public chain value and the emergence of all kinds of security incidents, the security of the blockchain industry has attracted more and more attention. As a decentralized autonomous organization, the DVP platform will implement the responsible disclosure of vulnerabilities in all directions and dimensions, and strive to realize a virtuous circle of win-win outcomes between the blockchain firms and the white hats. It will take practical action to enhance the overall safety awareness of the blockchain industry and jointly build a better blockchain ecosystem.

PeckShield is the world’s leading blockchain security company, founded by Dr. Xuxian Jiang, who is the former chief scientist of Qihoo 360 and a tenured professor at North Carolina State University. The core team members, who are overseas returnees or Ph.D. graduates of Tsinghua University, have deep experience in the mobile security area. They conducted the world’s first research on the genome of malware on smartphones in 2012, and the malware dataset has been leveraged by more than 500 research institutes and companies across the world. In addition, the team was the first to identify the critical vulnerability in Tesla apps in 2014. Since its inception, the company has also attracted wide attention in the industry because of its continuous discovery and release of BEC, SMT, EDU and other major security vulnerabilities in the first half of this year.

The core members of BCSEC are from BMH Security Research Institute and have solid experience of running the largest vulnerability platform in the world, which has more than 10,000 hackers registered. With its focus on blockchain security, BCSEC provides industry-leading security solutions. By researching vulnerabilities in the wild and building security intelligence systems, BCSEC has accumulated vast knowledge of digital wallets, cryptocurrency exchanges, mining pools, and smart contracts, which enables it to provide security advisory services and technical support to the blockchain community.

About Us

PeckShield Inc. is a blockchain security company which aims to elevate the security, privacy, and usability of the current blockchain ecosystem by offering top-notch, industry-leading services and products (e.g., smart contract auditing). Please contact us at Telegram, Twitter, or Email.

References