
Smart contract vulns - Re: Scope of recent wave?



> > 2. The contract is a random block of code that cannot be attributed to a
> > vendor. While the contract's name may be "AIChain" and it may be associated
> > with the AIChain token, that does not mean there is an authorial relationship
> > between the token's creator and the contract. The contract creator is only
> > known as an address on the chain, e.g.
> > https://etherscan.io/address/0x8a8690d3ffaeeb700fe8be7a86b145b64922ec15
>
> Is this a requirement? There is a lot of open source code of questionable or
> unknown origin, and in some cases we do things like label things as part of
> an ecosystem (e.g. "WordPress plugins"; most WordPress plugins have nothing
> to do with WordPress the company...).

In my opinion, that is not a good comparison. Those third-party WordPress plugins (or Drupal, or any other CMS) typically have a vendor page, versions, a changelog, a repo, etc. It is extremely rare for there to be no provenance for who wrote the code, or where it is maintained. These contracts are a very different thing.

> > 3. These contracts are all copy/pasted from each other, which is why we
> > see so many of these disclosures. There are a few people/groups doing most
> > of the disclosures, who simply scan all contracts on a chain (e.g. Ethereum)
> > looking for blobs of vulnerable code. We don't know if one person originally
> > wrote the vulnerable code and 500 copied it (likely), or if hundreds wrote
> > the same vulnerable code blob (unlikely).
>
> So we maybe look at CVE MERGE, but XML hashdos had similar issues, people
> cutting and pasting/recycling stuff that was fundamentally broken.

As an example, here are two contracts with the same name, associated with two different tokens. Can you see a way to determine if they are the 'same' contract, in the sense of the author? Or is this a likely case of copy/paste? I think this would also make MERGE decisions problematic.

7/3/2018 AssetToken vl coin (vlcn) https://etherscan.io/address/0x0bdbc0748ba09fbe9e9ed5938532e41446c2f033
7/3/2018 AssetToken BitRS (BitRS) https://etherscan.io/address/0x6248211b830ce0191c7643b19f5ddb059e018672

> > 4. Users cannot install a patch or upgrade to fix a vulnerable contract as
> > such. This code is not part of the blockchain itself, nor of the
> > wallet/client that end users install. In most cases, the vulnerable
> > contract will be deprecated and a new copy will be spun up at a new
> > address, I believe. If the contract creator fixed the code at the same
> > address, there would be no indication that it was fixed that I can see. So
> > we wouldn't even necessarily get a "2018-07-09" style notation, let alone a
> > version or other way to track the contract.
>
> "It is fixable" is not a CVE requirement. As for tracking, most contracts
> can be tracked.

"It is trackable in a meaningful/useful way" should be a requirement. That is my argument.

> > 5. A majority of these tokens don't even have a vendor page or GitHub that
> > I have been able to find. So even trying to track it by the token becomes
> > problematic as we can't reference a vendor, software, or version number in
> > a majority of cases. Compare this to the actual blockchains such as
> > Bitcoin, Ethereum, Litecoin, etc, that have web pages, code repos, and
> > software that is installed by the user, it further contrasts that the
> > contracts are not the same as the blockchain themselves.
>
> I'm not sure what you're saying here, you're saying unless
> software/service has a good web page talking about it, we can't cover
> it?

I'm asking where the value is. If the CVE description can't give someone actionable information, and they haven't been (largely due to not including the address of the contract), what value does it bring? As a consumer of CVE, it would require a lot of digging to ultimately hit the same point I did on a lot of these; a given blob of code, that may or may not be copied, with no known author or other provenance, that likely can't be assigned meaningful CPE (i.e. would be missing at least one component of the string, the vendor), and may or may not have a 'solution' in the form of deprecation and/or relocation. Basically, how does someone use the current CVE entries for these to determine if it impacts them?

Brian

Page last updated or reviewed: July 10, 2018