
Re: Smart contract vulns - scope of the recent wave?



> > In my opinion, not a good comparison. These third-party plugins for
> > WordPress (or Drupal or any other CMS) usually have a vendor page,
> > versions, changelog, repo, etc. It is extremely rare that there is no
> > provenance for who wrote the code, or where it is maintained.
> > Contracts are a very different thing.
>
> Well, another real-world example: I tried to track down all the SSH
> clients on the Apple iOS store, and I couldn't count them.

Meaning they don't get a CVE? Or meaning you know an iOS SSH client exists, but can't find the app/vendor in the store? If that's the case, this would be similar to Dormann's Tapioca project, with some 23k+ vulnerable apps. Even a week after disclosure, many of the apps had been removed from the store. We were able to dig up app/vendor information using third-party sites that mirror the Android store, information that was missing from the original disclosure. So in that case, we have the provenance of the software. If there is an app that completely vanished, and no indication it ever existed via Google searches, that is tricky. How do we even know it was a legit app in the first place, and not malware being distributed on a third-party store?

> > "Is it trackable in a meaningful / helpful way" should be a requirement.
> > That is my argument here.
>
> But it is trackable, and it is helpful. We have the wallet
> IDs/examples, and in the case of say SoarCoin people know now that the
> provider (Soar Labs) was engaged in some, shall we say shenanigans that
> mean you may want to avoid that coin. That's pretty useful.

Except, we don't. MITRE/CVE/Researchers have not been including the contract address in the CVE IDs. That is obviously fixable, and should be mandatory for any smart contract disclosure, regardless of the outcome of this thread.

Also, a contract can interact with SoarCoin but have nothing to do with the coin otherwise. People using SoarCoin aren't impacted unless they interact with the vulnerable contract. So the presence of a dozen contracts on Ethereum that are vuln has no bearing on the security of Ethereum itself. We've seen that with 'game' contracts earlier this year, where the vulnerability allowed for badthing that could result in loss of funds, but only for those playing the game via the contract.

Unrelated to CVE's tracking of these, I wouldn't say it is fair to ding SoarCoin or Ethereum for a vulnerability in a third-party contract, just as we don't with WP or Drupal plugins and their main software.

Brian

Page last updated or reviewed: July 10, 2018