DEF CON 32聚焦：CertiK安全工程师揭秘dApp的安全挑战

币界网Publicado em 2024-08-15Última atualização em 2024-08-15

币界网报道：

8月10日，CertiK的安全工程师Wang Peiyu在DEF CON 32会上发表了题为“Web2遇见Web3：黑客攻击去中心化应用”的演讲，通过Dapp漏洞和攻击手段的真实示例，深入分析了Web2与Web3集成所带来的新型安全问题，并提出了如何识别和防范这些风险。

演讲不仅揭示了去中心化应用（dApp）所面临的独特安全挑战，还分享了CertiK安全工程师Wang Peiyu在dApps渗透测试过程中积累的宝贵经验。他强调了恶意行为者如何利用dApps的漏洞，通过窃取种子短语、私钥、签名和API密钥等敏感信息来控制加密资产和托管人，进而操纵合约状态。

此外，演讲还深入讨论了dApp威胁建模，通过一系列实际案例，展示了客户端和服务器端的常见漏洞，包括跨站脚本攻击（XSS）、子域接管、DNS劫持、供应链攻击以及服务器配置错误等。他还提出了几个关键的安全建议，包括进行渗透测试和智能合约审计，以确保dApps的安全性。他强调，开发者需要对Web2和Web3的安全知识有全面的了解，以防止漏洞的引入，并保护用户资产不受侵害。

DEF CON是历史悠久的年度黑客大会之一，自1993年首次举办以来，一直面向白帽黑客群体举办，以其前沿的演讲、研讨会和竞赛而闻名。今年，CertiK的安全工程师Wang Peiyu受到特别邀请，参与了这场盛会，与全球网络安全领域的顶尖专家一道，深入探讨并分享了最新的安全技术进展和行业趋势。

Leituras Relacionadas

Crypto Crime Hit Hard: $700 Million Frozen By DOJ Strike Force

A US law enforcement task force has frozen over $700 million in cryptocurrency linked to investment scams targeting Americans. The operation, which involved cooperation from crypto exchanges and legal processes, also took down more than 500 fraudulent websites and a Telegram channel used to recruit victims. Two Chinese nationals were named in arrest warrants for operating a scam compound in Burma. In a related move, the US State Department announced a $10 million reward for information disrupting scam centers in Burma. Singaporean authorities, alongside major crypto exchanges and analytics firms, also prevented nearly $3 million in losses through a parallel operation. The scale of cybercrime remains vast, with the FBI reporting over $20 billion in losses in 2025.

bitcoinistHá 24m

Crypto Crime Hit Hard: $700 Million Frozen By DOJ Strike Force

bitcoinistHá 24m

Toncoin Fees To Drop 6x As Network Moves Toward Feeless Transactions

Telegram founder Pavel Durov announced that the Toncoin (TON) network will reduce transaction fees by six times in one week, lowering the cost to just 0.00039 TON (approximately $0.0005). This fee reduction is part of the "Make TON Great Again" (MTONGA) roadmap and will remain fixed regardless of network congestion. The update follows a recent upgrade that made the network 10 times faster and transactions nearly instant. Durov also hinted that future steps aim to make most transactions fully feeless. Although Telegram discontinued formal involvement with TON due to regulatory issues, Durov remains a strong supporter. Currently, Toncoin is trading around $1.30, down over 8% in the past week.

bitcoinistHá 54m

Toncoin Fees To Drop 6x As Network Moves Toward Feeless Transactions

bitcoinistHá 54m

a16z: AI's 'Amnesia', Can Continuous Learning Cure It?

The article "a16z: AI's 'Amnesia' – Can Continual Learning Cure It?" explores the limitations of current large language models (LLMs), which, like the protagonist in the film *Memento*, are trapped in a perpetual present—unable to form new memories after training. While methods like in-context learning (ICL), retrieval-augmented generation (RAG), and external scaffolding (e.g., chat history, prompts) provide temporary solutions, they fail to enable true internalization of new knowledge. The authors argue that compression—the core of learning during training—is halted at deployment, preventing models from generalizing, discovering novel solutions (e.g., mathematical proofs), or handling adversarial scenarios. The piece introduces *continual learning* as a critical research direction to address this, categorizing approaches into three paths: 1. **Context**: Scaling external memory via longer context windows, multi-agent systems, and smarter retrieval. 2. **Modules**: Using pluggable adapters or external memory layers for specialization without full retraining. 3. **Weights**: Enabling parameter updates through sparse training, test-time training, meta-learning, distillation, and reinforcement learning from feedback. Challenges include catastrophic forgetting, safety risks, and auditability, but overcoming these could unlock models that learn iteratively from experience. The conclusion emphasizes that while context-based methods are effective, true breakthroughs require models to compress new information into weights post-deployment, moving from mere retrieval to genuine learning.

marsbitHá 1h

a16z: AI's 'Amnesia', Can Continuous Learning Cure It?

marsbitHá 1h

Can a Hair Dryer Earn $34,000? Deciphering the Reflexivity Paradox in Prediction Markets

An individual manipulated a weather sensor at Paris Charles de Gaulle Airport with a portable heat source, causing a Polymarket weather market to settle at 22°C and earning $34,000. This incident highlights a fundamental issue in prediction markets: when a market aims to reflect reality, it also incentivizes participants to influence that reality. Prediction markets operate on two layers: platform rules (what outcome counts as a win) and data sources (what actually happened). While most focus on rules, the real vulnerability lies in the data source. If reality is recorded through a specific source, influencing that source directly affects market settlement. The article categorizes markets by their vulnerability: 1. **Single-point physical data sources** (e.g., weather stations): Easily manipulated through physical interference. 2. **Insider information markets** (e.g., MrBeast video details): Insiders like team members use non-public information to trade. Kalshi fined a剪辑师 $20,000 for insider trading. 3. **Actor-manipulated markets** (e.g., Andrew Tate’s tweet counts): The subject of the market can control the outcome. Evidence suggests Tate’sociated accounts coordinated to profit. 4. **Individual-action markets** (e.g., WNBA disruptions): A single person can execute an event to profit from their pre-placed bets. Kalshi and Polymarket handle these issues differently. Kalshi enforces strict KYC, publicly penalizes insider trading, and reports to regulators. Polymarket, with its anonymous wallet-based system, has historically been more permissive, arguing that insider information improves market accuracy. However, it cooperated with authorities in the "Van Dyke case," where a user traded on classified government information. The core paradox is reflexivity: prediction markets are designed to discover truth, but their financial incentives can distort reality. The more valuable a prediction becomes, the more likely participants are to influence the event itself. The market ceases to be a mirror of reality and instead shapes it.

marsbitHá 2h

Can a Hair Dryer Earn $34,000? Deciphering the Reflexivity Paradox in Prediction Markets

marsbitHá 2h

Analyst Reveals Accumulation Level For Dogecoin Before It Rallies To $2

A crypto analyst, Crypto Patel, predicts that Dogecoin (DOGE) could rally to $2, despite currently trading below $0.10. The analyst identifies a key accumulation zone between $0.07 and $0.09, where DOGE has repeatedly tested support without breaking down. Based on a bi-weekly chart using Elliott Wave theory, DOGE is in a Wave 4 consolidation phase within a descending channel. A bounce from this support is expected to trigger a Wave 5 rally, projecting a 2,767% surge toward $2. Price targets are set sequentially at $0.50, $1, and $2, with a stop-loss below $0.048. For a bullish trend reversal, DOGE must break above the $0.10 resistance level, which was recently rejected in April. Analysts emphasize that market conditions and a confirmed higher high are critical for the projected uptrend.

bitcoinistHá 2h

Analyst Reveals Accumulation Level For Dogecoin Before It Rallies To $2

bitcoinistHá 2h

Trading

Spot

Futuros