Track the performance of your crypto assets portfolio — completely anonymously. Wallet statements. Get a report on your address holdings for any timeframe. Make your tax reporting and accounting less of a hassle. Blockchair Awesome. Find and compare awesome blockchain and crypto products and services. News Aggregator. Catch up with the latest news from 60 biggest crypto outlets.
Available in 11 languages. Blockchair Donut. Donate to amazing nonprofits and open-source projects. Help crypto adoption and reduce tax payments. Compare crypto by size, fees, transactions per second, and more. Track upcoming hard forks and latest updates to cryptocurrency clients, like Bitcoin Core and Geth.
Get Blockchair extension. Blockchair brings the search engine for 17 blockchains to your browser. Learn about node accessibility, locations, consensus and more. This site is available in English, switch the language?
No Yes. Earn while you sleep. Earn now. Sponsored Advertise here Turn off ads. Request URI. Addresses 0 0? One way to reduce costs is to use libraries. In Ethereum, keeping your code DRY will directly save you money. The default multi-sig wallet in Parity did exactly this. It held a reference to a shared external library which contained wallet initialization logic.
The Parity team decided to let any unknown method that sent Ether to the contract just default to depositing the sent Ether. But they took it a step further, and herein was their critical mistake. Below is the actual code that was attacked. Using this, the attacker called a method called initWallet , which was not defined on the multisig contract but was defined in the shared wallet library:.
Do you see what just happened there? The attacker essentially reinitialized the contract by delegating through the library method, overwriting the owners on the original contract. They and whatever array of owners they supply as arguments will be the new owners.
Given that they now control the entire wallet, they can trivially extract the remainder of the balance. So what was ultimately the vulnerability? You could argue there were two. First, the initWallet and initMultiowned in the wallet library were not marked as internal this is like a private method, which would prevent this delegated call , and those methods did not check that the wallet wasn't already initialized.
Either check would've made this hack impossible. The second vulnerability was the raw delegateCall. You can think of this as equivalent to a raw eval statement, running on a user-supplied string. In an attempt to be succinct, this contract used metaprogramming to proxy potential method calls to an underlying library. The safer approach here would be to whitelist specific methods that the user is allowed to call. The trouble, of course, is that this is more expensive in gas costs since it has to evaluate more conditionals.
But when it comes to security, we probably have to get over this concern when writing smart contracts that move massive amounts of money. It was a clever catch, but once you point it out, it seems almost elementary. The attacker then jumped on this vulnerability for three of the largest wallets they could find — but judging from the transaction times, they were doing this entirely manually. The DAO hack was unique in that when the attacker drained the DAO into a child DAO, the funds were frozen for many days inside a smart contract before they could be released to the attacker.
This prevented any of the stolen funds from going into circulation, so the stolen Ether was effectively siloed. This gave the Ethereum community plenty of time to conduct a public quorum about how to deal with the attack. In this attack, the attacker immediately stole the funds and could start spending them. A hard fork would be impractical—what do you do about all of the transactions that occur downstream?
What about the people who innocently traded assets with the attacker? First, remember, this was not a flaw in Ethereum or in smart contracts in general. Rather, it was a developer error in a particular contract. The developers here were a cross-collaboration between the Ethereum foundation literally the creators of Ethereum , the Parity core team, and members of the open-source community.
It underwent extensive peer review. This is basically the highest standard of programming that exists in the Ethereum ecosystem. These developers were human. They made a mistake. And so did the reviewers who audited this code. How was it even possible they missed this? When I see responses like this, I know the people commenting are not professional developers.
For a serious developer, the reaction is instead: damn, that was a dumb mistake. Mistakes of this sort are routinely made in programming. All programs carry the risk of developer error. As programs scale to non-trivial complexity, you have to start taking it as a given that programs are probably not correct.
No amount of human diligence or testing is sufficient to prevent all possible bugs. Even organizations like Google or NASA make programming mistakes, despite the extreme rigor they apply to their most critical code. We would do well to take a page from site reliability practices at companies like Google and Airbnb.
In these postmortems, there is always a principle of never blaming individuals. Blaming mistakes on individuals is pointless, because all programmers, no matter how experienced, have a nonzero likelihood of making a mistake. Instead, the purpose of a postmortem is to identify what in the process allowed that mistake to get deployed. The problem was not that the developer forgot to add internal to the wallet library, or that they did a raw delegateCall without checking what method was being called.
The problem is that their programming toolchain allowed them to make these mistakes. As the smart contract ecosystem evolves, it has to evolve in the direction of making these mistakes harder, and that means making contracts secure by default. Strength is a weakness when it comes to programming languages.
The stronger and more expressive a programming language is, the more complex its code becomes. Solidity is a very complex language, modeled to resemble Java. Complexity is the enemy of security. Complex programs are more difficult to reason about and harder to identify edge cases for. I think that languages like Viper maintained by Vitalik Buterin are a promising step in this direction.
The less the language lets you do, the easier it is to analyze and prove properties of a contract. The fewer possible attack vectors you have to consider, the easier it is to develop a secure contract. A simpler programming model also allows things like formal verification and automatic test generation. These are areas under active research, but just as smart contracts have incorporated cutting-edge cryptography, they also should start incorporating the leading edge of programming language design.
Most of the programmers who are getting into this space, myself included, come from a web development background, and the blockchain toolchain is designed to be familiar for web developers. Solidity has achieved tremendous adoption in the developer community because of its familiarity to other forms of programming.
In a way, this may end up being its downfall. The problem is, blockchain programming is fundamentally different from web development. Before the age of the client-server web model, most programming was done for packaged consumer software or on embedded systems. This was before the day of automatic software updates. In these programs, a shipped product was final — you released one form of your software every 6 months, and if there was a bug, that bug would have to stand until the next release.
Because of this longer development cycle, all software releases were rigorously tested under all conceivable circumstances. Web development is far more forgiving. These two development models are fundamentally different. Most programmers today are trained on the web development model. Unfortunately, the blockchain security model is more akin to the older model. In blockchain, code is intrinsically unrevertible.
Being on Ethereum by definition means everyone owns your server. And once your attack is successful, you can potentially steal all of the money in the contract. Imagine that you were deploying software for vending machines. But instead of a bug allowing you to simply steal candy from one machine, the bug allowed you to simultaneously steal candy from every machine in the world that employed this software.
In the case of a successful attack, defense is extremely difficult. The white-hats in the Parity hack demonstrated how limited their defense options were — there was no way to secure or dismantle the contracts, or even to hack back the stolen money; all they could do was hack the remaining vulnerable contracts before the attacker did.
Find your nearest Houston, TX Bitcoin ATM location below RockItCoin in Houston limits its offerings to Bitcoin, Bitcoin Cash, Litecoin and Ethereum. Find locations where to exchange ether for cash and cash for ether: ATMs, teller, other services. Bitcoin ATMs in Houston, United States. Total number of Bitcoin ATMs / Tellers in and around Houston: Coins: Bitcoin (BTC) Lightning BTC (LBTC).