To most people, the word ‘firewall’ is an unwelcome term, implying censorship, lack of access, and the curtailment of online freedom. For EOSIO developers, however, FireWall.X is more likely to be a helpful tool than a cyber obstacle, because the platform sets out to protect smart contracts built on EOSIO from malicious hacks and cyber threats, in turn contributing to the health of the overall EOS ecosystem. We spoke to Zhong Qifu, Product Manager at SlowMist Technology Co. (the company behind FireWall.X), about how “the world’s first firewall for smart contracts” intends to be the security guardian of all EOS applications.
How would you describe your project?
Zhong Qifu: FireWall.X is a powerful and practical firewall for smart contracts — it is also the world’s first firewall for smart contracts. Similar to traditional firewalls for operating systems which control network traffic, FireWall.X can also execute control over inline actions and prevent unauthorized access to smart contracts. Used in combination with oracle technology, there is the added benefit of risk management, which will help prevent hackers from obtaining any account information contained in smart contracts. For developers, FireWall.X makes their development process a lot easier, since all they need to do is to directly import our smart contract security enforcement document into their own code, after which they will be able to create a smart contract that is more resistant against cyber attacks — all at zero cost.
Where did your initial idea come from?
Zhong Qifu: In the latter half of 2018, we conducted some research into the many different ways one could carry out smart contract hacks, and discovered some of the major pain points and challenges surrounding the safety precautions of smart contracts. Following one of our many brainstorming sessions, a cybersecurity researcher on our team proposed the idea of FireWall.X, which naturally led us to the creation of this project. Our team’s expertise also lies mainly in cybersecurity technology, which is why we chose to focus on this aspect in the first place.
Can you introduce your team and tell us what makes it special?
Zhong Qifu: Our team possesses deep expertise and experience in cybersecurity-related matters. Many of our members have worked at eminent tech corporations such as Google, Microsoft, W3C, Tencent, Alibaba, Baidu etc., and some of their project achievements have been featured at the Black Hat Briefings — one of the most well-attended information security conferences in the world. So far, we have provided many EOS-based decentralized exchanges, wallets, and smart contract developers with security audits. Our clients include WhaleEx, Newdex, Chaince, MORE.TOP Wallet, MEET.ONE etc. When the public network launched in June 2018, our team compiled a guide titled “EOS BP Nodes Security Checklist”, aimed at providing community members with smart contract security support. In the following September, we utilized our experience in carrying out smart contract security audits to create a ‘Best Practice’ guide on ensuring the secure implementation of EOS smart contracts.
What stage is the project at and what are your plans for scaling up?
Zhong Qifu: At present, some of the fully functioning features of FireWall.X include malicious account screening, blacklist and whitelist management, statistical analysis, activity logging, as well as malicious transfer detection. These are all provided on a user-friendly platform for developers. Down the line, we will be launching a real-time statistical panel, as well as introducing risk management features in combination with an off-chain analysis tool. In a nutshell, these features and tools would enable apps to block off attacks in a timely manner, thus reducing the financial loss of users.
Why did you decide to use blockchain technology, and specifically EOSIO?
Zhong Qifu: Blockchain technology is superior in that it offers the benefits of immutability and accountability, which ensure that no data can be tampered with in the process. Blockchain can also improve identity verification and data authorization, which helps massively with elevating the efficiency of threat intelligence sharing. This is especially pertinent to our project, as it is centered on preventing cyber attacks. As for choosing to build on EOSIO, that’s because it is fast and easy to use. Since the launch of the public network, we have continuously seen a growing number of apps developing on the EOSIO protocol — this gives us high hopes for the EOSIO ecosystem.
It has only been three months since FireWall.X went live, but we have already seen lots of positive responses to our project among members of the EOS community. So far, we have managed to get 23 projects on board with implementing FireWall.X. As of now, we have successfully blocked off a large volume of smart contract hacks, in the process protecting many apps from cyber attacks.
More information on FireWall.X is available at https://FireWallx.io/index-en.html
Stay tuned to our EOSIO Spotlight series where we’ll highlight some of the truly exceptional projects being built on our platform. If you have a project you’d like to share with us, please email email@example.com.
-Developer Relations team
Block.one is a software company that is producing the EOSIO software as a free, open-source protocol. This software may, among other things, enable those who deploy it to launch a blockchain, or decentralized applications with various features. For more information, please visit https://github.com/eosio. Block.one does not provide financial support to anyone seeking to become a block producer on any version of the EOSIO platform that may be adopted or implemented.
Block.one will not be launching any of the initial public blockchains based on the EOSIO software. It will be the sole responsibility of third parties, the community, and/or those who wish to become block producers, to adopt and implement EOSIO in the manner they choose, with the features they choose, and/or providing the services they choose. Block.one does not guarantee that anyone will adopt or implement such features, or provide such services, or that the EOSIO software will be adopted and implemented in any way.
Block.one does not endorse any third party or its products or services, even if they are mentioned herein. Block.one is not responsible for any linked content or content provided by third parties, whether used directly or incorporated into this document.
Please note that the statements herein are an expression of Block.one’s vision, not a guarantee of anything. While we will try to make that vision come true, all aspects of it are subject to change in all respects at Block.one’s sole discretion. We call these “forward looking statements”, which includes statements in this document, other than statements of historical facts, such as statements regarding Block.one’s business strategy, plans, prospects, developments and objectives. These statements are only predictions and reflect Block.one’s current beliefs and expectations with respect to future events; they are based on assumptions and are subject to risk, uncertainties and change at any time.
We operate in a rapidly changing environment. New risks emerge from time to time. Given these risks and uncertainties, you are cautioned not to rely on these forward-looking statements. Actual results, performance or events may differ materially from what is predicted in the forward-looking statements. Some of the factors that could cause actual results, performance or events to differ materially from the forward-looking statements include, without limitation: market volatility; continued availability of capital, financing and personnel; product acceptance; the commercial success of any new products or technologies; competition; government regulation and laws; and general economic, market or business conditions.
All statements are valid only as of the date of first posting and Block.one is under no obligation to, and expressly disclaims any obligation to, update or alter any statements, whether as a result of new information, subsequent events or otherwise. Nothing herein constitutes technological, financial, investment, legal or other advice, either in general or with regard to any particular situation or implementation. Please consult with experts in appropriate areas before implementing or utilizing anything contained in this document.
The ideas and information expressed herein are solely those of the author and do not necessarily reflect the positions, views or advice of Block.one or any other employee of Block.one.