Consortium Blockchain Security Solutions

SlowMist Technology provides comprehensive security solutions for many top digital currency trading platforms, wallets, public chains, smart contracts, and other projects in the global public chain ecosystem, and is committed to building security across the blockchain ecosystem. SlowMist Technology was one of the first companies to be included in the Ministry of Industry and Information Technology's "2018 China Blockchain Industry White Paper", is one of the first batch of collaborative development partners of the national digital culture and innovation standardized governance ecological matrix, is one of the five members of the Guangdong-Hong Kong-Macao Greater Bay Area Blockchain and Cyber Security Technology Joint Laboratory, and is one of the initiators of the G3 Blockchain Lab of Tsinghua University. As the consortium blockchain ecosystem has developed, in 2019 SlowMist Technology cooperated with many provincial network information offices to conduct multi-level security audits of the consortium blockchains of local governments, enterprises, and institutions, from the chain infrastructure up to the application layer, and found vulnerabilities and weak points in consortium blockchains and their supporting systems across multiple scenarios and applications. SlowMist Technology has carried out several security research projects in the field of consortium blockchain and has systematic experience in the secure implementation of multi-scenario blockchain systems. The SlowMist Technology consortium blockchain full-cycle security construction solution is dedicated to improving enterprises' security control over a blockchain technology stack that is not yet fully mature, to building a multi-level, standardized blockchain security system, and to protecting the rapid and safe implementation of blockchain applications.

Processing Flow

Consortium Blockchain Security Solution Architecture Table

Security Audit Item

Blockchain Business Layer

Audit Classification / Audit Category / Audit Subclass (indented as classification, category, subclass)

Production Network Security
  DNS Security
    DDoS Attack
    DNS Spoofing
    DNS Redirection
  Load Balancing Strategy
    Polling Logic Detection
  Firewall Configuration Strategy
    Intra-domain Security Strategy
  DDoS Defense Strategy
    Anti-DDoS Advanced
    High Performance Equipment
    CDN Flow Cleaning
    Load Balancing
    Flow Control
    Source Authentication
    Session Mechanism Strategy
  Port Security
    Minimize Service Ports
    Disable Weak Passwords
    Enable SSH Key Login
  Authority Security
    Hierarchical Authorization Strategy
    CA Certificate/Domain Control
    Personnel Management

Server Security
  Basic Configuration Security
    SSH Private Key Login
    Password Complexity Rules
    Prevent the Root User from Logging in over SSH
    Change the Default SSH Port
    Set up a Jump Server
    Minimize Service Ports
    Firewall Rules
    Third-party Login Authentication Module
    Logging Strategy
  Upgrade and Patch Strategy
    Automatic System Updates
    Application Updates
    Vulnerability Patch Updates
  Third-party Module Security
    Software Vulnerability Review
    Encryption Defects
    Injection Vulnerabilities
    Code Vulnerabilities

Application Services Security
  (Unnamed category)
    Security Certification Signature
    Service Alarm Notification
    Password Policy
    Data Transmission Encryption
    Storage Encryption
    Access Control
    Server Firewall
  API Service Security
    IP Black and White Lists
    Encrypted Connection
    Avoid MITM Attacks
    API Injection
    Denial of Service Attacks
    Client Connection Authentication and Authorized Access
    WAF Service
  Database Service Security
    Certificate-encrypted Connection
    Complex Password Strategy
    Black and White Lists of Registered Addresses
    Configure the Port to Not Allow Public Access
    Multi-replica
    Log Retention
    Data Backup
    Software Updates
  Caching Service Security
    Configure the Port to Not Allow Public Access
    Complex Password Strategy
    Multi-replica
    Data Backup
    Encrypted Connection
    Update Bug Patches in a Timely Manner
    Login Black and White Lists
  Private Key Management Service Security
    No Open Interface
    Actively Connect to External Interfaces to Synchronize Data
    Data Transmission Encryption
    Data Backup
    Encrypted Data Storage
    Grab Data to be Signed
    Interface Cannot Obtain Private Key Data in Plain Text
  Node Service Security
    IP Whitelist Restricted Access
    Whitelist Restricted Access
    Log Retention
    Multi-node Data Confirmation
    Detect Whether the Program Crashes
    Node Upgrades and Updates

Application Security
  App Running Environment Security Detection Strategy
    iOS Jailbreak Detection
    Virtual Machine Detection
    Android Root Detection
  App Code Decompilation Strategy
    Source Code Obfuscation
    Instruction Set Obfuscation
    VM Shelling
  Local Storage Security
    Sandbox Storage
    Keychain Security
    Cookie Security
    Cache Processing
    Handling of Sensitive Information in Logs
  Communication Security Strategy
    Use SSL
    Certificate Verification
  Authentication and Authorization Strategy
    Captcha Mechanism Design
    Bypassing Authentication
    Unauthorized Access
  API Interface Security
    Replay Attacks
    XSS/SQL Injection
  Business Logic Security
    Identity Authentication Security
    Business Consistency Security
    Business Data Security
    Data Input Format Detection
    Password Recovery Logic
    Confirmation Code Security
    Business Authorization Security
    Business Process Security
    Business Interface Security
  Front-end Security
    XSS
    CSRF
    CORS
    Clickjacking
    Console Code Injection
  Input Security
    Command Execution
    XXE
    Deserialization
    SSRF
    Overflow
    SQL Injection
    Code Injection
    Template Injection

Blockchain Technology Layer

Serial Number / Audit Class / Audit Subclass (indented as class, subclass)

1. Static Security
   Built-in Function Security Examination
   Standard Library Security Audit
   Third-party Libraries Security Audit
   Injection Audit
   Serialization Algorithm Audit
   Memory-leak Detection
   Arithmetic Operation Audit
   Resource Consumption Audit
   Exception Handling Audit
   Log Security Audit
2. P2P Security
   Number of Node Connections Audit
   Node Performance Audit
   Message Format Validation
   Communication Encryption Audit
   Alien Attack Audit
3. RPC Security
   RPC Permission Audit
   Malformed Data Request Audit
   Communication Encryption Audit
   CORS Policy Audit
4. Encryption and Signature Security
   Random Number Generation Algorithm Audit
   Keystore Audit
   Cryptographic Component Call Audit
   Hash Strength Audit
   Length Extension Attack Audit
   Crypto Fuzzing Test
5. Account and Transaction Model Security
   Authority Verification Audit
   Replay Attack Audit
   "False Top-up" Audit
6. System Contract Security
   Refers to "Smart Contract Security Audit"
7. Consensus Security
   Staking Logic Audit
   Block Verification Audit
   Merkle-Tree Audit
8. Code Compliance Audit
   Code Forking Audit
   Code Patch Audit
   Roadmap Audit
   Top-up Program Audit