What security problems with bot products does the Unibot attack expose?

By Jessy, Golden Finance

On October 31, Unibot was attacked. Unibot officially issued an announcement saying: "The reason for the attack is that there is a vulnerability in token approval in the new router, and any loss of funds due to the error of the new router will be compensated; the user's key and wallet are secure."

It is understood that the attack caused more than $600,000 in losses. Although the team has promised to cover all of it, the attack has exposed problems with Unibot and even with Telegram bots themselves.

In this incident, some professionals pointed out that the attack looked more like a premeditated inside job: because the contract was not open source, the hackers found the vulnerability easily, and the attack contract was deployed a week after Unibot launched and then lay dormant for half a year.

This incident gives a glimpse of the fact that Telegram bots themselves have serious security problems. Bots involving money and transactions in particular have high security requirements, yet they commonly share problems such as closed-source code and private keys that are not stored locally.

Common problems exposed by Unibot

The attack on Unibot seems to have been expected. There is actually a consensus among industry insiders: don't put too much money into these bots, because similar Telegram bots don't appear to be safe.

At present, the crypto industry has essentially formed two development logics and paths for security. The first is the centralized exchange, which is asset-backed and subject to government regulation; public trust there still stems from the reputation of large companies and the government agencies that oversee them.

The other path is decentralized products such as DeFi and self-custody wallets, which use audited contracts and code to secure users' assets as far as possible. More important on this path, of course, is that users are responsible for themselves and must master the security knowledge of the blockchain industry.

But a product like Unibot actually acts as a tool bridging the Web2 and Web3 worlds. How can such a Web2.5 product ensure its security?

Let's first look at where Unibot itself is flawed, starting with problems in Unibot's own contract. Jerry, who is also an entrepreneur building Telegram trading bots, told Golden Finance that the attack was simply that the hacker manipulated the Unibot contract: the contract held users' token approvals, so by manipulating the contract the hacker transferred users' tokens to his own account.
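To make that exposure concrete, here is an added toy model (not Unibot's code, which the page does not show) of what a router contract holding users' token approvals can be made to move: under ERC-20 semantics, a manipulated router can transfer up to the standing allowance, so the loss is bounded by how much the user approved. The router name, user names and amounts are constructed.

```python
# Constructed model of the approval exposure described in the article: users grant
# a router an ERC-20 allowance, and whatever the router can be made to spend is lost.
# Toy ledger for illustration, not Unibot's router (the page does not show its source).

UNLIMITED = 2**256 - 1  # the "infinite approval" many dapps request by default


class Token:
    """Minimal ERC-20-style ledger: balances plus allowance[owner][spender]."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}

    def approve(self, owner, spender, amount):
        self.allowance.setdefault(owner, {})[spender] = amount

    def transfer_from(self, spender, owner, to, amount):
        # ERC-20 semantics: `spender` (the contract calling transferFrom) may move
        # up to allowance[owner][spender] of owner's tokens. Returns the amount moved.
        allowed = self.allowance.get(owner, {}).get(spender, 0)
        amount = min(amount, allowed, self.balances.get(owner, 0))
        if amount <= 0:
            return 0
        if allowed != UNLIMITED:
            self.allowance[owner][spender] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return amount


def swap_via_router(token, router, user, amount):
    """Legitimate use: the router pulls the user's tokens to execute a trade."""
    return token.transfer_from(router, user, "liquidity_pool", amount)


def router_compromised(token, router, victim, attacker):
    """The failure the article describes: a manipulated router transfers the victim's
    tokens to the attacker, bounded only by the allowance the victim left standing."""
    return token.transfer_from(router, victim, attacker, token.balances[victim])


def loss_with_policy(exact_approval):
    """Victim's loss after one 10-token trade, for unlimited vs exact-amount approval."""
    token = Token({"alice": 100})
    token.approve("alice", "router", 10 if exact_approval else UNLIMITED)
    swap_via_router(token, "router", "alice", 10)
    if exact_approval:
        token.approve("alice", "router", 0)  # revoke any leftover allowance after the trade
    return router_compromised(token, "router", "alice", "mallory")
```

With an unlimited approval the compromised router drains the remaining 90 tokens; with an exact-amount approval that is revoked after the trade, it moves nothing, which is the user-side mitigation that does not depend on the bot's closed-source contract being correct.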

According to Jerry's analysis, this vulnerability should have been caught in a prior security audit. The project was probably not strictly audited, as there is no public record of a contract audit, and the contract is not open source.

In Jerry's view, beyond the problems exposed so far, the Unibot product itself has many other problems, such as the security of users' private keys. When a user uses Unibot, their private key is sent directly into the Telegram chat window. Anyone in the industry with a little common sense understands that private keys should never be disclosed.

Users should understand that once the key has been sent into the chat, Unibot actually holds the user's private key, and if the project team is so inclined, it can act maliciously.

In Jerry's opinion, to avoid this situation, trading bots should store private keys locally. Of course, the custodial approach taken by bots like Unibot is also understandable: it enables conversational interaction and a smooth trading experience, without requiring signature authorization for every transaction as a wallet like MetaMask does.

How to Improve

In the face of the above problems, the solutions are not difficult, but for existing bots the cost is high.

For example, for user private key security, what should be implemented is local storage of private keys, but if an existing bot project wants to do this, all of its users need to be migrated. According to the Golden Finance reporter, some teams are already building startups in this direction, and because of the recent attack on Unibot, venture capital institutions have also shown greater enthusiasm for bot security startups.

Taking a broader view, how should a product that bridges Web2 and Web3 ensure the security of users' funds and personal data? And what should Telegram itself do?

Looking through Telegram's development, we can see that in its past practice it has taken some corresponding measures to secure user assets, such as launching TON Space's new self-custody wallet. For information security, users can choose end-to-end encrypted conversations.

Bots on Telegram are a mixed bag, and there are even cases of hackers using fake bots to steal user assets. As Web2 and Web3 integrate ever more closely, we need more ways to secure funds, especially in these bridging tools. For example, Telegram itself should play a role in supervision and in punishment after users report abuse, and a project tied to the blockchain industry should get its contracts audited and open source its code as far as possible.

As the industry develops, how to solve the various problems of this "bridge" product will surely become an industry consensus.
