3. Cryptography: random
➢ Use secure random (https://goo.gl/J0qTSv)
➢ Use enough randomness (Bitcoin hashrate ~
2^60 h/s)
➢ Don't allow users to generate random
4. Cryptography: public key crypto
➢ Follow the specification!!!
➢ Use secure random for non-deterministic
signatures
➢ Signature malleability (https://goo.gl/oHKQyq)
Elliptic curve crypto only guarantees immutability
of signed data, not a signature itself => Replay
attacks
Transaction/block id should be independent from
signatures
Chance to cancel old transaction (nonce/limited
lifetime)
➢ Distinguish mainnet/testnet addresses
5. RPC/p2p: data
➢ Check all data came from other nodes
➢ DDoS protection (easy validations first)
➢ Use sized arrays when possible (public key
should be 32 bytes)
➢ Limit size of any other arrays
➢ Protect private data (private/public key)
6. p2p: best chain discovering
➢ How to find the best chain?
➢ Attack: declare a chain with the best score
(cumulative difficulty)
Don't send the blocks or send just few of them
7. p2p: network discovering
➢ Peers exchange protocol
➢ Seed nodes
Trusted
Just provide other nodes (peers.dat)
➢ Connect to random peers
➢ Ask for new peers (check that they are valid)
e.g. https://goo.gl/5AGjc9
8. p2p: network discovering
➢ Eclipse attacks
https://eprint.iacr.org/2015/263.pdf
➢ In/out connection limit
➢ Connect to random peers
➢ Only node itself should be able to close it's
connection to other nodes