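Blockchain Risk Supervision Measures, Blockchain Risk Supervision and Administration Measures
In recent years, as blockchain technology has continued to develop, the Blockchain Risk Supervision Measures have attracted more and more attention. To regulate the development of blockchain technology and ensure financial security, in February 2018 the China Banking Regulatory Commission, the China Insurance Regulatory Commission and the China Securities Regulatory Commission issued the "Blockchain Risk Supervision Measures", which expanded the application areas of blockchain technology and provided a safeguard for its better development.
The "Blockchain Risk Supervision Measures" expand on three key terms: blockchain supervision, risk management and security protection.
1. Blockchain supervision
Blockchain supervision means taking effective measures to supervise and manage the development, application and operation of blockchain technology, so as to ensure financial security and promote the healthy development of blockchain technology. The "Blockchain Risk Supervision Measures" specify the content of blockchain supervision, requiring financial institutions and other relevant entities to carry out the research, development, application and operation of blockchain technology in accordance with laws and regulations, strengthen the supervision and management of blockchain technology, and protect the legitimate rights and interests of consumers.
2. Risk management
Risk management means taking effective measures to prevent and control the risks that blockchain technology may bring, so as to ensure financial security. The "Blockchain Risk Supervision Measures" specify that financial institutions and other relevant entities should establish a sound risk management system for blockchain technology, strengthen risk prevention and control, carry out risk monitoring and reporting, actively prevent and control risks, and protect the legitimate rights and interests of investors.
3. Security protection
Security protection means taking effective measures to prevent blockchain technology from being maliciously attacked and to protect financial security. The "Blockchain Risk Supervision Measures" specify that financial institutions and other relevant entities should establish a sound security protection system for blockchain technology, strengthen the security protection of blockchain technology, carry out security protection work, and ensure financial security.
The introduction of the Blockchain Risk Supervision Measures provides a safeguard for the development of blockchain technology and ensures financial security. Blockchain supervision, risk management and security protection are the three key terms that the "Blockchain Risk Supervision Measures" expand on. Financial institutions and other relevant entities must carry out the research, development, application and operation of blockchain technology in accordance with laws and regulations, strengthen the supervision and management of blockchain technology, establish a sound risk management system for blockchain technology, strengthen risk prevention and control, establish a sound security protection system for blockchain technology, and strengthen the security protection of blockchain technology, so as to ensure financial security and promote the healthy development of blockchain technology.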
A. Risks and Anxiety of Blockchain Investment
In this era of inflation and worthless money, how to protect your assets? For ordinary people, the best choice is probably investment. Generally speaking, investment can be buying stocks, funds, or real estate.
By the way, starting a business or opening an individual store is also a bit of an investment, but this kind of investment is extremely risky and has a probability of failure of more than 90%. Starting a business and opening a store is more about investing in individuals and trying out personal development directions. As far as asset investment is concerned, there is a narrow escape.
Investment should be "life +", life is the foundation. "Life + investment" is to make the future more promising, to invest existing assets in the future, so that there will be a better asset return expectation in the future. However, due to cognitive limitations in risk tolerance, asset investment ratio, investment knowledge, etc., investing is often a very torturous thing, and emotions fluctuate with the market, often even seriously affecting life...
How to solve the anxiety caused by investment? Since participating in blockchain investment, I have experienced many huge fluctuations in the market and suffered mentally. The following is my personal understanding.
1. Stick to the two iron laws of investment
When investing, you should first follow the two iron laws.
Iron rule 1: Invest your spare money and you can afford it even if it goes to zero.
Under normal circumstances, this seems to be easy to do, and it doesn’t even feel like it. That's because: Blind confidence, and the knife hasn't cut into the flesh yet!
When you first start investing, you are quite confident. You think you can make money, otherwise you would not take the risk. But when you have good expectations for the market and think that you will definitely make a lot of money, you will quickly forget this iron law, then abandon it, invest more assets, or even borrow money to invest.
The market is always volatile, often very volatile. When there is floating profit, everything is not a problem. Once a loss occurs, the pain will only be felt when the knife actually cuts into the flesh. Due to loss aversion, the mentality will immediately fluctuate. Even if you invest spare money, you will feel disappointed, which will affect your life. If it is borrowed money or the proportion of investment assets is too heavy (for example, more than 70%), it is impossible to treat it calmly, let alone accept it if it is returned to zero.
Therefore, don’t overestimate your affordability, let alone your investment ability! Otherwise, once you lose money, your life will inevitably be affected.
Iron Rule 2: Be friends with time and make long-term value investments.
Investment has always been a long-term matter, 1-3 years is considered short-term, and 5-10 years is considered medium-term. If you like an investment project, you must give it time to "grow" before it will bear fruit and finally yield a harvest.
Most people who have just entered the investment field are impatient and want to see "results" immediately. This is not investment, it is speculation. It is like going to the gambling table. You can see the outcome and lose immediately, and experience ecstasy or disappointment.
During this time of participating in investment, I have gradually understood a truth: most people, including myself, are gamblers with a speculative mentality from the beginning. This kind of gambler's mentality regards investment as a bet, and is eager to make a profit. It monitors the market every day and inquires about various news, for fear of missing hundreds of millions...
People who frequently trade short-term in the stock market actually regard stock trading as gambling and want to benefit from every small swing. As a result, they are harvested by professional institutions.
The success of investment should be a combination of vision (value judgment) + time + luck. Analysis and judgment before investment are crucial and are the prerequisite for final harvest; time is the process of waiting for value to grow; luck is an unpredictable or uncontrollable result.
If you don’t have a clear understanding of the value of the projects you invest in, and you can’t do it in the long term, then in the following days, your heart will fluctuate with the market fluctuations every day. Occasionally happy, occasionally disappointed, overjoyed or sad, your emotions are almost affected by the market.
2. Stop as soon as you get good, your ability to bear is limited
When facing losses, at the beginning we abide by the iron rule "it is acceptable to return to zero". This is vaccinating your mentality in advance. Without this vaccination, you may be unable to bear the pain of loss and cut off your investment, that is, you will be out of the investment early. Of course, if you see clearly that there is something wrong with the product you invested in, and it may go to zero, then even if it means cutting your losses, you must exit in time to strive for the least loss.
There is another common situation. Even if you make a profit, it often makes people anxious, especially when the market falls and the floating profit decreases, it is even more anxious.
Why does floating profit still make people anxious? Because I don’t know when the peak will be.
In this process, there are probably four situations: the first is selling too early, the second is selling at the right time, the third is missing the best selling opportunity because of indecision, and the fourth is remaining unmoved and resolutely not selling.
What’s funny is that at least 90% of people are the third type! In the process of the market rising, people are anxious in joy, blind in anxiety, and human greed, pushing the market higher and higher, and finally the bubble bursts, leaving chicken feathers everywhere...
From the point of view of results, the fourth kind of person has the same result as the third kind of person. They both failed to sell and missed the best time to sell. But the difference is that the fourth type of people do so voluntarily, wavering and anxious in their belief in "long-term value investment"...
Here it is necessary to talk about the second iron rule of investment, "Be friends with time and make long-term value investments". Since it is a long-term value investment, when the market conditions are good or there is a bull market, should we not operate at all and act like the fourth type, "unmoved and determined not to sell"?
It can be said that many people persisted in the belief of "long-term value investment" during the rising market, but after the market crash, they fell into complete confusion and depression. We think we can withstand this kind of pressure. In fact, when the market falls, most people find it difficult to bear the pressure of missing the best opportunity, and their anxiety affects their lives.
The main problem here is: because it is "long-term and long-term", it does not know how to be flexible and will not make appropriate adjustments according to its own situation.
It is understandable for professional investors not to be affected by market fluctuations and to invest firmly in the long term. But as ordinary people, when faced with earnings that exceed expectations, we can adapt appropriately. The specific approach is: once expected profits are reached, sell in batches. During the entire upward process, sales are controlled at 20%.
This strategy can, firstly, realize profits and recover investment costs; secondly, it can keep most of the assets still involved; thirdly, once the market changes, part of the profits can be preserved and funds are available to buy at the bottom.
Therefore, in rising markets, do not rigidly adhere to "long-term investment." You should accept it as soon as it is good and cash out the profits in a timely manner. When the market changes suddenly, your heart will be able to withstand the anxiety without affecting your life.
3. The ability to make money off-site is more important
Investment involves a lot of luck. Sometimes even if you do a lot of things right, luck may not be on your side. If all financial issues are bet on investment, it will be difficult to accept the "return to zero" result during the investment process, and it will also be difficult to achieve "long-term".
In reality, the most common thing is that many people place their wealth hopes on investment and have excessive expectations. This is especially true in the field of blockchain investment. Excessive expectations will naturally make people fall into a state of "superstition" and madness, thus forgetting the principles of investment.
Even in a new market full of dividends due to technological changes, it is impossible for most people to make money. On the contrary, 90% of people are often harvested. Of course, those who can abide by the iron rules of investment can basically avoid the fate of being harvested. It is difficult not to make money even if you are lucky. However, the vast majority of people cannot do it. The fundamental reason lies in the difference between speculation and investment.
Another big feeling I have about investing is: most people are not suitable for investing (including myself at this stage), I do not have the ability to invest (financially and intellectually), and I am mentally and physically unable to cope with the anxiety caused by the pressure of investment.
A qualified investor should have good ability to make money off the market, and secondly, be able to face the profits and losses caused by investment calmly. When you don't have this ability, it's not that you can't invest. You should invest the funds that you can really bear to return to zero. At least this way you can live a good life.
Don’t rely on investment to achieve financial freedom quickly, otherwise your mentality will be unbalanced. Only those with sufficient ability to make money off-site will be indifferent when faced with investment profits and losses. Profit is a reward for yourself, and losses can also be tolerated.
4. The madness and rationality of blockchain investment
There have been many investment bubbles in emerging industries in history, such as real estate investment, stock investment, Internet investment... Every time, everyone thought they had found the road to freedom of wealth, and many people participated in it crazily, but in the end they were all in trouble...
This time, blockchain investment is even crazier and more irrational. Does it mean that once again a new giant bubble is forming? An interesting point is that the blockchain bubble has burst several times, but each time it rebounded more strongly, forming a bigger bubble... Bubbles are not without value, nor are they equivalent to Ponzi schemes, but they mean that too many irrational investors flocked in and overestimated asset values in the short term.
The value of blockchain is that it solves the credit problem and greatly reduces the cost of transferring assets to zero. Although blockchain technology has not yet been widely used and the actual social value it brings is not high, it is foreseeable that it will have great social value in the future.
As far as investment is concerned, no matter how valuable blockchain technology is, only a very small number of people will benefit in the end, and the vast majority of people will be harvested leeks! From the perspective of human nature, the vast majority of people will always chase the highs and sell the lows, make irrational investments, and ultimately be harvested. The value of the blockchain has nothing to do with it. The formation of bubbles is due to human greed.
Blockchain investment faces much greater variables than traditional investment, and often fluctuates greatly. This situation greatly tests people's mental strength. What’s even more frightening is that due to the current lack of supervision and regulation of blockchain investment, the influx of a large number of unqualified investors has greatly aggravated the formation of bubbles.
Only by rationally seeing the huge risks involved and insisting on abiding by the iron laws of investment, quitting when things are good, and maintaining the ability to make money off the market can we avoid being harvested in this bubble, and even get super high returns.
Cognition is the foundation of all success! (Signed: Shan Junqiang)
B. The security rules of blockchain
The security rules of blockchain, that is, the first rule:
Storage is everything
The ownership and security of a person's property fundamentally depend on how the property is stored and on who holds the right to define it. In the Internet world, massive amounts of user data are stored on the platform's servers, so the ownership of this data remains a mystery. Just as it is difficult to determine who owns your social ID and mine, user data assets have pushed up the market value of the platform, yet we as users have not enjoyed the market value dividend. The blockchain world changes the storage media and methods so that ownership of the assets is delivered to the individual.
Extended information
The risks faced by a blockchain system include not only attacks from external entities, but also attacks from internal participants and component failures, such as software failures. Therefore, before implementation, it is necessary to develop a risk model and identify special security requirements to ensure an accurate understanding of the risks and the response plans.
1. Unique security features of blockchain technology
● (1) Security of writing data
Write into the block.
● (2) Security of reading data
Blockchain has no inherent security restrictions on reading information, but reading can be controlled to a certain extent. For example, certain elements on the blockchain system can be encrypted, and the key then handed over to the relevant participants. At the same time, the complex consensus protocol ensures that the ledger seen by anyone in the system is the same, which is an important means of preventing double spending.
● (3) Distributed denial-of-service (DDoS) attack resistance
The distributed architecture of blockchain gives it peer-to-peer, multi-redundant characteristics, and there is no single point of failure, so its way of responding to denial-of-service attacks is much more flexible than that of a centralized system. Even if one node fails, other nodes will not be affected; users connected to the failed node cannot connect to the system unless there is a mechanism that lets them connect to other nodes.
2. Security challenges faced by blockchain technology and response strategies
● (1) The network is open and undefended
For public chain networks, all data is transmitted over the public network, and any node joining the network can connect to other nodes and accept connections from other nodes without any barriers. There is no authentication or other protection at the network layer. The response strategy for this type of risk is to require higher privacy and carefully control network connections. For industries with higher security requirements, such as the financial industry, dedicated lines should be used to connect to the blockchain network, incoming connections should be authenticated, and unauthorized nodes should be excluded to avoid data leakage, with firewall protection at the protocol stack level to prevent network attacks.
● (2) Privacy
The transaction data on the public chain is visible to the entire network, and the public can track these transactions. Anyone can draw conclusions about something by observing the blockchain, which is not conducive to the legitimate privacy protection of individuals or institutions. The response strategies for this type of risk are:
First, the certification agency acts as an agent for users to conduct transactions on the blockchain, and user information and personal behaviors do not enter the blockchain.
Second, instead of using a network-wide broadcast method, the transmission of transaction data is limited to nodes that are conducting relevant transactions.
Third, access to user data is controlled by permissions, so only visitors holding the key can decrypt and access the data.
Fourth, use privacy protection algorithms such as "zero-knowledge proof" to avoid privacy exposure.
● (3) Computing power
Blockchain solutions that use proof-of-work face the problem of the 51% computing power attack. As computing power gradually concentrates, it is objectively possible that organizations controlling more than 50% of the computing power will emerge. Without improvement, it cannot be ruled out that this will gradually evolve into the law of the jungle, where the strong prey on the weak. The response strategy for this type of risk is to combine algorithms with real-world constraints, such as joint management and control using asset mortgages, legal and regulatory means, etc.
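The following added example is not part of the original page. It uses the attacker catch-up model from section 11 of the Bitcoin whitepaper to show, from the point of view of someone accepting a payment, how the number of confirmations needed grows as one party's share of computing power approaches 50%, and why no number of confirmations helps beyond it. The function names and the 0.1% risk target are assumptions chosen for illustration.

```python
import math


def attacker_success(q: float, z: int) -> float:
    """Probability that a miner holding share q of total hash power ever
    overtakes the honest chain after the recipient has waited z confirmations.

    Model: Nakamoto (2008), section 11. The attacker's progress while the
    honest network mines z blocks is Poisson with mean lam = z * q / p,
    and closing a remaining gap of (z - k) blocks succeeds with
    probability (q / p) ** (z - k).
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a share between 0 and 1")
    if z < 0:
        raise ValueError("z must be a non-negative confirmation count")
    if q >= 0.5:
        # With half or more of the hash power the attacker's chain
        # eventually wins regardless of the head start.
        return 1.0

    p = 1.0 - q
    lam = z * q / p
    total = 1.0
    poisson = math.exp(-lam)          # Poisson term for k = 0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k        # advance to the term for k
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return max(total, 0.0)            # guard against tiny negative rounding


def confirmations_needed(q: float, max_risk: float = 0.001, limit: int = 1000):
    """Smallest z for which attacker_success(q, z) < max_risk.

    Returns None when no z up to `limit` is enough, which is always the
    case once q reaches 0.5.
    """
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success(q, z) < max_risk:
            return z
    return None


def risk_table(shares, max_risk: float = 0.001):
    """Map each hash-power share to the confirmations a recipient should wait."""
    return {q: confirmations_needed(q, max_risk) for q in shares}


if __name__ == "__main__":
    # Constructed sample shares, from a small pool to a majority holder.
    for share, z in risk_table([0.10, 0.20, 0.30, 0.40, 0.45, 0.51]).items():
        waited = "no safe depth" if z is None else f"{z} confirmations"
        print(f"attacker share {share:.2f}: {waited}")
```

The output makes the concentration risk concrete: a fixed confirmation policy that is adequate against a 10% miner is far too shallow against a 40% one, so monitoring pool share is part of setting the policy.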
C. Does blockchain have compliance risks?
Blockchain technology itself does not violate any laws and regulations, so there are no compliance risks. However, in the actual application process, enterprises or individuals using blockchain technology need to comply with relevant legal and regulatory requirements.
For example, in China, using blockchain technology to conduct financial transactions or raise funds needs to comply with relevant laws and regulatory policies. In addition, if users' sensitive personal information is retained on the blockchain, it must also comply with relevant laws and regulations such as data protection.
Therefore, enterprises and individuals who adopt blockchain technology in field applications not only need to understand and comply with existing laws and regulations, but also need to pay close attention to the development trends of technology and regulations and make timely adjustments and changes accordingly. Only by operating and conducting business in compliance with regulations can enterprises develop better and gain lasting competitive advantages.
D. Blockchain core technology research goals
Key breakthroughs cover blockchain application support technologies such as security and privacy protection, open cross-chain protocols, efficient on-chain and off-chain collaboration, and secure smart contract mechanisms.
1. Security and privacy protection technology. The focus is on achieving technological breakthroughs in secure multi-party computation, zero-knowledge proof, secure transmission, and homomorphic encryption.
2. Chain-to-chain interconnection technology. The focus is on making breakthroughs in cross-chain protocols, homogeneous/heterogeneous cross-chain architecture, security, scalability and performance.
3. On-chain and off-chain collaboration technology. The focus is on breakthroughs in technologies such as on-chain and off-chain data collaborative access control, efficient storage and management.
4. Secure smart contract technology. The focus is on breakthroughs in smart contract formal verification, security vulnerability risk assessment, and smart contract auditing.
5. Blockchain supervision technology. Focus on achieving technological breakthroughs and applications in blockchain penetrating supervision technology, dynamic monitoring technology, blockchain risk isolation and control, etc.
From: Zhejiang Province Blockchain Technology and Industrial Development Plan (2020-2025)
E. What are the applications of blockchain
A brief introduction to the application of blockchain technology in the financial field
1. Application of blockchain technology in the banking industry
The biggest feature of blockchain technology is decentralization, and this feature will reduce a lot of costs for the banking industry.
First of all, decentralization means that intermediaries are no longer needed to establish trust mechanisms between banking systems, saving intermediary costs.
Secondly, the development of digital currency will make it possible to realize real-time digital transactions in banks. For example, bank bill transactions have always relied on a third party to realize the transfer of valuable certificates. Even electronic bill transactions require interactive authentication through information from the central bank's ECDS system. Blockchain technology can realize point-to-point transfer of value and no longer requires centralized system control. This not only speeds up bill transfer but, more importantly, reduces errors caused by human factors and shortens processes. Naturally, it will reduce the bank's demand for personnel and save the bank's labor costs.
Finally, it will also have an impact on clearing and settlement. The bank's clearing and settlement business has always been completed by central clearing, which is inefficient. Settlement through blockchain technology will greatly improve the efficiency of banks.
Blockchain technology also plays a major role in banks' cross-border payment services. Today, when global trade is highly developed, cross-border payments are becoming more and more frequent, and banks often act as third-party services in cross-border trade, such as electronic transfers, asset custody, etc. However, cross-border payments generally take about 2 days to arrive, which is very inefficient and reduces the utilization of funds in transit. With blockchain technology, cross-border payments between the two parties can be completed in a point-to-point manner, achieving round-the-clock payment and real-time arrival, thereby speeding up clearing and settlement and improving the efficiency of bank processing.
Another feature of blockchain technology is de-risking. Banks can build their own blockchain, which can ensure that the transaction information and transaction records of bank customers are true and valid and will not be arbitrarily tampered with. Banks can effectively identify customer information, understand all aspects of the customer's situation, identify customers' abnormal transactions, prevent being deceived by customers, and can also promptly detect criminal activities such as illegal money laundering and transfer of funds, thereby reducing the bank's supervision costs.
2. Application of blockchain technology in the insurance industry
Blockchain technology also has incomparable advantages in the insurance industry. From the perspective of data management, the application of blockchain technology by insurance companies can effectively improve risk management and control capabilities, including the risk supervision of insurance companies and the risk management of policyholders.
The application of blockchain technology in the insurance industry can strengthen the internal risk supervision of insurance companies. Blockchain technology can record the daily operating processes of insurance companies on nodes, and can achieve in-process control over the company's capital flow, investment status, compensation payments and other businesses, and improve the company's risk management and control capabilities.
In addition, blockchain technology is safe, reliable, and cannot be tampered with at will, ensuring that the information obtained by the policy holder is true and effective, thereby enhancing the policy holder's risk management capabilities.
3. Application of blockchain technology in the securities industry
The application of blockchain technology in the securities industry can increase the flexibility of securities issuance. Companies issuing securities can use smart contracts to set the method and time of securities issuance, and securities can even be issued 24 hours a day under the most ideal conditions.
Under the operation of smart contracts, automatic matching of buyers and sellers is realized, and settlement and clearing steps are automatically completed through the distributed digital registration system. The transaction records on the blockchain will not be changed arbitrarily, so the entered information actually has a publicity effect, so there will be no dispute in the stock exchange's ownership confirmation.
In addition, blockchain technology makes the securities trading process more open and transparent. Through blockchain technology, the securities industry does not need a central organization to operate and manage it, nor does it require investment banks to underwrite, so it can achieve true peer-to-peer transactions, reduce illegal activities such as black-box operations and insider trading in securities transactions, and achieve effective supervision of the securities industry.
4. Blockchain technology and financial infrastructure
Blockchain technology uses a decentralized mechanism to exchange value, which will bring earth-shaking changes to some modern financial infrastructures characterized by centralization.
Assets such as collateral, pledges, and stocks, bonds, and derivatives usually require a trustworthy central organization to register or keep them, but blockchain can record and save the data of these products in a new way, which will have an impact on the registration system for these products.
The blockchain can receive and respond to information and value through smart contracts, automatically complete the transfer of value, and automatically complete transactions, clearing and settlement, which will impact existing financial infrastructure such as the existing large-amount trading system, central securities depository, securities settlement and over-the-counter derivatives trading.
5. Application of blockchain technology in supply chain
The application of blockchain technology in the supply chain first provides a credit guarantee: the blockchain records commodity circulation information and the like, which can prove the authenticity and reliability of commodities and their circulation, thereby enabling a comprehensive evaluation of the utility of enterprises on the chain and becoming an effective guarantee for corporate bank loan credit, financing credit, and transaction credit.
First of all, the blockchain can time-stamp all the transaction data in the supply chain, and the data cannot be tampered with at will. Even if the transaction data of a certain node is tampered with, that node cannot cover the sky with one hand, so blockchain solves banks' concerns about corporate information being tampered with. For some small businesses, as long as they have good credit, the possibility of borrowing from banks will be greatly increased.
Secondly, through effective integration, the information between upstream and downstream enterprises recorded in the blockchain can not only provide support for enterprises in production, sales and other links, but also provide downstream enterprises with the ability to analyze customer preferences, so that targeted services can be developed.
F. Does blockchain have compliance risks?
Yes, the application of blockchain technology may involve compliance risks.
First of all, in some countries and regions, governments or regulatory authorities may take different stances on digital currencies and other assets based on blockchain technology, and there will be a certain degree of legal, compliance and policy risks. For example, some countries restrict or prohibit the use of digital currencies and other Bitcoin or blockchain derivatives. Therefore, when choosing the scope of application of blockchain technology, the local legal and regulatory environment needs to be considered.
Secondly, there are trust issues between participants in private chains or alliance chains, and there are also compliance risks in the construction of trust mechanisms. For example, in the financial field, banks or other financial institutions need to consider which trust model to use when using blockchain technology to comply with social ethics and potential legal requirements. For money-related transactions, legal requirements such as anti-money laundering and counter-terrorism must also be met.
In addition, due to the immutable and public nature of blockchain technology, it may inadvertently leak personal privacy, business secrets and other confidential information, causing privacy data leaks and security risks.
Therefore, enterprises and technology companies should carefully assess potential compliance risks and formulate appropriate compliance and security measures, such as complying with legal and regulatory requirements, establishing a sound privacy protection mechanism, and strengthening privacy data protection in multiple dimensions, to ensure the compliance and data security of blockchain technology applications.
G. Risk control under the blockchain paradigm: reducing strategic risks and foreseeable risks
(Marco Iansiti and Karim Lakhani, "The Truth about Blockchain", "Harvard Business Review" Chinese version, January 2017)
Research experience in the field of technological innovation tells us that only when the many obstacles in technology, governance, organizations and society are eliminated can the blockchain revolution truly take place. If you don’t know how blockchain will occupy the high ground, it would be a mistake to rush into blockchain innovation.
Systemic risk. Speaking of systemic risks, we have to mention dramatic global economic downturns such as the credit crunch that followed the financial crisis of 2008-2009. For most companies, that is an external event that cannot be predicted or controlled. Global regulators are reshaping the financial world to avoid similar crises, and an important step in their strategy is to enhance the role of central counterparties (CCPs). A CCP is an entity that is inserted between the two parties in a financial transaction. After both parties agree to a transaction, the CCP becomes a seller to any buyer and a buyer to any seller. In this process, the CCP reduces counterparty credit and liquidity risk exposure through netting, reducing the risk of direct contact between the two parties when one party defaults, although doing so still concentrates risk. The main roles of a CCP are: 1. manage settlement operation tasks and reduce settlement risks; 2. monitor individual credit risks through membership approval and the implementation of margins (initial and variation) to provide transparent risk management; 3. deal with defaulting parties; 4. supervise systemic risks in the market.
In financial markets managed based on blockchain, many CCP principles may be eliminated. It is conceivable that functions 1 and 2 of CCP will be replaced by smart contracts. DAOs are designed to create a relationship between two parties in a transaction. Once certain terms embedded in the smart contract are touched, the receivables can be automatically transferred from one party to the other. Functions 3 and 4 of CCP can also be improved by blockchain technology, but it is unlikely to be fully automated because it requires a high degree of directionality and large-scale scene analysis capabilities. Relevant blockchain startups such as Digital Asset Holding and D-Pactum are working with CCP to redesign their technology in the direction of distributed ledgers and smart contracts without changing the role given to CCP by recent laws and regulations. This could develop into fundamental measures to increase the resilience of the financial system. On the distributed ledger, transparent and standardized transaction processes can be designed, and the relationship between capital and margin can occur automatically, thus reducing the risk burden of intermediary managers. By encoding smart contracts signed by each participant, the rules for managing crisis events can be as certain as possible.
Cyber risks. This is the last external risk we will analyze, but not the least. Indeed, for cyber risks or critical infrastructure failures (such as control systems, energy, transportation, telecommunications and financial infrastructure)Failure to understand or pay attention to relevant risks may have far-reaching consequences for the national economy, multiple economic sectors, and global enterprises. The responsibility for conducting risk assessments and setting up risk management systems now falls on each business, but their internal practices and processes vary widely, and small businesses with immature risk management systems are more vulnerable to cyberattacks in this context.
Is blockchain a viable solution? no doubt. The development of digital currencies extends the secure use of cryptography and creates a business model with new types of resilience against cyberattacks. A complete system on a distributed ledger could provide a higher level of cybersecurity than a company's standard firewall technology. Because the distributed ledger is automated, and because of the principles of information sharing and the robustness of the consensus protocol, the ledger history is omnipresent and unchangeable. Therefore, in this system, high-tech cyber attacks can be prevented before they occur.
However, at the end of the analysis of external risks, it is worth noting that the emergence of digital currency has created for the first time a circulating currency that is not related to national, multinational government decisions or any real economy. In reality, the value of digital currency fluctuates greatly, but its direction and time are different from the market, thus maintaining non-correlation with a certain country's currency or stock market. As a result, Bitcoin has been called “digital gold,” and like gold, digital currencies have been used as safe-haven assets to limit the impact of macroeconomic risks.
In conclusion, before we delve into the amazing utility of blockchain in risk management, it is important to understand that blockchain is not a panacea. It should be viewed as one of many technologies building the next generation of risk management infrastructure.
H. How to detect the risk level of blockchain smart contracts
With the acceleration of digital transformation in Shanghai, blockchain technology has been widely used in many fields, including government affairs, finance, logistics and justice. During the application process, not only have new business forms and business models been born, but many security issues have also arisen, so security supervision is particularly important. As one of the important means of supervision, security evaluation has become a focus of many blockchain R&D manufacturers and application companies. This article talks about some of our exploration and practice in the blockchain compliance security assessment that everyone is concerned about.
1. Blockchain technology evaluation
Blockchain technology evaluation is generally divided into functional testing, performance testing and security evaluation.
1. Functional testing
Functional testing is a test of the basic functions supported by the underlying blockchain system, with the purpose of measuring the capabilities of the underlying blockchain system.
Blockchain functional testing is mainly based on GB/T 25000.10-2016 "System and Software Quality Requirements and Evaluation (SQuaRE) Part 10: System and Software Quality Model", GB/T 25000.51-2016 "System and Software Quality Requirements and Evaluation (SQuaRE) Part 51: Quality Requirements and Testing Details for Ready to Use Software Products (RUSP)" and other standards to verify whether the software under test meets the requirements of relevant testing standards.
Blockchain function testing specifically includes networking methods and communication, data storage and transmission, encryption module availability, consensus function and fault tolerance, smart contract function, system management stability, chain stability, privacy protection, interoperability, account and transaction types, private key management solutions, audit management and other modules.
2. Performance testing
Performance testing is a type of test implemented and executed to describe and evaluate the performance-related characteristics of the test object. It is mostly used in project acceptance evaluation to verify whether the established technical indicators have been met.
Blockchain performance testing specifically includes high-concurrency stress test scenarios, peak impact test scenarios, long-term stable operation test scenarios, query test scenarios and other modules.
3. Security Assessment
Blockchain security assessment mainly conducts security testing and evaluation of account data, cryptography mechanisms, consensus mechanisms, smart contracts, etc.
The main basis for blockchain security evaluation is "DB31/T 1331-2021 General Requirements for Blockchain Technology Security". You can also refer to standards such as "JR/T 0193-2020 Blockchain Technology Financial Application Assessment Rules" and "JR/T 0184-2020 Financial Distributed Ledger Technology Security Specifications" based on actual testing needs.
Blockchain security assessment specifically includes storage, network, computing, consensus mechanism, cryptography mechanism, timing mechanism, personal information protection, networking mechanism, smart contracts, services and access, etc.
2. Blockchain Compliance Security Assessment
Blockchain compliance security assessment generally includes three categories: “Blockchain Information Service Security Assessment”, “Network Security Level Protection Assessment” and “Special Funding Project Acceptance Evaluation”.
1. Blockchain information service security assessment
Blockchain information service security assessment is mainly based on the "Blockchain Information Service Management Regulations" issued by the Cyberspace Administration of China on January 10, 2019 (hereinafter referred to as "Regulations") and refers to the national blockchain standard "Blockchain Information Service Security Specification (Draft for Comments)".
The "Regulations" aim to clarify the information security management responsibilities of blockchain information service providers, standardize and promote the healthy development of blockchain technology and related services, avoid blockchain information service security risks, and provide an effective legal basis for the provision, use and management of blockchain information services. Article 9 of the "Regulations" states: Blockchain information service providers that develop and launch new products, new applications, and new functions must report to the national and provincial, autonomous region, and municipality Internet Information Offices for security assessment in accordance with relevant regulations.
The "Blockchain Information Service Security Specification" is a national standard for evaluating the security capabilities of blockchain information services. Its preparation is led by the Institute of Information Engineering of the Chinese Academy of Sciences, with the joint participation of Zhejiang University, China Electronics Technology Standardization Institute, Shanghai Information Security Evaluation and Certification Center and other units. The "Blockchain Information Service Security Specification" stipulates the security requirements that blockchain information service providers in consortium chains and private chains should meet, including security technical requirements and security assurance requirements as well as corresponding test and evaluation methods. It is suitable for guiding the security assessment and security construction of blockchain information services. The framework of security technical requirements and assurance requirements proposed by the standard is as follows:
Figure 1 Blockchain information service security requirements model
2. Network security level protection evaluation
The main basis for network security level protection evaluation includes "GB/T 22239-2019 Basic Requirements for Network Security Level Protection" and "GB/T 28448-2019 Network Security Level Protection Evaluation Requirements".
As an emerging information technology, the application system built by blockchain is also an object of level protection and needs to be evaluated for level protection in accordance with regulations. The general requirements for level protection security evaluation are applicable to the evaluation of the infrastructure part of the blockchain, but currently there are no blockchain-specific security requirements. Therefore, the expansion requirements for blockchain security evaluation still need to be further explored and studied.
3. Special fund project acceptance evaluation
According to the relevant regulations of the Municipal Economic and Information Technology Commission, information technology special fund projects are required to issue a safety evaluation report during project acceptance. The acceptance evaluation of blockchain application projects will be carried out in accordance with Shanghai’s latest blockchain local standard "DB31/T 1331-2021 General Requirements for Blockchain Technology Security".
3. Exploration and practice of blockchain security assessment
1. Standard preparation
Shanghai Assessment Center actively participates in the preparation of blockchain standards. Led by the Shanghai Evaluation Center, Suzhou Tongji Blockchain Research Institute Co., Ltd., Shanghai Qiyin Information Technology Co., Ltd., Shanghai Moheng Network Technology Co., Ltd., the First Research Institute of Telecommunications Science and Technology and other units participated in the preparation of the blockchain local standard "DB31/T 1331-2021 General Requirements for Blockchain Technology Security", which was officially released in December 2021 and will be officially implemented on March 1 this year. The blockchain national standard "Blockchain Information Service Security Specification", in whose preparation the Shanghai Assessment Center participated, is in the stage of soliciting opinions.
At the same time, the assessment center also participated in the compilation of primary and intermediate textbooks for blockchain engineering technicians organized by the Ministry of Human Resources and Social Security and led by Tongji University, and was responsible for compiling the chapter "Testing the Blockchain System".
2. Project Practice
In recent years, the Shanghai Assessment Center has conducted a large number of blockchain security assessment practices based on relevant technical standards, including grade protection assessment, information service security assessment, project security assessment, etc. In the evaluation practice, the main security issues discovered are as follows:
Table 1 Main blockchain security issues

| Serial number | Evaluation items | Problem description |
| --- | --- | --- |
| 1 | Consensus algorithm | The consensus algorithm uses Kafka or Raft consensus, does not support Byzantine fault tolerance, and does not tolerate malicious node behavior. |
| 2 | On-chain data | On-chain sensitive information is not encrypted, and all data on the chain can be accessed through the query interface or blockchain browser. |
| 3 | Cryptographic algorithm | The random numbers used in the cryptographic algorithm do not meet the randomness requirements of GB/T 32915-2016. |
| 4 | Node protection | For the alliance chain, security protection measures were not configured for the area where the node server is located. |
| 5 | Communication transmission | No secure information transmission channel has been established for communication between nodes or between the blockchain and upper-layer applications. |
| 6 | Consensus algorithm | The number of nodes deployed in the system is small, and sometimes does not even reach the number of nodes the consensus algorithm requires for fault tolerance. |
| 7 | Smart contract | The operation of the smart contract is not monitored, and problems that arise during the operation of the smart contract cannot be discovered and dealt with in a timely manner. |
| 8 | Services and access | Upper-layer applications have access control flaws such as unauthorized access, leading to business confusion and data leakage. |
| 9 | Smart contract | Smart contract coding is not standardized. When an error occurs in the smart contract, no smart contract freezing function is provided. |
| 10 | Smart contract | The running environment of smart contracts is not isolated from the outside, and there is a risk of external attacks. |
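Findings 1, 2, 5 and 6 in Table 1 can be checked mechanically against a deployment inventory. The following Python check is an added example, not part of the original article or of the Assessment Expert tool; the `Deployment` record, its field names and the sample inventory are assumptions constructed for illustration. It uses the standard quorum bounds (n ≥ 2f + 1 for crash-fault-tolerant Raft, n ≥ 3f + 1 for Byzantine-fault-tolerant PBFT); PBFT is not named in the article and is included as the BFT reference case.

```python
from dataclasses import dataclass

# Fault model and quorum divisor per consensus family: a crash-fault-tolerant
# (CFT) protocol such as Raft needs n >= 2f + 1 nodes to survive f failures,
# a Byzantine-fault-tolerant (BFT) one such as PBFT needs n >= 3f + 1.
# Kafka-based ordering is CFT; its replica arithmetic is not modelled here.
CONSENSUS = {"raft": ("CFT", 2), "pbft": ("BFT", 3), "kafka": ("CFT", None)}

@dataclass
class Deployment:  # hypothetical inventory record, not a real tool's schema
    name: str
    consensus: str
    nodes: int                      # consensus nodes actually deployed
    required_faults: int            # faulty nodes the design must survive
    tls_between_nodes: bool
    sensitive_data_encrypted: bool

def tolerated_faults(consensus: str, nodes: int):
    """Largest f the deployed node count survives, or None if not modelled."""
    divisor = CONSENSUS[consensus][1]
    return None if divisor is None else max(nodes - 1, 0) // divisor

def audit(d: Deployment) -> dict:
    """Return {Table 1 serial number: message} for each finding that applies."""
    findings = {}
    model = CONSENSUS[d.consensus][0]
    if model != "BFT":
        findings[1] = f"{d.consensus} is {model} only: malicious nodes not tolerated"
    if not d.sensitive_data_encrypted:
        findings[2] = "sensitive on-chain data is stored unencrypted"
    if not d.tls_between_nodes:
        findings[5] = "no secure channel between nodes"
    f = tolerated_faults(d.consensus, d.nodes)
    if f is not None and f < d.required_faults:
        findings[6] = f"{d.nodes} nodes tolerate {f} fault(s), {d.required_faults} required"
    return findings

# Constructed sample inventory for illustration.
SAMPLE = [
    Deployment("trade-finance", "raft", 2, 1, False, False),
    Deployment("evidence-chain", "pbft", 4, 1, True, True),
    Deployment("logistics", "pbft", 5, 2, True, False),
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d.name, audit(d) or "no findings")
```

A two-node Raft cluster is the typical case behind finding 6: it tolerates zero failures, so losing either node halts the ordering service.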
3. Tool Application
When the evaluation center organized and compiled the "DB31/T 1331-2021 General Requirements for Blockchain Technology Security", it considered the need to connect with the graded protection evaluation. The "infrastructure layer" security in DB31/T 1331 is consistent with the relevant requirements of level protection for the secure physical environment, secure communication network, security area boundary, secure computing environment, security management center, etc., while "protocol layer" security and "extension layer" security better reflect the security protection requirements unique to blockchain.
Based on the relevant security requirements of DB31/T 1331, the assessment center is organizing and compiling extended blockchain assessment requirements. The relevant results will be applied to the network security level protection assessment tool, Assessment Expert. By then, evaluation institutions using the "Evaluation Expert" software will be able to conduct blockchain security evaluations accurately, in a standardized way and efficiently, discover blockchain security risks, and put forward corresponding rectification suggestions.
I. What are the risks in the banking industry's application of blockchain technology?
The first is the risk of immaturity of the new technology; the second is the management risk of new and old models running in parallel; the third is the regulatory risk caused by the asynchronous application of blockchain technology by banking institutions. For other related information, it is recommended that you familiarize yourself with the official public account "SMIC Blockchain Service Platform".