Sleepy

Posted on Feb 13, 2022 on Mirror.xyz

LilGhost's Invisible Front: The Public Sale Attack and Defense Battle

Hello, everyone in the LilGhost family. First, we want to apologize for the poor experience during the public sale. I also want to share the war LilGhost has been fighting on an invisible front over the past few days, so that everyone has a deeper understanding of the LilGhost family.

I will review the hidden war LilGhost has been through under the following headings.

1. Website defense battle

Most of you have heard of, or lived through, incidents where a project website was backdoored or had a Trojan planted on it, causing incalculable losses to participants.

From the moment the website went public, attackers kept probing it: scanning the front end and back end for vulnerabilities and leaked secrets, trying to plant a Trojan, or trying to swap the contract address and other details shown on the front end so that visitors would send funds to a scammer. Our LilGhost engineers worked continuously to fend these attempts off. Now that the public sale is over, the bot traffic against the site continues, but we held.

2. A scheme within a scheme: real and fake verification codes

Bot operators (the "scientists" of Chinese NFT slang) sweeping an entire public sale is an old problem. When the LilGhost project was founded we set ourselves the goal of getting more people who genuinely share our values into the collection, so we studied the various ways bots snipe NFT sales and designed a number of verification and anti-bot measures to stop a single operator from taking the whole supply.

On the eve of the official public sale at 21:00, attackers tried to crack the website front end, succeeded in extracting a table of verification images, and set about processing it in bulk with machine learning and similar techniques.

That table was a decoy we left on purpose. Before launch we deployed fake images to the front end; for the actual launch we had prepared a completely different image table and added more randomized elements, so that more real people would be able to take part.

Relying on the back-end contract alone to stop bots is like leaving the front door wide open. So in the design we required that the front-end verification be completed before the back-end contract would execute: a mint only goes through after the randomly generated verification code has been entered as requested, and calling the contract directly on its own does not work.

3. Overwhelming enthusiasm

While discussing the public sale strategy, the team decided to find a way to keep as many public sale slots as possible for the community, so blocking bots and attackers became the top priority of the sale.

The public sale brought not only DDoS but also a large number of bot scripts scanning for vulnerabilities, attempting injection and so on. After the bots failed to crack our checks, they launched larger traffic floods to buy time. At the moment the sale opened, an army of roughly 230,000 bots hit the site, about three Bird's Nest stadiums' worth of people visiting at once.

Only a small fraction of the load came from real users; the overwhelming majority came from abusive bot traffic. We had all the usual protections in place, but we had not correctly estimated how far the bots would go, so at 21:05 Beijing time we paid for an emergency, across-the-board capacity upgrade.

As a result, you may have seen errors such as 502 while the site loaded. This was in effect a queuing and screening mechanism: clients that kept refreshing repeatedly were blocked outright, while during the queue many ordinary members got into the site and minted successfully.

Had we not taken that decision, the bots would not have attacked the site at all and it would naturally have run more smoothly, but the consequence would have been that by the time ordinary users reached the site the NFTs were already sold out. We may take more blame for it, but the LilGhost team would still rather put more LilGhosts into the hands of people who truly love them than hand them to cold, unfeeling automation.

Finally, our statistics show that only a small share of transactions share identical parameter settings, and those are the ones most likely to be bots. Most people minted successfully without a gas war.

Even with all our planning, a lot fell short, and we sincerely apologize again. Going forward we will draw on this experience to put more effort and more measures into both the interaction experience and the defenses, so that, while ensuring everyone has a good experience, we do our best to make sure that everyone who enters our home is a friend who truly identifies with the LilGhost family.

Finally, some data for LilGhost's friends:

1. For this public sale we prepared 30 different verification code schemes, displayed at random. The correct images were not uploaded before 21:00. All signatures and salts used in the pre-sale are invalid in the public sale.

2. During the public sale there was not only DDoS but also a large number of bot scripts scanning for vulnerabilities, attempting injection and so on. The main problem we had to deal with was this variety of unconventional attacks, not the pressure of high concurrency. The server was never blackholed (the null-routing a hosting provider applies when DDoS traffic exceeds its threshold). From the moment the website went public until after the sale ended, someone was constantly trying to plant a Trojan on the front end.

3. Our investigation shows the share of NFTs bought by bots was very low. This can be verified from the contract's transaction statistics: there was no large batch of transactions using the same Max Fee or Max Priority Fee, and runs of consecutive transactions with identical parameters were usually only 2 to 4 transactions long. Our site suggested a gas limit of 150,000, so only transactions that used a different gas limit are candidates for bots, and those are a tiny fraction of all successful transactions. Ordinary users who minted successfully did not go through a gas war either.

4. The contract has no vulnerabilities. This public sale went as far as possible to protect the share that non-bots could obtain.

5. The server had spare capacity and did not go down under the flood of bots and attacks.
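The checks in item 3 can be run over a block-ordered list of successful mint transactions to the sale contract. The following is an added example, not the project's own code, and the transactions in it are constructed rather than taken from the chain. It flags a transaction when its gas limit differs from the suggested 150,000 or when it sits in a run of more than four consecutive transactions with identical gas parameters; the field names follow EIP-1559 transactions, and the thresholds are assumptions.

```javascript
// Added example, not LilGhost's code. Field names (gasLimit, maxFeePerGas,
// maxPriorityFeePerGas) follow EIP-1559 transactions; fee values are in gwei
// and the sample below is constructed, not taken from the chain.
const SUGGESTED_GAS_LIMIT = 150000; // the value the post says the site suggested

// Constructed sample: successful mint transactions in block order.
const SAMPLE_TXS = [
  { hash: 'tx01', gasLimit: 150000, maxFeePerGas: 100, maxPriorityFeePerGas: 2 },
  { hash: 'tx02', gasLimit: 150000, maxFeePerGas: 100, maxPriorityFeePerGas: 2 },
  { hash: 'tx03', gasLimit: 150000, maxFeePerGas: 110, maxPriorityFeePerGas: 3 },
  { hash: 'tx04', gasLimit: 300000, maxFeePerGas: 500, maxPriorityFeePerGas: 50 },
  { hash: 'tx05', gasLimit: 300000, maxFeePerGas: 500, maxPriorityFeePerGas: 50 },
  { hash: 'tx06', gasLimit: 300000, maxFeePerGas: 500, maxPriorityFeePerGas: 50 },
  { hash: 'tx07', gasLimit: 300000, maxFeePerGas: 500, maxPriorityFeePerGas: 50 },
  { hash: 'tx08', gasLimit: 300000, maxFeePerGas: 500, maxPriorityFeePerGas: 50 },
  { hash: 'tx09', gasLimit: 150000, maxFeePerGas: 105, maxPriorityFeePerGas: 2 },
  { hash: 'tx10', gasLimit: 150000, maxFeePerGas: 105, maxPriorityFeePerGas: 2 },
  { hash: 'tx11', gasLimit: 150000, maxFeePerGas: 105, maxPriorityFeePerGas: 2 },
  { hash: 'tx12', gasLimit: 150000, maxFeePerGas: 120, maxPriorityFeePerGas: 4 },
];

// The tuple the post compares: two txs with the same key look like one sender.
function paramKey(tx) {
  return `${tx.gasLimit}|${tx.maxFeePerGas}|${tx.maxPriorityFeePerGas}`;
}

// Flags transactions by the two rules in item 3 and returns the counts.
// maxNormalRun: runs of identical parameters up to this length are treated as
// coincidence (two wallets with the same defaults); longer runs are flagged.
function analyzeMints(txs, { suggestedGasLimit = SUGGESTED_GAS_LIMIT, maxNormalRun = 4 } = {}) {
  const reasons = new Map(); // hash -> list of reasons it was flagged
  const flag = (tx, why) => {
    if (!reasons.has(tx.hash)) reasons.set(tx.hash, []);
    reasons.get(tx.hash).push(why);
  };

  // Rule 1: runs of consecutive transactions with identical gas parameters.
  let longestRun = 0;
  for (let i = 0; i < txs.length; ) {
    let j = i;
    while (j + 1 < txs.length && paramKey(txs[j + 1]) === paramKey(txs[i])) j++;
    const run = txs.slice(i, j + 1);
    longestRun = Math.max(longestRun, run.length);
    if (run.length > maxNormalRun) {
      for (const tx of run) flag(tx, `run of ${run.length} txs with identical gas params`);
    }
    i = j + 1;
  }

  // Rule 2: gas limit that differs from what the site's front end suggested.
  for (const tx of txs) {
    if (tx.gasLimit !== suggestedGasLimit) {
      flag(tx, `gas limit ${tx.gasLimit} differs from suggested ${suggestedGasLimit}`);
    }
  }

  return {
    total: txs.length,
    flaggedCount: reasons.size,
    flaggedShare: reasons.size / txs.length,
    longestRun,
    flagged: Object.fromEntries(reasons),
  };
}

const REPORT = analyzeMints(SAMPLE_TXS);
console.log(`${REPORT.flaggedCount}/${REPORT.total} flagged, longest identical run ${REPORT.longestRun}`);
for (const [hash, why] of Object.entries(REPORT.flagged)) console.log(hash, why.join('; '));
```

On the constructed sample the five transactions tx04 to tx08 are flagged by both rules and the short runs (tx01/tx02, tx09 to tx11) are left alone. The heuristic has obvious limits: a bot that copies the wallet's suggested gas limit and fee values is invisible to it, and a short run of identical parameters can simply be two wallets using the same defaults, which is why runs of 2 to 4 are not flagged.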

About the mechanism

From our observation and study of many projects, most bots bypass the website and mint directly through the back end, that is, against the contract. On the technical side, few people are equally skilled at back-end and front-end work, so our approach was to force back-end bot operators to crack the front end first before they could do anything on the back end. In other words, a bot operator who wanted to buy in bulk had either to spend a long time doing something they are not good at, or to find a front-end developer to work with. In other projects' sales bot operators never needed a front-end developer, which made it harder for them to find someone to cooperate this time.