About how to detect anomalous transactions

I am wondering about how to find out bad transactions on Algorand.

For example, all users are expected to send useful information to the smart contract. But, some malicious users will send trash contents to my smart contract via application calls. Other bad users could send malware contents to the blockchain, which will attack the local computer after they are fetched by indexer functions.

Is there any existing solution to deal with those problems?

For the first issue, your smart contract must be developed to handle potentially malicious data.
You must design it that way.
This is true for any blockchain.

For the second issue, the indexer does not execute code apart from the smart contracts that are essentially executed in a sandbox (in particular, they are not compiled nor executed directly on the CPU).
That being said, as for any software, algod or the indexer may have bugs that allow malicious behavior. Algorand takes the security of the platform and of its users very seriously and has programs to mitigate these risks: https://www.algorand.com/contact/security

Thanks for your reply @fabrice.

I think currently it is not possible to solve the first issue on the smart contract. I remember there is a limit of computation power on the smart contract. Simply I can’t write the malcontent detection code inside the contract TEAL code. Any idea on this problem?

I’m not sure why you think that it’s not doable. Many of the examples for TEAL that are available are doing just that. I’m sure that there are certain types of validations that would not be possible on a blockchain, but I’m not sure if these execution paths should even be executed on the chain.

Could you please provide an example for such a case where you believe the smart contract would not be able to validate?

Thanks for your reply @tsachi.

Maybe I was wrong on how to detect and filter out the malicious content in transactions. What I want to do is to write the filtering code for malicious content in my smart contract. However, as far as I know, the smart contract has a computation power limit (my previous question: Question on smart contract TEAL code size and global state readings - #7 by fabrice), and it could be possible for the smart contract not to be able to execute complex computation like long regular expressions.

I would be grateful if you could provide me with some examples on how to do this kind of task. Thanks for your help in advance.

@yfmao,

An Algorand smart contract needs only to validate the fields that it interacts with, as well as those which might affect its correctness. i.e. I can think of testing various related transaction fields, testing expected application state ( local/global ), checking the positions of different transactions in the transaction group ( if applicable )… but that’s it. Beyond that, there isn’t much else that I believe needs to be validated.

The smart contract itself is usually referenced by its hash value - and it uses the assumption that a hash is a single direction function. If you compare that hash to a known hash, you’re guaranteed that the smart contract content is valid.

Does that answer your questions?
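The bounded validation tsachi lists (transaction fields, argument shape, group layout) in working form, as an added TEAL example that is not from this thread or from any Algorand project. It assumes a hypothetical app exposing one "record" method that takes a single opaque payload of at most 64 bytes and must be grouped with a payment to the app account; nothing in the payload is parsed on chain, so the opcode cost is constant whatever a caller sends.

```teal
#pragma version 6
// Added example (not from the thread): approval program that admits only
// well-formed "record" calls; each check costs a fixed few opcodes.
// Let the creation transaction through so the app can be deployed.
txn ApplicationID
int 0
==
bnz approve
// Plain NoOp calls only; Update/Delete/OptIn/CloseOut are rejected.
txn OnCompletion
int NoOp
==
assert
// Never let this call rekey the caller's account.
txn RekeyTo
global ZeroAddress
==
assert
// Exactly two arguments: the method name and an opaque payload.
txn NumAppArgs
int 2
==
assert
txna ApplicationArgs 0
byte "record"
==
assert
// Payload capped at 64 bytes; stored as-is, never parsed on chain.
txna ApplicationArgs 1
len
int 64
<=
assert
// Group shape: size 2 with a payment to the app account at index 1, so this call is at index 0.
global GroupSize
int 2
==
assert
gtxn 1 TypeEnum
int pay
==
assert
gtxn 1 Receiver
global CurrentApplicationAddress
==
assert

approve:
int 1
return
```

Any call that fails an `assert` is rejected before it can touch state, which is the practical answer to "trash contents": the contract constrains what it accepts rather than trying to recognise bad content.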