
Development, deployment and launch process of an NFT project (2)

2022-06-26 15:45:00 NFT practitioner

Back end

The earlier discussion of the parameter verification phase raised two problems: parameters being exposed ahead of time, and the signing private key being exposed. The corresponding mitigations are:

API protection

To keep parameters from being exposed ahead of time, the API controls the conditions under which it returns them:

  • Return the signature data only once a timestamp or starting block chosen by the project has been reached
  • Adjust the structure of the returned value dynamically, or additionally encrypt the data a second time

Private key protection

Private key protection can be approached from two directions:

  • The server provides an API that performs parameter construction and signing, so the signing private key is never exposed on the front end
  • Sign with a test address before the sale, and enable the production address for signing only when the sale starts

Are you safe once these two steps are done? For most popular projects, yes: a popular project's public sale usually sells out within a few minutes, in extreme cases within a few blocks, so the "scientists" (the bot operators who script mints) are left with no time to break it. If a Dutch auction mechanism is adopted, however, with its long waiting period, this approach fails, because the scientists have enough time to connect to the API, obtain the validation parameters, call the contract directly, and finally sweep the inventory at the price they were waiting for.

IP limit

In addition, to prevent one user from obtaining too many, you can limit the number of signatures issued to the same IP, which stops the same user from joining the sale with several different addresses.

Front end

For the front end we will look at three areas: source code protection, emulator and group-control detection, and Cloudflare settings. The schemes below are ideas only; in practice it comes down to a contest of wit and nerve between the project team and the scientists, and whoever is better wins. Watch the experts perform.

Source code protection

With the contract and back end protected, the front end can improve security through encryption, obfuscation, compilation, packaging and similar methods, which front-end developers will be familiar with. One possible chain is JavaScript obfuscator + bytenode + node-packer.

At the same time, deploy the code for the logic part only a few minutes before release, so scientists do not have time to extract more information from the front end. After deploying, remember to purge the CDN cache so users are not served stale copies. The figure below shows the cache-purge page in Cloudflare:

[Figure: Cloudflare cache purge page]

Note too that the contract address and contract ABI can be hidden or obfuscated with some encryption, for example by splitting them into several segments and then base64-encoding them, so that scientists cannot pull them out of the obfuscated JS with a regular expression.

Emulator and group-control detection

Besides protecting the source code, the front end should also try to detect group control (device farms) or emulators: for example, check the browser's screen size, or detect automation tools such as Selenium, which generally inject functions and variables into the global JS scope. There are many detection schemes to try and plenty of online resources, so I won't go into detail here.

Cloudflare settings

Some Cloudflare configurations help improve protection against bots. Of course there are still ways to get around them; there is no one-size-fits-all policy, and all we can do is protect as well as we can.

Bot Fight Mode

Requires the Cloudflare Pro plan, priced at $20 per month.

Under Attack Mode

Enable Under Attack Mode during the launch phase, i.e. the familiar five-second interstitial, to verify that requests are legitimate.

Legacy Captcha

If the level of protection needs to be raised, the legacy CAPTCHA can be enabled, but this hurts the user experience for some users; tell users in advance that they may encounter CAPTCHAs, some of which are hard to recognize.

The path to enable it is: Firewall Rules → Managed Challenge → Legacy CAPTCHA

Original site

Copyright notice
This article was created by [NFT practitioner]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/177/202206261529207533.html