Background
Some time ago, we discussed the characteristics of TON and the security of user assets in the article "Getting to know TON: Accounts, Tokens, Transactions and Asset Security". Today, let's learn about another emerging high-performance blockchain platform, Sui, which has many innovative technologies and unique features that have attracted the attention of developers and researchers. Sui focuses on providing a fast and secure transaction experience that is suitable for a variety of application scenarios. This article will help readers understand Sui by explaining Sui's account model, token management, transaction mechanism, and asset security.
Sui follows widely accepted wallet specifications in the cryptocurrency industry, including BIP-32 (and its variant SLIP-0010), BIP-44, and BIP-39, to provide key management for users.
To derive a 32-byte Sui address, Sui concatenates the signature scheme flag (1 byte) with the public key bytes and hashes the result with the BLAKE2b (256-bit output) hash function. Sui addresses currently support pure Ed25519, Secp256k1, Secp256r1, and MultiSig, with corresponding flag bytes of 0x00, 0x01, 0x02, and 0x03, respectively.
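The derivation described above, as an added Python example that is not code from the article or from Sui. It goes beyond the single-key case to MultiSig: the MultiSig preimage layout (flag, 2-byte little-endian threshold, then flag, key and 1-byte weight per signer) and the key lengths are assumptions not stated on this page, and the sample keys are constructed.

```python
import hashlib

# Flag bytes as listed in the article.
FLAGS = {"ed25519": 0x00, "secp256k1": 0x01, "secp256r1": 0x02, "multisig": 0x03}
# Assumed encodings: raw 32-byte Ed25519 keys, 33-byte compressed ECDSA keys.
PUBKEY_LEN = {"ed25519": 32, "secp256k1": 33, "secp256r1": 33}


def blake2b_256_hex(preimage: bytes) -> str:
    return "0x" + hashlib.blake2b(preimage, digest_size=32).hexdigest()


def flagged_key(scheme: str, public_key: bytes) -> bytes:
    """Return flag || public_key after checking scheme and key length."""
    if scheme not in PUBKEY_LEN:
        raise ValueError(f"unsupported single-key scheme: {scheme!r}")
    if len(public_key) != PUBKEY_LEN[scheme]:
        raise ValueError(f"{scheme} key must be {PUBKEY_LEN[scheme]} bytes")
    return bytes([FLAGS[scheme]]) + public_key


def sui_address(scheme: str, public_key: bytes) -> str:
    """Single-key address: BLAKE2b-256(flag || public_key)."""
    return blake2b_256_hex(flagged_key(scheme, public_key))


def multisig_address(threshold: int, signers: list) -> str:
    """MultiSig: BLAKE2b-256(0x03 || threshold_le16 || (flag || pk || weight)...).

    signers is an ordered list of (scheme, public_key, weight) tuples.
    """
    if not signers or not 0 < threshold <= sum(w for _, _, w in signers):
        raise ValueError("threshold must be reachable by the signer weights")
    preimage = bytes([FLAGS["multisig"]]) + threshold.to_bytes(2, "little")
    for scheme, public_key, weight in signers:
        if not 0 < weight <= 255:
            raise ValueError("weight must be non-zero and fit in one byte")
        preimage += flagged_key(scheme, public_key) + bytes([weight])
    return blake2b_256_hex(preimage)


# Constructed sample keys (not real key material).
ED_KEY = bytes(range(32))
K1_KEY = b"\x02" + bytes(range(32))

if __name__ == "__main__":
    print(sui_address("ed25519", ED_KEY))
    print(multisig_address(2, [("ed25519", ED_KEY, 1), ("secp256k1", K1_KEY, 1)]))
```

Because the flag byte is part of the hashed input, the same key bytes under two schemes give different addresses, and reordering MultiSig signers changes the address.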
Balance
On Sui, everything is an object, and the user's balance is also an object. During the transfer process, if the balance contained in the object is not equal to the required value, the object needs to be split or merged. For example, if you have an object containing 100 SUI, but you only want to transfer 30 SUI, the system will split the object into two objects: one containing 30 SUI and the other containing 70 SUI. You can transfer the object containing 30 SUI and keep the rest. Conversely, if you need a larger amount, you can also merge multiple balance objects into a larger amount object.
Token Management
Sui officially implements the standard code of Coin. When issuing Coin, developers only need to import the module with `use sui::coin;` in the contract to use all the functions of this standard library.
Because Sui uses the Move language, which is different from other programming languages commonly used for blockchains (such as Solidity), developers need to understand and pay attention to some unique functions and features when using it. Let's take a look at a piece of code:
This is a complete Coin issuance contract. The smart contract design on Sui is different from blockchain platforms such as Ethereum or Solana. We can't see the management of permissions in the source code. When a Coin is created with coin::create_regulated_currency, the creator of the contract receives a TreasuryCap object, which is required to mint new coins or destroy existing coins. Only addresses that have access to this object can maintain Coin issuance.
For users who receive Coin, their account controls the ownership of these tokens. When calling smart contracts to use these tokens, these objects must also be passed in and the transaction must be signed.
Transaction Mechanism
Transactions are a basic concept in the blockchain world. They are the way to interact with the blockchain, and they are the only way to change its state. In the Move programming language used by Sui, transactions are used to call functions in packages, deploy new packages, and upgrade existing packages.
When constructing transactions, it is important to note that each transaction must explicitly specify the objects it operates on. This is somewhat similar to Solana's transactions, which require accounts to be passed in.
Transaction content:
Sender -- The account that signed the transaction
Instruction list (or instruction chain) -- The operations to be performed
Command input -- Parameters of the command, which are either plain text (simple values such as numbers or strings) or objects (objects that the transaction will access)
Gas object -- Coin object used to pay for the transaction
Gas price and budget -- Transaction cost
Contract security
Sui uses Move as its programming language for smart contracts. Move can, to a certain extent, solve the common vulnerabilities of Solidity, such as reentrancy attacks, integer overflows, double spends, DoS attacks, and compiler problems. However, it cannot prevent developers from introducing errors in the code, so security audits are still necessary. The following are some things that developers need to pay attention to during the development process:
1. Permission check: Analyze the type of objects received by external functions. For privileged functions involving sensitive operations, it is necessary to ensure that the objects passed in are privileged objects. If a function receives and uses a privileged object, the function caller must be the legal owner of the object.
2. External function check: Some functions should not be called directly from the outside. If there are function interfaces that should not be exposed externally, developers should make sure that those functions are not declared public.
3. Object analysis and inspection: Since objects in Sui can be converted into shared objects, developers need to sort out the types of all objects used, confirm whether they are static or public, and whether there are any errors. If an object that should be private is converted into a public object, then anyone can use this object, which poses a security risk.
4. Coin consumption check: Sui's token model is different from other chains. Its design allows token objects to be contained and held by other objects, and they can also be split, which gives rise to several token consumption modes:
Directly transfer the token object to another object;
Adjust the structure of the token object to generate a new object, and then transfer it to the target object;
Split the token object and transfer the split part to the new object.
Therefore, in the case of token consumption, developers need to check the following points:
Is the amount consumed correct?
Is the object transferred?
If there is a split, is the amount of the split correct?
5. Oracle price manipulation attack: If a contract on Sui uses an oracle to obtain prices, it is also necessary to pay attention to the possibility of price manipulation. Developers can prevent the risk of a single data source being manipulated by introducing multiple data sources and consensus mechanisms. In addition, the time-weighted average price can be used to prevent the risk of oracle manipulation.
6. Governance attack: In a contract on Sui, if the voting rights of the governance token are not designed reasonably, there is also a risk of governance attack. In this regard, you can refer to the community governance logic of some mature decentralized organizations.
7. Arbitrage attack: If the logic design is unreasonable, a DeFi contract on Sui is also at risk of arbitrage attack. Developers should carefully review the logic in the contract during development to avoid being exploited by attackers.
8. Fake recharge attack: When an exchange or developer handles deposits (recharges) of Sui tokens, it is also necessary to check whether the status of the transaction is successful and whether the Package ID of the token is correct to prevent fake recharge attacks.
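One way to implement the deposit check from item 8, as an added Python example that is not code from the article. It assumes the transaction has already been fetched as a dict with `effects.status.status` and `balanceChanges` entries (the field layout is an assumption here); the package IDs, the address and the `demo::DEMO` coin are constructed.

```python
HEX_DIGITS = set("0123456789abcdef")


def normalize_coin_type(coin_type: str) -> str:
    """Lower-case and zero-pad the package ID in 'package::module::NAME'."""
    package, module, name = coin_type.split("::", 2)
    digits = package.lower().removeprefix("0x")
    if not digits or len(digits) > 64 or not set(digits) <= HEX_DIGITS:
        raise ValueError("package ID must be 1..64 hex digits")
    return f"0x{digits.zfill(64)}::{module}::{name}"


def credited_amount(tx: dict, deposit_address: str, expected_coin_type: str) -> int:
    """Return the amount to credit, or 0 if the transaction must be ignored."""
    if tx.get("effects", {}).get("status", {}).get("status") != "success":
        return 0  # failed or aborted transactions move no funds
    expected = normalize_coin_type(expected_coin_type)
    total = 0
    for change in tx.get("balanceChanges", []):
        owner = change.get("owner")
        if not isinstance(owner, dict) or owner.get("AddressOwner") != deposit_address:
            continue  # balance change belongs to someone else
        try:
            if normalize_coin_type(change["coinType"]) != expected:
                continue  # same module and name, different package: not our token
            total += int(change["amount"])
        except (KeyError, ValueError):
            continue  # malformed entry is never credited
    return max(total, 0)


# Constructed sample values, not real on-chain identifiers.
REAL_PKG = "0x" + "a1" * 32
FAKE_PKG = "0x" + "b2" * 32
DEPOSIT = "0x" + "d0" * 32
EXPECTED = f"{REAL_PKG}::demo::DEMO"


def sample_tx(status: str, package: str, amount: str) -> dict:
    return {
        "effects": {"status": {"status": status}},
        "balanceChanges": [{"owner": {"AddressOwner": DEPOSIT},
                            "coinType": f"{package}::demo::DEMO",
                            "amount": amount}],
    }


if __name__ == "__main__":
    for tx in (sample_tx("success", REAL_PKG, "500"),
               sample_tx("failure", REAL_PKG, "500"),
               sample_tx("success", FAKE_PKG, "500")):
        print(credited_amount(tx, DEPOSIT, EXPECTED))
```

The comparison is made on the full normalized coin type, so a token that reuses the module and coin name under a different Package ID is never credited.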
Summary
In this article, we briefly discussed the design features of Sui, including its account model, token management, transaction mechanism, and contract security. Using the Move programming language, Sui not only ensures high performance and low latency, but also introduces innovative data models and object storage methods, significantly improving security and flexibility. Compared with other blockchain platforms, the Move language performs well in preventing common smart contract vulnerabilities (such as overflow, reentrancy attacks, etc.), which makes Sui more robust and reliable at the technical level. However, developers still need to pay attention to the security of the business logic level, especially in terms of permission management, the use of object types, and token consumption, to prevent asset losses due to errors in the code or improper design.