Trust No One: Ethereum Smart Contract Security Is Advancing
"Everyone here is a target for attack. Be paranoid."
That's how Ethereum Foundation security lead Martin Swende ended his deep-dive lecture on smart contract security at Devcon3 yesterday. At this point, he's witnessed his fair share of attacks on ethereum and wants the community to know what they're getting into.
There was The DAO hack, where millions of dollars in ether was stolen due to a smart contract bug. There was the time ethereum transactions slowed because of an unknown attacker – this on one of Swende's first days working on the protocol, no less. And then just a few months ago, ethereum client Parity lost $30 million after being hacked.
And that's not to mention all the bitcoin-related hacks.
With this, developers point out that – as revolutionary as ethereum can and could be – there's still a lot of kinks to iron out, one of the reasons the open-source projet's flagship conference saw such a focus on security on its second day, with developers and academics alike releasing new tools to take smart contract security a step further.
Despite these major attacks, though, developers are optimistic about where smart contract security is heading.
RSK Labs chief scientist and cryptocurrency security consultant Sergio Demian Lerner told CoinDesk:
"The whole ecosystem is maturing in terms of security."
The right tools
While there are different pieces of ethereum that need securing, the second day of Devcon focused on smart contracts, likely because vulnerabilities in these mechanism's code are the genesis of people losing money.
Manual Araoz, CTO of blockchain security company Zeppelin, called 2016 the "dark ages" of ethereum security, but, like others, noted that things have been improving.
For one, "upgrading" smart contracts once they're live on ethereum is a huge open problem. Unlike with more traditional software, if there's a bug in a piece of smart contract code, and it's written without safeguards, there's no way developers can just update the code.
But Araoz and his team at Zeppelin have been working on a helpful tool, recently unveiling a new OS project that looks to make it easier to tinker with code that's already up and running.
"If we have a bug or need to improve the program, we can do so. It can be used to fix production code," he said.
While it doesn't solve the upgrading problem completely, the project provides a new tool – and these additions to the ethereum developer toolbox are acknowledged widely as moving smart contract security ahead.
Another project unveiled at the event, Securify is touted as a "push-button security auditing tool." Revealed in a session titled "Not Your Grandma's Smart Contract Verification," it offers an easy interface for developers to plug in smart contracts and check for certain types of bugs.
During the session, ETH Zurich Software Reliability Lab researcher Quentin Hibon said Securify is a strong security guarantee.
With developments like this, according to Lerner, everything is headed in the right direction.
Ethereum's virtual machine has been improved on in terms of security, he said. Formal verification has been added, which uses math proofs to detect whether smart contracts work properly, he continued. And ethereum's main smart contract language, Solidity has matured, so now many mistakes are corrected at the Solidity level, he concluded.
'Always worried'
This isn't to say there won't still be problems with smart contracts going forward. Almost every security talk of the day ended with a call to action, a warning or a list of open problems facing the second largest cryptocurrency protocol by market cap.
RSK's Lerner, for one, mentioned that he takes apart initial coin offering (ICO) contracts in his spare time and spots many obvious bugs. The fact that token issuers are now soliciting the help of security experts to audit their smart contract code is a good sign, he said.
And researchers from a handful of universities are also trying to tweak the incentive structures around bugs, in an effort to encourage hackers to report vulnerabilities instead of exploiting them.
As reported by CoinDesk yesterday, Hydra riffs off the traditional bug bounty model: programmatically offering hackers more in the way of rewards to inform developers about a bug than exploiting the bug would pay out.
But many of these projects are still in the early stages.
Ethereum – and cryptocurrencies in general – remain a sort of hacker's paradise.
"The hacking scene has changed tremendously. The revenue stream for hackers was with botnets for denial of service attacks; that’s pretty difficult to build. Now, after crypto, it’s so monetizeable, and there are low risks," said the Ethereum Foundation's Swende.
This brings new challenges blockchain developers must prepare for, and the first step, according to Swende, is to remain vigilant.
He stated:
"I'm always worried."