"Everyone here is the target of an attack. Be paranoid."
This is how Ethereum Foundation security officer Martin Swende concluded his talk on the security of smart contracts at Devcon3 yesterday. By now, he has witnessed his fair share of attacks on Ethereum and wants the community to know what it is getting into.
There was the DAO hack, where millions of dollars in ether were stolen because of a smart contract bug. There was the time when Ethereum transactions were slowed down by an unknown attacker, this during one of Swende's early days working on the protocol, no less. And then, a few months ago, the Ethereum client Parity lost $30 million after being hacked.
And that is not to mention all the hacks related to bitcoin.
With that, developers point out that, as revolutionary as Ethereum is and could be, there are still many problems to be solved, which is one reason the open-source project's flagship conference saw such a focus on security on its second day, with developers and academics releasing new tools to take smart contract security a step further.
Despite these major attacks, developers are optimistic about the direction of smart contract security.
Sergio Demian Lerner, chief scientist at RSK Labs and a cryptocurrency security consultant, told CoinDesk:
"The whole ecosystem is maturing in terms of security."
The right tools
Although there are various pieces of Ethereum that need to be secured, Devcon's second day focused on smart contracts, probably because vulnerabilities in the code of these mechanisms have been the source of the losses.
Manuel Araoz, CTO of blockchain security company Zeppelin, called 2016 the "dark ages" of Ethereum security, but, like others, noted that things are improving.
To begin with, upgrading smart contracts once they are live on Ethereum is a huge open problem. Unlike more traditional software, if there is a bug in a smart contract's code and it was written without a way to upgrade it, developers cannot update the code.
But Araoz and his team at Zeppelin have been working on a useful tool, recently unveiling a new operating system project that aims to make it easier to upgrade code that is already deployed.
"If we have a bug or we need to improve the program, we can do it; it can be used to fix production code," he said.
Although it does not completely solve the upgrade problem, the project provides a new tool, and such additions to the Ethereum developer's toolbox are widely recognized as a breakthrough in smart contract security.
Another project unveiled at the event, Securify, is touted as a "push-button security audit tool." Revealed during a session titled "Not Smart Verification of Your Grandma's Contracts", it offers developers an easy interface to plug in smart contracts and check for certain types of bugs.
During the session, Quentin Hibon, a researcher at ETH Zurich's Software Reliability Lab, said that Securify provides a solid security guarantee.
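To make the upgrade problem concrete, here is a minimal upgradeable-proxy contract in Solidity. It is an added illustration written for this article, not code from zeppelin_os, Zeppelin or the conference; the contract and function names (UpgradeableProxy, CounterV1, CounterV2, upgradeTo) are hypothetical. Users interact with the proxy's address, which forwards every call to the current logic contract with delegatecall, so the logic can be replaced while the state stored at the proxy persists.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical example of the "inherited storage" proxy pattern: the proxy and
// every logic version declare the same leading state variables in the same
// order, so code run via delegatecall reads and writes the proxy's storage
// at the slots it expects.
contract ProxyStorage {
    address public admin;          // slot 0
    address public implementation; // slot 1
}

contract UpgradeableProxy is ProxyStorage {
    event Upgraded(address indexed newImplementation);

    constructor(address initialImplementation) {
        require(initialImplementation.code.length > 0, "not a contract");
        admin = msg.sender;
        implementation = initialImplementation;
    }

    // Only the admin may swap the logic. Storage, and the address users hold,
    // stay untouched; the Upgraded event gives monitors something to alert on.
    function upgradeTo(address newImplementation) external {
        require(msg.sender == admin, "not admin");
        require(newImplementation.code.length > 0, "not a contract");
        implementation = newImplementation;
        emit Upgraded(newImplementation);
    }

    // Any call the proxy itself does not define is forwarded to the logic
    // contract with delegatecall, so the logic executes against proxy storage.
    fallback() external payable { _delegate(implementation); }
    receive() external payable { _delegate(implementation); }

    function _delegate(address impl) private {
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// Logic v1: its own state is appended after the proxy's two slots.
contract CounterV1 is ProxyStorage {
    uint256 public count; // slot 2

    function increment() external virtual {
        count += 1;
    }
}

// Logic v2: shipped by calling upgradeTo on the proxy, without redeploying the
// address users interact with. New state is only ever appended (slot 3);
// reordering or removing earlier variables would corrupt existing data.
contract CounterV2 is CounterV1 {
    address public lastCaller; // slot 3

    function increment() external override {
        count += 1;
        lastCaller = msg.sender;
    }

    // The logic can rely on the shared admin slot for its own access checks.
    function reset() external {
        require(msg.sender == admin, "not admin");
        count = 0;
    }
}
```

Deployment order: deploy CounterV1, deploy UpgradeableProxy with its address, then call increment through the proxy using CounterV1's ABI. Later, deploy CounterV2 and call upgradeTo from the admin account; count keeps its value and the new reset function becomes available at the same address. Two caveats a reviewer would raise: the proxy's own functions (admin, implementation, upgradeTo) shadow any logic function with the same selector, which is why production designs use a transparent-proxy or EIP-1967-style layout instead, and the admin key is now a single point of failure for the whole contract, so it belongs in a multisig and its Upgraded events belong in monitoring.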
With developments like this, according to Lerner, everything is heading in the right direction.
The Ethereum Virtual Machine has been improved in terms of security, he said. Formal verification has been added, which uses mathematical proofs to check whether smart contracts behave correctly, he continued. And Ethereum's main smart contract language, Solidity, has matured, so now many errors are caught at the Solidity level, he concluded.
That does not mean there will be no more problems with smart contracts. Almost every security talk of the day ended with a call to action, a warning or a list of open issues facing the second-largest cryptocurrency protocol by market capitalization.
RSK's Lerner, for one, mentioned that he disassembles initial coin offering (ICO) contracts in his spare time and spots many obvious bugs. The fact that token issuers are now soliciting the help of security experts to audit their smart contract code is a good sign, he said.
And researchers from a handful of universities are also trying to change the incentive structures around bugs, to encourage hackers to report vulnerabilities instead of exploiting them.
As CoinDesk reported yesterday, Hydra riffs on the traditional bug bounty model: programmatically offering hackers a larger reward for informing developers about a bug than exploiting it would pay.
But many of these projects are still in the early stages.
Ethereum, and cryptocurrencies in general, remain something of a paradise for hackers.
"The hacking scene has changed dramatically: zombie networks for denial-of-service attacks are quite difficult to build; after cryptocurrency, it is so monetizable and the risks are low," said the Ethereum Foundation's Swende.
This creates new challenges that blockchain developers must be prepared for, and the first step, according to Swende, is to stay vigilant.
"I am always worried."
Disclosure: CoinDesk is a subsidiary of Digital Currency Group, which owns an interest in RSK Labs and Zeppelin.
Image: Devcon3 via Rachel Rose O'Leary