Ethereum Security Flaws and Developments: Devcon3 Discussion
Martin Swende, Ethereum Foundation Lead, ended his lecture on security and smart contract security on this note: “Everyone here is a target for attack. Be paranoid.”
There was The DAO hack, where millions of dollars in ether was stolen due to a smart contract bug. There was the time ethereum transactions slowed because of an unknown attacker – this on one of Swende’s first days working on the protocol, no less. And then just a few months ago, ethereum client Parity lost $30 million after being hacked.
Keep in mind the various BTC-related attacks as well.
Having said that, enthusiasts and developers believe that there is much room for improvement when it comes to Ethereum’s security despite its ‘era-changing’ technology.
On the second day of this year's Devcon event, much of the discussion centred on the security of smart contracts, since vulnerabilities in their code are where many people are losing money.
The CTO of Zeppelin [blockchain security company], Manuel Araoz, commented that 2016 was the dark age of ethereum's security, but that improvements have taken place and more are being made.
Keep in mind that upgrading a smart contract's security, or anything else about it, once it is running is very problematic. If there is a bug in the code of a contract that was made without safeguards, there is no hope for developers to improve it.
However, a new OS project by Zeppelin is in the works that will make it much easier to 'edit' the code once it is in the 'go-phase'.
“If we have a bug or need to improve the program, we can do so. It can be used to fix production code,” he said.
While it doesn’t solve the upgrading problem completely, the project provides a new tool – and these additions to the ethereum developer toolbox are acknowledged widely as moving smart contract security ahead.
Another project unveiled at the event, Securify, is touted as a “push-button security auditing tool.” Revealed in a session titled “Not Your Grandma’s Smart Contract Verification,” it offers an easy interface for developers to plug in smart contracts and check for certain types of bugs.
However, this does not mean that no security problems will remain for self-executing contracts: every project talk, idea or discussion ended with a warning or a list of problems.
For example, RSK’s Lerner mentioned that he takes apart initial coin offering (ICO) contracts in his spare time and spots many obvious bugs. The fact that token issuers are now soliciting the help of security experts to audit their smart contract code is a good sign, he said.
On a more general note, Swende of the Ethereum Foundation added:
“The hacking scene has changed tremendously. The revenue stream for hackers was with botnets for denial of service attacks; that’s pretty difficult to build. Now, after crypto, it’s so monetizable, and there are low risks.”
The first step for all crypto-related individuals is to be worried and vigilant, Swende concluded.