Best practices to build secure smart contracts
3 likes446 views
The document provides insights into best practices for developing secure smart contracts in the blockchain ecosystem, with an emphasis on differentiating between developers, investors, and speculators. It discusses the evolution of blockchain technology from Bitcoin to Ethereum and EOSIO, comparing their performance metrics like transaction speed and fees. Additionally, it highlights common vulnerabilities in smart contract coding, significant hacks, and offers recommendations for enhancing security through design patterns and testing methodologies.
Best practices to build secure smart contracts
- 1. Developer Weekly #1 LetsBuildEOS | Blockchain Developer Community Best practices to build secure smart contracts August 2, 2018 Gautam ANAND [email protected] n
- 2. About Gautam ANAND “Non-Blockchain Tech (Microservices/AI)” ● 5 Years of FullStack Software Development ● Software Architecture Design (Microservices) - Build & Scale ● JavaScript ES6 (Node.js), C++ (EOSIO Smart Contracts) and Python (Scikit-Learn & TensorFlow) ● DevOps (Docker/Kubernetes/Serverless) ● Databases (Mongo, Redis and PostgresQL) ● Machine Learning Models to Cloud Agnostic APIs ● Code Reviews
- 3. About Gautam ANAND “Blockchain Tech” ● Won 3 Blockchain Hackathons in June 2018 (Hong Kong & Singapore) ● Invited to compete for EOS Hackathon Finals (~500K USD + Funding/EOSVC) ● Built two EOSIO based projects (SmartCitySteriods & ReliefChain), continuing working on them. ● Part of Global EOS Community. ● Participating in IBM CallforCode Hackathon (ReliefChain, ~200K USD Cash Prize) ● Mentoring “Advanced Blockchain Programming Fellowship” at Blockfellows.io (Solidity Programming)
- 4. The Blockchain Ecosystem Developers (15%) Investors (40%) Speculators (45%) (not users) Blockchain
- 5. The Crisis Situation “You can run a blockchain company without a product, just need to have a good ICO for your cryptocurrency” ● Speculators are not “Users” (Let's agree, they are in for the hype) ● Users help build profitable businesses ● Speculators help build profitable cryptocurrencies ● Startups misuse ICO (Initial Coin Offerings) to raise funds during seed rounds without delivering a proof-of-concept. Beware of “Scam projects” Now this trend is moving towards building “Sustainable Profitable Products”, but do we have the technology to do?
- 6. About Blockchain Technology How developers see it? ● Decentralized Database running on millions of computer ● Public chain (You don’t the location); Private Chain (Your defined network) ● Data entry is one way i.e. NO UPDATE and NO Delete. Only Create and READ is allowed. In nutshell, 1. Data (Transactions) is immutable 2. Network as a secure model
- 7. About Blockchain Technology “Bitcoin vs Ethereum vs EOSIO” ● Blockchain 1.0 - Bitcoin ● Blockchain 2.0 - ETHEREUM ● Blockchain 3.0 – EOSIO and more https://eos.io
- 8. About Blockchain Technology “Bitcoin vs Ethereum vs EOSIO” ● Block Time per request: Bitcoin (600K milliseconds) vs ETH (15K milliseconds) vs EOSIO (500 milliseconds) ● Transactions per Second: Bitcoin (7 tps) vs ETH (50 tps) vs EOSIO (>3000 tps, July 2018) ● Transactions Fee: Bitcoin (~1 USD) vs ETH (~5.5 USD) vs EOSIO (Free) Block time and tps metrics reference: https://bitinfocharts.com/comparison/bitcoin-confirmationtime.html How transactions are free?: https://bytemaster.github.io/article/2016/02/10/How-to-build-a-decentralized-application-without-fees/
- 9. About Blockchain Technology “Building Payment Gateway on Public Chain” ● Average 6 steps for any payment gateway backend request Bitcoin (~60 mins, 1.38 USD) ETH (~1.5 mins, 36 USD) EOSIO (~ 3 seconds, 0 USD), this may be competitive with centralized payment solutions such as VISA/Mastercard etc? For the very first time, blockchain solutions can be as good as regular centralized solutions, maybe profitable.
- 10. Security In Blockchain ● Security Mindset ● 3 Solidity Code Vulnerabilities ● 5 Attack Scenarios ● 4 Design Patterns ● 2 Major Hacks (~100 million USD)
- 11. Your Security Mindset ● Centralised: Database (server) is hidden behind a client (mobile app, browser etc). ● Decentralised: Blockchain database (server) is public and exposed to all vulnerabilities you can ever imagine.
- 12. 3 Solidity Code Vulnerabilities
- 13. Integer Underflow ● Solidity can handle 256 bit numbers ● Underflow: Token holder has 100 tokens but attempts to spend 101 Bad pattern: https://ethfiddle.com/IGJ2w0vPsX Good pattern: https://github.com/OpenZeppelin/op enzeppelin- solidity/blob/master/contracts/math/ SafeMath.sol
- 14. Protect your Functions ● Public: Anyone can access it. ● External: Other smart contracts can access it. ● If anyone can execute your functions from public, they can steal all your tokens. Use Private or Internal functions. Example: https://ethfiddle.com/1q- YzAPV9W
- 15. Fallbacks & DelegateCALL ● Fallback: Every smart contract can have exactly one unnamed function. This will execute if none functions are found. It only has msg.data to retrieve any payload. ● DelegatedCALL: It is identical to a message call (internal transaction) apart from the fact that the code at target address is executed in the context of the calling contract and msg.sender and msg.value do not change their values Example: https://ethfiddle.com/G3W7FEdrWj
- 17. Parity Attack ● Contract A has a public function titled “myproject” that implements DelegatedCALL. It holds all 100k Tokens. ● Contract B is a hacker exploit, that tries to call ContractA.myproject(). Since this is public authority, contract B steals all the tokens.
- 18. DAO Attack (Decentralised Autonomous Organisation) ● Check my account balance in the starting ONCE. ● Second time onwards, ignore balance check and initiate transfer request. # Fix - Reduce senders balance before making transfer. - require(msg.sender.transfer(_value)) Example: https://ethfiddle.com/VDH-hqXQZ_
- 19. SelfDestruct ● Mechanism to delete smart contract ● Contract’s fund is sent to the target address ● Accidently create scenarios that it can be triggered Example: https://ethfiddle.com/dmsDZVYcBX
- 20. Denial of Service ● Take ownership of the smart contract by sending enough ethers to insecure contract. ● The attacker knows the transaction will fail and will be refunded. This will block the service. Example: https://ethfiddle.com/jJNl3ILO-Z
- 21. Shortest Address Attack ● Attackers abuse ERC-20 transfer function to withdraw a large amount thatn he/she is allowed to. ● Culprit: The input address has no trailing zeros, the exchange doesn’t do input validation. The EVM corrects this and the balance is increased. ● Exchanges are the biggest victims here Details: https://vessenes.com/the-erc20- short-address-attack-explained/
- 23. Avoid External Calls ● Avoid a call from one contract to another untrusted contract or account. ● delegatecall, callcode, call ● Types of attacks: The Dao hack, The Parity multisignature wallet hack ● Use .send() and .transfer() over .call.value()
- 24. Use Assert(), Require() & Revert() ● require(condition) for input validation ● assert(condition) for internal error check ● revert() returns unused gas ● throw() will continue to consume all gas
- 25. Test Driven development ● Smart contract once deployed cannot be improved. No version control. ● Do Unit Testing ● Do Test coverage ● Simulate on testnet.
- 26. Offline contracts shouldn’t be paid ● Contract A sends to Contract B, 1000 Tokens. ● Contract B is dead ● Contract A lost money
- 27. 2 Major Hacks (~100 million USD)
- 28. ETHEREUM DAO was hacked for 70 million USD (ETH Classic is born) https://www.coindesk.com/underst anding-dao-hack-journalists/ ● Attacker was able to ask the smart contract (DAO) to give the ether back multiple times before the smart contract could update its own balance. ● Ethereum Classic was forked and all transactions before attack were reverted.
- 29. Parity Client vulnerability costed 30 million USD (Check this is real?) The code that did this: https://github.com/paritytech/parity -ethereum/pull/6102/files ● Parity is a ETH Client used by many people. You can call it from smart contracts. ● Three ICO (Edgeless casino, Swarm City and aeternity) were using parity client v.15, to check balance for raised funds. ● The function in wallet smart contract was Public DelegatedCALL, that let attackers steal the tokens.
- 30. Thanks, Stay in touch! Telegram Linkedin