Last November, a user accidentally froze around 514,000 ETH (worth approx. $155 million) in Parity, a popular Ethereum wallet. The culprit was a bug in the wallet’s software, which the user in question accidentally triggered.
This wasn’t the first incident on the Parity wallet. Only months earlier, another bug in Parity’s software enabled hackers to get away with 150,000 ETH (approx. $30 million). Neither is Parity the only Ethereum application that has suffered from smart contract vulnerabilities.
In 2016, in the famous DAO hack, hackers got away with 3.6 million ETH, 15 percent of all Ether in circulation at the time. The incident caused a rift in the Ethereum community and resulted in a hard fork, creating two versions of the famous cryptocurrency.
Like many other hacks that have happened since Ethereum launched in 2015, these incidents were tied to smart contracts, code that runs on the Ethereum blockchain and enables the creation of decentralized applications (dApps). Smart contracts are a very important component of the blockchain industry, and despite these hacks, their use is growing. But they are also a very attractive target for hackers, and unless we create smart auditing processes to develop sturdier smart contracts, more costly incidents loom on the horizon.
The solution might be in deploying even more smart contracts.
Why is smart contract security so difficult?
A smart contract is code, just like any other software that runs on computers. However, a few factors make smart contracts more sensitive from a security perspective.
First, like transactions on the blockchain, smart contracts are immutable. Once developers deploy smart contracts on the blockchain they can’t make any changes to them. The positive side is that they can’t be tampered with. But the tradeoff is that any bugs in the code remain permanent too. There are workarounds to fixing bugs in smart contracts, but they’re clunky and hard to adopt.
Second, smart contracts are directly tied to payments and can hold millions of dollars’ worth of digital currencies. There’s a clear difference between a software bug giving hackers access to your family pictures and one that gives them control of your digital fortune.
Third, smart contracts are still a new practice, not even a decade old. We still haven’t developed best coding practices and development lifecycles tailored for decentralized apps.
This makes smart contract security auditing of paramount importance because while developing traditional software involves continuous write-release-fix cycles, with smart contracts you must get it right the first time — unless you want to learn the hard way and lose millions of dollars (and your reputation) in the process.
Auditing smart contracts
A handful of firms have stepped forth to provide auditing services for smart contracts, reviewing the code and providing feedback on its quality and security. This is very much similar to the security practices that exist in the traditional software industry.
However, the services of smart contract auditing companies cost a lot, much more than bootstrapped blockchain startups can afford. Another problem is that the investors and users who will be staking money in those smart contracts in the future can’t verify the auditing process. This goes against the norms set by the blockchain, which establishes trust by making everything visible to everyone.
An alternative to the de facto code verification method is to use blockchain and smart contracts to create a transparent and verifiable auditing process, where all the involved parties have a stake in creating secure and reliable smart contracts. This is the approach that Solidified, a leading audit platform for smart contracts, uses to help developers avoid becoming the next Parity, or DAO, or PoWHCoin.
Solidified is a company that has proven experience in auditing and securing smart contracts of several key Ethereum projects including Gnosis and Polymath, and now it is preparing to launch a decentralized bug prediction market that will enable a crowdsourced way to verify the security of smart contracts. The ingenuity of bug prediction markets is that they make sure all the involved parties are fairly rewarded — or penalized — for the quality of their work or lack thereof.
With Solidified, developers can place audit requests for their smart contracts. Next, Solidified code reviewers, a network of more than 200 Solidity experts, can present their terms for reviewing the code and the bounty they expect to receive. Once the developer and auditor agree on the terms a smart contract is created.
Auditors then review the code and publish their findings on the issues and bugs they find on the code and the developer fixes them. But before the auditors can claim their bounty, the fixed smart contract is put up for a bug bounty. During this process, a large network of auditors will get to review the code. If they find new bugs in the code, they claim a share of the original auditor’s bounty. At the end of the bug bounty period, the audit request’s smart contract distributes the staked tokens among the auditors involved. The crowdsourced mechanism of cross-review and staking rewards ensures the highest quality of auditing.
Bug Prediction Market
Code audits and bug bounties are nothing new. In fact, some of the biggest tech companies and government agencies regularly hold bug bounty programs to vet the security of their software. However, a blockchain-based bug prediction market has several benefits that make it more beneficial than traditional code.
First, it provides transparency. Everything and everyone involved in the auditing process is registered on the blockchain and accessible for review. This is very important for the users and investors who are going to buy a company’s tokens or direct funds to their smart contracts. They’ll be able to see the history of the contract’s auditing process and decide for themselves whether a dApp’s smart contracts have been thoroughly vetted by qualified professionals or not. It will also provide investors with a basis to identify and ignore blockchain scams, which have become rampant lately.
Second, it creates a confidence metric for how secure the community believes each smart contract is. This security confidence metric is derived from the current price of outcome tokens in its associated Bug Prediction Market, and provides a properly incentivized assessment of the quality of any smart contract. The movement of this confidence metric over time can be used as an early warning system to notify stakeholders of potential risk, so they can exit before a bug is disclosed publicly.
Finally, it will improve the quality of the vetting by incentivizing reviewers when they file successful bug reports or help resolve disputes. Reviewers will also be staking Solid tokens in the reports they create, which they can lose if they don’t do quality work. This ensures the fair use of the platform and disincentives schemes to hide bugs and later exploit them.
Solidified will also expand the market for a much wider range of organizations and experts. For the moment, Solidified is making the reviewing tools available to its vetted list of experts. But in time, the platform will become available to anyone who wants to earn rewards for helping secure smart contracts.
Solidified has opened the registration for its tokensale and is currently offering a 20 percent bonus to developers, auditors and security experts.
In the past, we had come to believe that there’s no such thing as 100 percent secure software. As smart contracts become more pervasive, we might be forced to change our beliefs.