Evolution of Smart Contract Security in the Ethereum Ecosystem
Manuel Araoz, CTO at
@maraoz
The Year in Smart Contract Security
New Security Patterns and Techniques
Pending Challenges
Pre-history: The Dark Ages
Pre-history: The Dark Ages
The DAO
FirePonzi scam
RNG seed fails
Governmental
ETH-backed ERC20 token
The King of the Ether
Rock paper scissors
Rubixi
2016
Pre-history: The Dark Age
MAY 2016:
“We Need Some Best Practices For Smart Contracts”, Peter Vessenes
JUNE 2016: TheDAO Hack��- 14% of all ether tokens were held by TheDAO contract.
- 50M in USD value stolen with the hack.
- Solution: Hard fork :/
The Age of Enlightenment
OpenZeppelin
SEPT 2016: OpenZeppelin is born, a week before DEVCON2!
OpenZeppelin
2017
>8% weekly growth for 3 months.
1800+ slack members��60+ contributors
280+ pull requests
220+ issues
OpenZeppelin
2017
>8% weekly growth for 3 months.
1800+ slack members��60+ contributors
280+ pull requests
220+ issues
Ethereum platform updates
Ethereum platform matured a lot
EIP150
callstack
attack
Solidity new keywords
payable
assert
transfer
pure/view
require
revert
Serpent R.I.P.
Byzantium’s impact on Security
Added support for big integer modular exponentiation (EIP198)
=> RSA signature verification
https://github.com/ethereum/EIPs/pull/214
New opcode: STATICCALL (EIP214)
=> non-state-changing calls to other contracts
https://github.com/ethereum/EIPs/pull/214
Added opcodes for return data handling. (EIP211)
=> upgradability proxies
New Security Patterns and Techniques
Adding features safely
Token with lockup: design
Goals:
Token with lockup: design
Goals:
Idea:
Token with lockup: code (1/3)
Token with lockup: code (2/3)
Token with lockup: code (3/3)
Token with lockup: code (3/3)
Can you spot the problem?
Can you spot the problem?
Token with lockup: simple fix
Token with lockup: modular approach
Security and Functionality
Crowdsale: modular approach
Crowdsale.sol
Token.sol
What can Software Engineering
teach us on
Smart Contract Security?
Security and Software Engineering
Security and Software Engineering
Security and Software Engineering
!=
Security and Software Engineering
Security and Software Engineering
StandardToken.sol MyToken.sol Token.sol
ERC20.sol Coin.sol
Security and Software Engineering
Security and Software Engineering
Security and Software Engineering
Security and Software Engineering
Security and Software Engineering
Security and Software Engineering
Security and Software Engineering
Security and Software Engineering
Security and Trust Reduction
Security and Trust Reduction
Security and Trust Reduction
Add tokens for the Foundation please. This ERC20 token will be GREAT!
Security and Trust Reduction
Add tokens for the Foundation please. This ERC20 token will be GREAT!
Sure boss!
Security and Trust Reduction
Security and Trust Reduction
But make it
��TRUSTLESS
Security and Trust Reduction
Security and Trust Reduction
msg.value = 0
“Sometimes, it’s totally OK to reduce trustlessness in order to increase security”
Open Problems
in Smart Contract Development/Security
Pending Problems
upgradability
gas costs
code duplication
interoperability
Pending Problems
upgradability
gas costs
code duplication
interoperability
Code Duplication
Upgradeability
Upgradeability
Scheduler and Marketplace
Scheduler and Marketplace
Smart Contract SDK
Manuel Araoz
@maraoz
Thanks! We’re hiring!