As a software company that specializes in modernization projects, helping teams guard against security vulnerabilities is a big part of our work. Most people...
Creating Secure Smart Contracts for the Blockchain
Originally posted to the Corgibytes Blog on 31/Oct/2022 as Creating Secure Smart Contracts for the Blockchain
As a software company that specializes in modernization projects, helping teams guard against security vulnerabilities is a big part of our work. Most people think this work only applies to large legacy systems that are running Java Enterprise or .NET. While we definitely work on those projects, security vulnerabilities can creep in on even the newest of projects.
Security vulnerabilities are something you want to avoid in pretty much any industry, but when it comes to people’s money and sensitive information, the stakes are even higher. Given all the buzz around Decentralized Finance (DeFi), I was curious — how are teams in this space doing when it comes to managing their security vulnerabilities?
Solidity, the most common programming language for writing Smart Contracts (computer programs that are hosted and executed on a blockchain network) on Ethereum and Ethereum Compatible (EVM) blockchains, is a powerful language. However, there is a caveat, writing secure Smart Contracts without vulnerabilities is much harder than just learning the correct syntax and getting the contract to compile and execute. And learning lessons of the vulnerabilities that can arise in a contract has been very expensive, into the millions and even billions of dollars. There is a lot of great work being done to help mitigate the vulnerabilities and the risk of funds. However, in almost all cases, especially in recent months, the loss very likely could have been avoided by enforcing good software development practices, most notably code coverage rules and requiring code reviews.
A Bit of Background About Smart Contracts
Like many people, I had been hearing the murmurings of Bitcoin, The Blockchain, Smart Contracts and Crypto Currencies over the past several years. At first, I mostly dismissed it as another technology trend that sounded interesting and probably had a lot of merit, but nothing that I should let distract me.
However, toward the end of 2021 The Blockchain started becoming more and more interesting to me. I began digging into it little by little, gaining a deeper understanding of the core Blockchain technology, Smart Contracts, Mining, and DeFi. As a software developer who has spent many years creating, maintaining and upgrading new and old software, the immutability of a Smart Contract really struck me. In an enterprise development environment, the goal is to release quickly and often. The idea of not being able to update or modify the contract once it has been deployed was a bit mind blowing, and something that took some time to really comprehend.
This made me wonder how someone could write an immutable Smart Contract. I would assume with an overabundance of tests and rigorous code reviewing. Otherwise, how would you know that it is doing what it is supposed to do and not doing the things it is not supposed to do? Additionally you have to know this with certainty before the contract is deployed.
Along the way, I began learning about what promises to be a useful subset of Smart Contract projects, which is commonly known as DeFi. DeFi is an umbrella term for peer-to-peer financial services on public blockchains. This is a very interesting use case for Smart Contracts and The Blockchain as it has a tremendous amount of potential for many types of people. However, not long after exploring this ecosystem it became apparent that my theory about immutable Smart Contracts being well tested and reviewed before deployment was not true…
The Costs of Vulnerability Mismanagement
In February of 2022 the DeFi project Titano Finance lost $1.9M due to an exploit left by a contract developer. In April of 2022 another DeFi project called Elephant.Money lost $11.2M due to a small coding oversight in their Smart Contract. In a matter of weeks and months, DeFi project after DeFi project experienced some sort of loss in funds and reputation due to exploits in vulnerable code.
Vulnerabilities were created either intentionally by malicious developers or mistakenly by well intentioned developers. Some projects survived while others did not. Millions and millions of dollars were stolen by bad actors. Many of these bad actors likely did not even have crazy hacker skills one might expect for the amount of money stolen. Some of these exploits simply took advantage of sloppy coding and development practices while others were due to these projects having untrustworthy contractors or employees who created the vulnerable code intentionally.
The publicity this draws can lead more and more people to the idea that The Blockchain, more specifically, DeFi, is the Wild, Wild West all over again: no enforceable laws, malicious actors, and a generally dangerous and unpredictable landscape. This can lead many people to shy away from crypto currencies, The Blockchain and DeFi specifically. But is it really the Wild, Wild West again? And if so, does it have to remain that way? Let’s explore a bit to understand possible ways to solve the problems.
Taming the Wild West
But first, a caveat. Let me be up front and tell you that I am not a historian. Almost all of my knowledge and understanding about the Wild, Wild West comes from Hollywood’s portrayal of the era, so it’s important to acknowledge that we are leaning on tropes here. The metaphor is still useful to communicate the ideas I wanted to explore in this post, so let’s go with it for now.
Back to the analogy: The West that was once considered so Wild and lawless long ago is now considered some of the best land with some of the most desirable places to live in the country. How? Well, sure some of it was due to rules and regulations of governments and their enforcement, in two words: The Law. But, another contributing factor was good people with the right tools and abilities that desired to help tame the Wildness of “The West”. Some people, farms, towns and cities hired these people of good character and merit to help protect them from the dangers and maliciousness of that time. These benevolent characters brought peace and security to the areas under their responsibility.
Well, this same idea is also becoming part of the landscape in DeFi specifically and The Blockchain as a whole. There are good people with the right skills, abilities and character who are helping tame this new wild, wild west and trying to make it safe for all. One such developer was paid $6M by Aurora Labs for saving 70,000 ETH (worth about $210M at the time the bug was reported). Another developer was paid $10M for finding and fixing a bug in Wormhole bridge. Projects like Code4rena and Immunefi are helping match DeFi projects with developers who have the skills to help find and resolve vulnerabilities before funds become at risk. Organizations like OpenZeppelin, ConsenSys and Gnosis are helping developers build better and more secure Smart Contracts in the first place with helpful tools and libraries.
Where Do We Go From Here?
Even though DeFi might feel new and shiny, it’s still susceptible to many of the same problems of any other software system. As the DeFi industry matures, here are some ideas for teams who are looking to scale safely.
Balance Optimism with Diligence
When we’re overly optimistic, we can inadvertently ignore important problems. Over the years, we’ve found diligence to be an excellent counterbalance to optimism bias. Adopting a pragmatic stance helps us spot problems early, when they’re easier, cheaper, and safer to resolve. As mentioned earlier, in a number of the cases, diligent code review practices quite possibly could have caught vulnerabilities before they had been released to the blockchain and put funds at risk.
Cover Critical Code With Tests
Think of your automated test suite as a safety net. All of your critically important logic, especially anything that has to do with financial transactions, should be covered by tests. Unfortunately, one of the big challenges in building Smart Contract tools such as solidity-coverage, which can help you determine which logic is and isn’t covered, are still in their infancy. If you want help getting started, overcoming inertia, or maintaining momentum on these efforts, Corgibytes is happy to help.
Code with Compassion
If you’re writing code in the DeFi space, remember the importance of empathy, which is at the core of the Corgibytes culture. At the end of the day, what you’re building has a real impact on real people. Don’t lose sight of the humanity in your work.
Watch Out for Hero Culture
As the industry moves away from its Wild West roots, it’s tempting to hail the heroes who come in and save the day. However, celebrating heroes can backfire. It creates an environment where people are incentivized to create and hide problems.
Calm the Chaos
New ideas are exciting, and sometimes a bit of short-term stress can help a project cross a major milestone. But when a culture of urgency becomes the norm, it’s easy for even the most diligent of developers to make mistakes.
Remember that Trust Isn’t Absent
While the big appeal of DeFi is the chance to make profits off of what promises to become a digital alternative to Wall Street, there is still a need for Trust. One of the promises of blockchain technology is the idea of Trustlessness. Without going into a lot of detail about the merits and drawbacks of Trustlessness, the basic premise is that the parties involved in a transaction do not have to trust each other as long as they can trust the contract. But therein lays the challenge with DeFi. The DeFi contracts that have come on the market have rather complex logic, making it difficult for the average investor to read and understand them. Trusting the contract in this context is all but impossible, unless you know the contract language and the possible vulnerabilities that could expose your investment. Which means trusting the developer who created the contract, if they are even known1. This has created an opportunity for Contract Audit companies to certify the contract, ensuring it does what it claims to do and nothing more. But this just moves the trust relationship one step further down the path, as in, how to know the audit company is trustworthy. And even if it is, is the audit report even understandable enough to have confidence in the contract.
The point is, with all the marketing hype around blockchain technology being Trustless, there is still a certain amount of trust in one third party or another that must be taken into account.
Carefully Manage Your Deployments
This shifted burden of trust shouldn’t be taken lightly. If the development team wants to establish itself as a trusted entity, it must take care when developing and deploying contracts. Not just by ensuring a trusted audit company has certified the contract or is able to do so, but by incorporating good development practices and processes.
Given that deployed contracts are immutable2, before changes are accepted into the production version of the Smart Contract, the code should be rigorously tested and reviewed. There should also be an ability to roll back changes prior to release, quickly if needed. While there is no guarantee that a Smart Contract will be free of bugs or vulnerabilities, proper development practices and additional oversight can help reduce them considerably.
At the end of the day, when it comes to vulnerability management, a Smart Contract isn’t that different from other software systems. While DeFi is an exciting new technology, it’s important to realize that software developers in this industry have an even greater responsibility to care for their codebases. Over the years, we’ve learned that values such as pragmatism, patience, empathy, and technical excellence are some of the best ways to defend against software system vulnerabilities, no matter how old — or young — the technology is.