Smart contracts are vulnerable to attacks, that is the conclusion reached by the OpenZeppelin team, the company that creates tools for developers and performs security audits for systems distributed through smart contracts, the blocks that make up the Ethereum network and the responsibility for the transfer of millions of dollars.
The UK-based company, founded in 2015, boasts having networks worth more than $ 4.5 billion built using its systems. In addition to security audits for decentralized applications (Dapps), the company also builds an open-source infrastructure to make it easier for new developers to create complex applications on the blockchain.
If the decentralized applications were arteries, the smart contracts would be the blood that circulates through them. Any defect within this code could be a problem for a company, which in this system would be like the human body. However, there are doctors who in our analogy would be the OpenZeppelin team.
Earlier this year, MakerDAO, the Decentralized Autonomous Organization (DAO) behind the stablecoin DAI, announced a critical security update after a vulnerability was discovered in the smart governance contract.
The problem that arose in the voting system for the governance of MakerDAO originated in a vulnerability in the operation of smart contracts implemented for the voting process, which was discovered during the second round of security audits, which at that time He was part of the work carried out together with the Coinbase and OpenZeppelin cryptocurrency exchange house. An important achievement for the security team’s developer team.
On these aspects, Iván Gómez de CriptoNoticias spoke with Martin Abbatemarco and Juan Carpanelli, representatives of OpenZeppelin in Argentina.
What have been the most frequent vulnerabilities or the most common errors they encounter when reviewing contracts?
The last one we found is the most interesting, which was found on Maker, one of the biggest processes we made with millions of dollars supported by their contracts. Zeppelin ended up finding a very important vulnerability in the Maker voting system that led to Maker’s smart contracts having to be looked at in order to avoid that vulnerability, so that was one of the most important.
What happened was that problems were found in business or smart contracts. They are not vulnerabilities associated with Ethereum in particular or with the Ethereum base protocol, but simply we found errors in the programmers and therefore they ran some bad or somehow wrong function and we as attacking vitality system, we just had to find them and attack them and well it went right.
And precisely those errors are of adequacy of the contract, of the business idea?
Yes, fundamentally that is. Sometimes they are not very clear about the specifications of their projects and we need these specifications to try to understand between what the code does and what the code wants to do. Many times not even the project is clear about what the code wants to do and we manage to find ways to attack the project where they are not expected to attack because they think about the project in a certain way, but we as auditors have the ability to think about the project otherwise
And do you think these errors occur because the number of developers in the ecosystem have not matured enough, or is it due to the lack of talent or experience, or due to some difficulty in the languages?
I think it is a normal issue, because making mistakes is something human and that is inherent in software development and there will always be mistakes. The issue is that here you have to emphasize doing things right because there is a lot of money involved. We have a smart contract, it’s not like any software, and if someone finds a vulnerability before we find it or before the contract owner finds it, it can be exploited and there are investments at stake, and that’s why we have to do More emphasis on that part. But it is inherent in the software development cycle. There will always be vulnerabilities and the issue is to take it to a process in which you can mitigate all that in the best way.
And in terms of blockchain language programming issues, especially in Ethereum, where it has been talked about that Solidity is a more or less complicated language, just like the Bitcoin language, they are difficult languages to develop. How do you see this area, there is more maturity in development, are there searches to make a simpler language for safer developments?
There are other languages, there is also Vyper which is a language very similar to Python and yet Solidity is the language that is most stable today, which we also recommend using. Even our smart contracts in Zeppelin are made in Solidity, the new ones in Zeppelin (contracts) too. There is a community behind Solidity, of very intelligent human beings who have made a language something that is quite green, something that has matured enough. And if I had to recommend a language, it is certainly Solidity.
What is Zeppelin doing now, what are the next projects? What do they have on the table? How is the company moving forward?
The company basically today consists of two teams: the research team , which is basically engaged in project audits. There is, on the other hand, the platform team that is composed of two edges: the contracts that are all known as OpenZeppelin contracts and the platform edge that are responsible for having everything to create the smart contract , upload them to a blockchain, to be able to make a Dapp and communicate with those contracts in an easy, fast, simple way, without having a super-deep knowledge of what it is, not only software development in general, but blockchain development.
Additionally OpenZeppelin is working on a set of products for Ethereum developers , which includes contracts, SDKs and starter kits. They also work at Gas Service Stations for meta transactions. It is a decentralized network of retransmitters that are used to send ETH transactions without end users paying for the gas normally charged for the cost of the transactions.
The Stations Gas Service (GNS for its acronym in English) emerged as an alternative to the barriers to widespread adoption of criptomonedas, in the case of network ethereum require interact with multiple applications, install extensions and pay solution by gas, among other requirements for the user.