Smart Contracts and the new Security Challenges
101 Blockchains define <<smart contract security is the collective term for security principles and practices leveraged by exchanges, developers, and users during the creation of smart contracts and interactions with them>>.
Let’s face it, smart contracts pose new security challenges to software security officers. As opposite to conventional software applications, once a smart contract is deployed onto a blockchain, it cannot be changed or deleted. This means that any bugs or vulnerabilities in the code are permanent and can be exploited by attackers.
There have been a number of high-profile smart contract security breaches in recent years, resulting in the theft of millions of dollars worth of cryptocurrency and other assets. As a result, it is essential for developers, users, and businesses to be aware of the security risks associated with smart contracts and take steps to mitigate them.
I’ll dig into this topic more in detail in one of the next articles, but just as a first input, common smart contract vulnerabilities include:
· Reentrancy: This vulnerability occurs when an attacker can repeatedly call a function within a smart contract to steal funds or other assets.
· Integer overflow: This vulnerability occurs when an arithmetic operation results in a number that is too large to be stored in the variable type. This can allow an attacker to overflow a variable and steal funds or other assets.
· Denial of service: This vulnerability occurs when an attacker can prevent a smart contract from functioning properly. This can be done by sending a large number of transactions to the contract or by exploiting other vulnerabilities.
· Front-running: This vulnerability occurs when an attacker can monitor the blockchain for pending transactions and place their own transactions ahead of them in the queue. This can allow the attacker to profit from the pending transactions, such as by buying assets at a lower price and selling them back to the legitimate trader at a higher price.
There are a few other potential vulnerabilities that are not trivial, including faulty logic and dodgy oracles. As promised, I’ll get back to this in one of the next articles, as well as presenting some best practices for smart contract security. Very briefly for now, you can read tons of articles that recommend the use of secure coding practices, conducting formal verification, and performing extensive testing. Absolutely, all good tips. But who doesn’t do it already! (and if you don’t, well, time to start doing it, then!).
Very critical to have a strong security posture in smart contracts is all of the following:
· Limit access to smart contracts: Access to smart contracts must be limited to authorised parties only. Developers can use access control mechanisms such as the require() or assert() functions to restrict access to smart contracts and ensure that only authorised parties can execute transactions.
· Use a formal verification tool: Formal verification tools can be used to analyse smart contracts for potential vulnerabilities. These tools can help to identify and fix bugs before they are deployed.
· Use multi-signature wallets: Smart contracts that manage large amounts of cryptocurrency must be secured using multi-signature wallets. Multi-sig wallets require multiple signatures to execute a transaction, reducing the risk of unauthorised transactions.
· Use auditing services: Auditing services are designed to review the smart contract code and identify potential vulnerabilities. Developers can use third-party auditing services to ensure that the smart contract code is secure and free from vulnerabilities. Auditing services can also help identify potential coding errors that may have been missed during the development process.
BlockChainSentry, a startup that offers products and services to the blockchain security market, correctly writes in their blog on why security audits for smart contracts are important. Speaking of DeFi specifically, <<a smart contract audit report is mandatory for crossing the bridge and deploying the smart contract on the blockchain network for peer-to-peer transactions>>.
If not enough convincing yet, the already mentioned 101 Blockchains warn you that <<trivial errors in smart contract code can cost an organization millions, or even billions, of dollars>>.
BlockGeeks go deep into the infamous hacked DAO story by saying that << In 2016, someone exploited this very loophole in the DAO and siphoned away one-third of the DAO’s funds. That’s around $50 million dollars>>.
For your consideration, the Duke University has a professional course about Blockchain and Smart Contracts Security, a sign that the interest in the market is vivid and security professional must be formed with proper academic preparation.
(I’m not associated with the Duke University, I’m just reporting this information :-).
In the next article, I’ll talk about growing a smart contract security mindset and introducing regular and automated smart contract security best practices in your secure software development lifecycle (S-SLDC). We’ll also have a look at common tools and techniques for SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) of smart contracts, and the Smart Contract Security Verification Standard. Stay tuned!
References
101 Blockchains, A Guide To Smart Contract Security, Oct 2022, https://101blockchains.com/smart-contract-security-guide/
BDO, Ensuring the Security of Smart Contracts in Blockchain Systems: Challenges, Best Practices, and Future Directions, May 2023, https://www.bdo.com.sg/en-gb/blogs/bdo-cyberdigest/may-2023/ensuring-the-security-of-smart-contracts-in-blockchain-systems-challenges-best-practices-and-futu
BlockChainSentry, Why Security Audits For Smart Contracts Are Important , May 2022, https://blockchainsentry.com/blog/why-security-audits-for-smart-contracts-are-important/
BlockGeeks, Why are Smart Contract Security Audits So Important?, Feb 2021, https://blockgeeks.com/smart-contract-security-audits/
