Good morning/afternoon/evening, I am working on a school research assignment regarding the smart contract security challenges, and there is a requirement for us to engage with a practitioner with deep expertise in blockchain and smart contracts, to seek some comments for the solutions aiming to overcome the smart contract security challenges, just wondering if you are interested in have a look at the solutions and give some short feedback(it can be very short) if you don’t mind, many thanks.
Establish upgradable smart contracts via separating business logic and data storage into separate contracts, and upgrade (Contract migration based on versioning) on demand to mitigate any potential losses via early detection of vulnerabilities and quick response.
Establish the standardization of the process for establishing well-secured smart contracts, and provide a comprehensive guide for practitioners during development, such as mitigation measures to common security risks according to best practices.
Develop a scalable deep learning model based on comprehensive vulnerability datasets, which helps automated vulnerability detection.
Establish a reward mechanism for detecting vulnerabilities, users who contributed to the security improvement of the open-source code base will be rewarded, motivating the community to develop automated security monitoring tools to realize large-scale detection more effective.
Hey there, sounds like an interesting assignment, I’ll share some of my thoughts based on what I’ve worked with.
This brings to mind the Diamond pattern (EIP-2535) which has similar upgrade and extension patterns for discrete pieces of business logic (facets) and storage. Upgrades work similarly as to how they work with proxies, with similar security concerns if the upgrade is not done in a trustworthy process. Since the proxy could potentially be changed to a malicious upgrade, added processes such as multisig approval or governance systems are generally used to address the additional security concerns. In some cases immutable core contracts used alongside upgradeable contracts is more appropriate.
This is something I’m definitely an advocate for, best practices are necessary to advance the state of the industry. OpenZeppelin is a very popular source of this in practice, at least for certain core contracts and code. Any time I come across a new organization that’s trying to build repositories of best practices I’m always interested, so this strikes me as a good solution.
This would be useful, though practically it isn’t too far from the tools in use today. For reference I tend to follow the practices in this guide A guide to smart contract security tools | ethereum.org which includes fuzzers and symbolic execution. A deep learning tool would be ideal for supplementing audit services like Certik, which currently fulfill much of this role of detecting commonly known vulnerabilities.
Bug bounties are an excellent tool in my opinion, and could certainly be expanded across whole ecosystems rather than individual protocols. Immunefi is one popular board I’m aware of that contains bounties for many different protocols, though there are many others as well.
As a legal engineer, we have observed upgradeable contracts (using proxy or that diamond EIP protocol) to be vulnerable. The problem is that a upgrade you are essentially doing a time-shifted RPC which potentially could change in future, which if you lose control of administering the contract, can be fatal if that RPC gets subverted.
The alternative to 1. is to have versions of smart contract suite (using static analysis and backwards regression testing) and upgrade in lock-step … this could be part of a DevOps cycle/process
Chicken & egg problem … you need skilled security professionals to categorise vulnerabilities and enough corpus to train … in theory this is a more comprehensive solution that augments 2. but getting the behavioural economics right is tough as otherwise incentive to exploit vulnerabiliy rather than reveal
This is the social aspect which complements 3.
There is no right answer, in practice (eg IP appropriation) you have a mix of law (bright line test), technology protective measures, social reframing (notice how Apple shifted from rip-burn-mix advertising towards their walled app garden) and economics (giving a legit avenue for subscribing to tracks instead of overpriced albums).
Thank you so much for such detailed answers HomicidalChicken, your given answers are really meaningful and it is really helpful to hear the thoughts from an experienced practitioner
It’s my pleasure to contribute to this. In a way to make a smart contract more secured one need to be aware of the following:
Putting down more safe smart contract with it’s essential rules followed by leading organization. Write customer checks and properties with Slither, etc. Also, implement security for the wallets of your privileged users using cryptography.
Intermittently carryout a smart contract security audits and penetration testing. You can easily do this by organizing a bug bounty program by defining a proper scope and outsourcing penetration testing if you don’t have an experienced security team available in your organization.
Check out automated security scans for a smart contract. This can help you with the security analysis of your smart contract. It can help you identify bugs in the code that can lead to security vulnerabilities and can also help you prevent tons of attacks. You can use this open-source security scanner for Ethereum smart contract which is supported by Ethereum Foundation called Securify.
Use a trusted Blockchain tools for example, SWC-registry, MythX etc; for design, security, development, auditing and exploiting.
@jackma I appreciate your work, and I believe I may have come across something related to this subject. After all, this subject is frequently discussed, and everyone seems to be interested in it.
There are a few difficulties that must be overcome when creating smart contracts.
•The question of scalability comes first. Smart contracts must be able to process lots of transactions without the network stuttering.
•The second concern is one of security. Smart contracts must be protected from attacks and hacks.
The issue of energy efficiency comes in third. The energy needed to run smart contracts must be kept to a minimum while designing them.
•Fortunately, these challenges can be resolved;
-For instance, cutting-edge protocols like Plasma and Sharding can address the scalability issue.
-As for the security issue, new technologies like zero-knowledge proofs can be helpful.
Regarding the problem of energy efficiency, it is something that can be solved by optimization and intelligent design. You might think about POS over POW if the issue is at the protocol level.