Discussion: Solutions to smart contract security challenges

Hey there, sounds like an interesting assignment, I’ll share some of my thoughts based on what I’ve worked with.

  1. This brings to mind the Diamond pattern (EIP-2535) which has similar upgrade and extension patterns for discrete pieces of business logic (facets) and storage. Upgrades work similarly as to how they work with proxies, with similar security concerns if the upgrade is not done in a trustworthy process. Since the proxy could potentially be changed to a malicious upgrade, added processes such as multisig approval or governance systems are generally used to address the additional security concerns. In some cases immutable core contracts used alongside upgradeable contracts is more appropriate.

  2. This is something I’m definitely an advocate for, best practices are necessary to advance the state of the industry. OpenZeppelin is a very popular source of this in practice, at least for certain core contracts and code. Any time I come across a new organization that’s trying to build repositories of best practices I’m always interested, so this strikes me as a good solution.

  3. This would be useful, though practically it isn’t too far from the tools in use today. For reference I tend to follow the practices in this guide A guide to smart contract security tools | ethereum.org which includes fuzzers and symbolic execution. A deep learning tool would be ideal for supplementing audit services like Certik, which currently fulfill much of this role of detecting commonly known vulnerabilities.

  4. Bug bounties are an excellent tool in my opinion, and could certainly be expanded across whole ecosystems rather than individual protocols. Immunefi is one popular board I’m aware of that contains bounties for many different protocols, though there are many others as well.

Hope that helps. Good luck on the assignment!

6 Likes