Ethereum
DevCon2 turned its focus to security

Day two of Ethereum DevCon2 in Shanghai began with a firm focus on security and smart contracts. This is not surprising given the testing year the community has had thanks to the ill-fated DAO contract, which saw some $60m drained from a contract on the network via a recursive withdrawal attack. The hard-learned lesson was not to trust untested contact code with large amounts of money.

Ethereum security experts have clearly been working hard on this. Joseph Chow, CEO, BTC Relay opened with a screen shot of the offending lines of the DAO code: "one line of code that changed blockchain history."

Chow offered some governing points for smart contract developers. First, prepare for failure; this is not to expect defeat but to prepare for unknown unknowns. Second, roll out carefully; third, keep contracts simple.

Chow suggested some prudent measures such as emergency calls, whereby a server could make calls to contracts every second and if anything untoward is happening regarding withdrawals, funds could be sent to a workshop, rather than to an attacker.

He also cautioned: "Avoid calls to untrusted contracts. This means any contract you have not written yourself. Assume untrusted contracts are malicious."

In detail, he advised the use of "Send ()" and avoid "call.value ()()". The former does not give attackers enough gas to do damage (only 2,300 gas).

Also providing well-measured advice was security expert and Dapp developer Raine Rupert Revere. She said developers can look for specific "code smells". This sounds informal but it can usefully inform investigation.

Static analysis of source code can detect risky or potential vulnerabilities. This can be done by parsing the code to create abstract syntax trees. "Think of it a map of a code; code that reads code."

To this end, Revere has created a Solidity parser and small library called Solgraph. She showed how certain risky functions in the source code can be highlighted in red. So things like "getbalance" are static so pose no risk; functions like "mint" are not called from outside the contract so are highlighted in grey and pose no risk; while "withdraw" is where the risk is and this is highlighted in red.

She talked through three types of developer cultures who bring different truths to the table and have different blindspots. Firstly, web developers who work in Javascript and Python and value simplicity. These guys work at a high level and lack the intuition to see risks to the virtual machine (VM).

Next are system engineers, who are experts at understanding implications and consequences, but who undervalue abstraction — and the right level of abstraction is needed. Third are academics, who can establish rigorous solutions, but they are a small group and these things are sometimes impractical and difficult to incorporate.

Revere added another group of players who should be mentioned, the non-developers. She said these people in the world of enterprise and marketing are essential to the ecosystem of course, but must learn to trust the developer community.

She said this group is often the source of speculation, pointing specifically to the sort of speculation on ether which followed the DAO attack and which filled the media.

"One contract taking down the entire Ethereum network would be like saying one website went down so, oh, the internet is broken," she said.