Smart contract vulnerabilities remain a clear and present danger

In January Ethereum was forced to postpone its hotly anticipated Constantinople upgrade at the last minute, in response to a security flaw that could have allowed for smart contracts to be exploited for additional funds. ETH’s price immediately felt the pressure from this, dropping 11% in a few hours after a strong rally to that point. Much optimism had surrounded the update, in particular the “thirdening”, or reduction to mining rewards of 33%. This would have reduced Ethereum’s inflation rate along with introducing code optimization and reduced fees for smart contract storage.

The security flaw in question was a potential for “reentrancy attacks” exploiting code in EIP 1283, allowing attackers to steal funds in a worst case scenario. This has been theoretically possible for a long time, but the inhibitive price of smart contract storage prevented an attacker from pursuing this route. Constantinople would have reduced this price, and so developers were forced to delay the hard fork to work on a permanent solution.

The Ethereum team understands well the consequences of smart contract vulnerabilities. The platform famously completed a hard fork in response to the DAO hack, one of the most notorious events in the industry’s short history. This exploited a “recursive call” to continually request and receive funds from the DAO smart contract to the tune of around $70 million in total.

The DAO, of course, was not developed or led by Ethereum’s team. It was proposed to the world by Christoph Jentzsch, and became an open source venture to raise and distribute funds for projects, as voted on by its stakeholders. But given that 12 million ETH had been crowd-raised, a huge chunk of the existing Ethereum at the time, the community was faced with a difficult decision: “roll back” the exploit with a hard fork and return the affected ETH to its owners, or continue as normal and allow the hackers to profit from any future gains while investors were left out to dry. Though unappealing, the latter is true to the philosophy Ethereum forwarded in its whitepaper and the philosophy of blockchain technology at large — that no individual or organization should have the power to decide which transactions are legitimate or illegitimate. Nonetheless, the fork happened and Ethereum Classic, believing firmly in those principles of immutability, lost out in the long run (likely making the hackers quite wealthy in the process). Perhaps the best article on that unfortunate period comes from Matthew Leising at Bloomberg, and is highly recommended reading.

The key question underlying the biggest blockchain exploits boils down to this: why do the best coders in the space make so many mistakes? It is unfair to accuse the Constantinople devs of any negligence — they did discover the vulnerability and have disabled EIP 1283 with the Petersburg additional patch. But the issue was discovered the same day as the planned launch, so it was very close to being an potential disaster.

Nouriel Roubini (whom we have discussed previously) levelled some inaccurate criticism on the blockchain industry as a whole during his testimony to the US Senate Committee, but one area where his skepticism is well placed is exactly this — smart contract developers and blockchain developers more broadly make an a lot of mistakes. The research he cited found that:

“Smart contracts on Ethereum are worse than even non-financial commercial code; as of May 2016, Ethereum contracts averaged 100 obvious bugs (so obvious a machine could spot them) per 1000 lines of code. (For comparison, Microsoft code averages 15 bugs per 1000 lines, NASA code around 0 per 500,000 lines.)”

Researchers at the National University of Singapore echo these concerns, with their study showing potential vulnerabilities in around 30% of the smart contracts they examined. This is worrying, not because it is an attack on Ethereum but quite the opposite — because Ethereum could well maintain the best community of coders around, certainly in the blockchain space at least. If their key update code has problems like that identified before Constantinople, one might only imagine how many issues exist in other smart contract platforms. Gambling DAPPs seem to be particularly targeted, with one such example on EOS being hit for $200,000 in 2018.

This is a legitimate cause for concern in the blockchain space. Smart contracts and decentralized virtual machines are an almost unfathomably incredible innovation, but will be ever overshadowed if exploits continue to occur. Nobody is expecting perfection on the level of NASA, but smart contract-enabled blockchain projects need to outperform most other types of technology in terms of security. After all, they are dealing with people’s money.

Article by Byron Murphy, Editor at Viewnodes. All opinions are the author’s alone. Viewnodes helps clients establish and maintain masternodes for the currencies which currently support them. To contact us for information on our masternode services, please submit this contact form.

Smart contract vulnerabilities remain a clear and present danger was originally published in Hacker Noon on Medium, where people are continuing the conversation by highlighting and responding to this story.