Be afraid. Be very afraid. Those are the words that should have been pinned to the wall at the office of Parity, the Ethereum wallet company that let buggy code in one of its smart contracts out into the wild. Millions of dollars later and no one is sure whether the bug has been truly squashed.
Parity got the auditors in to test the code to destruction. The code survived intact until the powers that be at the company decided in their infinite wisdom to tweak the code and in so doing introduce a bug where none had existed before. Not just a silly mistake but a very expensive one that went on to impact the entire Ethereum network. The Parity mishap ultimately led to the loss of $300 million worth of ETH, at November 2017 prices, which was when the problem arose.
And then there was the mess at CoinDash in July last year – the initial coin offering website was penetrated by bad actors and $10 million of client funds vanished. Hackers had managed to change the receiving address for ETH contributions to one under the control of the criminals. The sale had to be abruptly ended.
The previous year, in 2016, the sector saw probably the most famous smart contract debacle with the case of The DAO, which “lost” $150 million worth of contributions to the project. The DAO was an object lesson in the importance of the timely squashing of bugs.
The DAO code had some vulnerabilities that were openly discussed in the community. Among them was a “recursive call bug”. By setting up a “child” DAO that mirrored the structure of the real thing, a hacker was able to drain funds out of the smart contract holding the ETH tokens.
These are salient and obvious lessons that underline the fact that a blockchain project lives and dies by its code.
It’s disasters like those of Parity, CoinDash, and The DAO that keep the leaders of blockchain projects up at night. They don’t do much for the professional pride and career prospects of the coders either.
Solid solutions needed
There’s a way to avoid these nightmares and it entails spending some money on an audit carried out by a reputable and competent outfit.
The lackadaisical attitude of management teams is really quite shocking, and even more so in the face of the clear and present danger. In an indication of the scale of the problem, accountancy firm Ernst & Young estimates that 10% of the funds going into initial coin offerings last year was lost or stolen. That equates to a massive $400 million of the $3.7 billion.
Ok, so you think this is just a problem afflicting small teams perhaps lacking in experience? Nope.
Coincheck is (or was) one of the largest cryptocurrency exchanges in Japan. It had $534 million of client funds stolen in a hack of the hot wallet holding XEM coin. The chief executive of Coincheck is probably kicking himself that he turned down the offer – assuming he had one – of a website penetration test from a firm of software auditors, presumably relying instead on the in-house systems and its team of developers. Big mistake.
Custody has been a problem for crypto from the outset, but the well-documented persistence of the security issues relating to storage is only changing attitudes and practices at a frustratingly glacial pace.
Certainly, if a project wants to get the backing of venture capital firms specializing in blockchain investments such as Pantera Capital for instance, then an audit is a must. So chasing venture funds would be an incentive for change. However, most projects don’t go down that route. How, then, is the mindset of project management to be transformed at a quicker pace?
Secure code is a must
Regulation would be one way, taking matters out of the hands of the project itself and making an audit a statutory fiduciary duty, as it is for the financial accounts of companies to be audited. However, that might lead to the sort of regulatory overreach that crowds out innovation, although if the industry does not move to self-regulate in such areas it may invite such an outcome, given the current state of affairs.
The phenomenon of one ruining it for the many shows that it is in the interest of the industry as a whole to secure best practice among its constituent members.
While we wait for influential industry participants – such as Consensys perhaps – to take forward discussions, with a view to an agreement on some basic standards that smart contracts can be validated against, it is incumbent upon those in charge of blockchain projects to make sure they prioritize some critical tasks.
First, hire auditors to check the smart contracts and to run penetration testing on the project website. The smart contract audit should include GPG signature verification for all commits in the project's software repository on GitHub.
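One way to carry out the commit-signature check recommended above, as an added example that is not part of the original article or any auditor's tooling: a POSIX shell function that reads `git log --format='%H %G? %an'` output and reports every commit whose signature status is not good. The function names, the pass-only-`G` policy and the sample log are assumptions of this example.

```shell
# Added example: flag commits whose GPG signature status is not "good".
# Input lines come from:  git log --format='%H %G? %an' <range>
# %G? codes (git-log documentation): G good, B bad, U good/unknown validity,
# X good but expired signature, Y good but expired key, R revoked key,
# E cannot be checked (e.g. missing public key), N no signature.

explain_status() {
    case "$1" in
        G) echo "good signature" ;;
        B) echo "bad signature" ;;
        U) echo "good signature, signer key not trusted" ;;
        X) echo "signature expired" ;;
        Y) echo "signed by an expired key" ;;
        R) echo "signed by a revoked key" ;;
        E) echo "signature cannot be checked (missing key?)" ;;
        N) echo "no signature" ;;
        *) echo "unknown status" ;;
    esac
}

# Reads "hash status author..." lines on stdin; prints one line per commit
# that fails policy and returns 1 if any did. Policy (an assumption of this
# example): only status G passes, so untrusted or missing keys also fail.
audit_commit_signatures() {
    failed=0
    while read -r hash status author; do
        [ -n "$hash" ] || continue
        if [ "$status" != "G" ]; then
            echo "FAIL $hash ($author): $(explain_status "$status")"
            failed=1
        fi
    done
    return "$failed"
}

# Constructed sample (hashes and authors are made up), standing in for
# `git log --format='%H %G? %an' origin/main` in an audited repository.
sample_log() {
    cat <<'EOF'
1111111111111111111111111111111111111111 G Alice Example
2222222222222222222222222222222222222222 N Bob Example
3333333333333333333333333333333333333333 U Carol Example
4444444444444444444444444444444444444444 G Alice Example
EOF
}

sample_log | audit_commit_signatures || echo "unsigned or unverifiable commits found"
```

Against a real repository, the auditor's keyring must hold the developers' public keys, otherwise signed commits show up as `E` rather than `G`.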
The project whitepaper must inform the reader that an audit has been successfully completed. The firm hired to conduct the audit should be able to show a proven track record of competence, and this information should be communicated to potential investors.
Additionally, projects should not be shy about trumpeting the thoroughness of the audit as part of their overall public relations efforts; it will make the project more attractive to potential investors if they can see at a glance, on ICO listings sites such as TokenMarket or by registering with blockchain services and listings company CoinList, that the project’s smart contracts and website are safe to interact with.
The leadership to deliver
And when thinking about auditing, it is not just security that should be a concern.
It is also important that the project leadership makes sure the smart contract does, in fact, do what it is meant to and that it does so efficiently. Badly written Solidity code can be expensive to execute on the Ethereum blockchain. Performant code matters! And don’t forget to advertise that the project has a bug bounty platform to reward security consultants and experts.
Only after the audit has been satisfactorily completed should a token sale be opened, whether as a private sale, pre-sale or public sale.
Leaders in the auditing space include companies such as Hosho, which will help projects to nail down safe and secure smart contracts and websites. Founders Yo Sub Kwon and Hartej Sawhney have forged partnerships with TokenMarket and CoinFabric, who provide ICO launch services for blockchain start-ups. The pair, and the company they represent, seek to provide the thought leadership that can raise standards across the sector through the excellence and leadership of Hosho’s blockchain security offering.
It’s not worth cutting corners on securing your project and the applications that are intended to run on it, from ICO to live product.