When Smart Contracts Act Stupid: Is Your ICO Smart Contract Safe & Secure?
The potential inherent in smart contracts is immense. The nascent technology may be used for identity verification, secure data sharing, and for the management of tokens and raised funds in an initial coin offering/token sale – but just how clever are your smart contracts?
The Ethereum network boasts more than 1500 decentralized applications (dApps), all of which make use of smart contracts to accomplish a wide variety of tasks. The problem with smart contracts, however, is the fact that they are code-based and thus inherently prone to mistakes – some of which can be nothing less than catastrophic.
Smart Contract Basics
To put it simply, a smart contract is a code that contains a set of rules and executes automatically, without a third party, if the rules of the contract are met. This differs greatly from a paper contract, which is always enforced by a third party.
However, because smart contracts are code based, they are prone to errors, bugs, and weaknesses – which put funds at risk of theft and manipulation.
When Smart Contracts Act Stupid
One of the most notorious examples of a poorly-coded smart contract came from the Decentralized Autonomous Organization (DAO), which was designed to fund cryptocurrency projects not determined by any one person or group. Essentially, DAO token holders were allowed to vote on the projects which merited funding – which led to a total purchase of $250 million in ether before tragedy struck.
Two sections of the code in question were responsible for the collapse of the much-hyped DAO project, which resulted in a controversial hard fork of the Ethereum blockchain into Ethereum Classic.
The two functions responsible were ‘splitDAO’ and ‘withdrawRewardFor’ — though they were not vulnerable by themselves. Together, however, hackers were able to vacuum up 4 million ether. Consequently, the Ethereum community was more-or-less forced to perform a 51 percent attack on its own blockchain, re-writing it as though the stolen funds were never lost.
Another and more recent bug was discovered in the smart contract used by Parity. The smart contract in question was exploited and resulted in the loss of half a million ether — worth upwards of $169 million. 70 wallets were frozen and access to the money held within was lost.
Parity actually admitted to having been warned about the flaw months before the bug was triggered. However, they did not fix the issue, later stating:
However, rather than just having more audits, we strongly believe that more extensive and formal procedures and tooling around the deployment, monitoring and testing of contracts will be needed to achieve security. We believe that the entire ecosystem as a whole is in urgent need of such procedures and tooling to prevent similar issues from happening again, in particular, if and when the number and complexity of live contracts grows.
Parity was hacked again via smart contract vulnerabilities in June 2017, resulting in the theft of 150,000 ether.
What’s Wrong With Ethereum-based Smart Contracts?
Ethereum’s main problem is that it’s largely constructed in Solidity – an advanced coding language. As such, many programmers must learn an entirely new coding language, which increases the chance of human error.
Unfortunately, many new projects lack the experience and/or time to properly audit their smart contracts. This is where solutions like COINAdmin come in – which assist in the completion and subsequent audit of smart contracts and verify that the code is free from vulnerabilities.
COINAdmin has a dedicated team of blockchain developers who specialize in the development of ERC-20 and ERC-223 smart contracts. It also fully supports thorough third-party audits and handles everything on the technical front – affording ICO teams the ability to focus on other aspects of their business ventures.
What do you think about smart contract vulnerabilities and companies like COINAdmin? Let us know in the comments below!
Images courtesy of AdobeStock