Smart contracts enable people to do extraordinary things! For example, in 2015, two women set out on a journey to create a startup that would allow for a more efficient kidney transplant matching.
In the legal world, smart contract technology can significantly lower the costs of signing a legal agreement since no lawyer or other intermediary is needed. Smart contracts also allow crypto gamers to create, store and transfer NFTs. However, for all of this to function properly, ensuring smart contract security is the key.
In this article, we’ll first briefly explain what smart contracts are and go through their vulnerabilities. But, most importantly, we’ll cover smart contract security and how to ensure it.
Terms and concepts related to blockchain security are pretty technical, but we did our best to keep it simple so you can feel confident about what to do next in your crypto journey.
What are smart contracts?
Smart contracts are pieces of code on a blockchain where a network of computers runs smart contracts once predetermined conditions are met. The logic is pretty straightforward: if/when something happens, something else follows.
Smart contracts are beneficial since they automate the execution of agreements and workflows, helping to save time and minimize costs since no intermediary is needed. All participants can be sure of the wanted outcome.
Think of smart contracts as vending machines!
Image source: unsplash.com
For example, your lobby’s vending machine has a rule that if you insert a dollar, you can get a candy bar of your choice. When you insert your dollar, the vending machine verifies that it’s the correct amount and gives you your snack. This is how smart contracts work, too, except they’re much smarter and more secure.
Image source: dcxlearn.com
So, at the core, smart contracts are pieces of code that:
- Store rules
- Verify rules
- Self-execute rules
Deploying smart contracts
Smart contracts are widely used in the crypto gaming sector, and the business world is also beginning to embrace them. Their ability to execute automatically without intermediaries like governments, corporations and even lawyers is fascinating. There are numerous applications of smart contracts in the financial sector, IoT, supply chain, etc.
Types of smart contracts
The need for smart contract security tools can also depend on the type of smart contracts, so let’s quickly go over the four most popular types of smart contracts. They are categorized according to how programmers use them to create applications.
- Distributed Applications (DApps). DApps are digital applications that operate autonomously on a blockchain in combination with other smart contracts. They are the most common application-based codes that work with smart contracts.
- Decentralized Autonomous Organizations (DAOs). A DAO is a decentralized organization controlled by a group of people who agree with specific rules for a shared goal. Smart contracts are the backbone of these organizations—they define the rules established inside DAOs, which can’t be affected by external entities.
- Contracts of Applied Logics (ALCs). ALCs contain an application-based code that allows for communication across a smart contract with the front-end user interface. For example, ALCs help create and validate communication between IoT devices.
- Smart Legal Contracts – involves strict legal resources and are legally binding(also known as legally enforceable smart contracts). All the contractual agreements set are executed by a computer program automatically.
What are smart contract vulnerabilities?
Here are some of the most common smart contract security vulnerabilities:
1. DoS attacks
The Denial of Service (hence referred to as DoS) restricts authorized users from using smart contracts for a certain amount of time or permanently. Such attacks are done by overloading ports with requests or denying authentication.
2. Unencrypted files
Storing unencrypted information on the blockchain is one of the main threats to smart contract security—you can put your entire network in danger.
3. Not possible to upgrade
By definition, smart contracts are immutable—once you’ve put something on a blockchain, you can’t modify it. However, certain risks come with that, too. For instance, bugs may prevent your smart contracts from running smoothly.
4. Function default
Functions are visible by default, therefore, meaning everyone can execute them.
5. Reentrancy Attack
Hackers can call functions repeatedly, withdraw balances from smart contracts and transfer to unauthorized contracts until no funds are left.
6. Oracle manipulation
If the oracle is corrupted, it can send false information on-chain. For example, with flash loans, a hacker could dramatically increase the “price” of a token and use this manipulated price to receive more funds than they should.
How to ensure Ethereum smart contract security
Ethereum smart contracts are the most common. Let’s quickly look at how you can keep them safe according to the guidelines of ethereum.org.
Image source: unsplash.com
1. Develop your smart contracts according to the best practices
Do your best to write high-quality code.
- Make sure all of your code is stored in a version control system.
- Use pull requests to make all code modifications.
- Hire at least one independent reviewer to check your pull requests.
- Use a development environment when compiling, testing, and deploying smart contracts.
- Before merging each pull request, run your code using Mythril, Slither, or other basic code analysis tools.
- Describe your smart contract architecture in a simple language and document it properly so that others can review your code easily.
2. KISS (keep it simple, stupid)
The KISS principle is widely known among traditional software developers and is just as important when writing smart contracts.
One way to avoid pointless sophistication in your code is to reuse existing libraries like OpenZeppelin Contracts. They’ve been tested numerous times, and you’re much less likely to find bugs in them than trying to write code from scratch.
It’s also advised to create small functions and split business logic across multiple smart contracts—it helps to keep them modular.
3. Implement secure access controls
Functions marked external or public can be called by any network participant. This is necessary if you want them to be able to interact with your smart contracts. However, this may also quickly become problematic if any person can run sensitive operations, such as minting new NFTs.
You must design proper access controls if you want to ensure that no unauthorized use of smart contracts occurs. Two patterns—the ownable pattern and role-based control can help you do that.
4. Guard smart contract operations
Once your smart contract is deployed on the Ethereum blockchain, anyone can run public functions. You should implement internal safeguards beforehand to ensure correct contract behavior. Use these three statements: require(), assert(), revert().
5. Test your smart contracts extensively
Image source: unsplash.com
Since smart contracts are immutable, they require much more testing during their development. Looking for any unpredictable results will significantly increase your chances of implementing a secure smart contract code and ensure long-term user protection.
One of the best methods is to combine property-based testing with unit testing. Use static and dynamic analysis to do that.
7. Have your code reviewed independently
Testing by yourself is not enough, and it’s recommended to ask other developers to check your smart contract for possible vulnerabilities. You can organize a review of your code in two ways: commission a security audit (more on that later on) or set up a bug bounty.
7. Be ready for malicious exploits
Have a fallback plan ready in case someone attacks your smart contract. Such a plan should consist of three parts:
- Smart contract upgrades. While, by definition, smart contracts can’t be altered once deployed, you can still edit them a tiny bit with the help of upgrade patterns. You can read about it in detail here.
- Emergency stops. While upgrade mechanisms may help, they take time to implement, and hackers can still cause you damage in the meantime. So, in case your smart contract becomes too vulnerable after its deployment, you must have an emergency stop ready for untrusted contracts. It will block calls to vulnerable functions in your contract.
- Event monitoring. Logging and monitoring events will give you insights into possible hacker actions. For example, you could write a code that emits an event each time someone runs a critical operation, e.g., withdraws funds. Event monitoring will increase your chances of securing authorized users by performing an upgrade or pausing essential functions.
8. Create secure governance systems
If you want to decentralize your application and give control of key smart contracts to your community members, you need to be aware of the possible risks that come with such a governance model. For example, a hacker could take out a flash loan and carry out a malicious proposal with all the new voting power they’ve just acquired (it depends on the number of tokens held).
Use a timelock to prevent such attacks from happening. It delays administrative actions by preventing smart contracts from running specific function calls until a certain time has passed.
Another option is to assign a “voting weight” to each token. You can do it based on 1) the voting power of an address at a historical period or 2) the time the token has been locked up for.
Both ways help secure your decentralized governance systems by minimizing the potential to gather enough votes to influence on-chain votes quickly.
9. Protect yourself against potential vulnerabilities
Earlier in the article, we’ve listed five common smart contract vulnerabilities: DoS attacks, unencrypted files, difficulties upgrading smart contracts, function default, reentrancy attacks, and oracle manipulation. Below are some tips on how to defend against them.
- Make sure you first encrypt everything confidential before saving it on the blockchain.
- Include failsafe into your contracts.
- Check that all nodes have sufficient processing power and storage.
- Create smart contracts that can be upgraded with proxies and emergency stops.
- Create well-defined functions.
- Prevent reentrancy attacks by following the checks-effects-interactions pattern.
- Avoid oracle manipulation by using a decentralized oracle network that checks information from various sources, helping to steer clear of single points of failure.
Smart contract security audits
Image source: icommunity.io
Minor mistakes in smart contract code can cost you millions. Thus, smart contract developers must carry out security audits before deploying contracts. Plus, frequent security audits help to gather valuable analytical insights like specifics regarding vulnerabilities.
Here are the three standard steps of a security audit process:
- Auditors gather details on code specifications to understand the objectives and scope of the smart contract in question.
- You either get a manual or automated audit. Manual audits are usually more efficient since auditors don’t need to depend on software.
- Auditors draft the security audit report. It’s usually done after the initial stage of the audit has been completed. In this report, you should find your code issues and recommendations for resolving them. Once the issues are fixed, the auditors should provide you with the final report highlighting which remedial measures were implemented.
Smart contract security tools
Here are a few useful tools for ensuring a smooth smart contract development:
- Testing tools and libraries – for analyzing smart contracts and checking code accuracy.
- OpenZeppelin Defender Sentinels – for automatically monitoring smart contracts and responding to events.
- OpenZeppelin Defender Admin – for secure administration of smart contracts.
- ConsenSys Diligence – smart contract auditing services (note that this is just one of the plenty possible providers of security audits).
- Immunefi – a bug bounty platform that can help you to review your code and find vulnerabilities.
FAQs
What are smart contract security best practices?
- Write high-quality code to ensure a smooth development process.
- Keep your code simple, so other developers can easily audit it.
- Implement secure access controls.
- Design internal safeguards to ensure correct contract behavior.
- Test your smart contracts extensively.
- Commission security audits or set up a bug bounty.
- Design smart contract upgrades, emergency stops, and monitor events.
- Use a timelock to create secure governance systems.
What is a smart contract security audit?
A smart contract security audit thoroughly examines your smart contract code. Its goal is to find potential vulnerabilities and inefficient coding and provide smart contract owners with recommendations on removing bugs.
What is a smart contract security checklist?
To ensure your smart contract security, follow this checklist recommended by Ethereum creators:
- Review your smart contracts for common vulnerabilities with Slither or Crytic.
- Analyze special features of your smart contract, such as your upgradeability code or integration with 3rd party tokens.
- Document the most important security properties and evaluate them with automated test generators.
- Manually check issues that can’t always be found with automated tools: front-running transactions, risky interactions, or lack of privacy.
Julija Paškevičienė
Julija is a freelance content marketer. Specialized in content writing, social media, and finding the best dog memes, she helps businesses get their message across and create content that sells.
Further reading
All articles
Pay-to-Win in Web3: How Can It Help
Pay to Win is where a player can use additional funds outside the initial price of the game to gain an advantage against other players, usua...
What Is Tokenomics? [Understanding the Token Economy]
Many people new to Web3 believe that any crypto coin can become as big as bitcoin or Ethereum, even if nothing could be further from the tru...
6 Crypto Staking Misconceptions & Myths [2022]
Like most things in the crypto world, it can be hard to wade through all the information on staking. Your colleagues and friends likely have...