Saturday, May 25, 2024

Ethereum Smart Contract Framework Updated to Combat Security Concerns

One of the most popular blockchain networks in the world is Ethereum. According to recent data from CoinMarketCap, Ethereum has the greatest total number of developers: 16% of all developers in the cryptocurrency industry.
Regrettably, security flaws have also made the Ethereum network incredibly vulnerable. In its “Global Web3 Security Report,” blockchain security company Beosin found that, in the third quarter of this year, cryptocurrency investors lost $282.96 million to scams. The report also noted the $66.15 million that phishing scams brought in over the same period. The Ethereum blockchain suffered the greatest losses and the most incidents overall, per Beosin’s data.

Updated framework for reviewing smart contract code

According to Chaals Nevile, technical program director at the Enterprise Ethereum Alliance (EEA), a group that seeks to promote enterprise Ethereum adoption as an open standard, there are known issues with Ethereum that affect the security of the ecosystem. The most evident is that there are bugs in the Solidity compiler, which produces the bytecode and other artifacts required to deploy smart contracts. While some issues are corrected as the compiler develops, others are introduced, according to Nevile.

The EEA formed the “EthTrust Security Levels Working Group” in November 2020 to address these and other issues. The organization published the “EthTrust Security Levels Specification v1” in August 2022. Since then, this standard has served as a framework for developers, businesses, and clients to write and review smart contract code created in Solidity, the primary programming language for Ethereum.

Nevile noted that new security discoveries and ongoing developments in the Ethereum network made it necessary to update the EthTrust Security Levels Specification. He remarked, “For example, the v1 specification covers bugs up to about the year 2022, yet after we released v1, new bugs were found.”

Nevile said that the EEA released the EthTrust Security Levels Specification, Version 2.0, today. He pointed out that the EthTrust Security Levels Specification v2 tackles a number of problems, including recently found Solidity compiler flaws, how rounding errors are handled, a more forceful treatment of read-only reentrancy attacks, and more.

Updates are essential because these particular problems have in the past left the Ethereum ecosystem exposed to security vulnerabilities. Reentrancy was the cause of “The DAO” hack, according to Michael Lewellen, head of solutions architecture at OpenZeppelin, a security company that builds an open-source framework for securing smart contracts, who spoke with Cryptonews about this. The DAO Hack, the first significant Ethereum hack, occurred in 2016 and raised awareness of security issues worldwide. Lewellen stated, “This was a textbook example of reentrancy.” $3.64 million worth of Ethereum was lost as a result of the DAO breach.

According to Nevile, reentrancy happens when a developer initiates a smart contract and then instructs the computer to change its behavior while it is still executing code. He said:

“In essence, this indicates that a program is instructed to perform code up to a point, beyond which it is interrupted. The two requests may thus be confused as a result. Then, a program hacker might take advantage of this confusion to either alter the prompt or steal money from users.”

Will an industry standard be widely adopted?

Recognizing the seriousness of these incidents, Lewellen said OpenZeppelin uses the EthTrust Security Levels v1 framework to guard against such security flaws. “Many of our clients utilize this framework as a pre-audit evaluation. This makes it possible for clients to understand that, while conducting an audit, we are looking for specific occurrences.”

According to an unnamed OpenZeppelin client who spoke with Cryptonews, the company had lacked something like EthTrust in the past, so this industry standard appears to be beneficial. The client stated:

“Our prior security audit was unsuccessful due to a lack of precise instructions on the security requirements we were lacking. After examining and integrating the EthTrust standards into our codebase, we feel far more assured heading into our upcoming audit.”

However, Nevile noted that although the EthTrust standard v1 has received encouraging feedback, it remains difficult to make developers and organizations aware that such an open standard exists. It is best suited to newer Ethereum projects, he added in his letter. He stated:

“These standards may be helpful to projects like Uniswap, Aave, and others, but for the most part, they are common information to them. These requirements will probably be useful for projects that are just now being built and moving into production on Ethereum.”

Whether an industry standard of this kind will help thwart Ethereum security flaws in the future is still up for debate. John Wingate, founder and CEO of BankSocial, a financial services startup that uses blockchain technology, told Cryptonews that he finds it concerning that industry standards keep evolving. According to him, “standards are always changing; methods, variables, data types, and object types are always deprecating in languages.”

Nevile revealed that work is already underway on version 3 of the EthTrust specification, which addresses this risk. He said: “Every 16 months or so, we publish something new. I believe that a rewrite every 12 to 18 months is sufficient to keep things current.”

While that may be so, Wingate contends that the only way to ensure decentralized applications follow the recommended practices that could stop security attacks is through automated, repeatable testing. He stated:

“This is the ability to configure your platform so that automated code testing occurs on a regular basis. Everyone can benefit from checking for exploits when an automated tool is updated in response to known bugs in the source code or compiler.”
