Smart Contract Security Has Some Gaping Holes — Here’s How to Plug Them

As blockchain and crypto both continue to grow, so does the crime around them. It’s clear to see that exchange hacks are becoming more common and more costly, with damage occasionally running into the 9-figure range.

This isn’t a catastrophe, the industry isn’t under any real threat, but it shouldn’t be taken lightly either. If the world of blockchain and digital finance is to be taken seriously on a big scale, we need to assure users that it’s safe.

One area of blockchain that is in need of airtight security is smart contracts. These are a big part of the technology, and a common target for hackers when trying to infiltrate and steal from networks.

The KICKICO breach in July was a prime example of what can happen when smart contracts aren’t kept secure. Hackers obtained the private key to the KickCoin smart contract, and by accessing and tampering with it they managed to steal $7.7 million worth of coins.

Fortunately, in this case KICKICO was able to thwart the attack and recover the stolen funds, but it remains a harsh reminder of how smart contracts can be compromised with serious consequences.

As blockchain becomes more high-profile, it’s going to be vital to take the security of smart contracts seriously. But why aren’t they secure enough already?

A Few Holes to Plug

It isn’t like smart contract security doesn’t exist it does. Blockchain companies and projects take security seriously in all areas, because they have to. They’ve all seen what happens when exchanges like Mt. Gox and Bitfinex fail to put security first, and it’s not pretty.

But current security methods for smart contracts tend to come up short. They focus on certain threats while ignoring or failing to deal with others. For example, they pay a lot of attention to things like common vulnerabilities and errors in programming.

Sure, these are big issues that need to be addressed, but there are far more threats out there that also need attention.

The theft of keys, as we already mentioned, can be a recipe for disaster and is extremely tricky to prevent. Then there are all the vulnerabilities that aren’t common and well-known, flaws that only become apparent when it’s too late.

And that’s without mentioning malicious employees. It’s impossible to fully vet everyone that works on your project, and sometimes the allure of digital riches can outweigh company loyalty.

It’s clear that smart contract security has to become more comprehensive and reliable. It needs to cover all areas of risk, not just a select few.

But how do you protect against vulnerabilities you don’t even know exist, or the possibility of a rogue employee? It requires a slight shift in mindset, to look beyond the development stage of software and ahead to deployment.

How to Make Smart Contracts More Secure

Mythril is one project that’s exciting people in the blockchain world by promising to detect bugs and bring greater security to smart contracts smoothly and easily. It offers a detailed toolkit and a comprehensive way to analyze and secure smart contracts.

Then there’s QuillAudits, a platform designed for auditing smart contracts to ensure they’re free of vulnerabilities and running on efficient code.

Other Approaches Take a Alightly Different Route

SafeBlocks, for example, looks to the deployment stage of decentralized software, focusing on transaction traffic. In their platform, users will be able to set rules for their smart contracts to prevent unauthorized transactions. Like a Web Application Firewall (WAF) but for Smart Contracts instead of Apps.

How a “DAF” Works to Protect a Smart Contract

They promise continuous validation for transactions, ensuring that nothing takes place outside of the users’ conditions.

One feature allows users to set a transaction limit ensuring that, for example, no transaction ever exceeds 10 tokens. Even if your contract is compromised, there will be a limit on how much criminals can steal.

This approach gets around risks like dishonest employees and stolen keys, working in a similar way to Web Application Firewalls for traditional applications. It ensures that, no matter what, your pre-set rules will always be followed, and any suspicious behavior will be quickly caught.

In a world where crimes against blockchains and smart contracts can seem like a fact of life, platforms like these offer a ray of hope. They can help assure newcomers to the space that security fears are not an inevitable part of blockchain projects and encourage more participation in the whole industry.

1 Comment

  • Jay
    Posted February 14, 2019 6:58 am 0Likes

    Shame that Quantstamp isn’t mentioned despite being one of the forefront leaders in smart-contract security; even at the time of this article being written.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.