Improving Security on Ethereum – Modular-Network – Medium

How Majoolr does it.

It has been quite a year for Ethereum, as evidenced by the tremendous announcements at Devcon3. Our team is excited about small things like ethjs from Nick Dodson and big things like the virtual machine being developed by our friends Jason Teutsch and Robbie Bent at TrueBit. This year has seen the biggest ups and downs any revolution could hope for: billions of dollars invested and millions of dollars lost or stolen. Wait... what? Millions of dollars lost or stolen? Is this acceptable within the Ethereum ecosystem? Absolutely not, but it is a necessary evil if we are to learn significant lessons. So what lessons have we learned, and what are we doing about it?

Insecure code will be exploited

We obtain a lot of benefits when putting applications in a distributed network. Automated changes in a shared global database have unlocked efficiency in the transfer of value never before seen in human history. Every value-producing team in the ecosystem can literally mint millions of dollars of their value in a few seconds and distribute it. It's amazing what this Ethereum thing can do; you should try it. Well... maybe not yet, usability and scale just aren't quite there, but we're getting close! More important, though, is the downside of this automated machine being cloned onto everyone's device: everyone has a clear view of the systems in it.

There are no secrets in the Ethereum network; that's the entire point. This means that anyone can look under the hood and, with the right tools, can see exactly what will happen when they make any call to any application. It works well when you need to validate that you will receive funds from someone else through an agreed-upon automated means. It doesn't work so well when a sharp eye notices that your funds are actually available right now, without question, because the code is written to permit it. Most likely by mistake, but written that way nonetheless.

Notice I didn't say hacker, nor did I say steal. You see, there is a certain framework of thought being developed in this system which I would say I believe in. Code is law. This seems to be the only way we can confidently move forward as a community with a consistent standard. Now, I understand the difference between action and intent, but the fact is, more often than not, you're swimming in a pool of subjectivity. If the intent of a piece of logic was to keep your funds safe in a certain location within the global database, and not permit anyone to withdraw them, the code should have been written as such. If the code was written such that it permitted someone to withdraw those funds, we must assume intent in all cases in order to avoid subjectivity. Yes, for those familiar, this was not the position taken by folks at a key point in time, but that was then and this is now.

What's the point? Source code security, that is, defining the exact intent and purpose of the logic in the logic itself, is of paramount importance for all systems in Ethereum.

The OK way

Any legitimate team developing distributed applications must maintain basic coding hygiene at the very least. This includes passing contracts between developers for review, clear documentation, and robust testing. This meets a bare minimum standard for custom development but is most likely not suitable for any live application on mainnet. There could be skill gaps within a small group as a whole, or bad practices that never get checked by an outsider's perspective.

A better way

In the wake of famous events that gave ownership of assets to unexpected accounts, security standards really picked up. Tools were developed and teams such as ConsenSys Diligence were hired to provide code audits, which gave an independent expert's perspective on the code written. These became, and still are, an important step to take when developing applications that handle real assets within the Ethereum network. There's no telling how many vulnerabilities have been avoided by taking this precautionary step. There's a catch with these, however: a good audit takes a significant amount of expertise, attention to detail, and time to produce. The cost is high. This leads to the question: when it comes to common logic such as tokens, do we actually need independent instances of this logic, each requiring its own audit?

The best way

The Ethereum Virtual Machine gives us the ability to develop and deploy code libraries that are shared among contracts. It is obvious to me that, in a distributed ledger with immutable code, shared libraries should be the most used feature of the entire thing, YET they're not.

Let's take the most visible piece of common logic as an example: an ERC-20 token. ERC-20 defines a code standard which EVERY compliant token contract must implement. The fact that we have independent token contracts being written, complete with all logic included, and subsequently audited tells me that there is still a lack of understanding in development circles. Majoolr has a token library deployed at 0x02d509d0af485c8da54d8aeb42c624e7d9e2eeb6 on mainnet which includes all standard ERC-20 functions. This library contract is permanently and verifiably placed at this location; check it out on Etherscan. What does this mean? Never again, for the history of Ethereum, does any development team need to write the logic for an ERC-20 contract; they simply need to link their contract to this library. Presently this goes for any array utility we have available, math, tokens, multisig wallets, and yes, even crowdsales. The implementation of crowdsales using our libraries must be understood, but the logic is there and deployed. To ensure you get it properly deployed you should contact us to do it ;) .
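To make the linking pattern concrete, here is an added example of an ERC-20 token whose state and rules live entirely in a library, with the token contract holding only a storage struct and forwarding every call. This is illustrative code written for this article, not Majoolr's library and not the code at the mainnet address above; the struct layout, function names and the token constants are assumptions, and it is written in Solidity 0.8 syntax.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Majoolr's deployed library. Public library functions are
// reached by DELEGATECALL, so the library is deployed once and linked into each
// token contract at deploy time; the token's storage is what the library edits.
library TokenLib {
    struct TokenStorage {
        mapping(address => uint256) balances;
        mapping(address => mapping(address => uint256)) allowed;
        uint256 totalSupply;
    }

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    // Called once from the token's constructor; refuses to run a second time.
    function init(TokenStorage storage self, address owner, uint256 supply) public {
        require(self.totalSupply == 0, "TokenLib: already initialised");
        self.totalSupply = supply;
        self.balances[owner] = supply;
        emit Transfer(address(0), owner, supply);
    }

    // msg.sender survives DELEGATECALL, so it is the account calling the token.
    function transfer(TokenStorage storage self, address to, uint256 value) public returns (bool) {
        _move(self, msg.sender, to, value);
        return true;
    }

    function approve(TokenStorage storage self, address spender, uint256 value) public returns (bool) {
        self.allowed[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    function transferFrom(TokenStorage storage self, address from, address to, uint256 value) public returns (bool) {
        uint256 remaining = self.allowed[from][msg.sender];
        require(remaining >= value, "TokenLib: allowance exceeded");
        self.allowed[from][msg.sender] = remaining - value;
        _move(self, from, to, value);
        return true;
    }

    // The intent "you may only move what you hold" is written into the logic
    // itself rather than left to the caller's good behaviour.
    function _move(TokenStorage storage self, address from, address to, uint256 value) private {
        require(to != address(0), "TokenLib: transfer to the zero address");
        require(self.balances[from] >= value, "TokenLib: insufficient balance");
        self.balances[from] -= value;
        self.balances[to] += value;
        emit Transfer(from, to, value);
    }
}

// A token that owns no ERC-20 logic of its own: every call is forwarded to the
// linked library. Name, symbol and decimals are hypothetical values.
contract LibraryToken {
    using TokenLib for TokenLib.TokenStorage;

    TokenLib.TokenStorage private token;
    string public constant name = "Library Token";
    string public constant symbol = "LIB";
    uint8 public constant decimals = 18;

    constructor(uint256 initialSupply) {
        token.init(msg.sender, initialSupply);
    }

    function totalSupply() external view returns (uint256) { return token.totalSupply; }
    function balanceOf(address who) external view returns (uint256) { return token.balances[who]; }
    function allowance(address owner, address spender) external view returns (uint256) {
        return token.allowed[owner][spender];
    }
    function transfer(address to, uint256 value) external returns (bool) { return token.transfer(to, value); }
    function approve(address spender, uint256 value) external returns (bool) { return token.approve(spender, value); }
    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        return token.transferFrom(from, to, value);
    }
}
```

The library is deployed once; the token's compiled bytecode then carries a placeholder for the library address that is filled in at deploy time (with solc, via the `--libraries` option), after which the address is fixed in the token's code. Two checks matter before you link to any library address, Majoolr's or anyone else's: because the library runs under DELEGATECALL it has full write access to your contract's storage, so confirm that the bytecode at that address matches the source you reviewed (Etherscan's source verification is the usual way), and confirm that your contract's storage layout matches the struct the library expects, since a mismatch silently corrupts balances rather than reverting.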

The point is that libraries are very effective, and we at Majoolr have an open source repo full of them. These are completely open for inspection, testing, validation, and use. Using what is already tested and available in a distributed network is by far the best way to ensure those pieces of your logic are good to go.

We have a strong team at Majoolr and are making exciting developments. I can't wait to share them with you in the near future. In the meantime, come chat with us in our Discord!!
