On June 19, 2017, digital asset management company Melonport AG, in partnership with developers at Oyente, revealed a beta version of an analysis tool designed to check for flaws in executable distributed code contracts (EDCCs).
The tool, also called Oyente after its namesake developers, was released to the public as open source code. It is compatible with any Ethereum-based EDCC language, including Solidity, Serpent, and LLL. Oyente was originally developed as part of an academic paper by National University of Singapore doctoral student Loi Luu. After running out of funding, Oyente was put on hold until February of 2017, when Melonport closed a funding round, raising 2.5 million Swiss francs, and took an interest in the project. According to Melonport, it was Oyente's potential "to greatly augment the Ethereum developer community's ability to create safe and secure decentralized applications" that drew them to partner on and develop it. After six months of work, Oyente covers a great deal of the Ethereum Virtual Machine (EVM) opcodes.
Reto Trinkler, CTO and Chairman of Melonport, touched on concerns of EDCC security when speaking of the Oyente tool. He said, "We believe analyzing disassembled opcodes from bytecode deployed to the blockchain and checking them against a set of properties is one of the most cost and time effective ways to reason about smart contract security to date. For the Melon protocol, this translates to a great open-source tool to help ensure quality and security standards in Melon modules."
Oyente published a blog post describing changes to the code since its initial release. While most EVM opcodes are supported, some "are not possible to represent symbolically," such as DELEGATECALL and EXTCODECOPY. For opcodes such as these, the Oyente developers said they created context-sensitive analysis that reduces the potential for false positive results.
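The first step of the approach the article describes is disassembling deployed bytecode into opcodes before any property can be checked against it. The following is an added example, not Oyente's code: a minimal EVM disassembler that walks the bytecode, skips PUSH immediates so that data bytes are not misread as instructions, and reports where opcodes such as DELEGATECALL and EXTCODECOPY occur. The opcode numbers are the standard EVM values; the table only covers a subset of the instruction set, and the sample bytecode is constructed for this example. The `naive_scan` helper shows why immediate-skipping matters: a byte-by-byte search reports a PUSH1 0xF4 data byte as a DELEGATECALL, while the disassembler does not.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass
class Instruction:
    offset: int                     # byte offset of the opcode in the code
    name: str                       # mnemonic, e.g. "DELEGATECALL"
    immediate: Optional[bytes] = None  # only PUSHn instructions carry one
    truncated: bool = False         # PUSHn whose immediate runs past the end of the code

# Subset of the standard EVM opcode table (values from the Ethereum Yellow Paper).
_NAMED = {
    0x00: "STOP", 0x01: "ADD", 0x02: "MUL", 0x03: "SUB", 0x10: "LT", 0x14: "EQ",
    0x15: "ISZERO", 0x34: "CALLVALUE", 0x35: "CALLDATALOAD", 0x36: "CALLDATASIZE",
    0x3B: "EXTCODESIZE", 0x3C: "EXTCODECOPY", 0x50: "POP", 0x51: "MLOAD",
    0x52: "MSTORE", 0x54: "SLOAD", 0x55: "SSTORE", 0x56: "JUMP", 0x57: "JUMPI",
    0x5B: "JUMPDEST", 0xF0: "CREATE", 0xF1: "CALL", 0xF2: "CALLCODE",
    0xF3: "RETURN", 0xF4: "DELEGATECALL", 0xFD: "REVERT", 0xFF: "SELFDESTRUCT",
}

def opcode_name(b: int) -> str:
    """Map one opcode byte to its mnemonic; PUSH/DUP/SWAP are contiguous ranges."""
    if 0x60 <= b <= 0x7F:
        return f"PUSH{b - 0x5F}"
    if 0x80 <= b <= 0x8F:
        return f"DUP{b - 0x7F}"
    if 0x90 <= b <= 0x9F:
        return f"SWAP{b - 0x8F}"
    return _NAMED.get(b, f"UNKNOWN_0x{b:02x}")

def disassemble(code: bytes) -> List[Instruction]:
    """Linear sweep over the bytecode, consuming PUSH immediates as data."""
    out: List[Instruction] = []
    pc = 0
    while pc < len(code):
        b = code[pc]
        name = opcode_name(b)
        if 0x60 <= b <= 0x7F:
            n = b - 0x5F                      # PUSHn carries n immediate bytes
            imm = code[pc + 1:pc + 1 + n]
            out.append(Instruction(pc, name, imm, truncated=len(imm) < n))
            pc += 1 + n
        else:
            out.append(Instruction(pc, name))
            pc += 1
    return out

def find_opcodes(code: bytes, names: Iterable[str]) -> List[int]:
    """Offsets of real instructions whose mnemonic is in `names`."""
    wanted = set(names)
    return [ins.offset for ins in disassemble(code) if ins.name in wanted]

def naive_scan(code: bytes, names: Iterable[str]) -> List[int]:
    """Byte-level search that ignores PUSH immediates; kept here to show the false positive."""
    wanted = set(names)
    return [pc for pc, b in enumerate(code) if opcode_name(b) in wanted]

# Constructed sample: PUSH1 0xF4, PUSH1 0x00, MSTORE, DELEGATECALL, STOP.
# The 0xF4 at offset 1 is data, the 0xF4 at offset 5 is the real DELEGATECALL.
SAMPLE = bytes.fromhex("60f4600052f400")
HARD_TO_SYMBOLIZE = ("DELEGATECALL", "EXTCODECOPY")

if __name__ == "__main__":
    for ins in disassemble(SAMPLE):
        imm = f" 0x{ins.immediate.hex()}" if ins.immediate else ""
        print(f"{ins.offset:04x}: {ins.name}{imm}")
    print("disassembler hits:", find_opcodes(SAMPLE, HARD_TO_SYMBOLIZE))
    print("naive byte scan hits:", naive_scan(SAMPLE, HARD_TO_SYMBOLIZE))
```

An inventory like this is only the front end of a tool such as Oyente; it tells a reviewer which opcodes a deployed contract can reach, and therefore which parts of the contract a symbolic analysis can model precisely and which need the context-sensitive handling the article mentions. Truncated PUSH immediates at the end of the code are reported rather than silently dropped, since code that ends mid-instruction is itself worth flagging.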
Luu expressed happiness to see the tool in use. "Oyente can be used to detect many common bugs found in smart contracts like reentrancy, transaction ordering dependence and so on. What's more interesting is that Oyente's design is modularized, so this allows advanced users to implement and plug in their own detection logic to check self-defined properties in their contracts. I look forward to seeing more contributions from the community to make Oyente even more powerful and useful."
The next steps for Oyente and Melonport are to continue improving the tool before it comes out of beta testing. Future builds will add support for ERC20 token tracking. The team reminds everyone that the tool is still a work in progress and bugs may be present, so user feedback is crucial.
The development of Oyente brings more open source tools to the community at large. Mona El Isa, CEO of Melonport, said the collaboration was undertaken with sharing in mind. "While formal verification is not a magical bullet for smart contract security, we're very proud to be able to fund and share this open source symbolic execution tool with both our own module developers and the Ethereum community as a whole."