The Importance Of Audits And Secure Coding For Smart Contracts
When it comes to writing code, especially while creating smart contracts, security is of the utmost importance. That’s why EtherCamp asked Zeppelin to audit their decentralized startup team contract. This isn’t the first time Zeppelin has reviewed EtherCamp’s code, as the company previously performed public audits on the HackerGold (HKG) token and the ProjectKudos contract.
It’s called a public code audit because after Zeppelin works up a report on the quality of a project’s code, they publish the results online. While EtherCamp reaps the immediate benefits of having Zeppelin reveal severe security problems, potential complications, and general notes, making the results available to the greater community allows other coders to learn from previously made mistakes. Having code audited in such an open, transparent manner should also help to foster trust from the public.
The importance of secure code cannot be overstated, especially when writing smart contracts. Auditing the code is the only way to make sure a smart contract will do only what it’s been programmed to do. This isn’t simply about writing code so airtight no hackers can get in, but also about catching dangerous bugs. Leaving a bug in a piece of self-executing code is almost as bad as designing a killer robot without an off switch, allowing it to run amok and cause all sorts of chaos. Due to the nature of smart contracts, once a contract goes live, it’s not always easy to claw back the mistakes. A buggy contract could suddenly start misbehaving, which isn’t good for building confidence in those interested in the benefits of the blockchain.
Any weak or exploitable code can make blockchain-based technology, like smart contracts, look unreliable. While the blockchain is strong, a smart contract is only as secure (and strong) as its code. This type of vulnerability is what led to The DAO fiasco. A hacker was able to exploit a weakness in a smart contract and drain The DAO of over $50 million in pooled funds. Luckily, a hard fork was able to restore most of the lost investments. Aside from almost allowing a substantial amount of money to be stolen, the risky code actively damaged the reputation of blockchain-based technologies. The latter fact could be considered worse, seeing as how this disruptive tech is still very much in its developing stages.
This is why ensuring the security of smart contract code is so important. One of the first steps to securing code is to follow the lead of wise enterprises like EtherCamp and get the code audited by an outside source. This will ensure that custom smart contracts are following the best practice standards and reducing potential attack surfaces. An increase in public code audits would help to show the openness of this budding industry. Not only that, but it would have the obvious benefit of mitigating bugs and vulnerabilities, thereby making the whole blockchain ecosystem visibly safer.
Zeppelin, in particular, is doing their part to make writing secure smart contracts even easier. Through their OpenZeppelin project, they offer a framework of reusable and secure smart contracts that use standardized, tested, and community-reviewed code. Using proven code in smart contracts immediately increases their security and makes writing them simpler and more efficient. Zeppelin said:
“Smart contract security is hard. We need better tools for developers and teams to build the next generation of blockchain-based smart contract applications. There is yet no community-standard code to help write smart contracts in a safe way. We’re introducing Zeppelin as a way to discuss, learn together, and build tools for a safer decentralized finance ecosystem.”
Outside of utilizing help within the blockchain community, a programmer could also benefit from following industry-recommended security patterns. That means writing code in a way that doesn’t allow a malfunction to remain hidden. The idea is to write simple and modular code that allows for easier auditing. This makes it quicker to ensure a contract can do only what it was designed to do. Another recommended security pattern is to not write all the code from scratch, but instead to prefer code that’s time-tested or community-reviewed over newly created, untested code.
If there were a secure smart contract certification board, startups wouldn’t be required to get a stamp of approval, but one would be available to them. Receiving a certification from a board would help build trust in a company. The best a developer can do now is to utilize the secure bits of code that are already out there, and potentially pay for an outside party to audit their code.
Smart contract code security is a serious issue and shouldn’t be taken lightly. An investor’s money could be put at stake in a smart contract, and a simple bug could make a significant investment disappear for no reason other than a lack of audit.
The more secure smart contracts are, the better the blockchain will look. Blockchain-based technology has so many advantages in so many industries, it’s important to increase confidence in the whole ecosystem. Secure smart contracts with appropriate auditing are the foundations of blockchain adoption in the future - for any industry.