On July 27, 2017, at the DEF CON 25 hacker conference, Comae Technologies founder Matt Suiche revealed Porosity, a decompiler capable of deciphering the code that makes up executable distributed code contracts (EDCCs).
Porosity lends itself well to debugging, as it can revert EDCCs, which are often programmed in languages like Solidity, to readable source-level code. As with any developing software, bugs often emerge in EDCCs which, if left unchecked, can result in costly hacks. The most infamous of these incidents may be the 2016 DAO hack; more recently, an exploit in the EDCC code governing multi-signature Parity wallets resulted in millions of stolen Ether. Some of the funds were saved by a team of pro-ecosystem hackers, the White Hat Group, that preemptively quarantined Ether from affected wallets. According to Suiche, Porosity allows for the review of EDCCs for which there is otherwise "no way to provably go back and ensure that code is safe." As Suiche puts it, if any new vulnerabilities are discovered, affected EDCCs cannot be retroactively identified unless the developers previously retained the source code or publicly shared it.
Porosity effectively translates Ethereum Virtual Machine (EVM) bytecode (the form in which EDCCs are deployed and executed) and generates Solidity syntax from it. This recovered code can then be scanned for bugs and attack vectors, or audited to maintain integrity. According to Suiche, "Porosity removes a major roadblock to interacting with contracts of unknown origin and helps further the 'trust but verify' blockchain thinking."
The tool is likely to be a big hit with J.P. Morgan, as Porosity is being packaged and tested with Quorum, an enterprise-level Ethereum blockchain. Suiche confirms that developers can:
- “Scan private contracts sent to your node from other network participants.
- Incorporate into security & patching processes for private networks with formalized governance models.
- Automate scanning and analyze risk across semi-public Quorum networks.”
Porosity and innovations like it, which help eliminate exploits and bolster network security, bring peace of mind to developers who need proper tools to audit their software and code.