In my first blog I talked about why smart contracts are essential for crypto; you can read that blog on the G360DAO Mirror. But what happens when the smart contract you coded isn't secure? And how can you make it secure? Those questions will be answered in this blog.
Smart contracts can have serious errors coded into them, and once a contract with such errors is published, bad things can happen. Attackers can exploit the contract and drain all the funds it holds, or hijack its logic so that it transfers funds to them.
The worst part is that once you publish your smart contract on the blockchain with those errors in it, the code cannot be changed afterwards. This is referred to as immutability and was already discussed in my first blog. There is a side note to that, however: you can write upgradeable smart contracts, which can be changed after the initial release, but only if you programmed that possibility into the contract up front.
That freedom comes at a cost, because the patterns for upgradeable smart contracts introduce centralization. Whoever holds the upgrade permission can replace the contract's code, which creates a single point of failure: if that party makes a mistake or turns malicious, the entire system is affected. And if a single person or key controls the upgrade, that person or key becomes an attractive target for attackers. This lack of decentralization is what makes upgradeable smart contracts risky.
So, what if you do not want upgradeable smart contracts? Then you need to find and fix the bugs before you publish your smart contract on the blockchain. To help with that you can use a couple of tools, which are as follows (watch out, a lot of technical terms coming up!).
Slither
Slither is what is called a static analysis framework: it inspects your Solidity source for known bug patterns (reentrancy, uninitialized storage variables, and so on) without executing the program, and it is easy to use. It is written in Python and installed with pip, and it exposes a Python API, so you can script your own detectors and printers on top of it. Why is that good? Python has a wide range of libraries and a large, active community, which makes it easy to integrate Slither into your build and to find help and resources when needed.
Mythril
Mythril is a valuable tool for smart contract development because it provides automated security analysis of Ethereum smart contracts. It uses symbolic execution and taint analysis to detect vulnerabilities such as integer overflow, transaction-ordering dependence, timestamp dependence and others, so potential security issues show up before deployment. For each finding Mythril reports the code location and a transaction sequence that reaches it, so developers can understand exactly why a certain vulnerability exists. Mythril is also open source, so developers can adapt it to their specific needs.
Echidna
Echidna is a smart contract fuzzer that helps developers test their smart contracts for vulnerabilities quickly and efficiently. You describe properties that must always hold for your contract (for example, that the total supply of a token never changes), and Echidna calls the contract with random inputs in random orders to try to break them. When it succeeds, it reports the sequence of transactions that violated the property, so you can fix the underlying bug. Echidna can also be run against existing smart contracts to find security vulnerabilities that were overlooked during development.
In this way your smart contract is checked in three separate ways. But remember that these three tools do not detect all vulnerabilities. So, if you really want to be sure that your smart contract is ready to deploy on the blockchain, it is better to also ask an auditor to review the code. An auditor will not only look for known vulnerability patterns, but also for abuse cases, logic errors and design flaws. Even then there is no absolute guarantee, but it is the best assurance you can get before your contract goes live and becomes immutable.
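To make the three tools concrete, here is an added example (it is not code from the original post, from the author or from Guardian360) of the kind of contract they are run against: a small token with a deliberate logic bug, plus the Echidna harness that catches it. The file name Token.sol, the harness name TestToken and the three sender addresses (Echidna's default senders, which can be changed in its YAML config) are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal token with a deliberate logic bug in transfer(): the recipient
// balance is read before the sender balance is debited, so on a self-transfer
// the stale value overwrites the debit and the sender's balance grows.
// Solidity 0.8 checked arithmetic does not help here: nothing overflows.
contract Token {
    mapping(address => uint256) public balances;
    uint256 public totalSupply;

    function transfer(address to, uint256 amount) external {
        uint256 fromBal = balances[msg.sender];
        uint256 toBal = balances[to];            // stale when to == msg.sender
        require(fromBal >= amount, "insufficient balance");
        balances[msg.sender] = fromBal - amount;
        balances[to] = toBal + amount;            // BUG: undoes the debit on self-transfer
        // Fixed version: balances[to] += amount;  (re-reads storage after the debit)
    }
}

// Echidna harness (assumed name). Echidna calls every public function on this
// contract with random arguments from its sender addresses and, after each
// call, evaluates every function whose name starts with "echidna_". A property
// that returns false is reported together with the transaction sequence that
// broke it.
// The three addresses below are Echidna's default senders (assumption: the
// default sender list is unchanged in your echidna config).
contract TestToken is Token {
    address constant SENDER_A = address(0x10000);
    address constant SENDER_B = address(0x20000);
    address constant SENDER_C = address(0x30000);

    constructor() {
        balances[SENDER_A] = 1000;
        balances[SENDER_B] = 1000;
        balances[SENDER_C] = 1000;
        totalSupply = 3000;
    }

    // Invariant: tokens may leave the three fuzzer accounts (transfers to any
    // other address), but their combined balance can never exceed totalSupply.
    // A self-transfer by any sender breaks this, and Echidna reports the call.
    function echidna_sum_never_exceeds_supply() public view returns (bool) {
        return balances[SENDER_A] + balances[SENDER_B] + balances[SENDER_C] <= totalSupply;
    }
}
```

Run the three tools on the same file: `slither Token.sol` for the static checks, `myth analyze Token.sol` for the symbolic analysis, and `echidna Token.sol --contract TestToken` for the fuzzer (older Echidna releases ship the binary as `echidna-test`). A bug like this one is a pure logic error rather than a known pattern such as reentrancy or overflow, so the pattern-based tools may not report it, while the property test fails as soon as the fuzzer tries a self-transfer. That is exactly why the post recommends combining all three, and an auditor on top.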
Next blog I will explore the use of AI in the detection of smart contract vulnerabilities.

Written by Tim Hoeksma
Tim is a third-year HBO ICT student at The Hague University of Applied Sciences, specialising in Innovative Development. During his internship at Guardian360 he will perform research into vulnerabilities, and with these blogs he will keep you up to date with his research.