In 2021 $1.5 billion were hacked from smart contracts. That’s why smart contract security experts are in high demand and can make up to 300k / USD. So how can you become a smart contract security expert?
We have just released a full security 101 course that goes into details on how to get started with blockchain security
The first step is to learn web development. You need to know html, CSS, JS, React, and NodeJS. The next step is to learn Blockchain development. There are many Blockchains, but most of the value locked in smart contracts is on Ethereum or on other Blockchains based on Ethereum. And most of these smart contracts use a programming language called Solidity. That’s why you should focus on learning Ethereum and Solidity.
After, the next step is to learn smart contract security. There are 2 aspects of smart contract security:
- Writing secure smart contract – in this case you defend your code against hackers
- Auditing smart contracts – in this case you try to attack a smart contract and find vulnerabilities
Writing Secure Smart Contracts
As a developer you have to understand that in addition to loss of funds, it is also hard to gain back trust once your contract is hacked. Security is a constant threat in web3. Unlike Web2, all your code is always public and cannot be changed one you deploy it. And since blockchain is immutable, fraudulent transactions cannot be reverted either. So it’s very important to test your code thoroughly before deploying to production.
Ethereum and complex blockchain programs are new and highly experimental. Therefore, you should expect constant changes in the security landscape, as new bugs and security risks are discovered, and new best practices are developed. Following the security practices in this document is therefore only the beginning of the security work you will need to do as a smart contract developer.
While much of your programming experience will be relevant to Ethereum programming, there are some pitfalls to be aware of.
- Be extremely careful about external contract calls, which may execute malicious code and change control flow.
- Understand that your public functions are public, and may be called maliciously and in any order. The private data in smart contracts is also viewable by anyone.
- Keep gas costs and the block gas limit in mind.
- Be aware that timestamps are imprecise on a blockchain, miners can influence the time of execution of a transaction within a margin of several seconds.
- Randomness is non-trivial on blockchain, most approaches to random number generation are gameable on a blockchain.
During development, always upgrade to the latest version of any tool or library as soon as possible. This will safeguard you against known bugs. Bugs generally occur if your smart contract logic is too complex. So you should keep your contract as simple as possible. If you are implementing a complex feature divide your development into phases. New features should be thoroughly tested before release. It’s important to test your ENTIRE app before each release not just the new features. This was the mistake Compound protocol made which cost them $90 million.
To improve your chances of shipping fewer bugs to production, you should write test cases for each feature as you develop them. Unit testing also find bugs in your code as your contract grows. Projects like DappTools make it easy to find early stage bugs with its best in class fuzzing tests. You should look out for efficient tools that make finding bugs easier for you.
If you want devs to write more secure code, give them better tools
Another important thing to note here is that even private variables are visible on the blockchain. So you should not store sensitive data in your smart contract code.
Once all your code is working as expected it is important to be aware of the most common vulnerabilities in smart contract development. This will ensure you don’t fall for obvious mistakes such as:
- Reentrancy attacks which happens when the attacker takes over the control flow. For example calling a payable function more than once without actually paying for it
- Front running is another type of attack where the attacker is able to predict the behaviour of smart contract if it depends on transaction ordering or time
- Similarly, Access control attacks happen when an attacker is able to access to privileged information by escalating their permissions
If your contract handles a large amount of money, it’s advised to get your code audited before going live. Ultimately, hackers have more financial incentives than auditors so it’s a good practice to setup a bug bounty program on platforms like Immunefi.
Lastly, you can get insurance from Companies like Nexus mutual for your smart contract. They provide insurance against hacks and contract failures thereby increasing users’ trust in the application.
Auditing smart contracts
To become a smart contract auditor you need to learn how to detect smart contract vulnerabilities. You can do this manually, or by using some security tools. Some of the important security tools are listed below:
- Solidity Visual Auditor – This extension contributes security centric syntax and semantic highlighting, a detailed class outline and advanced Solidity code insights to Visual Studio Code
- Sūrya – Utility tool for smart contract systems, offering a number of visual outputs and information about the contracts’ structure. Also supports querying the function call graph.
- Solgraph – Generates a DOT graph that visualizes function control flow of a Solidity contract and highlights potential security vulnerabilities.
- EVM Lab – Rich tool package to interact with the EVM. Includes a VM, Etherchain API, and a trace-viewer.
- ethereum-graph-debugger – A graphical EVM debugger. Displays the entire program control flow graph.
- Piet – Web application helping understand smart contract architectures. Offers graphical representation and inspection of smart contracts as well as a markdown documentation generator.
Static and Dynamic Analysis
- MythX – MythX is a professional-grade cloud service that uses symbolic analysis and input fuzzing to detect common security bugs and verify the correctness of smart contract code. Using MythX requires an API key from mythx.io.
- Mythril – The Swiss army knife for smart contract security.
- Slither – Static analysis framework with detectors for many common Solidity issues. It has taint and value tracking capabilities and is written in Python.
- Contract-Library – Decompiler and security analysis tool for all deployed contracts.
- Echidna – The only available fuzzer for Ethereum software. Uses property testing to generate malicious inputs that break smart contracts.
- Manticore – Dynamic binary analysis tool with EVM support.
- Oyente – Analyze Ethereum code to find common vulnerabilities, based on this paper.
- Securify – Fully automated online static analyzer for smart contracts, providing a security report based on vulnerability patterns.
- SmartCheck – Static analysis of Solidity source code for security vulnerabilities and best practices.
- Octopus – Security Analysis tool for Blockchain Smart Contracts with support of EVM and (e)WASM.
- sFuzz – Efficient fuzzer inspired from AFL to find common vulnerabilities.
- Vertigo – Mutation Testing for Ethereum Smart Contracts.
Weakness OSSClassifcation & Test Cases
- SWC-registry – SWC definitions and a large repository of crafted and real-world samples of vulnerable smart contracts.
- SWC Pages – The SWC-registry repo published on Github Pages
- solidity-coverage – Code coverage for Solidity testing.
Linters and Formatters
Linters improve code quality by enforcing rules for style and composition, making code easier to read and review.
- Ethlint – Yet another Solidity linting.
- Solhint – A linter for Solidity that provides both Security and Style Guide validations.
- Prettier + Solidity Plugin – Prettier enforces basic style conventions in your code.
And finally, you need to learn how to write the report of a smart contract audit. For this, you can take some inspiration of existing smart contract audits.
Security is becoming a fundamentally important part of blockchain development. You as a blockchain engineer should educate your self and make web3 a safer place for everyone. Smart contract security is very interesting, and it’s also very well-paid. And to get started, you can checkout our course on smart contract security that we just released. It uses the latest version of Solidity and covers the main security vulnerabilities that you need to know.